Assertion failure: IsInDocumentChange(), at /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:985
Categories
(Core :: DOM: UI Events & Focus Handling, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox134 | --- | wontfix |
| firefox135 | --- | wontfix |
| firefox136 | --- | fix-optional |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 2 open bugs, Regression)
Details
(6 keywords, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file, 1 obsolete file)
|
340 bytes,
text/html
|
Details |
Found while fuzzing m-c 20241010-3176f083b259 (--enable-debug --enable-fuzzing)
A Pernosco session is available here: https://pernos.co/debug/c-wv5aa2H-Yi2eNIP-3jdg/index.html
Assertion failure: IsInDocumentChange(), at /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:985
#0 0x7d010e1d2dc8 in mozilla::IMEContentObserver::ContentAdded(nsINode*, nsIContent*, nsIContent*) /builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp:985:3
#1 0x7d010c7bd4ae in operator() /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:175:22
#2 0x7d010c7bd4ae in ForEachAncestorObserver<(lambda at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:175:22)> /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:60:11
#3 0x7d010c7bd4ae in Notify<(NotifyPresShell)2, (lambda at /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:175:22)> /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:94:19
#4 0x7d010c7bd4ae in mozilla::dom::MutationObservers::NotifyContentInserted(nsINode*, nsIContent*) /builds/worker/checkouts/gecko/dom/base/MutationObservers.cpp:175:3
#5 0x7d010c9505d8 in nsINode::InsertChildBefore(nsIContent*, nsIContent*, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1694:7
#6 0x7d010c9586d2 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2909:7
#7 0x7d010c9547ed in InsertBefore /builds/worker/checkouts/gecko/dom/base/nsINode.h:2241:12
#8 0x7d010c9547ed in nsINode::Prepend(mozilla::dom::Sequence<mozilla::dom::OwningNodeOrString> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2236:3
#9 0x7d010d6ffe65 in mozilla::dom::Element_Binding::prepend(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./ElementBinding.cpp:12203:24
#10 0x7d010d92d4e7 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3266:13
#11 0x7d01110173a4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:527:13
#12 0x7d0111016b8f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:623:12
#13 0x7d011101818f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:722:8
#14 0x7d011159c44c in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/checkouts/gecko/js/src/proxy/Wrapper.cpp:168:10
#15 0x7d0111568e6e in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/checkouts/gecko/js/src/proxy/CrossCompartmentWrapper.cpp:229:19
#16 0x7d011158b2c2 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:705:19
#17 0x7d0111017108 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:603:14
#18 0x7d0111adb426 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1677:10
#19 0x802c9683d5e ([anon:js-executable-memory])
|
||
Comment 1•3 months ago
|
||
tsmith: Could you attach a testcase?
|
Reporter | |
Comment 2•3 months ago
|
||
Yes but with crossfuzz the test case is the fuzzer run with a certain seed and on top of that it will likely only reproduce in exactly the same build the issue was found with. That is why I added a Pernosco session and not a test case. So that said is the test case still valuable?
|
|
||
Comment 3•3 months ago
|
||
Yeah, I checked the stack and the variable update history before the assertion failure, but I don't understand what was going on. Looks like IMEContentObserver receives a mutation of uncomposed node, but it should not happen. So, I'd like to see what was done before the DOM API call.
|
|
Reporter | |
Comment 4•3 months ago
|
||
As mentioned in comment 2 this will likely only reproduce with a specific build, here are STR:
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing --build f60d749f1adf -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
|
|
||
Comment 5•3 months ago
|
||
Thank you. Although I couldn't understand what the test does, but it's helpful to check which elements are editable.
Looks like that there is a <body> and it has already been removed from the document, but IMEContentObserver oddly keeps observing its mutation. Finally, a mutation occurs in the orphan <body>. Therefore, the document is not in a change.
Oddly, either ContentRemoved or ParentChainChanged has not been called yet. I guess that something was broken in a lower layer than this class, but it was fixed immediately. I mean that the assertion failure should occur in any builds if we still have this bug.
tsmith: Do you think this can be closed as WFM? Or, should keep open?
|
|
Reporter | |
Comment 6•3 months ago
•
|
||
(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900) from comment #5)
tsmith: Do you think this can be closed as WFM? Or, should keep open?
There have been multiple reports of this issue with the latest being from last night (20241024-e509c25e4ec7). Because of the nature of this fuzzer it will require a different seed value to trigger the issue on different build (as mentioned before each test will only work with the build it found the issue on). So just because the bug exists on a build doesn't mean it can be found the fuzzer/seed combo used with different build.
|
|
||
Comment 7•3 months ago
|
||
Okay, thank you. The assertion detects a bug. Once this occurs, IME won't receive text/selection change notifications correctly until focus is changed. Therefore, IME may not work; in the worst scenario, crash in IME module loaded in our parent process. However, we've not reached the root cause of this issue, so I guess it's not realistic scenario to make users victims of this bug. Let's wait additional hits for working on this.
|
|
||
Updated•3 months ago
|
|
|
Reporter | |
Comment 8•17 days ago
|
||
|
|
Reporter | |
Comment 9•17 days ago
|
||
Domino found a much better test case.
|
||
Comment 10•17 days ago
|
||
Verified bug as reproducible on mozilla-central 20250113214519-9c70867f63db.
The bug appears to have been introduced in the following build range:
Start: 9f8a80c4ad32c1e475a99edab5b4f2f72f295139 (20240703074254)
End: 12a89b416bd596e624481e473ded99c0bcd2896f (20240703090155)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9f8a80c4ad32c1e475a99edab5b4f2f72f295139&tochange=12a89b416bd596e624481e473ded99c0bcd2896f
|
||
Updated•16 days ago
|
Description
•