Open Bug 2045172 Opened 2 days ago Updated 1 day ago

Hit MOZ_CRASH(Invalid ContentCache data) at checkouts/gecko/widget/ContentCache.cpp:106

Categories

(Core :: DOM: Selection, defect)

ASSIGNED
Tracking Status
firefox-esr140 --- unaffected
firefox151 --- unaffected
firefox152 --- unaffected
firefox153 --- affected

People

(Reporter: tsmith, Assigned: masayuki)

References

(Blocks 1 open bug, Regression)

Details

(5 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20260528-9abeab7ea133 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(Invalid ContentCache data) at checkouts/gecko/widget/ContentCache.cpp:106

#0 0x7bffdbd41fce in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7bffdbd41fce in mozilla::ContentCache::AssertIfInvalid() const /builds/worker/workspace/obj-build/widget/./../../../checkouts/gecko/widget/ContentCache.cpp:106:3
#2 0x7bffdbd497c8 in mozilla::ContentCacheInChild::CacheTextRects(nsIWidget*, mozilla::widget::IMENotification const*) /builds/worker/workspace/obj-build/widget/./../../../checkouts/gecko/widget/ContentCache.cpp:642:3
#3 0x7bffdbd4b88b in mozilla::ContentCacheInChild::SetSelection(nsIWidget*, mozilla::widget::IMENotification::SelectionChangeDataBase const&) /builds/worker/workspace/obj-build/widget/./../../../checkouts/gecko/widget/ContentCache.cpp:676:3
#4 0x7bffdbdb0794 in NotifyIMEOfSelectionChange /builds/worker/workspace/obj-build/widget/./../../../checkouts/gecko/widget/PuppetWidget.cpp:782:7
#5 0x7bffdbdb0794 in mozilla::widget::PuppetWidget::NotifyIME(mozilla::widget::TextEventDispatcher*, mozilla::widget::IMENotification const&) /builds/worker/workspace/obj-build/widget/./../../../checkouts/gecko/widget/PuppetWidget.cpp:1047:14
#6 0x7bffdbdc67cc in mozilla::widget::TextEventDispatcher::NotifyIME(mozilla::widget::IMENotification const&) /builds/worker/workspace/obj-build/widget/./../../../checkouts/gecko/widget/TextEventDispatcher.cpp:470:40
#7 0x7bffdbd30f44 in nsIWidget::NotifyIME(mozilla::widget::IMENotification const&) /builds/worker/checkouts/gecko/widget/nsIWidget.cpp:1973:43
#8 0x7bffd7a4e673 in mozilla::IMEStateManager::NotifyIME(mozilla::widget::IMENotification const&, nsIWidget*, mozilla::dom::BrowserParent*) /builds/worker/workspace/obj-build/dom/events/./../../../../checkouts/gecko/dom/events/IMEStateManager.cpp:2497:22
#9 0x7bffd7a6309c in mozilla::IMEContentObserver::IMENotificationSender::SendSelectionChange() /builds/worker/workspace/obj-build/dom/events/./../../../../checkouts/gecko/dom/events/IMEContentObserver.cpp:2117:3
#10 0x7bffd7a6066d in mozilla::IMEContentObserver::IMENotificationSender::Run() /builds/worker/workspace/obj-build/dom/events/./../../../../checkouts/gecko/dom/events/IMEContentObserver.cpp:1927:7
#11 0x7bffdc605eb9 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2406:13
#12 0x7bffdc61cc26 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:365:13
#13 0x7bffdc61cc26 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:343:7
#14 0x7bffdc61c9ea in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:359:5
#15 0x7bffdc61c661 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:946:5
#16 0x7bffdc61b509 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:856:5
#17 0x7bffdc61a072 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:753:5
#18 0x7bffdc6196a8 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:587:14
#19 0x7bffdc6192dc in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:544:9
#20 0x7bffdac8929b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:64:15
#21 0x7bffdb157909 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/dom/ipc/./../../ipc/ipdl/PVsyncChild.cpp:241:78
#22 0x7bffd1caa4ba in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/glue/./../ipdl/PBackgroundChild.cpp:4955:32
#23 0x7bffd1bfc335 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/obj-build/ipc/glue/./../../../../checkouts/gecko/ipc/glue/MessageChannel.cpp:1797:25
#24 0x7bffd1bf882e in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, std::default_delete<IPC::Message>>) /builds/worker/workspace/obj-build/ipc/glue/./../../../../checkouts/gecko/ipc/glue/MessageChannel.cpp:1723:9
#25 0x7bffd1bf9647 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/obj-build/ipc/glue/./../../../../checkouts/gecko/ipc/glue/MessageChannel.cpp:1512:3
#26 0x7bffd1bfab63 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/obj-build/ipc/glue/./../../../../checkouts/gecko/ipc/glue/MessageChannel.cpp:1614:14
#27 0x7bffd198ed3a in mozilla::RunnableTask::Run() /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:719:16
#28 0x7bffd1983e59 in mozilla::TaskController::RunTask(mozilla::Task*) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:210:19
#29 0x7bffd198b31d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:1358:20
#30 0x7bffd1988df8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:1181:15
#31 0x7bffd1989416 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:655:36
#32 0x7bffd19a2591 in operator() /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:347:37
#33 0x7bffd19a2591 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:536:5
#34 0x7bffd19c6cfc in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/nsThread.cpp:1179:16
#35 0x7bffd19d00c9 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:472:10
#36 0x7bffd1c0624e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/obj-build/ipc/glue/./../../../../checkouts/gecko/ipc/glue/MessagePump.cpp:83:21
#37 0x7bffd1ade394 in RunInternal /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:371:10
#38 0x7bffd1ade394 in RunHandler /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:364:3
#39 0x7bffd1ade394 in MessageLoop::Run() /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:346:3
#40 0x7bffdbdfebc6 in nsBaseAppShell::Run() /builds/worker/workspace/obj-build/widget/./../../../checkouts/gecko/widget/nsBaseAppShell.cpp:151:27
#41 0x7bffdbffb62b in nsAppShell::Run() /builds/worker/workspace/obj-build/widget/gtk/./../../../../checkouts/gecko/widget/gtk/nsAppShell.cpp:575:33
#42 0x7bffde0bfa9d in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:20
#43 0x7bffd1ade394 in RunInternal /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:371:10
#44 0x7bffd1ade394 in RunHandler /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:364:3
#45 0x7bffd1ade394 in MessageLoop::Run() /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:346:3
#46 0x7bffde0be93c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:590:34
#47 0x55555570a02a in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:466:22
Flags: in-testsuite?

Got this crash from the testcase on Nightly by Shift-reloading the page after the first load: https://crash-stats.mozilla.org/report/index/2b84c316-e20d-45c6-961c-1c4070260605

Crash Signature: [@ mozilla::ContentCache::AssertIfInvalid ]
Flags: needinfo?(masayuki)
Keywords: crash

I'll take a look next week.

Assignee: nobody → masayuki
Severity: -- → S2
Status: NEW → ASSIGNED

Verified bug as reproducible on mozilla-central 20260605012545-66d48816ebef.
The bug appears to have been introduced in the following build range:

Start: 0171c19d869add8c086617fb4f93ed79a23b968b (20260521123735)
End: 392a642aac421de0c7cea0587eaa5b7e6c8487e9 (20260521131905)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0171c19d869add8c086617fb4f93ed79a23b968b&tochange=392a642aac421de0c7cea0587eaa5b7e6c8487e9

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Flags: needinfo?(masayuki)
Regressed by: 2031575

Set release status flags based on info from the regressing bug 2031575
