Open
Bug 1361065
Opened 6 years ago
Updated 6 months ago
Assertion failure: !mDoneCreating || mType != NS_FORM_INPUT_RANGE || !GetValidityState(VALIDITY_STATE_RANGE_UNDERFLOW) (HTML5 spec does not allow underflow for type=range) @ [/home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:1513]
Categories: Core :: DOM: Core & HTML, defect
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, testcase
Attachments (1 file): 171 bytes, text/html
Testcase found while fuzzing mozilla-central rev 20170430-5278e2a35fc8.

Assertion failure: !mDoneCreating || mType != NS_FORM_INPUT_RANGE || !GetValidityState(VALIDITY_STATE_RANGE_UNDERFLOW) (HTML5 spec does not allow underflow for type=range), at /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:1513
ASAN:DEADLYSIGNAL
=================================================================
==28580==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2e95a3ca10 bp 0x7ffe646184b0 sp 0x7ffe64618000 T0)
==28580==The signal is caused by a WRITE memory access.
==28580==Hint: address points to the zero page.
    #0 0x7f2e95a3ca0f in mozilla::dom::HTMLInputElement::AfterSetAttr(int, nsIAtom*, nsAttrValue const*, bool) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:1493:7
    #1 0x7f2e93cb084e in mozilla::dom::Element::SetAttrAndNotify(int, nsIAtom*, nsIAtom*, nsAttrValue const&, nsAttrValue&, unsigned char, bool, bool, bool, nsIDocument*, mozAutoDocUpdate const&) /home/worker/workspace/build/src/dom/base/Element.cpp:2498:10
    #2 0x7f2e93caff56 in mozilla::dom::Element::SetAttr(int, nsIAtom*, nsIAtom*, nsAString const&, bool) /home/worker/workspace/build/src/dom/base/Element.cpp:2375:10
    #3 0x7f2e95b383f9 in nsGenericHTMLElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString const&, bool) /home/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:829:34
    #4 0x7f2e93ca2d71 in mozilla::dom::Element::SetAttr(nsIAtom*, nsAString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:1265:14
    #5 0x7f2e95344bed in mozilla::dom::HTMLInputElementBinding::set_min(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLInputElement*, JSJitSetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLInputElementBinding.cpp:1528:9
    #6 0x7f2e95538e7c in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2922:8
    #7 0x7f2e99b62681 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #8 0x7f2e99b6222d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470:16
    #9 0x7f2e99b630d5 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:515:12
    #10 0x7f2e99b632ec in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #11 0x7f2e99b647e3 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:663:12
    #12 0x7f2e9a848879 in SetExistingProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2432:10
    #13 0x7f2e9a847eaf in js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2467:20
    #14 0x7f2e99aecfd9 in js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1459:12
    #15 0x7f2e99b826dc in SetPropertyOperation(JSContext*, JSOp, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::Handle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:244:12
Flags: in-testsuite?
Comment 1 • 6 years ago
Bughunter found this reproducible fatal assertion on http://www.ceskatelevize.cz/ct24#live on Windows and Linux on Beta/57 and Nightly/58.
Comment 2 • 6 years ago
Jason, did you mean to attach a testcase? Unfortunately, I can't reproduce on the site from comment 1.
status-firefox56: --- → wontfix
status-firefox57: --- → wontfix
status-firefox58: --- → fix-optional
Flags: needinfo?(jkratzer)
Comment 4 • 6 years ago
Reproduces as far back as a year, which is the furthest back mozregression can go. Still reproduces on trunk with or without Stylo enabled.
Has Regression Range: --- → no
status-firefox-esr52: --- → wontfix
Comment 5 • 5 years ago
https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Move_fix-optionals
status-firefox59: --- → ?
Updated • 2 years ago
status-firefox89: --- → wontfix
status-firefox90: --- → affected
status-firefox91: --- → affected
status-firefox-esr78: --- → affected
Component: Layout: Form Controls → DOM: Core & HTML
Comment 6 • 2 years ago
A Pernosco session is available here: https://pernos.co/debug/UQCvnGgxINFWsFDWYIahVA/index.html
Updated • 6 months ago
Severity: normal → S3