Bug 1375050 (Closed)
Opened 7 years ago; closed 7 years ago
Crash @[GetExistingSlots /home/worker/workspace/build/src/dom/base/nsINode.h:1905:12]
Categories: Core :: DOM: Core & HTML, defect, P1
Tracking: RESOLVED FIXED, target milestone mozilla56
Branch | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox54 | --- | unaffected
firefox55 | --- | unaffected
firefox56 | --- | fixed
People: Reporter jkratzer, Assigned catalinb
References: Blocks 1 open bug
Details: Keywords crash, csectype-nullptr, testcase
Crash Data
Attachments (2 files, 1 obsolete file):
884 bytes, text/html
3.13 KB, patch, jdai: review+
Testcase found while fuzzing mozilla-central rev 20170621-2b07ef4f3381.
ASAN:DEADLYSIGNAL
=================================================================
==15867==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x7f7e60474ce0 bp 0x7ffd8f1428f0 sp 0x7ffd8f142840 T0)
==15867==The signal is caused by a READ memory access.
==15867==Hint: address points to the zero page.
#0 0x7f7e60474cdf in GetExistingSlots /home/worker/workspace/build/src/dom/base/nsINode.h:1905:12
#1 0x7f7e60474cdf in RemoveMutationObserver /home/worker/workspace/build/src/dom/base/nsINode.h:1059
#2 0x7f7e60474cdf in nsLabelsNodeList::MaybeResetRoot(nsINode*) /home/worker/workspace/build/src/dom/base/nsContentList.cpp:1169
#3 0x7f7e626e3566 in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /home/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:519:25
#4 0x7f7e626ef51e in nsGenericHTMLFormElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /home/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:1896:39
#5 0x7f7e625ac38c in mozilla::dom::HTMLInputElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:4852:52
#6 0x7f7e6060ac66 in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1608:14
#7 0x7f7e60611390 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:2514:14
#8 0x7f7e60c656c9 in InsertBefore /home/worker/workspace/build/src/dom/base/nsINode.h:1795:12
#9 0x7f7e60c656c9 in AppendChild /home/worker/workspace/build/src/dom/base/nsINode.h:1799
#10 0x7f7e60c656c9 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/NodeBinding.cpp:856
#11 0x7f7e61f56dbe in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2960:13
#12 0x7f7e6842a4a3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
#13 0x7f7e6842a4a3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#14 0x7f7e68644dde in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2458:14
#15 0x7f7e0ca12df6 (<unknown module>)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/worker/workspace/build/src/dom/base/nsINode.h:1905:12 in GetExistingSlots
==15867==ABORTING
[Exit code: -6]
Flags: in-testsuite?
Comment 1•7 years ago
Catalin, you've been looking at nsINode recently, right? :)
Flags: needinfo?(catalin.badea392)
Comment 2 (Assignee)•7 years ago
Attachment #8884783 - Flags: review?(jdai)
Updated (Assignee)•7 years ago
Flags: needinfo?(catalin.badea392)
Comment 3•7 years ago
Comment on attachment 8884783 [details] [diff] [review]
Fix crash in nsLabelsNodeList::MaybeResetRoot
Review of attachment 8884783 [details] [diff] [review]:
-----------------------------------------------------------------
The change is fine, but I'd like to see a crash test included before setting the r+ flag, thank you!
Attachment #8884783 - Flags: review?(jdai)
Updated•7 years ago
Assignee: nobody → catalin.badea392
Priority: -- → P1
Updated•7 years ago
Crash Signature: [@ nsLabelsNodeList::MaybeResetRoot ]
Comment 4 (Assignee)•7 years ago
Attachment #8885730 - Flags: review?(jdai)
Updated (Assignee)•7 years ago
Attachment #8884783 - Attachment is obsolete: true
Updated•7 years ago
Attachment #8885730 - Flags: review?(jdai) → review+
Pushed by catalin.badea392@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/54b1caeb09ec
Fix crash in nsLabelsNodeList::MaybeResetRoot r=jdai
Comment 6•7 years ago
bugherder
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox56: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Comment 7•7 years ago
mozregression says this was caused by bug 556743.
Blocks: 556743
status-firefox54: --- → unaffected
status-firefox55: --- → unaffected
status-firefox-esr52: --- → unaffected
Flags: in-testsuite? → in-testsuite+
Updated•6 years ago
Component: DOM → DOM: Core & HTML