1870958 - Assertion failure: false (Invalid ContentCache data), at /builds/worker/checkouts/gecko/widget/ContentCache.cpp:110

Status: VERIFIED FIXED

(Core :: DOM: UI Events & Focus Handling, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20231127-9ca2bcf6799b (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: false (Invalid ContentCache data), at /builds/worker/checkouts/gecko/widget/ContentCache.cpp:110

#0 0x7fb1c7a81b78 in mozilla::ContentCache::AssertIfInvalid() const /builds/worker/checkouts/gecko/widget/ContentCache.cpp:110:3
#1 0x7fb1c7a83487 in mozilla::ContentCacheInChild::CacheCaret(nsIWidget*, mozilla::widget::IMENotification const*) /builds/worker/checkouts/gecko/widget/ContentCache.cpp:271:3
#2 0x7fb1c7a85ec5 in mozilla::ContentCacheInChild::SetSelection(nsIWidget*, mozilla::widget::IMENotification::SelectionChangeDataBase const&) /builds/worker/checkouts/gecko/widget/ContentCache.cpp:686:3
#3 0x7fb1c7aa1152 in mozilla::widget::PuppetWidget::NotifyIMEOfSelectionChange(mozilla::widget::IMENotification const&) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:837:7
#4 0x7fb1c7ab0f1f in mozilla::widget::TextEventDispatcher::NotifyIME(mozilla::widget::IMENotification const&) /builds/worker/checkouts/gecko/widget/TextEventDispatcher.cpp:487:40
#5 0x7fb1c7a76f7a in nsBaseWidget::NotifyIME(mozilla::widget::IMENotification const&) /builds/worker/checkouts/gecko/widget/nsBaseWidget.cpp:1897:43
#6 0x7fb1c5d90004 in mozilla::IMEStateManager::NotifyIME(mozilla::widget::IMENotification const&, nsIWidget*, mozilla::dom::BrowserParent*) /builds/worker/checkouts/gecko/dom/events/IMEStateManager.cpp
#7 0x7fb1c5d97f0d in mozilla::IMEContentObserver::IMENotificationSender::SendSelectionChange() /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1973:3
#8 0x7fb1c5d96ec9 in mozilla::IMEContentObserver::IMENotificationSender::Run() /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:1796:7
#9 0x7fb1c7e92298 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2689:13
#10 0x7fb1c7e9bda1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:13
#11 0x7fb1c7e9bda1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:345:7
#12 0x7fb1c7e9bca0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:361:5
#13 0x7fb1c7e9bb3d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:951:5
#14 0x7fb1c7e9addc in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:861:5
#15 0x7fb1c7e9a049 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#16 0x7fb1c71c51cb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#17 0x7fb1c74b121d in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:227:78
#18 0x7fb1c739d2d0 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8264:32
#19 0x7fb1c32aea9f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1813:25
#20 0x7fb1c32ab7f2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1732:9
#21 0x7fb1c32ac472 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#22 0x7fb1c32ad5bf in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#23 0x7fb1c25c3c97 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:557:16
#24 0x7fb1c25b98a3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:884:26
#25 0x7fb1c25b8097 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:707:15
#26 0x7fb1c25b8515 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:493:36
#27 0x7fb1c25c7c06 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:211:37
#28 0x7fb1c25c7c06 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#29 0x7fb1c25dcf32 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#30 0x7fb1c25e405d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#31 0x7fb1c32b4a05 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#32 0x7fb1c31ce541 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#33 0x7fb1c31ce541 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#34 0x7fb1c7acedb8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#35 0x7fb1c7b8bce8 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#36 0x7fb1c9ba724b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#37 0x7fb1c32b58e6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#38 0x7fb1c31ce541 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#39 0x7fb1c31ce541 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#40 0x7fb1c9ba6ab2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#41 0x55b6e63e2f76 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#42 0x55b6e63e2f76 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#43 0x7fb1d7829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#44 0x7fb1d7829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#45 0x55b6e63b8ca8 in _start (/home/user/workspace/browsers/m-c-20231219152636-fuzzing-debug/firefox-bin+0x58ca8) (BuildId: 90d3f5cabd64731666bc1ea1e49f1b6315f5502c)

Comment 1

[Mayank Bansal]

Got a crash from the testcase: https://crash-stats.mozilla.org/report/index/dc010bfb-ce78-4271-afe3-27a340231220

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20231220041048-8d4d791bc8d8.
The bug appears to have been introduced in the following build range:

Start: d49f009b89ad3ae1616d96cb1d2d9234ef3f6cda (20230526040655)
End: ffc18acbe9c027a3d6c960322b40a9d0576af311 (20230526045844)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d49f009b89ad3ae1616d96cb1d2d9234ef3f6cda&tochange=ffc18acbe9c027a3d6c960322b40a9d0576af311

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1825693

:masayuki, since you are the author of the regressor, bug 1825693, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Comment 4

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

This is a tricky case. Probably, setting dir attr causes destroying the text control frame and its TextEditor, then, while calling prepend, the initialization of <marquee> runs, flushes the pending things and making new TextEditor. While this recreation, IMEContentObserver stops working due to bug 1162818, but the text control frame recreation recreates the anonymous subtree of TextEditor with new default value. Therefore, IMEContentObserver does not have a chance to know the value change with mutations.

Comment 5

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Attachment: Bug 1870958 - Make `TextControlState` notify `IMEContentObserver` of default value change if `TextEditor` is being initialized r=smaug!,m_kato!

The default value of <textarea> may be changed during reframes of the
corresponding nsTextControlFrame. Then, the TextEditor and the anonymous
subtree is recreated. In this moment, IMEContentObserver will restart to
observer the anonymous subtree after the editor is completely initialized,
but new default value which is caused by a mutation under <textarea> is
copied at recreating the anonymous subtree. Therefore, IMEContentObserver
fails to notify the text change before a further selection change.

For solving this issue, this patch makes TextControlState notifies
IMEContentObserver of default value change at recreating a new TextEditor.
Therefore, this patch may cause redundant text change notifications for IME.
Currently, I have a plan to fix bug 854272 to carry TextEditor instance and
the anonymous subtree over to new nsTextControlFrame. So, I believe that
this approach is reasonable for now (It'd be easier if we could add new
nsString to TextControlState without increasing the instance size, though).

Comment 6

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Makoto-san, could you review the patch? Thanks!

Comment 7

[Pulsebot]

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/ce420ac2d83a
Make `TextControlState` notify `IMEContentObserver` of default value change if `TextEditor` is being initialized r=smaug,m_kato

Comment 8

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/44180 for changes under testing/web-platform/tests

Comment 9

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Thank you for your review!

Comment 10

[Norisz Fay [:noriszfay]]

https://hg.mozilla.org/mozilla-central/rev/ce420ac2d83a

Comment 11

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 12

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:masayuki, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox123 to wontfix.

For more information, please visit BugBot documentation.

Comment 13

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20240125094742-6497cc2893d1.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 14

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

It touched a complicated path and the crash rate is low. Let's make it just ride the train.