Bug 1547897 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Testcase found while fuzzing mozilla-central rev 420e18a75314.

==25827==ERROR: AddressSanitizer: stack-overflow on address 0x7fff7f1ffff8 (pc 0x55786b6e45f1 bp 0x000000000053 sp 0x7fff7f200000 T0)
    #0 0x55786b6e45f0 in __asan::GetCurrentThread() /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:404
    #1 0x55786b68e0af in __tls_get_addr /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:5108:3
    #2 0x7f9648f3b042 in _$LT$core..cell..Cell$LT$T$GT$$GT$::get::h3d7388ced6d8decf /rustc/91856ed52c58aa5ba66a015354d1cc69e9779bdf/src/libcore/cell.rs:249:16
    #3 0x7f9648f3b042 in _$LT$std..thread..local..fast..Key$LT$T$GT$$GT$::get::h9a4f441257a47656 /rustc/91856ed52c58aa5ba66a015354d1cc69e9779bdf/src/libstd/thread/local.rs:375
    #4 0x7f9648f3b042 in style::sharing::SHARING_CACHE_KEY::__getit::h39eb9af1526d9223 /builds/worker/workspace/build/src/<::std::thread::local::__thread_local_inner macros>:23
    #5 0x7f9648f3b042 in _$LT$std..thread..local..LocalKey$LT$T$GT$$GT$::try_with::h245fabef33f11428 /rustc/91856ed52c58aa5ba66a015354d1cc69e9779bdf/src/libstd/thread/local.rs:297
    #6 0x7f9648f3b042 in _$LT$std..thread..local..LocalKey$LT$T$GT$$GT$::with::he5f0be01b5c3942a /rustc/91856ed52c58aa5ba66a015354d1cc69e9779bdf/src/libstd/thread/local.rs:246
    #7 0x7f9648f3b042 in _$LT$style..sharing..StyleSharingCache$LT$E$GT$$GT$::new::ha71dd31374b7d3d5 /builds/worker/workspace/build/src/servo/components/style/sharing/mod.rs:541
    #8 0x7f9649001941 in _$LT$style..context..ThreadLocalStyleContext$LT$E$GT$$GT$::new::h8e0fc5583d2364df /builds/worker/workspace/build/src/servo/components/style/context.rs:783:27
    #9 0x7f9649001941 in Servo_ResolveStyleLazily /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:4914
    #10 0x7f964282efd3 in mozilla::ServoStyleSet::ResolveStyleLazily(mozilla::dom::Element&, mozilla::PseudoStyleType, mozilla::StyleRuleInclusion) /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:1094:10
    #11 0x7f964286b5d3 in nsComputedDOMStyle::DoGetComputedStyleNoFlush(mozilla::dom::Element*, nsAtom*, mozilla::PresShell*, nsComputedDOMStyle::StyleType) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:573:17
    #12 0x7f96424454b6 in GetComputedStyleNoFlush /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.h:95:12
    #13 0x7f96424454b6 in mozilla::EditorBase::IsPreformatted(nsINode*) /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:3718
    #14 0x7f96426eeafe in mozilla::WSRunObject::GetRuns() /builds/worker/workspace/build/src/editor/libeditor/WSRunObject.cpp:880:10
    #15 0x7f96424a441c in mozilla::WSRunObject::WSRunObject(mozilla::HTMLEditor*, nsINode*, int) /builds/worker/workspace/build/src/editor/libeditor/WSRunObject.h:173:9
    #16 0x7f964251b664 in mozilla::HTMLEditRules::CheckForInvisibleBR(mozilla::dom::Element&, mozilla::HTMLEditRules::BRLocation, int) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:6477:15
    #17 0x7f96425109c3 in mozilla::HTMLEditRules::TryToJoinBlocksWithTransaction(nsIContent&, nsIContent&) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:3339:9
    #18 0x7f96424bda93 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2748:32
    #19 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #20 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #21 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #22 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #23 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #24 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #25 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #26 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #27 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #28 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #29 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #30 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #31 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #32 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #33 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #34 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #35 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #36 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #37 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #38 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #39 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #40 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #41 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #42 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #43 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #44 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #45 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #46 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #47 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #48 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #49 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #50 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
...truncated...
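Testcase found while fuzzing mozilla-central rev 420e18a75314. AddressSanitizer reports a stack overflow caused by deep self-recursion in `mozilla::HTMLEditRules::WillDeleteSelection`: every frame from #19 to the truncation point is the same call site, HTMLEditRules.cpp:2771.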

```
==25827==ERROR: AddressSanitizer: stack-overflow on address 0x7fff7f1ffff8 (pc 0x55786b6e45f1 bp 0x000000000053 sp 0x7fff7f200000 T0)
    #0 0x55786b6e45f0 in __asan::GetCurrentThread() /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:404
    #1 0x55786b68e0af in __tls_get_addr /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:5108:3
    #2 0x7f9648f3b042 in _$LT$core..cell..Cell$LT$T$GT$$GT$::get::h3d7388ced6d8decf /rustc/91856ed52c58aa5ba66a015354d1cc69e9779bdf/src/libcore/cell.rs:249:16
    #3 0x7f9648f3b042 in _$LT$std..thread..local..fast..Key$LT$T$GT$$GT$::get::h9a4f441257a47656 /rustc/91856ed52c58aa5ba66a015354d1cc69e9779bdf/src/libstd/thread/local.rs:375
    #4 0x7f9648f3b042 in style::sharing::SHARING_CACHE_KEY::__getit::h39eb9af1526d9223 /builds/worker/workspace/build/src/<::std::thread::local::__thread_local_inner macros>:23
    #5 0x7f9648f3b042 in _$LT$std..thread..local..LocalKey$LT$T$GT$$GT$::try_with::h245fabef33f11428 /rustc/91856ed52c58aa5ba66a015354d1cc69e9779bdf/src/libstd/thread/local.rs:297
    #6 0x7f9648f3b042 in _$LT$std..thread..local..LocalKey$LT$T$GT$$GT$::with::he5f0be01b5c3942a /rustc/91856ed52c58aa5ba66a015354d1cc69e9779bdf/src/libstd/thread/local.rs:246
    #7 0x7f9648f3b042 in _$LT$style..sharing..StyleSharingCache$LT$E$GT$$GT$::new::ha71dd31374b7d3d5 /builds/worker/workspace/build/src/servo/components/style/sharing/mod.rs:541
    #8 0x7f9649001941 in _$LT$style..context..ThreadLocalStyleContext$LT$E$GT$$GT$::new::h8e0fc5583d2364df /builds/worker/workspace/build/src/servo/components/style/context.rs:783:27
    #9 0x7f9649001941 in Servo_ResolveStyleLazily /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:4914
    #10 0x7f964282efd3 in mozilla::ServoStyleSet::ResolveStyleLazily(mozilla::dom::Element&, mozilla::PseudoStyleType, mozilla::StyleRuleInclusion) /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:1094:10
    #11 0x7f964286b5d3 in nsComputedDOMStyle::DoGetComputedStyleNoFlush(mozilla::dom::Element*, nsAtom*, mozilla::PresShell*, nsComputedDOMStyle::StyleType) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:573:17
    #12 0x7f96424454b6 in GetComputedStyleNoFlush /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.h:95:12
    #13 0x7f96424454b6 in mozilla::EditorBase::IsPreformatted(nsINode*) /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:3718
    #14 0x7f96426eeafe in mozilla::WSRunObject::GetRuns() /builds/worker/workspace/build/src/editor/libeditor/WSRunObject.cpp:880:10
    #15 0x7f96424a441c in mozilla::WSRunObject::WSRunObject(mozilla::HTMLEditor*, nsINode*, int) /builds/worker/workspace/build/src/editor/libeditor/WSRunObject.h:173:9
    #16 0x7f964251b664 in mozilla::HTMLEditRules::CheckForInvisibleBR(mozilla::dom::Element&, mozilla::HTMLEditRules::BRLocation, int) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:6477:15
    #17 0x7f96425109c3 in mozilla::HTMLEditRules::TryToJoinBlocksWithTransaction(nsIContent&, nsIContent&) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:3339:9
    #18 0x7f96424bda93 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2748:32
    #19 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #20 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #21 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #22 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #23 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #24 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #25 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #26 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #27 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #28 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #29 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #30 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #31 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #32 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #33 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #34 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #35 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #36 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #37 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #38 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #39 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #40 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #41 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #42 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #43 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #44 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #45 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #46 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #47 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #48 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #49 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #50 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
...truncated...
```
