Closed Bug 1375050 Opened 7 years ago Closed 7 years ago

Crash @[GetExistingSlots /home/worker/workspace/build/src/dom/base/nsINode.h:1905:12]

Categories

(Core :: DOM: Core & HTML, defect, P1)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla56
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox54 --- unaffected
firefox55 --- unaffected
firefox56 --- fixed

People

(Reporter: jkratzer, Assigned: catalinb)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase)

Crash Data

Attachments

(2 files, 1 obsolete file)

Testcase
884 bytes, text/html
Details
Fix crash in nsLabelsNodeList::MaybeResetRoot
3.13 KB, patch
jdai
: review+
Details | Diff | Splinter Review
Attached file Testcase 
Testcase found while fuzzing mozilla-central rev 20170621-2b07ef4f3381.

ASAN:DEADLYSIGNAL
=================================================================
==15867==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x7f7e60474ce0 bp 0x7ffd8f1428f0 sp 0x7ffd8f142840 T0)
==15867==The signal is caused by a READ memory access.
==15867==Hint: address points to the zero page.
    #0 0x7f7e60474cdf in GetExistingSlots /home/worker/workspace/build/src/dom/base/nsINode.h:1905:12
    #1 0x7f7e60474cdf in RemoveMutationObserver /home/worker/workspace/build/src/dom/base/nsINode.h:1059
    #2 0x7f7e60474cdf in nsLabelsNodeList::MaybeResetRoot(nsINode*) /home/worker/workspace/build/src/dom/base/nsContentList.cpp:1169
    #3 0x7f7e626e3566 in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /home/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:519:25
    #4 0x7f7e626ef51e in nsGenericHTMLFormElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /home/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:1896:39
    #5 0x7f7e625ac38c in mozilla::dom::HTMLInputElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:4852:52
    #6 0x7f7e6060ac66 in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1608:14
    #7 0x7f7e60611390 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:2514:14
    #8 0x7f7e60c656c9 in InsertBefore /home/worker/workspace/build/src/dom/base/nsINode.h:1795:12
    #9 0x7f7e60c656c9 in AppendChild /home/worker/workspace/build/src/dom/base/nsINode.h:1799
    #10 0x7f7e60c656c9 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/NodeBinding.cpp:856
    #11 0x7f7e61f56dbe in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2960:13
    #12 0x7f7e6842a4a3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #13 0x7f7e6842a4a3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #14 0x7f7e68644dde in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2458:14
    #15 0x7f7e0ca12df6  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/worker/workspace/build/src/dom/base/nsINode.h:1905:12 in GetExistingSlots
==15867==ABORTING
[Exit code: -6]
Flags: in-testsuite?
Catalin, you've been looking at nsINode recently, right? :)
Flags: needinfo?(catalin.badea392)

        Attachment #8884783 -
        Flags: review?(jdai)

    
  
Flags: needinfo?(catalin.badea392)

    
    

    
  
Comment on attachment 8884783 [details] [diff] [review]
Fix crash in nsLabelsNodeList::MaybeResetRoot

Review of attachment 8884783 [details] [diff] [review]:
-----------------------------------------------------------------

The change is fine but I'd like to see crash test included before setting r+ flag, thank you!

        Attachment #8884783 -
        Flags: review?(jdai)
Assignee: nobody → catalin.badea392
Priority: -- → P1
Crash Signature: [@ nsLabelsNodeList::MaybeResetRoot ]

    
  

        Attachment #8884783 -
        Attachment is obsolete: true

    
  

        Attachment #8885730 -
        Flags: review?(jdai) → review+

    
    

    
  
Pushed by catalin.badea392@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/54b1caeb09ec
Fix crash in nsLabelsNodeList::MaybeResetRoot r=jdai

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/54b1caeb09ec
Status: NEW → RESOLVED
Closed: 7 years ago

          status-firefox56:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56

    
    

    
  
mozregression says this was caused by bug 556743.
Blocks: 556743

          status-firefox54:
          --- → unaffected

          status-firefox55:
          --- → unaffected

          status-firefox-esr52:
          --- → unaffected
Flags: in-testsuite? → in-testsuite+
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: