1858804 - Assertion failure: mEditorBase->IsTextEditor(), at /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1157

Status: VERIFIED FIXED

(Core :: DOM: Editor, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20230813-dcf2ddfaffbf (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: mEditorBase->IsTextEditor(), at /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1157

#0 0x7ff8dc7a3232 in mozilla::IMEContentObserver::OnTextControlValueChangedWhileNotObservable(nsTSubstring<char16_t> const&) /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1157:3
#1 0x7ff8dcad575e in mozilla::TextControlState::SetValueWithoutTextEditor(mozilla::AutoTextControlHandlingState&) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2948:19
#2 0x7ff8dcad3e0c in mozilla::TextControlState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, mozilla::EnumSet<mozilla::TextControlState::ValueSetterOption, unsigned int> const&) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2689:15
#3 0x7ff8dca23161 in mozilla::dom::HTMLInputElement::SetValueInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, mozilla::EnumSet<mozilla::TextControlState::ValueSetterOption, unsigned int> const&) /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:2705:33
#4 0x7ff8dca308de in SetValueInternal /builds/worker/workspace/obj-build/dist/include/mozilla/dom/HTMLInputElement.h:937:12
#5 0x7ff8dca308de in mozilla::dom::HTMLInputElement::SetValueFromSetRangeText(nsTSubstring<char16_t> const&) /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:5598:10
#6 0x7ff8dcaba226 in mozilla::TextControlState::SetRangeText(nsTSubstring<char16_t> const&, unsigned int, unsigned int, mozilla::dom::SelectionMode, mozilla::ErrorResult&, mozilla::Maybe<unsigned int> const&, mozilla::Maybe<unsigned int> const&) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2288:40
#7 0x7ff8dcab9ea8 in mozilla::TextControlState::SetRangeText(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2235:3
#8 0x7ff8dc0aef07 in mozilla::dom::HTMLInputElement_Binding::setRangeText(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./HTMLInputElementBinding.cpp:3843:28
#9 0x7ff8dc1255f8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3327:13
#10 0x7ff8e08c65b4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
#11 0x7ff8e08c5ecd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
#12 0x7ff8e08d6498 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
#13 0x7ff8e08d6498 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3407:16
#14 0x7ff8e08c5422 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
#15 0x7ff8e08c5ee9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
#16 0x7ff8e08c738d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#17 0x7ff8e09adf74 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#18 0x7ff8dbe3d39b in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#19 0x7ff8dc7b3519 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#20 0x7ff8dc7b25e9 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
#21 0x7ff8dc78f7d5 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1348:22
#22 0x7ff8dc7908d4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1663:12
#23 0x7ff8dc790149 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1560:35
#24 0x7ff8dc7836ef in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
#25 0x7ff8dc7836ef in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:363:17
#26 0x7ff8dc782c6b in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:610:18
#27 0x7ff8dc785636 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1225:11
#28 0x7ff8de8c1a92 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1085:7
#29 0x7ff8dfec7242 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6398:20
#30 0x7ff8dfec664b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5792:7
#31 0x7ff8dfec8316 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#32 0x7ff8d9f56d79 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1372:3
#33 0x7ff8d9f562f2 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14
#34 0x7ff8d9f5449b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:795:9
#35 0x7ff8d9f55744 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:678:5
#36 0x7ff8dfefe21f in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13891:23
#37 0x7ff8d918257f in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22
#38 0x7ff8d9183ac0 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:535:10
#39 0x7ff8dab54fec in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11673:18
#40 0x7ff8dab3b0cd in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8123:3
#41 0x7ff8dabeded9 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
#42 0x7ff8dabeded9 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#43 0x7ff8dabeded9 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#44 0x7ff8dabeded9 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#45 0x7ff8dabeded9 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#46 0x7ff8dabeded9 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#47 0x7ff8dabeded9 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
#48 0x7ff8d8f444b7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:549:16
#49 0x7ff8d8f3c073 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:876:26
#50 0x7ff8d8f3a8b7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:699:15
#51 0x7ff8d8f3ad15 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:485:36
#52 0x7ff8d8f481c6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:211:37
#53 0x7ff8d8f481c6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#54 0x7ff8d8f5ebd2 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16
#55 0x7ff8d8f65cbd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#56 0x7ff8d9c18ed5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#57 0x7ff8d9b33591 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#58 0x7ff8d9b33591 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#59 0x7ff8de44f598 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#60 0x7ff8e068777b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#61 0x7ff8d9c19db6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#62 0x7ff8d9b33591 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#63 0x7ff8d9b33591 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#64 0x7ff8e0686fe2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#65 0x56264cd4f236 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#66 0x56264cd4f236 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#67 0x7ff8ed229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#68 0x7ff8ed229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#69 0x56264cd24f68 in _start (/home/user/workspace/browsers/m-c-20231011211944-fuzzing-debug/firefox-bin+0x58f68) (BuildId: 2eb5cce7d8cf9cabd42b9b13372b658517f57670)

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20231012211841-a5369079cd89.
The bug appears to have been introduced in the following build range:

Start: 2317c21d7aeb68528ec7946980e7ca68d74c451a (20230531095626)
End: be003bc24d249ccbd427d8ba21ea81c4637f1cda (20230531124008)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2317c21d7aeb68528ec7946980e7ca68d74c451a&tochange=be003bc24d249ccbd427d8ba21ea81c4637f1cda

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1835353

:masayuki, since you are the author of the regressor, bug 1835353, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Comment 3

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

I guess it's no problem even though we need to touch the hot path:
https://treeherder.mozilla.org/perfherder/compare?originalProject=try&originalRevision=e2d5cde1e5ad98b1e93b42d38bc9846ab318529f&newProject=try&newRevision=9f0342f7ec945d7fa9c935286cf4f95eab3a825c&page=1&framework=13

Comment 4

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Attachment: Bug 1858804 - Make `TextControlState::GetIMEContentObserver()` return `nullptr` if it observes for `HTMLEditor` r=smaug!

<input> and <textarea> can be an editing host. If so, setting focus to
the elements causes IMEContentObserver observing HTML editing under the
text control element instead of observing the native anonymous tree for the
elements. Therefore, if IMEContentObserver observes it with HTMLEditor,
it does not need to notify IMEContentObserver of the value changes.

Comment 5

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

The performance result with the latest patch:
https://treeherder.mozilla.org/perfherder/comparesubtest?originalProject=try&newProject=try&newRevision=3b882cc8b520062d21c5812d5d626c653c11c042&originalSignature=4586009&newSignature=4586009&framework=13&application=firefox&originalRevision=b0984ece8e5b8247414a552a230d516970fd1436&page=1

Comment 6

[Pulsebot]

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/2f69baaf82db
Make `TextControlState::GetIMEContentObserver()` return `nullptr` if it observes for `HTMLEditor` r=smaug

Comment 7

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/42595 for changes under testing/web-platform/tests

Comment 8

[Narcis Beleuzu [:NarcisB]]

https://hg.mozilla.org/mozilla-central/rev/2f69baaf82db

Comment 9

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 10

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20231018160439-639c0da2250e.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.