Open Bug 1399739 Opened 3 years ago Updated 2 years ago

crash near null in [@ ResetAutoDirection]

(Core :: DOM: Core & HTML, defect, P3)

Tracking Status
firefox57 --- affected

(Reporter: tsmith, Assigned: smaug)
(Blocks 1 open bug)
(Keywords: crash, csectype-nullptr, testcase)
(3 files)
Attached file test_case.html
This crash can be a bit of a pain to reproduce; it may take 10x tries or more.

Reproduced with m-c 20170913-c15e2f280729

==2052==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f76321b0370 bp 0x7ffcb5f71cd0 sp 0x7ffcb5f71bc0 T0)
==2052==The signal is caused by a READ memory access.
    #0 0x7f76321b036f in nsCheapSet<nsPtrHashKey<mozilla::dom::Element> >::EnumerateEntries(nsCheapSetOperator (*)(nsPtrHashKey<mozilla::dom::Element>*, void*), void*) /src/xpcom/ds/nsCheapSets.h:75:13
    #1 0x7f763214ce7f in ResetAutoDirection /src/dom/base/DirectionalityUtils.cpp:578:15
    #2 0x7f763214ce7f in mozilla::nsTextNodeDirectionalityMap::ResetTextNodeDirection(nsTextNode*, nsTextNode*) /src/dom/base/DirectionalityUtils.cpp:620
    #3 0x7f763252f7e7 in nsTextNode::UnbindFromTree(bool, bool) /src/dom/base/nsTextNode.cpp:155:3
    #4 0x7f763247adeb in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) /src/dom/base/nsINode.cpp:1941:9
    #5 0x7f763219d6d3 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) /src/dom/base/FragmentOrElement.cpp:1369:5
    #6 0x7f76323a1e0a in nsDOMAttributeMap::BlastSubtreeToPieces(nsINode*) /src/dom/base/nsDocument.cpp:7844:12
    #7 0x7f763230a06e in nsIDocument::AdoptNode(nsINode&, mozilla::ErrorResult&) /src/dom/base/nsDocument.cpp:8003:5
    #8 0x7f76323a2070 in nsDocument::AdoptNode(nsIDOMNode*, nsIDOMNode**) /src/dom/base/nsDocument.cpp:7857:34
    #9 0x7f763247817e in AdoptNodeIntoOwnerDoc(nsINode*, nsINode*) /src/dom/base/nsINode.cpp:1532:16
    #10 0x7f763247d54f in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /src/dom/base/nsINode.cpp:2439:14
    #11 0x7f7632b94c51 in InsertBefore /src/dom/base/nsINode.h:1840:12
    #12 0x7f7632b94c51 in AppendChild /src/dom/base/nsINode.h:1844
    #13 0x7f7632b94c51 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/NodeBinding.cpp:885
    #14 0x7f7633ea48a0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3050:13
    #15 0x7f763a4f6e54 in CallJSNative /src/js/src/jscntxtinlines.h:293:15
    #16 0x7f763a4f6e54 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:495
    #17 0x7f763a4f7942 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:559:10
    #18 0x7f763b2010ee in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /src/js/src/proxy/Wrapper.cpp:175:12
    #19 0x7f763b1c3b99 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
    #20 0x7f763b1e1143 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /src/js/src/proxy/Proxy.cpp:497:21
    #21 0x7f763b1e3b07 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /src/js/src/proxy/Proxy.cpp:757:12
    #22 0x7f763a4f729c in CallJSNative /src/js/src/jscntxtinlines.h:293:15
    #23 0x7f763a4f729c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:477
    #24 0x7f763a4e09ef in CallFromStack /src/js/src/vm/Interpreter.cpp:546:12
    #25 0x7f763a4e09ef in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3084
    #26 0x7f763a4c7f7b in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:435:12
    #27 0x7f763a4f6fec in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:513:15
    #28 0x7f763a72b4ac in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /src/js/src/jit/BaselineIC.cpp:2589:14
    #29 0x7f75e89c5306  (<unknown module>)
Flags: in-testsuite?
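The report above is the kind of ASan SEGV output that gets triaged into a "crash near null" signature (the csectype-nullptr keyword on this bug). As an added example, not part of the bug or of any Mozilla tooling, the script below parses that report, extracts the faulting address and access type, skips the generic xpcom container frame to pick the signature frame (which is why the summary reads [@ ResetAutoDirection] and not the nsCheapSet frame), and labels the crash as near-null or wild. The one-page near-null threshold and the "/src/xpcom/" prefix to skip are assumptions made here; the sample text is the first frames of the report quoted in this bug.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Heuristic used by this example (not an ASan or Bugzilla rule): a faulting
# address below one page is treated as "near null", i.e. NULL plus a small offset.
NEAR_NULL_LIMIT = 0x1000

# Frames in the generic container layer are skipped when choosing the signature
# frame. Assumed path prefix for this tree; adjust for other source layouts.
GENERIC_PATH_PREFIXES = ("/src/xpcom/",)

# First frames of the ASan report from comment 0 of this bug (truncated here).
SAMPLE_REPORT = """\
==2052==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f76321b0370 bp 0x7ffcb5f71cd0 sp 0x7ffcb5f71bc0 T0)
==2052==The signal is caused by a READ memory access.
    #0 0x7f76321b036f in nsCheapSet<nsPtrHashKey<mozilla::dom::Element> >::EnumerateEntries(nsCheapSetOperator (*)(nsPtrHashKey<mozilla::dom::Element>*, void*), void*) /src/xpcom/ds/nsCheapSets.h:75:13
    #1 0x7f763214ce7f in ResetAutoDirection /src/dom/base/DirectionalityUtils.cpp:578:15
    #2 0x7f763214ce7f in mozilla::nsTextNodeDirectionalityMap::ResetTextNodeDirection(nsTextNode*, nsTextNode*) /src/dom/base/DirectionalityUtils.cpp:620
    #3 0x7f763252f7e7 in nsTextNode::UnbindFromTree(bool, bool) /src/dom/base/nsTextNode.cpp:155:3
    #29 0x7f75e89c5306  (<unknown module>)
"""

HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>\S+) on unknown address "
    r"0x(?P<addr>[0-9a-fA-F]+)"
)
ACCESS_RE = re.compile(r"The signal is caused by a (?P<access>READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<rest>.+)$")
LOC_RE = re.compile(r"^(?P<path>.+?):(?P<line>\d+)(?::(?P<col>\d+))?$")


@dataclass
class Frame:
    index: int
    function: str  # symbol as printed by ASan, parameter list included
    path: str
    line: int

    @property
    def name(self) -> str:
        # Drop the parameter list; template arguments in <...> are kept.
        return self.function.split("(", 1)[0]


def parse_frames(text: str) -> List[Frame]:
    """Collect symbolised frames; entries like '(<unknown module>)' are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        # The location is the last whitespace-separated token; the symbol may contain spaces.
        func, loc = m["rest"].rsplit(" ", 1)
        lm = LOC_RE.match(loc)
        if lm:
            frames.append(Frame(int(m["n"]), func, lm["path"], int(lm["line"])))
    return frames


def signature_frame(frames: List[Frame]) -> Optional[Frame]:
    """First frame outside the generic container layer, else the faulting frame."""
    for f in frames:
        if not f.path.startswith(GENERIC_PATH_PREFIXES):
            return f
    return frames[0] if frames else None


def triage(text: str) -> dict:
    pid = kind = address = access = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pid, kind, address = int(m["pid"]), m["kind"], int(m["addr"], 16)
        m = ACCESS_RE.search(line)
        if m:
            access = m["access"]
    frames = parse_frames(text)
    sig = signature_frame(frames)
    near_null = kind == "SEGV" and address is not None and address < NEAR_NULL_LIMIT
    acc = (access or "access").lower()
    if kind != "SEGV":
        hint = "not a SEGV report; triage by the ASan error kind instead"
    elif near_null:
        hint = (f"near-null {acc} at 0x{address:x}: most likely a null-pointer dereference, "
                "so the expected outcome is a crash (DoS); confirm the base pointer and "
                "offset are not attacker-influenced before rating it low severity")
    else:
        hint = f"wild {acc} at 0x{address:x}: treat as memory corruption until shown otherwise"
    return {
        "pid": pid,
        "kind": kind,
        "address": address,
        "access": access,
        "near_null": near_null,
        "faulting_frame": frames[0].name if frames else None,
        "signature": sig.name if sig else None,
        "frames": [f.name for f in frames],
        "hint": hint,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The signature choice is deliberately a heuristic: the faulting instruction is inside nsCheapSet::EnumerateEntries, but that frame says nothing about which caller handed it a null set, so the first non-generic frame (ResetAutoDirection) is the one worth tracking the bug under, exactly as the summary does.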
smaug, you recently changed something near mozilla::nsTextNodeDirectionalityMap::ResetTextNodeDirection .. any thoughts?
Flags: needinfo?(bugs)
Assignee: nobody → bugs
Priority: -- → P1
This is super hard to reproduce.
I got the stack once yesterday, but unfortunately closed the debug session.
Today, even after hundreds of reloads, I haven't managed to reproduce it.
Tyson, any chance you could try to come up with an easier-to-reproduce testcase?
The key here is to move elements from one document to another and to have RTL text somewhere there.

I keep going through the code. I do have a hunch what could cause this.
Flags: needinfo?(bugs) → needinfo?(twsmith)
Hmm, maybe I have a patch, but no way to verify it fixes this.
Attached file launcher.html
Try using this along with test_case.html. I will also include a prefs file. It will just keep opening the test case. I could repro in under 10 seconds with this using an m-c ASan opt build.
Flags: needinfo?(twsmith)
Attached file prefs.js
( I still haven't managed to see the crash again. )
Even with the prefs.js I can't reproduce in debug build.
(running the test files from file:/// since the prefs.js seems to somehow break network connections because of proxy stuff)
(I do have the basic idea how this could happen, but I'm missing some step in my head ;) )
This bug was both found and reproduced while the browser process automation was handled by ffpuppet[1] so let's try that.

My local STR are:
0) grab a build from TC[2]
1) collect attachments (prefs.js, launcher.html and test_case.html) and make sure launcher.html and test_case.html are side by side.
2) run: python -m ffpuppet <firefox_bin> -p <prefs.js file> -d -l <where to save logs> -u launcher.html

Priority: P1 → P3
Component: DOM → DOM: Core & HTML