Closed Bug 1724816 Opened 3 years ago Closed 3 years ago

crash near null in [@ nsFocusManager::UpdateCaret]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
93 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- wontfix
firefox91 --- wontfix
firefox92 --- wontfix
firefox93 --- verified

People

(Reporter: tsmith, Assigned: sefeng)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

testcase.html
(deleted), text/html
Details
Bug 1724816 - Check the focused window still persists after MoveCaretToFocus r=smaug
(deleted), text/x-phabricator-request
Details
Attached file testcase.html (deleted) —

Found while fuzzing m-c 20210807-7338d7d94091 (--enable-debug --enable-fuzzing)

Assertion failure: mRawPtr != nullptr (You can't dereference a NULL nsCOMPtr with operator->().), at /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:871

#0 0x7fa0b5ba06c7 in nsCOMPtr<nsPIDOMWindowOuter>::operator->() const /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:870:5
#1 0x7fa0b66da099 in nsFocusManager::UpdateCaret(bool, bool, nsIContent*) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:3003:36
#2 0x7fa0b66d1e3c in nsFocusManager::Focus(nsPIDOMWindowOuter*, mozilla::dom::Element*, unsigned int, bool, bool, bool, bool, unsigned long, mozilla::Maybe<nsFocusManager::BlurredElementInfo> const&) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2646:5
#3 0x7fa0b66cd5f8 in nsFocusManager::SetFocusInner(mozilla::dom::Element*, int, bool, bool, unsigned long) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:1736:5
#4 0x7fa0b66ce8d4 in nsFocusManager::SetFocus(mozilla::dom::Element*, unsigned int) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:492:3
#5 0x7fa0b65b247a in mozilla::dom::Element::Focus(mozilla::dom::FocusOptions const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:462:16
#6 0x7fa0b7e1fed4 in mozilla::dom::HTMLDialogElement::FocusDialog() /builds/worker/checkouts/gecko/dom/html/HTMLDialogElement.cpp:188:14
#7 0x7fa0b7e20271 in mozilla::dom::HTMLDialogElement::ShowModal(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/html/HTMLDialogElement.cpp:143:3
#8 0x7fa0b77afd58 in mozilla::dom::HTMLDialogElement_Binding::showModal(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/HTMLDialogElementBinding.cpp:251:24
#9 0x7fa0b79494b7 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3299:13
#10 0x7fa0baaf5c70 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:402:13
#11 0x7fa0baaf53f2 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:489:12
#12 0x7fa0baaf6bf9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:549:10
#13 0x7fa0baaec78d in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:553:10
#14 0x7fa0baaec78d in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3242:16
#15 0x7fa0baae3615 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:371:13
#16 0x7fa0baaf540f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:521:13
#17 0x7fa0baaf6bf9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:549:10
#18 0x7fa0baaf6e31 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:566:8
#19 0x7fa0bacafe63 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#20 0x7fa0b75a30f9 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:282:37
#21 0x7fa0b7d25d55 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#22 0x7fa0b7d24e39 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
#23 0x7fa0b7d0785b in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1121:22
#24 0x7fa0b7d084d2 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1312:17
#25 0x7fa0b7cfd7e5 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:394:5
#26 0x7fa0b7cfd7e5 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
#27 0x7fa0b7cfced4 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:586:14
#28 0x7fa0b7cff924 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1082:11
#29 0x7fa0b7d02566 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#30 0x7fa0b6702915 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1339:17
#31 0x7fa0b6415d9a in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4301:28
#32 0x7fa0b6415c26 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4271:10
#33 0x7fa0b664cd46 in DispatchTrustedEvent /builds/worker/workspace/obj-build/dist/include/nsContentUtils.h:1455:12
#34 0x7fa0b664cd46 in MaybeDispatchSelectstartEvent(nsRange const&, bool, mozilla::dom::Document*) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:823:5
#35 0x7fa0b664c7d3 in mozilla::dom::Selection::AddRangesForUserSelectableNodes(nsRange*, int*, mozilla::dom::Selection::DispatchSelectstartEvent) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:886:41
#36 0x7fa0b6651430 in mozilla::dom::Selection::AddRangeAndSelectFramesAndNotifyListeners(nsRange&, mozilla::dom::Document*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1922:14
#37 0x7fa0b6653bd3 in AddRangeAndSelectFramesAndNotifyListeners /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1881:10
#38 0x7fa0b6653bd3 in mozilla::dom::Selection::SetStartAndEndInternal(mozilla::dom::Selection::InLimiter, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, nsDirection, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3445:3
#39 0x7fa0b6653a33 in mozilla::dom::Selection::SelectAllChildren(nsINode&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2650:3
#40 0x7fa0b9388f7f in nsDocumentViewer::SelectAll() /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:2458:14
#41 0x7fa0b66f909b in nsSelectionCommand::DoCommand(char const*, nsISupports*) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowCommands.cpp:654:10
#42 0x7fa0b7c80556 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /builds/worker/checkouts/gecko/dom/commandhandler/nsControllerCommandTable.cpp:138:26
#43 0x7fa0b7c803b6 in nsBaseCommandController::DoCommand(char const*) /builds/worker/checkouts/gecko/dom/commandhandler/nsBaseCommandController.cpp:114:24
#44 0x7fa0b7c82a70 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /builds/worker/checkouts/gecko/dom/commandhandler/nsCommandManager.cpp:193:22
#45 0x7fa0b6574c5f in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5295:25
#46 0x7fa0b75d0143 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3475:36
#47 0x7fa0b79494b7 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3299:13
#48 0x7fa0baaf5c70 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:402:13
#49 0x7fa0baaf53f2 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:489:12
#50 0x7fa0baaf6bf9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:549:10
#51 0x7fa0baaec78d in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:553:10
#52 0x7fa0baaec78d in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3242:16
#53 0x7fa0baae3615 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:371:13
#54 0x7fa0baaf540f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:521:13
#55 0x7fa0baaf6bf9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:549:10
#56 0x7fa0baaf6e31 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:566:8
#57 0x7fa0bacafe63 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#58 0x7fa0b75a30f9 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:282:37
#59 0x7fa0b7d25d55 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#60 0x7fa0b7d24e39 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
#61 0x7fa0b7d0785b in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1121:22
#62 0x7fa0b7d084d2 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1312:17
#63 0x7fa0b7cfd7e5 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:394:5
#64 0x7fa0b7cfd7e5 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
#65 0x7fa0b7cfccff in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
#66 0x7fa0b7cff924 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1082:11
#67 0x7fa0b93849a3 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1087:7
#68 0x7fa0ba49f9e4 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6284:20
#69 0x7fa0ba49f4df in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5674:7
#70 0x7fa0ba4a035f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#71 0x7fa0b5b8787c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1370:3
#72 0x7fa0b5b86e4a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:968:14
#73 0x7fa0b5b85257 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:787:9
#74 0x7fa0b5b8702c in ChildDoneWithOnload /builds/worker/workspace/obj-build/dist/include/nsDocLoader.h:244:5
#75 0x7fa0b5b8702c in nsDocLoader::NotifyDoneWithOnload(nsDocLoader*) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:862:14
#76 0x7fa0b5b85262 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:789:9
#77 0x7fa0b5b8643f in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:670:5
#78 0x7fa0ba4bfc48 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13438:23
#79 0x7fa0b4a8766a in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:614:22
#80 0x7fa0b4a88ae3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:518:10
#81 0x7fa0b659225d in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11451:18
#82 0x7fa0b656f2a0 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11381:9
#83 0x7fa0b6581596 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7901:3
#84 0x7fa0b65f1196 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#85 0x7fa0b65f1196 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#86 0x7fa0b65f1196 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#87 0x7fa0b48c5562 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:144:20
#88 0x7fa0b48f035e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:502:16
#89 0x7fa0b48ce0c9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:805:26
#90 0x7fa0b48ccf48 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:15
#91 0x7fa0b48cd1c3 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:425:36
#92 0x7fa0b48f3b56 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
#93 0x7fa0b48f3b56 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:532:5
#94 0x7fa0b48dfcff in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1148:16
#95 0x7fa0b48e676a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:466:10
#96 0x7fa0b5207b46 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#97 0x7fa0b5162417 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#98 0x7fa0b5162332 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#99 0x7fa0b5162332 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#100 0x7fa0b9005a48 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#101 0x7fa0ba9bfcb3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:917:20
#102 0x7fa0b5208a3a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#103 0x7fa0b5162417 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#104 0x7fa0b5162332 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#105 0x7fa0b5162332 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#106 0x7fa0ba9bf8ce in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:749:34
#107 0x55f5506af9b6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#108 0x55f5506af9b6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
#109 0x7fa0c962f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#110 0x55f55068c7bc in _start (/home/user/workspace/browsers/m-c-20210809213353-fuzzing-debug/firefox-bin+0x157bc)
Severity: -- → S2
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/_UOtPP1XY5do_RKFx58_TA/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210810094908-efefbf74d3fc.
The bug appears to have been introduced in the following build range:

Start: c00df77af50e0703d37188be7c57032713e6efec (20210429214231)
End: e4c1a20756de7c7be63fffdded2e0b16c01ecd38 (20210429202951)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=c00df77af50e0703d37188be7c57032713e6efec&tochange=e4c1a20756de7c7be63fffdded2e0b16c01ecd38

Whiteboard: [bugmon:bisected,confirmed]

The test has <dialog> and the regression range has https://hg.mozilla.org/mozilla-unified/rev/130bfa5327532a2b188e4cc06f5e1de7183327e8

Flags: needinfo?(sefeng)

In nsFocusManager::UpdateCaret, the focused window has a null check
at the beginning of the function. However, this isn't enough because
MoveCaretToFocus can possibly run scripts as well, and the scripts
may clear the focused window.

This patch adds a null check after the usage of MoveCaretToFocus.

Assignee: nobody → sefeng
Status: NEW → ASSIGNED
Flags: needinfo?(sefeng)
Has Regression Range: --- → yes
Pushed by sefeng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/405034da0bdf
Check the focused window still persists after MoveCaretToFocus r=smaug

https://hg.mozilla.org/mozilla-central/rev/405034da0bdf

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox93: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 93 Branch
status-firefox92: affectedwontfix
status-firefox-esr91: affectedwontfix
Flags: in-testsuite? → in-testsuite+

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210816215309-405034da0bdf.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox93: fixedverified
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: