Open Bug 1885462 Opened 1 year ago Updated 3 months ago

Crash in [@ mozilla::dom::Selection::SelectFrames]

Categories

(Core :: DOM: Selection, defect)

Product:
Core
Component:
DOM: Selection
Platform:
Unspecified
Windows 11
Type:
defect

Tracking

()

Status:
ASSIGNED
Tracking Flags:
Tracking Status
firefox125 --- affected

People

(Reporter: mccr8, Assigned: sefeng211)

References

Details

(Keywords: crash, leave-open)

Crash Data

Attachments

(1 file)

Bug 1885462 - Add a new MOZ_DIAGNOSTIC_ASSERT_IF assert to Selection::SelectFrames
48 bytes, text/x-phabricator-request
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/d935db4c-8512-4e90-b9f8-9f19b0240314

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(aRange.IsPositioned())

Top 10 frames of crashing thread:

0  xul.dll  mozilla::dom::Selection::SelectFrames const  dom/base/Selection.cpp:1736
1  xul.dll  mozilla::dom::Selection::Clear  dom/base/Selection.cpp:1341
1  xul.dll  mozilla::dom::Selection::CollapseInternal  dom/base/Selection.cpp:2496
2  xul.dll  mozilla::dom::Selection::CollapseInLimiter  dom/base/Selection.cpp:2444
3  xul.dll  mozilla::dom::Selection::CollapseInLimiter  dom/base/Selection.h:221
3  xul.dll  mozilla::dom::Selection::CollapseInLimiter  dom/base/Selection.h:216
3  xul.dll  nsFrameSelection::TakeFocus  layout/generic/nsFrameSelection.cpp:1342
4  xul.dll  nsFrameSelection::HandleClick  layout/generic/nsFrameSelection.cpp:1170
5  xul.dll  nsIFrame::MoveCaretToEventPoint  layout/generic/nsIFrame.cpp:4873
6  xul.dll  nsIFrame::HandleEvent  layout/generic/nsIFrame.cpp:4407

Possible regression.

Flags: needinfo?(jjaschke)

Masayuki, is the assert at this point the right thing to do? There's quite a few callers of SelectFrames(), which don't necessarily enforce the range to be positioned (e.g. the Clear() which is visible in the crash stack trace).

I could see this assert being meaningful if aSelect is true, but I would assume it'd be safer in general to just return early if the range is not positioned. Or is it rather a bug that there is a non-positioned range in Selection at all?

Flags: needinfo?(jjaschke) → needinfo?(masayuki)

Yes, I think the assertion is reasonable. AbstractRange::mIsPositioned is set to true only when both boundaries and the range root are properly set to non-null and the given range should be previous selection range in the case. So, my question (and the root cause) is, how did the selection range become "not positioned"?

Note that I changed that the range will be removed from selections when the range becomes "not positioned" or is updated into different range root in 124. So the change is applied even in the beta channel. I'm not sure where is the remaining path causing this odd state.

Flags: needinfo?(masayuki)
Severity: -- → S3

Bug 1890888 has a fuzz testcase that repros this crash

See Also: → 1890888

Thank you. However, it seems that it's caused by supporting selection across shadow DOM boundaries and it was landed recently. So, I guess that there is another cause. On the other hand, the testcase provides a good example how to create the odd situation.

Bug 1896229 has a fuzz testcase that crashes with this crash signature.

See Also: → 1896229

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 content process crashes on beta

:avandolder, could you consider increasing the severity of this top-crash bug?

For more information, please visit BugBot documentation.

Flags: needinfo?(avandolder)
Keywords: topcrash

Sean, should this crash also be fixed by the patch for bug 1890899?

Flags: needinfo?(avandolder) → needinfo?(sefeng)

Hey, this just happened for me on a recent Nightly. My build ID was 20240531093001, which I guesss hould be recent enough?

The crash is in MOZ_DIAGNOSTIC_ASSERT(aRange.IsPositioned()); from Selection.cpp#1771.

Happens somewhat reproducible on one of my local home network appliances. Not easy for me to build a test case but happy to re-test if someone needs this.

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Keywords: topcrash

I find a code looking odd to me.
https://searchfox.org/mozilla-central/rev/01aaa47e62a2015e7641f26ab0bc2bb00ab579b8/dom/base/Selection.cpp#704
When it's called, it does not clear the selection ranges, but unregister itself from the ranges. However, this path should not related to the stack in comment 0 because it's called during a press of the primary button of the pointing device...

I wonder if this relates to shadow-crossing selection. I.e,
the default boundaries (nsRange.mStart, nsRange.mEnd) are collapsed,
but there's a CrossShadowBoundaryRange that makes this nsRange
still valid to many callers.

Assignee: nobody → sefeng
Status: NEW → ASSIGNED

The proposed patch just adds an assertion to see if we can isolate this to a shadow-crossing boundary selection issue.

Flags: needinfo?(sefeng)
Keywords: leave-open
Pushed by sefeng@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/429c14f128c5 Add a new MOZ_DIAGNOSTIC_ASSERT_IF assert to Selection::SelectFrames r=masayuki

A few new crash reports have come in since comment 15. All of them have been MOZ_DIAGNOSTIC_ASSERT(aRange.IsPositioned()) so far.
https://crash-stats.mozilla.org/report/index/a4a9866f-802a-409d-ba52-191e20240922

This is somewhat spiking on nightly, crash volume has doubled in recent days.

Masayuki, I think this https://crash-stats.mozilla.org/report/index/22467122-bdcb-46c6-9646-500360241007 matches what you described in comment 11. Selection::Clear would do that right? Though I don't see how it can cause the crash.

thoughts?

Flags: needinfo?(masayuki)

Well, it occurs only when the cycle collector cleans Selection up. However, it seems that the crash is not after that.

AbstractRange::mIsPositioned is updated in nsRange::DoSetRange. When start and/or end boundary gets cleared, it's set to false. Then, it's removed from Selection, the assertion fails. However, I have no idea how to clear the boundaries...

Flags: needinfo?(masayuki)

Have we seen any of these crashes in fuzzing land by chance, Jason?

Flags: needinfo?(jkratzer)

No, unfortunately not. I suspect it's because of the user interaction required based on the stack?

Flags: needinfo?(jkratzer)

It just happened to me again when I was signing into a website using the password manager and clicking to submit a form. I am not sure but my selection was either the username in the field or actually something from the password managers injected popup. I am using the Firefox builtin password manager.

Hope this helps :)

Flags: needinfo?(sefeng)

Thanks, I'll submit a patch to that bug, and needs an revisit to this bug once that one is fixed.

Flags: needinfo?(sefeng)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: