Closed
Bug 1383780
Opened 7 years ago
Closed 7 years ago
Stylo: Crash [@nsIContent::GetBaseURIForStyleAttr()] in /home/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:465
Categories
(Core :: CSS Parsing and Computation, defect, P1)
Core
CSS Parsing and Computation
Tracking
()
RESOLVED
FIXED
mozilla57
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox55 | --- | unaffected |
firefox56 | --- | wontfix |
firefox57 | --- | fixed |
People
(Reporter: jkratzer, Assigned: xidorn)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-nullptr, testcase)
Crash Data
Attachments
(3 files)
Testcase found while fuzzing mozilla-central rev 20170722-c22502562670. ASAN:DEADLYSIGNAL ================================================================= ==24274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f9882b3fb4a bp 0x7ffd45043910 sp 0x7ffd45043820 T0) ==24274==The signal is caused by a READ memory access. ==24274==Hint: address points to the zero page. #0 0x7f9882b3fb49 in nsIContent::GetBaseURIForStyleAttr() const /home/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:465 #1 0x7f9886bfb1b6 in nsDOMCSSAttributeDeclaration::GetCSSParsingEnvironment(nsDOMCSSDeclaration::CSSParsingEnvironment&) /home/worker/workspace/build/src/layout/style/nsDOMCSSAttrDeclaration.cpp:172:37 #2 0x7f9886bfc87f in ModifyDeclaration<(lambda at /home/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:364:5), (lambda at /home/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:370:5)> /home/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:336:5 #3 0x7f9886bfc87f in nsDOMCSSDeclaration::ParsePropertyValue(nsCSSPropertyID, nsAString const&, bool) /home/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:363 #4 0x7f9886781e73 in mozilla::ChangeStyleTransaction::DoTransaction() /home/worker/workspace/build/src/editor/libeditor/ChangeStyleTransaction.cpp:196:19 #5 0x7f988695da5b in DoTransaction /home/worker/workspace/build/src/editor/txmgr/nsTransactionItem.cpp:156:26 #6 0x7f988695da5b in nsTransactionManager::BeginTransaction(nsITransaction*, nsISupports*) /home/worker/workspace/build/src/editor/txmgr/nsTransactionManager.cpp:661 #7 0x7f988695d2c3 in nsTransactionManager::DoTransaction(nsITransaction*) /home/worker/workspace/build/src/editor/txmgr/nsTransactionManager.cpp:74:8 #8 0x7f9886782a80 in mozilla::EditorBase::DoTransaction(nsITransaction*) /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:748:20 #9 0x7f98867830fd in SetCSSProperty /home/worker/workspace/build/src/editor/libeditor/CSSEditUtils.cpp:463:23 #10 0x7f98867830fd in mozilla::CSSEditUtils::SetCSSPropertyPixels(mozilla::dom::Element&, nsIAtom&, int) /home/worker/workspace/build/src/editor/libeditor/CSSEditUtils.cpp:473 #11 0x7f98868d4c0e in SetAnonymousElementPosition /home/worker/workspace/build/src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:571:18 #12 0x7f98868d4c0e in mozilla::HTMLEditor::SetAllResizersPosition() /home/worker/workspace/build/src/editor/libeditor/HTMLEditorObjectResizer.cpp:241 #13 0x7f98868d61d6 in mozilla::HTMLEditor::ShowResizersInner(nsIDOMElement*) /home/worker/workspace/build/src/editor/libeditor/HTMLEditorObjectResizer.cpp:338:8 #14 0x7f98867f845e in ShowResizers /home/worker/workspace/build/src/editor/libeditor/HTMLEditorObjectResizer.cpp:283:17 #15 0x7f98867f845e in mozilla::HTMLEditor::CheckSelectionStateForAnonymousButtons(nsISelection*) /home/worker/workspace/build/src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:455 #16 0x7f98868abe9e in mozilla::HTMLEditor::EndUpdateViewBatch() /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:4836:10 #17 0x7f98867aa740 in mozilla::EditorBase::EndPlaceHolderTransaction() /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:1018:7 #18 0x7f988689d2e0 in ~AutoPlaceHolderBatch /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EditorUtils.h:169:16 #19 0x7f988689d2e0 in mozilla::HTMLEditor::Align(nsAString const&) /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:2289 #20 0x7f988696f942 in nsAlignCommand::SetState(nsIEditor*, nsString&) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:962:22
Flags: in-testsuite?
Updated•7 years ago
|
Crash Signature: [@ nsIContent::GetBaseURIForStyleAttr const ]
Priority: -- → P1
Updated•7 years ago
|
Crash Signature: [@ nsIContent::GetBaseURIForStyleAttr const ] → [@ nsIContent::GetBaseURIForStyleAttr const ]
[@ nsIContent::GetBaseURIForStyleAttr ]
Comment 1•7 years ago
|
||
This doesn't occurs when enabling Stylo.
Comment 2•7 years ago
|
||
I got this crash [1] when trying to load the attachment. [1] https://crash-stats.mozilla.com/report/index/cdf6f635-20de-4257-82e2-6a5140170726
Crash Signature: [@ nsIContent::GetBaseURIForStyleAttr const ]
[@ nsIContent::GetBaseURIForStyleAttr ] → [@ nsIContent::GetBaseURIForStyleAttr const ]
[@ nsIContent::GetBaseURIForStyleAttr ]
[@ libxul.so@0x1201e81 | nsDOMCSSAttributeDeclaration::GetCSSParsingEnvironment ]
Component: Editor → CSS Parsing and Computation
Summary: Crash [@nsIContent::GetBaseURIForStyleAttr()] in /home/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:465 → Stylo: Crash [@nsIContent::GetBaseURIForStyleAttr()] in /home/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:465
Updated•7 years ago
|
Priority: P1 → --
Updated•7 years ago
|
Priority: -- → P1
Assignee | ||
Comment 3•7 years ago
|
||
So this happens when we want to mutate style of an svg:use element, but that element haven't yet created the anonymous content (the cloned content). Then this is the question: how can we have something in the anonymous subtree of svg:use element when we haven't create it? It seems something inserts a <span> into that svg:use somehow, presumably by editor. I'm not quite familiar with editor, but I guess it should really avoid inserting anything into svg:use's anonymous subtree. A quick and dirty fix for this, though, would be simply null-checking returned value from useElement->GetContentURLData(). When the content isn't cloned into the element, it doesn't really make sense to use the content url data there. It would still be good to avoid inserting random element into svg:use's anonymous subtree, though. masayuki, do you have idea how should we avoid inserting element into svg:use's anonymous subtree?
Flags: needinfo?(masayuki)
Assignee | ||
Comment 4•7 years ago
|
||
I can do the quick fix for this. It doesn't harm anyway.
Assignee: nobody → xidorn+moz
Comment hidden (mozreview-request) |
Comment 6•7 years ago
|
||
Perhaps, it's a resizer UI or its info. https://searchfox.org/mozilla-central/search?q=symbol:_ZN7mozilla10HTMLEditor22CreateAnonymousElementEP7nsIAtomP10nsIDOMNodeRK9nsAStringb&redirect=false Although, I feel it's buggy HTMLEditor to touch SVG <use> element's subtree for that...
Flags: needinfo?(masayuki)
Comment 7•7 years ago
|
||
mozreview-review |
Comment on attachment 8892711 [details] Bug 1383780 - Null-check return value of SVGUseElement::GetContentURLData before returning. https://reviewboard.mozilla.org/r/163704/#review169108
Attachment #8892711 -
Flags: review?(bzbarsky) → review+
Pushed by xquan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5dd6f04aea59 Null-check return value of SVGUseElement::GetContentURLData before returning. r=bz
Comment 9•7 years ago
|
||
Backed out for failing crashtests on stylo: https://hg.mozilla.org/integration/autoland/rev/9ba3d16a975bdfa01508a969ba5a4f1841cb6463 Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=5dd6f04aea595f0225f2bb105a34fd5d533af983&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=retry&filter-resultStatus=usercancel&filter-resultStatus=runnable Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=120266970&repo=autoland [task 2017-08-02T05:57:27.421099Z] 05:57:27 INFO - REFTEST TEST-START | file:///home/worker/workspace/build/tests/reftest/tests/dom/base/crashtests/1383780.html [task 2017-08-02T05:57:27.422311Z] 05:57:27 INFO - REFTEST TEST-LOAD | file:///home/worker/workspace/build/tests/reftest/tests/dom/base/crashtests/1383780.html | 276 / 3253 (8%) [task 2017-08-02T05:57:27.426780Z] 05:57:27 ERROR - thread '<unnamed>' panicked at 'called `Option::unwrap()` on a `None` value', /checkout/src/libcore/option.rs:335 [task 2017-08-02T05:57:27.605248Z] 05:57:27 INFO - stack backtrace: [task 2017-08-02T05:57:27.606581Z] 05:57:27 INFO - 0: std::sys::imp::backtrace::tracing::imp::unwind_backtrace [task 2017-08-02T05:57:27.607634Z] 05:57:27 INFO - 1: std::panicking::default_hook::{{closure}} [task 2017-08-02T05:57:27.608596Z] 05:57:27 INFO - 2: std::panicking::default_hook [task 2017-08-02T05:57:27.611375Z] 05:57:27 INFO - 3: std::panicking::rust_panic_with_hook [task 2017-08-02T05:57:27.612817Z] 05:57:27 INFO - 4: std::panicking::begin_panic [task 2017-08-02T05:57:27.614518Z] 05:57:27 INFO - 5: std::panicking::begin_panic_fmt [task 2017-08-02T05:57:27.617570Z] 05:57:27 INFO - 6: core::panicking::panic_fmt [task 2017-08-02T05:57:27.618453Z] 05:57:27 INFO - 7: core::panicking::panic [task 2017-08-02T05:57:27.619901Z] 05:57:27 INFO - 8: Servo_TraverseSubtree [task 2017-08-02T05:57:27.621526Z] 05:57:27 INFO - 9: _ZN7mozilla13ServoStyleSet25PrepareAndTraverseSubtreeEPKNS_3dom7ElementENS_19ServoTraversalFlagsE [task 2017-08-02T05:57:27.622757Z] 05:57:27 INFO - 10: _ZN7mozilla10HTMLEditor22CreateAnonymousElementEP7nsIAtomP10nsIDOMNodeRK9nsAStringb [task 2017-08-02T05:57:27.624262Z] 05:57:27 INFO - 11: _ZN7mozilla10HTMLEditor13CreateResizerEsP10nsIDOMNode [task 2017-08-02T05:57:27.625766Z] 05:57:27 INFO - 12: _ZN7mozilla10HTMLEditor17ShowResizersInnerEP13nsIDOMElement [task 2017-08-02T05:57:27.627242Z] 05:57:27 INFO - 13: _ZN7mozilla10HTMLEditor12ShowResizersEP13nsIDOMElement [task 2017-08-02T05:57:27.628730Z] 05:57:27 INFO - 14: _ZN7mozilla10HTMLEditor38CheckSelectionStateForAnonymousButtonsEP12nsISelection [task 2017-08-02T05:57:27.631834Z] 05:57:27 INFO - 15: _ZN7mozilla10HTMLEditor18EndUpdateViewBatchEv [task 2017-08-02T05:57:27.632629Z] 05:57:27 INFO - 16: _ZN7mozilla10EditorBase25EndPlaceHolderTransactionEv [task 2017-08-02T05:57:27.633399Z] 05:57:27 INFO - 17: _ZN7mozilla10HTMLEditor5AlignERK9nsAString [task 2017-08-02T05:57:27.634399Z] 05:57:27 INFO - 18: _ZN14nsAlignCommand8SetStateEP9nsIEditorR8nsString [task 2017-08-02T05:57:27.635898Z] 05:57:27 INFO - 19: _ZN19nsMultiStateCommand15DoCommandParamsEPKcP16nsICommandParamsP11nsISupports [task 2017-08-02T05:57:27.637410Z] 05:57:27 INFO - 20: _ZN24nsControllerCommandTable15DoCommandParamsEPKcP16nsICommandParamsP11nsISupports [task 2017-08-02T05:57:27.638534Z] 05:57:27 INFO - 21: _ZN23nsBaseCommandController19DoCommandWithParamsEPKcP16nsICommandParams [task 2017-08-02T05:57:27.640020Z] 05:57:27 INFO - 22: _ZN16nsCommandManager9DoCommandEPKcP16nsICommandParamsP18mozIDOMWindowProxy [task 2017-08-02T05:57:27.641468Z] 05:57:27 INFO - 23: _ZN14nsHTMLDocument11ExecCommandERK9nsAStringbS2_R12nsIPrincipalRN7mozilla11ErrorResultE [task 2017-08-02T05:57:27.642948Z] 05:57:27 INFO - 24: _ZN7mozilla3dom19HTMLDocumentBindingL11execCommandEP9JSContextN2JS6HandleIP8JSObjectEEP14nsHTMLDocumentRK19JSJitMethodCallArgs [task 2017-08-02T05:57:27.644073Z] 05:57:27 INFO - 25: _ZN7mozilla3dom20GenericBindingMethodEP9JSContextjPN2JS5ValueE [task 2017-08-02T05:57:27.645502Z] 05:57:27 INFO - 26: _ZN2js23InternalCallOrConstructEP9JSContextRKN2JS8CallArgsENS_14MaybeConstructE [task 2017-08-02T05:57:27.646971Z] 05:57:27 INFO - 27: _ZL9InterpretP9JSContextRN2js8RunStateE [task 2017-08-02T05:57:27.648376Z] 05:57:27 INFO - 28: _ZN2js9RunScriptEP9JSContextRNS_8RunStateE [task 2017-08-02T05:57:27.649475Z] 05:57:27 INFO - 29: _ZN2js7ExecuteEP9JSContextN2JS6HandleIP8JSScriptEER8JSObjectPNS2_5ValueE [task 2017-08-02T05:57:27.650916Z] 05:57:27 INFO - 30: _ZL13ExecuteScriptP9JSContextRN2JS16AutoObjectVectorENS1_6HandleIP8JSScriptEEPNS1_5ValueE [task 2017-08-02T05:57:27.652406Z] 05:57:27 INFO - 31: _ZN9nsJSUtils16ExecutionContext14CompileAndExecERN2JS14CompileOptionsERNS1_18SourceBufferHolderENS1_13MutableHandleIP8JSScriptEE [task 2017-08-02T05:57:27.653272Z] 05:57:27 INFO - 32: _ZN7mozilla3dom12ScriptLoader14EvaluateScriptEPNS0_17ScriptLoadRequestE.part.312 [task 2017-08-02T05:57:27.654113Z] 05:57:27 INFO - 33: _ZN7mozilla3dom12ScriptLoader14ProcessRequestEPNS0_17ScriptLoadRequestE [task 2017-08-02T05:57:27.654873Z] 05:57:27 INFO - 34: _ZN7mozilla3dom12ScriptLoader20ProcessScriptElementEP16nsIScriptElement [task 2017-08-02T05:57:27.655662Z] 05:57:27 INFO - 35: _ZN7mozilla3dom13ScriptElement18MaybeProcessScriptEv [task 2017-08-02T05:57:27.656445Z] 05:57:27 INFO - 36: _ZN21nsHtml5TreeOpExecutor9RunScriptEP10nsIContent [task 2017-08-02T05:57:27.657245Z] 05:57:27 INFO - 37: _ZN21nsHtml5TreeOpExecutor12RunFlushLoopEv [task 2017-08-02T05:57:27.658001Z] 05:57:27 INFO - 38: _ZN22nsHtml5ExecutorFlusher3RunEv [task 2017-08-02T05:57:27.658771Z] 05:57:27 INFO - 39: _ZN8nsThread16ProcessNextEventEbPb.part.142 [task 2017-08-02T05:57:27.659553Z] 05:57:27 INFO - 40: _Z19NS_ProcessNextEventP9nsIThreadb [task 2017-08-02T05:57:27.660320Z] 05:57:27 INFO - 41: _ZN7mozilla3ipc11MessagePump3RunEPN4base11MessagePump8DelegateE [task 2017-08-02T05:57:27.661102Z] 05:57:27 INFO - 42: _ZN11MessageLoop3RunEv [task 2017-08-02T05:57:27.661843Z] 05:57:27 INFO - 43: _ZN14nsBaseAppShell3RunEv [task 2017-08-02T05:57:27.662601Z] 05:57:27 INFO - 44: _ZN12nsAppStartup3RunEv [task 2017-08-02T05:57:27.663422Z] 05:57:27 INFO - 45: _ZN7XREMain11XRE_mainRunEv [task 2017-08-02T05:57:27.664184Z] 05:57:27 INFO - 46: _ZN7XREMain8XRE_mainEiPPcRKN7mozilla15BootstrapConfigE [task 2017-08-02T05:57:27.664944Z] 05:57:27 INFO - 47: _Z8XRE_mainiPPcRKN7mozilla15BootstrapConfigE [task 2017-08-02T05:57:27.665702Z] 05:57:27 INFO - 48: _ZL7do_mainiPPcS0_ [task 2017-08-02T05:57:27.666434Z] 05:57:27 INFO - 49: main [task 2017-08-02T05:57:27.667208Z] 05:57:27 INFO - 50: __libc_start_main [task 2017-08-02T05:57:27.667961Z] 05:57:27 INFO - 51: <unknown> [task 2017-08-02T05:57:27.668710Z] 05:57:27 INFO - Redirecting call to abort() to mozalloc_abort [task 2017-08-02T05:57:27.669504Z] 05:57:27 INFO - ExceptionHandler::GenerateDump cloned child 1092 [task 2017-08-02T05:57:27.670279Z] 05:57:27 INFO - ExceptionHandler::SendContinueSignalToChild sent continue signal to child [task 2017-08-02T05:57:27.671043Z] 05:57:27 INFO - ExceptionHandler::WaitForContinueSignal waiting for continue signal... [task 2017-08-02T05:57:27.801066Z] 05:57:27 ERROR - TEST-UNEXPECTED-FAIL | file:///home/worker/workspace/build/tests/reftest/tests/dom/base/crashtests/1383780.html | application terminated with exit code 11
Flags: needinfo?(xidorn+moz)
Assignee | ||
Comment 10•7 years ago
|
||
Turns out the crash in comment 0 isn't the only crash revealed by this testcase :/
Assignee | ||
Comment 11•7 years ago
|
||
I don't know why but the testcase now crashes with
> Assertion failure: MayTraverseFrom(const_cast<Element*>(aRoot)), at /layout/style/ServoStyleSet.cpp:275
I believe I didn't see this when I submitted that patch, so presumably some changes in-between touched this.
Comment 12•7 years ago
|
||
FWIW I saw a very similar stack in bug 1384526. https://crash-stats.mozilla.com/report/index/71ff5efc-6fdc-41fe-af56-4f4240170726
Assignee | ||
Comment 13•7 years ago
|
||
So the MayTraverseFrom assertion fails because the parent of that element is the svg:use element, which doesn't have ServoData yet. I'm not sure what's going on, then. I guess one way to fix both issue is to avoid creating resizer in this case. (We may still want to preserve the null-check in the original patch, though.)
Flags: needinfo?(xidorn+moz)
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment 16•7 years ago
|
||
mozreview-review |
Comment on attachment 8893209 [details] Bug 1383780 - Avoid adding anonymous editor element into non-HTML element. https://reviewboard.mozilla.org/r/164242/#review169578 ::: commit-message-8f4d1:1 (Diff revision 1) > +Bug 1383780 - Avoid adding anonymous editor element into non-HTML element. r?masayuki > + > +MozReview-Commit-ID: J5kCUzA7K90 Please explain the "reason" in this commit message ::: editor/libeditor/HTMLAnonymousNodeEditor.cpp:179 (Diff revision 1) > + // Don't put anonymous editor element into non-HTML element. > + if (!parentContent->IsHTMLElement()) { And also here. The reason is important (especially it's for svg::use since somebody wants to create anonymous UI for other non-HTML elements).
Attachment #8893209 -
Flags: review?(masayuki) → review+
Assignee | ||
Comment 17•7 years ago
|
||
mozreview-review-reply |
Comment on attachment 8893209 [details] Bug 1383780 - Avoid adding anonymous editor element into non-HTML element. https://reviewboard.mozilla.org/r/164242/#review169578 > And also here. The reason is important (especially it's for svg::use since somebody wants to create anonymous UI for other non-HTML elements). The problem isn't that somebody wants to create anonymous UI for non-HTML element. It is somebody wants to create anonymous UI for an element inside a non-HTML parent, and thus the anonymous element is inserted into that parent.
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Assignee | ||
Comment 20•7 years ago
|
||
Comment on attachment 8893209 [details] Bug 1383780 - Avoid adding anonymous editor element into non-HTML element. Are you fine with that comment?
Attachment #8893209 -
Flags: review+ → review?(masayuki)
Comment 21•7 years ago
|
||
Comment on attachment 8893209 [details] Bug 1383780 - Avoid adding anonymous editor element into non-HTML element. Fine, thanks. But I still would like you to add some comments to the commit message too since writing the reason of the change is our generic rule.
Attachment #8893209 -
Flags: review?(masayuki) → review+
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment 24•7 years ago
|
||
Pushed by xquan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8c64ead4af0a Avoid adding anonymous editor element into non-HTML element. r=masayuki https://hg.mozilla.org/integration/autoland/rev/192f97d9e355 Null-check return value of SVGUseElement::GetContentURLData before returning. r=bz
Comment 25•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/8c64ead4af0a https://hg.mozilla.org/mozilla-central/rev/192f97d9e355
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox57:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Comment 26•7 years ago
|
||
Xidorn, should we uplift this crash fix to Beta 56? We will be running a Stylo experiment with some unsuspecting Beta 56 users.
Assignee | ||
Comment 27•7 years ago
|
||
This change has certain risk to non-stylo part, so I would be rather reluctant to uplift it. Also this is a crash from fuzz, not from a real world crash report. I think this kind of specific case should rarely appear in any sensible website. Given these, I would suggest we don't uplift it.
Flags: needinfo?(xidorn+moz)
Comment 28•7 years ago
|
||
status-firefox56 = wontfix
Updated•7 years ago
|
status-firefox-esr52:
--- → unaffected
Updated•7 years ago
|
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•