Bug 1393171
Opened 7 years ago
Closed 7 years ago
crash near null in [@ mozilla::dom::Selection::GetPrimaryFrameForFocusNode]
Categories: Core :: DOM: Core & HTML, defect
Tracking: RESOLVED FIXED, target milestone mozilla57

Branch | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox55 | --- | unaffected
firefox56 | --- | unaffected
firefox57 | --- | fixed
People: Reporter tsmith, Assigned m_kato
References: Blocks 1 open bug
Details: Keywords crash, regression, testcase
Attachments: 3 files
==8762==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001e (pc 0x7f5b1c026549 bp 0x7ffc6fbace50 sp 0x7ffc6fbacd60 T0)
==8762==The signal is caused by a READ memory access.
==8762==Hint: address points to the zero page.
#0 0x7f5b1c026548 in GetBoolFlag src/obj-firefox/dist/include/nsINode.h:1617:12
#1 0x7f5b1c026548 in IsContent src/obj-firefox/dist/include/nsINode.h:1625
#2 0x7f5b1c026548 in mozilla::dom::Selection::GetPrimaryFrameForFocusNode(nsIFrame**, int*, bool) src/dom/base/Selection.cpp:1681
#3 0x7f5b204c0fd4 in nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle) src/layout/generic/nsFrameSelection.cpp:863:17
#4 0x7f5b1c03714b in mozilla::dom::Selection::Modify(nsAString const&, nsAString const&, nsAString const&, mozilla::ErrorResult&) src/dom/base/Selection.cpp:4006:24
#5 0x7f5b1ce7fe3c in mozilla::dom::SelectionBinding::modify(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Selection*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/SelectionBinding.cpp:916:9
#6 0x7f5b1dc22830 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3053:13
#7 0x7f5b2424efe4 in CallJSNative src/js/src/jscntxtinlines.h:293:15
#8 0x7f5b2424efe4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:469
#9 0x7f5b24238a88 in CallFromStack src/js/src/vm/Interpreter.cpp:520:12
#10 0x7f5b24238a88 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3065
#11 0x7f5b242201bb in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:409:12
#12 0x7f5b2424f17c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:487:15
#13 0x7f5b2424fad2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:533:10
#14 0x7f5b24c977db in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2951:12
#15 0x7f5b1d670de5 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
#16 0x7f5b1e01f285 in Call<nsISupports *> src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
#17 0x7f5b1e01f285 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) src/dom/events/JSEventHandler.cpp:215
#18 0x7f5b1dfe94b9 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1112:51
#19 0x7f5b1dfeb580 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1283:20
#20 0x7f5b1dfcb031 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:462:16
#21 0x7f5b1dfce502 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:822:9
#22 0x7f5b202bc7ce in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1081:7
#23 0x7f5b23239fd1 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7719:21
#24 0x7f5b23235ff4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:7517:7
#25 0x7f5b2323d99f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:7414:13
#26 0x7f5b1affb042 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1320:3
#27 0x7f5b1affa09c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:861:14
#28 0x7f5b1aff7056 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:750:9
#29 0x7f5b1aff8e95 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:632:5
#30 0x7f5b1aff9afc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:488:14
#31 0x7f5b197fe19b in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:632:28
#32 0x7f5b1c1ae73b in nsDocument::DoUnblockOnload() src/dom/base/nsDocument.cpp:9162:18
#33 0x7f5b1c1ae2d1 in nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:9084:9
#34 0x7f5b1f5641ff in nsBindingManager::DoProcessAttachedQueue() src/dom/xbl/nsBindingManager.cpp:417:10
#35 0x7f5b1f5c4df2 in applyImpl<nsBindingManager, void (nsBindingManager::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
#36 0x7f5b1f5c4df2 in apply<nsBindingManager, void (nsBindingManager::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1148
#37 0x7f5b1f5c4df2 in mozilla::detail::RunnableMethodImpl<nsBindingManager*, void (nsBindingManager::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1192
#38 0x7f5b1965fcbd in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1040:14
#39 0x7f5b19665048 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:521:10
#40 0x7f5b1a3f5f51 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#41 0x7f5b1a35734b in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
#42 0x7f5b1a35734b in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
#43 0x7f5b1a35734b in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
#44 0x7f5b1fa777ef in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
#45 0x7f5b23b7f161 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288:30
#46 0x7f5b23d60784 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4646:22
#47 0x7f5b23d62388 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4810:8
#48 0x7f5b23d637bb in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4905:21
#49 0x4eb643 in do_main src/browser/app/nsBrowserApp.cpp:236:22
#50 0x4eb643 in main src/browser/app/nsBrowserApp.cpp:309
#51 0x7f5b36eb982f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#52 0x41d198 in _start (/home/user/workspace/browsers/m-c-1503498612-asan-opt/firefox+0x41d198)
Flags: in-testsuite?
Comment 1 (Reporter) • 7 years ago

Comment 2 (Reporter) • 7 years ago
I'm going to mark this as s-s for now because I have a suspicion that this may also show up as a more serious bug.
Group: dom-core-security
Comment 3 • 7 years ago
Tyson's worried there's a UAF in play here, and the null deref is timing dependent but it could be worse.
Need a regression window for this so we can get the right dev involved.
Flags: needinfo?(twsmith)
Keywords: csectype-nullptr → regressionwindow-wanted
Updated (Reporter) • 7 years ago
Flags: needinfo?(twsmith)
Comment 4 • 7 years ago
INFO: Last good revision: 602e1a2a4f88e263b8eed094c49701fb3ff19a8b
INFO: First bad revision: ee7f89afcbff5f4783bbbf5218fd57e3de4383c5
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=602e1a2a4f88e263b8eed094c49701fb3ff19a8b&tochange=ee7f89afcbff5f4783bbbf5218fd57e3de4383c5
Blocks: 1348073
status-firefox55: --- → unaffected
status-firefox56: --- → unaffected
status-firefox-esr52: --- → unaffected
Flags: needinfo?(m_kato)
Keywords: regressionwindow-wanted → regression
Updated (Assignee) • 7 years ago
Assignee: nobody → m_kato
Flags: needinfo?(m_kato)
Comment 5 (Assignee) • 7 years ago
I need to check whether the focus node is nullptr.
Attachment #8900975 - Flags: review?(bugs)
Updated • 7 years ago
Attachment #8900975 - Flags: review?(bugs) → review+
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Updated • 7 years ago
Group: dom-core-security → core-security-release
Comment 8 • 7 years ago
Group: core-security-release
Flags: in-testsuite? → in-testsuite+
Comment 9 (bugherder) • 7 years ago
Updated • 6 years ago
Component: DOM → DOM: Core & HTML