Open Bug 1361065 Opened 7 years ago Updated 2 years ago

Assertion failure: !mDoneCreating || mType != NS_FORM_INPUT_RANGE || !GetValidityState(VALIDITY_STATE_RANGE_UNDERFLOW) (HTML5 spec does not allow underflow for type=range) @ [/home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:1513]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox-esr78 --- affected
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox89 --- wontfix
firefox90 --- affected
firefox91 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

trigger.html
171 bytes, text/html
Details 
Testcase found while fuzzing mozilla-central rev 20170430-5278e2a35fc8.

Assertion failure: !mDoneCreating || mType != NS_FORM_INPUT_RANGE || !GetValidityState(VALIDITY_STATE_RANGE_UNDERFLOW) (HTML5 spec does not allow underflow for type=range), at /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:1513

ASAN:DEADLYSIGNAL
=================================================================
==28580==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2e95a3ca10 bp 0x7ffe646184b0 sp 0x7ffe64618000 T0)
==28580==The signal is caused by a WRITE memory access.
==28580==Hint: address points to the zero page.
    #0 0x7f2e95a3ca0f in mozilla::dom::HTMLInputElement::AfterSetAttr(int, nsIAtom*, nsAttrValue const*, bool) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:1493:7
    #1 0x7f2e93cb084e in mozilla::dom::Element::SetAttrAndNotify(int, nsIAtom*, nsIAtom*, nsAttrValue const&, nsAttrValue&, unsigned char, bool, bool, bool, nsIDocument*, mozAutoDocUpdate const&) /home/worker/workspace/build/src/dom/base/Element.cpp:2498:10
    #2 0x7f2e93caff56 in mozilla::dom::Element::SetAttr(int, nsIAtom*, nsIAtom*, nsAString const&, bool) /home/worker/workspace/build/src/dom/base/Element.cpp:2375:10
    #3 0x7f2e95b383f9 in nsGenericHTMLElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString const&, bool) /home/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:829:34
    #4 0x7f2e93ca2d71 in mozilla::dom::Element::SetAttr(nsIAtom*, nsAString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:1265:14
    #5 0x7f2e95344bed in mozilla::dom::HTMLInputElementBinding::set_min(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLInputElement*, JSJitSetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLInputElementBinding.cpp:1528:9
    #6 0x7f2e95538e7c in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2922:8
    #7 0x7f2e99b62681 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #8 0x7f2e99b6222d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470:16
    #9 0x7f2e99b630d5 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:515:12
    #10 0x7f2e99b632ec in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #11 0x7f2e99b647e3 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:663:12
    #12 0x7f2e9a848879 in SetExistingProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2432:10
    #13 0x7f2e9a847eaf in js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2467:20
    #14 0x7f2e99aecfd9 in js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1459:12
    #15 0x7f2e99b826dc in SetPropertyOperation(JSContext*, JSOp, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::Handle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:244:12
Flags: in-testsuite?
Depends on: 893331
Bughunter found this reproducible fatal assertion on http://www.ceskatelevize.cz/ct24#live on Windows and Linux on Beta/57 and Nightly/58.
Jason, did you mean to attach a testcase? Unfortunately, I can't reproduce on the site from comment 1.
status-firefox56: --- → wontfix
status-firefox57: --- → wontfix
status-firefox58: --- → fix-optional
Flags: needinfo?(jkratzer)
Attached file trigger.html 
Attached testcase.
Flags: needinfo?(jkratzer)
Reproduces as far back as a year, which is the furthest back mozregression can go. Still reproduces on trunk with or without Stylo enabled.
Has Regression Range: --- → no
status-firefox-esr52: --- → wontfix
status-firefox59: ?wontfix
status-firefox89: --- → wontfix
status-firefox90: --- → affected
status-firefox91: --- → affected
status-firefox-esr78: --- → affected
Component: Layout: Form Controls → DOM: Core & HTML
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: