Closed Bug 1383747 Opened 7 years ago Closed 7 years ago

Crash [@ get] in /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:284:27

Categories

(Core :: DOM: Selection, defect, P2)

55 Branch
defect

Tracking

RESOLVED FIXED
mozilla57
Tracking Status
firefox-esr52 --- unaffected
firefox56 --- fixed
firefox57 --- fixed

People

(Reporter: jkratzer, Assigned: jchen)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 20170722-c22502562670.

ASAN:DEADLYSIGNAL
=================================================================
==14861==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7fcbd872c5c1 bp 0x7ffea2a5ead0 sp 0x7ffea2a5ea40 T0)
==14861==The signal is caused by a READ memory access.
==14861==Hint: address points to the zero page.
    #0 0x7fcbd872c5c0 in get /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:284:27
    #1 0x7fcbd872c5c0 in operator-> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:316
    #2 0x7fcbd872c5c0 in NodePrincipal /home/worker/workspace/build/src/dom/base/nsINode.h:901
    #3 0x7fcbd872c5c0 in nsContentUtils::CanCallerAccess(nsINode*) /home/worker/workspace/build/src/dom/base/nsContentUtils.cpp:2306
    #4 0x7fcbd8c9e30c in nsRange::SetStartBefore(nsINode&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsRange.cpp:1327:8
    #5 0x7fcbd8cb3868 in nsRange::ExcludeNonSelectableNodes(nsTArray<RefPtr<nsRange> >*) /home/worker/workspace/build/src/dom/base/nsRange.cpp:3506:18
    #6 0x7fcbd89d59bb in mozilla::dom::Selection::UserSelectRangesToAdd(nsRange*, nsTArray<RefPtr<nsRange> >&) /home/worker/workspace/build/src/dom/base/Selection.cpp:1103:10
    #7 0x7fcbd89d09ca in mozilla::dom::Selection::AddItem(nsRange*, int*, bool) /home/worker/workspace/build/src/dom/base/Selection.cpp:1144:7
    #8 0x7fcbd89e4045 in mozilla::dom::Selection::SetAnchorFocusToRange(nsRange*) /home/worker/workspace/build/src/dom/base/Selection.cpp:2770:9
    #9 0x7fcbd89e559d in mozilla::dom::Selection::Extend(nsINode&, unsigned int, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/Selection.cpp:2967:11
    #10 0x7fcbd89e4b05 in mozilla::dom::Selection::Extend(nsINode*, int) /home/worker/workspace/build/src/dom/base/Selection.cpp:2874:3
    #11 0x7fcbdced82b3 in nsFrameSelection::TakeFocus(nsIContent*, unsigned int, unsigned int, mozilla::CaretAssociationHint, bool, bool) /home/worker/workspace/build/src/layout/generic/nsFrameSelection.cpp:1507:34
    #12 0x7fcbdced6608 in nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle) /home/worker/workspace/build/src/layout/generic/nsFrameSelection.cpp:951:14
    #13 0x7fcbd89ec348 in mozilla::dom::Selection::Modify(nsAString const&, nsAString const&, nsAString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/Selection.cpp:3948:24
    #14 0x7fcbd983704c in mozilla::dom::SelectionBinding::modify(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Selection*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/SelectionBinding.cpp:886:9
    #15 0x7fcbda5e7340 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3060:13
    #16 0x7fcbe0c2e594 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #17 0x7fcbe0c2e594 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #18 0x7fcbe0c1730b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #19 0x7fcbe0c1730b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3066
    #20 0x7fcbe0bfde08 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
Flags: in-testsuite?
Priority: -- → P2
Regression range:
INFO: Last good revision: 17e2e2aa8f56546d6749d41266af06b7390df7db
INFO: First bad revision: 9fc3f64f258358a93d2b6ea11e931725a8e3e677
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=17e2e2aa8f56546d6749d41266af06b7390df7db&tochange=9fc3f64f258358a93d2b6ea11e931725a8e3e677

Fix range:
INFO: First good revision: f9b9ffb6fea52259bbcf00eca45285a930f0ca59
INFO: Last bad revision: 274953221bdfcec279aa53c02d1aa96d441a4359
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=274953221bdfcec279aa53c02d1aa96d441a4359&tochange=f9b9ffb6fea52259bbcf00eca45285a930f0ca59

Regressed by bug 1351170 and fixed by bug 1382342. NI myself to land this testcase as a crashtest.
Assignee: nobody → nchen
Blocks: 1351170
Status: NEW → RESOLVED
Has Regression Range: --- → yes
Closed: 7 years ago
Depends on: 1383242
Flags: needinfo?(ryanvm)
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Version: unspecified → 55 Branch
"fixed by 1382342"
"Depends on: 1383242"
----------------^^
transposed digits?
Yup, should have been 1383242. Oh well, I'm over it.
Flags: needinfo?(ryanvm)
Flags: in-testsuite?
Flags: in-testsuite+