Closed Bug 1393171 Opened 3 years ago Closed 3 years ago

crash near null in [@ mozilla::dom::Selection::GetPrimaryFrameForFocusNode]

Categories

(Core :: DOM: Core & HTML, defect, critical)

defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla57
Tracking Status
firefox-esr52 --- unaffected
firefox55 --- unaffected
firefox56 --- unaffected
firefox57 --- fixed

People

(Reporter: tsmith, Assigned: m_kato)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Attachments

(3 files)

Attached file test_case.html
==8762==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001e (pc 0x7f5b1c026549 bp 0x7ffc6fbace50 sp 0x7ffc6fbacd60 T0)
==8762==The signal is caused by a READ memory access.
==8762==Hint: address points to the zero page.
    #0 0x7f5b1c026548 in GetBoolFlag src/obj-firefox/dist/include/nsINode.h:1617:12
    #1 0x7f5b1c026548 in IsContent src/obj-firefox/dist/include/nsINode.h:1625
    #2 0x7f5b1c026548 in mozilla::dom::Selection::GetPrimaryFrameForFocusNode(nsIFrame**, int*, bool) src/dom/base/Selection.cpp:1681
    #3 0x7f5b204c0fd4 in nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle) src/layout/generic/nsFrameSelection.cpp:863:17
    #4 0x7f5b1c03714b in mozilla::dom::Selection::Modify(nsAString const&, nsAString const&, nsAString const&, mozilla::ErrorResult&) src/dom/base/Selection.cpp:4006:24
    #5 0x7f5b1ce7fe3c in mozilla::dom::SelectionBinding::modify(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Selection*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/SelectionBinding.cpp:916:9
    #6 0x7f5b1dc22830 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3053:13
    #7 0x7f5b2424efe4 in CallJSNative src/js/src/jscntxtinlines.h:293:15
    #8 0x7f5b2424efe4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:469
    #9 0x7f5b24238a88 in CallFromStack src/js/src/vm/Interpreter.cpp:520:12
    #10 0x7f5b24238a88 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3065
    #11 0x7f5b242201bb in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:409:12
    #12 0x7f5b2424f17c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:487:15
    #13 0x7f5b2424fad2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:533:10
    #14 0x7f5b24c977db in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2951:12
    #15 0x7f5b1d670de5 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #16 0x7f5b1e01f285 in Call<nsISupports *> src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #17 0x7f5b1e01f285 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) src/dom/events/JSEventHandler.cpp:215
    #18 0x7f5b1dfe94b9 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1112:51
    #19 0x7f5b1dfeb580 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1283:20
    #20 0x7f5b1dfcb031 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:462:16
    #21 0x7f5b1dfce502 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:822:9
    #22 0x7f5b202bc7ce in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1081:7
    #23 0x7f5b23239fd1 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7719:21
    #24 0x7f5b23235ff4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:7517:7
    #25 0x7f5b2323d99f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:7414:13
    #26 0x7f5b1affb042 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1320:3
    #27 0x7f5b1affa09c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:861:14
    #28 0x7f5b1aff7056 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:750:9
    #29 0x7f5b1aff8e95 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:632:5
    #30 0x7f5b1aff9afc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:488:14
    #31 0x7f5b197fe19b in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:632:28
    #32 0x7f5b1c1ae73b in nsDocument::DoUnblockOnload() src/dom/base/nsDocument.cpp:9162:18
    #33 0x7f5b1c1ae2d1 in nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:9084:9
    #34 0x7f5b1f5641ff in nsBindingManager::DoProcessAttachedQueue() src/dom/xbl/nsBindingManager.cpp:417:10
    #35 0x7f5b1f5c4df2 in applyImpl<nsBindingManager, void (nsBindingManager::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #36 0x7f5b1f5c4df2 in apply<nsBindingManager, void (nsBindingManager::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #37 0x7f5b1f5c4df2 in mozilla::detail::RunnableMethodImpl<nsBindingManager*, void (nsBindingManager::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #38 0x7f5b1965fcbd in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1040:14
    #39 0x7f5b19665048 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:521:10
    #40 0x7f5b1a3f5f51 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #41 0x7f5b1a35734b in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #42 0x7f5b1a35734b in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #43 0x7f5b1a35734b in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #44 0x7f5b1fa777ef in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #45 0x7f5b23b7f161 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #46 0x7f5b23d60784 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4646:22
    #47 0x7f5b23d62388 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4810:8
    #48 0x7f5b23d637bb in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4905:21
    #49 0x4eb643 in do_main src/browser/app/nsBrowserApp.cpp:236:22
    #50 0x4eb643 in main src/browser/app/nsBrowserApp.cpp:309
    #51 0x7f5b36eb982f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #52 0x41d198 in _start (/home/user/workspace/browsers/m-c-1503498612-asan-opt/firefox+0x41d198)
Flags: in-testsuite?
Attached file log_2.txt
I'm going to mark this as s-s for now because I have a suspicion that this may also show up as a more serious bug.
Group: dom-core-security
Tyson's worried there's a UAF in play here, and the null deref is timing dependent but it could be worse.

Need a regression window for this so we can get the right dev involved.
Flags: needinfo?(twsmith)
Flags: needinfo?(twsmith)
INFO: Last good revision: 602e1a2a4f88e263b8eed094c49701fb3ff19a8b
INFO: First bad revision: ee7f89afcbff5f4783bbbf5218fd57e3de4383c5
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=602e1a2a4f88e263b8eed094c49701fb3ff19a8b&tochange=ee7f89afcbff5f4783bbbf5218fd57e3de4383c5
Assignee: nobody → m_kato
Flags: needinfo?(m_kato)
I need to check whether the focus node is nullptr.
Attachment #8900975 - Flags: review?(bugs)
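As an added illustration (not Mozilla's code, and not the attached patch), the following C++ sketch models the crash path and the guard described in the comment above: `Selection.modify()` runs from a load handler before the selection holds any range, so the focus node is null and the unguarded lookup reads through it. `Node`, `Frame`, `kIsContentFlag` and the `Selection` stand-in are hypothetical simplifications of the real nsINode/nsIFrame types.

```cpp
#include <cstdint>
#include <string>

struct Frame { std::string name; };

constexpr uint32_t kIsContentFlag = 1u;   // hypothetical stand-in for nsINode's bool flags

// Stand-in for nsINode: the flags live inside the object, so reading them through a
// null node pointer is a read at a small offset from address 0 (the "near null" SEGV).
struct Node {
  uint32_t mBoolFlags = 0;
  Frame* mPrimaryFrame = nullptr;
  bool IsContent() const { return (mBoolFlags & kIsContentFlag) != 0; }
};

struct Selection {
  Node* mFocusNode = nullptr;   // null while the selection has no range
  Node* GetFocusNode() const { return mFocusNode; }

  // Before the fix: the focus node is dereferenced unconditionally (never called below).
  Frame* GetPrimaryFrameForFocusNodeUnguarded() const {
    Node* focus = GetFocusNode();
    if (!focus->IsContent()) return nullptr;   // null dereference when there is no focus node
    return focus->mPrimaryFrame;
  }

  // After the fix: refuse the caret move when there is no focus node instead of crashing.
  bool GetPrimaryFrameForFocusNode(Frame** aFrame) const {
    *aFrame = nullptr;
    Node* focus = GetFocusNode();
    if (!focus || !focus->IsContent()) return false;
    *aFrame = focus->mPrimaryFrame;
    return *aFrame != nullptr;
  }
};

// Scenario from the test case: modify() called before any range exists.
bool ModifyWithoutFocusNodeIsRejected() {
  Selection sel;                      // no range, so no focus node
  Frame* frame = nullptr;
  bool ok = sel.GetPrimaryFrameForFocusNode(&frame);
  return !ok && frame == nullptr;     // caret move refused, no crash
}

// Normal case: a content node with a primary frame is found as before.
bool ModifyWithFocusNodeFindsFrame() {
  Frame textFrame{"text"};
  Node node;
  node.mBoolFlags = kIsContentFlag;
  node.mPrimaryFrame = &textFrame;
  Selection sel;
  sel.mFocusNode = &node;
  Frame* frame = nullptr;
  return sel.GetPrimaryFrameForFocusNode(&frame) && frame == &textFrame;
}
```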
Duplicate of this bug: 1393518
Attachment #8900975 - Flags: review?(bugs) → review+
https://hg.mozilla.org/mozilla-central/rev/f35bce2a5feb
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Group: dom-core-security → core-security-release
https://hg.mozilla.org/integration/mozilla-inbound/rev/1d25638f204d
Group: core-security-release
Flags: in-testsuite? → in-testsuite+
Component: DOM → DOM: Core & HTML