Closed
Bug 1399739
Opened 8 years ago
Closed 4 years ago
crash near null in [@ ResetAutoDirection]
Categories: Core :: DOM: Core & HTML, defect, P3
Status: RESOLVED WORKSFORME

| | Tracking | Status |
|---|---|---|
| firefox57 | --- | affected |
People
(Reporter: tsmith, Assigned: smaug)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-nullptr, testcase)
Attachments
(3 files)
This crash can be a bit of a pain to reproduce, it may take 10x tries or more.
Reproduced with m-c 20170913-c15e2f280729
==2052==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f76321b0370 bp 0x7ffcb5f71cd0 sp 0x7ffcb5f71bc0 T0)
==2052==The signal is caused by a READ memory access.
#0 0x7f76321b036f in nsCheapSet<nsPtrHashKey<mozilla::dom::Element> >::EnumerateEntries(nsCheapSetOperator (*)(nsPtrHashKey<mozilla::dom::Element>*, void*), void*) /src/xpcom/ds/nsCheapSets.h:75:13
#1 0x7f763214ce7f in ResetAutoDirection /src/dom/base/DirectionalityUtils.cpp:578:15
#2 0x7f763214ce7f in mozilla::nsTextNodeDirectionalityMap::ResetTextNodeDirection(nsTextNode*, nsTextNode*) /src/dom/base/DirectionalityUtils.cpp:620
#3 0x7f763252f7e7 in nsTextNode::UnbindFromTree(bool, bool) /src/dom/base/nsTextNode.cpp:155:3
#4 0x7f763247adeb in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) /src/dom/base/nsINode.cpp:1941:9
#5 0x7f763219d6d3 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) /src/dom/base/FragmentOrElement.cpp:1369:5
#6 0x7f76323a1e0a in nsDOMAttributeMap::BlastSubtreeToPieces(nsINode*) /src/dom/base/nsDocument.cpp:7844:12
#7 0x7f763230a06e in nsIDocument::AdoptNode(nsINode&, mozilla::ErrorResult&) /src/dom/base/nsDocument.cpp:8003:5
#8 0x7f76323a2070 in nsDocument::AdoptNode(nsIDOMNode*, nsIDOMNode**) /src/dom/base/nsDocument.cpp:7857:34
#9 0x7f763247817e in AdoptNodeIntoOwnerDoc(nsINode*, nsINode*) /src/dom/base/nsINode.cpp:1532:16
#10 0x7f763247d54f in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /src/dom/base/nsINode.cpp:2439:14
#11 0x7f7632b94c51 in InsertBefore /src/dom/base/nsINode.h:1840:12
#12 0x7f7632b94c51 in AppendChild /src/dom/base/nsINode.h:1844
#13 0x7f7632b94c51 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/NodeBinding.cpp:885
#14 0x7f7633ea48a0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3050:13
#15 0x7f763a4f6e54 in CallJSNative /src/js/src/jscntxtinlines.h:293:15
#16 0x7f763a4f6e54 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:495
#17 0x7f763a4f7942 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:559:10
#18 0x7f763b2010ee in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /src/js/src/proxy/Wrapper.cpp:175:12
#19 0x7f763b1c3b99 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
#20 0x7f763b1e1143 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /src/js/src/proxy/Proxy.cpp:497:21
#21 0x7f763b1e3b07 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /src/js/src/proxy/Proxy.cpp:757:12
#22 0x7f763a4f729c in CallJSNative /src/js/src/jscntxtinlines.h:293:15
#23 0x7f763a4f729c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:477
#24 0x7f763a4e09ef in CallFromStack /src/js/src/vm/Interpreter.cpp:546:12
#25 0x7f763a4e09ef in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3084
#26 0x7f763a4c7f7b in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:435:12
#27 0x7f763a4f6fec in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:513:15
#28 0x7f763a72b4ac in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /src/js/src/jit/BaselineIC.cpp:2589:14
#29 0x7f75e89c5306 (<unknown module>)
Flags: in-testsuite?
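Triaging a report like the one above by hand is error-prone once a fuzzer files dozens of them. The Python script below is an added example for this page, not part of the reporter's tooling (ffpuppet or anything else referenced here): it parses the ASan SEGV header and frame lines, flags the fault as a near-null read (the csectype-nullptr keyword on this bug), derives the `[@ frame]` signature style used in the bug title, and spots inlined frames that share one pc (frames #1 and #2 above). The embedded sample is a cut-down copy of the report in the description; the 4 KiB zero-page threshold and the skip-prefix convention for container helpers such as nsCheapSet are assumptions of the example.

```python
# Added example: triage helper for AddressSanitizer SEGV reports.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a cut-down copy of the report pasted in the description.
SAMPLE_REPORT = """\
==2052==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f76321b0370 bp 0x7ffcb5f71cd0 sp 0x7ffcb5f71bc0 T0)
==2052==The signal is caused by a READ memory access.
    #0 0x7f76321b036f in nsCheapSet<nsPtrHashKey<mozilla::dom::Element> >::EnumerateEntries(nsCheapSetOperator (*)(nsPtrHashKey<mozilla::dom::Element>*, void*), void*) /src/xpcom/ds/nsCheapSets.h:75:13
    #1 0x7f763214ce7f in ResetAutoDirection /src/dom/base/DirectionalityUtils.cpp:578:15
    #2 0x7f763214ce7f in mozilla::nsTextNodeDirectionalityMap::ResetTextNodeDirection(nsTextNode*, nsTextNode*) /src/dom/base/DirectionalityUtils.cpp:620
    #3 0x7f763252f7e7 in nsTextNode::UnbindFromTree(bool, bool) /src/dom/base/nsTextNode.cpp:155:3
    #29 0x7f75e89c5306 (<unknown module>)
"""

# Assumption: anything below one 4 KiB page is a null-plus-offset access
# (the same cut-off ASan uses for its "address points to the zero page" hint).
ZERO_PAGE = 0x1000

HEADER_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: SEGV on unknown address 0x([0-9a-fA-F]+) "
    r"\(pc 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"==\d+==The signal is caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x([0-9a-fA-F]+)\s+(.*?)\s*$")
LOCATION_RE = re.compile(r"^\S+:\d+(?::\d+)?$")  # file:line or file:line:col


@dataclass
class Frame:
    index: int
    pc: int
    symbol: str
    location: Optional[str]

    def short_name(self) -> str:
        """'ns::Foo<T>::bar(int)' -> 'ns::Foo::bar' (template args and params dropped)."""
        kept, depth = [], 0
        for ch in self.symbol:
            if ch == "<":
                depth += 1
            elif ch == ">":
                depth -= 1
            elif depth == 0:
                kept.append(ch)
        name = "".join(kept).split("(", 1)[0].strip()
        return name or self.symbol  # "(<unknown module>)" has no function name


@dataclass
class SegvReport:
    fault_address: int
    pc: int
    access: Optional[str]
    frames: List[Frame]

    def near_null(self) -> bool:
        return self.fault_address < ZERO_PAGE

    def kind(self) -> str:
        where = "near-null" if self.near_null() else "wild"
        return f"{where} {(self.access or 'unknown').lower()} access"

    def signature(self, skip_prefixes: Tuple[str, ...] = ()) -> str:
        """Bugzilla-style '[@ frame]' from the first frame not hidden by a skip prefix;
        skipping generic container helpers names the caller that owns the bug."""
        for fr in self.frames:
            name = fr.short_name()
            if not any(name.startswith(p) for p in skip_prefixes):
                return f"[@ {name}]"
        return "[@ ?]"

    def inlined_pairs(self) -> List[Tuple[str, str]]:
        """Consecutive frames sharing one pc are inlined (callee, caller) pairs."""
        return [(callee.short_name(), caller.short_name())
                for callee, caller in zip(self.frames, self.frames[1:])
                if callee.pc == caller.pc]


def parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    rest = m.group(3)
    if rest.startswith("in "):
        rest = rest[3:]
    symbol, location = rest, None
    head, sep, tail = rest.rpartition(" ")  # trailing token is the source location, if any
    if sep and LOCATION_RE.match(tail):
        symbol, location = head, tail
    return Frame(int(m.group(1)), int(m.group(2), 16), symbol, location)


def parse_report(text: str) -> SegvReport:
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("not an ASan SEGV report")
    access = ACCESS_RE.search(text)
    frames = [f for f in map(parse_frame, text.splitlines()) if f is not None]
    return SegvReport(int(header.group(1), 16), int(header.group(2), 16),
                      access.group(1) if access else None, frames)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(report.kind(), "at", hex(report.fault_address))
    print("signature:", report.signature(skip_prefixes=("nsCheapSet::",)))
    print("inlined:", report.inlined_pairs())
```

The fault address 0x10 is what makes this a "crash near null": a small constant offset from a null pointer, which is why the bug carries csectype-nullptr rather than a write or use-after-free class. The signature with the nsCheapSet:: helper skipped is the `[@ ResetAutoDirection]` in the title; the shared pc of frames #1 and #2 shows that ResetAutoDirection was inlined into ResetTextNodeDirection, so a breakpoint on the former will not be hit in an opt build.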
Comment 1 • 8 years ago
smaug, you recently changed something near mozilla::nsTextNodeDirectionalityMap::ResetTextNodeDirection... any thoughts?
Flags: needinfo?(bugs)
Updated • 8 years ago
Assignee: nobody → bugs
Priority: -- → P1
Comment 2 (Assignee) • 8 years ago
This is super hard to reproduce.
I got the stack once yesterday, but unfortunately closed the debug session.
Today even after hundreds of reloads, haven't managed to reproduce.
Tyson, any chance you could try to come up with an easier-to-reproduce testcase?
The key here is to move elements from one document to another and having RTL text somewhere there.
I keep going through the code. I do have a hunch what could cause this.
Flags: needinfo?(bugs) → needinfo?(twsmith)
Comment 3 (Assignee) • 8 years ago
Hmm, maybe I have a patch, but no way to verify it fixes this.
Comment 4 (Reporter) • 8 years ago
Try using this along with test_case.html. I will also include a prefs file. It will just keep opening the test case. I could repro in under 10 seconds with this using an m-c ASan opt build.
Flags: needinfo?(twsmith)
Comment 5 (Reporter) • 8 years ago
Comment 6 (Assignee) • 8 years ago
( I still haven't managed to see the crash again. )
Comment 7 (Assignee) • 8 years ago
Even with the prefs.js I can't reproduce in debug build.
(running the test files from file:/// since the prefs.js seems to somehow break network connections because of proxy stuff)
Comment 8 (Assignee) • 8 years ago
(I do have the basic idea of how this could happen, but I'm missing some step in my head ;) )
Comment 9 (Reporter) • 8 years ago
This bug was both found and reproduced while the browser process automation was handled by ffpuppet[1], so let's try that.
My local STR are:
0) grab a build from TC[2]
1) collect attachments (prefs.js, launcher.html and test_case.html) and make sure launcher.html and test_case.html are side by side.
2) run: python -m ffpuppet <firefox_bin> -p <prefs.js file> -d -l <where to save logs> -u launcher.html
[1] https://github.com/MozillaSecurity/ffpuppet
[2] https://tools.taskcluster.net/index/artifacts/gecko.v2.mozilla-central.latest.firefox/linux64-asan-opt
Updated • 8 years ago
Priority: P1 → P3
Updated • 6 years ago
Component: DOM → DOM: Core & HTML
Comment 10 • 4 years ago
Hi Tyson,
Could you please check if this is still reproducible and update the flags if so or close this bug otherwise? Thanks!
Flags: needinfo?(twsmith)
Comment 11 (Reporter) • 4 years ago
I am unable to reproduce this with the attached test case.
This was last reported by fuzzers running m-c 20191003-4a20e73bd624.
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(twsmith)
Resolution: --- → WORKSFORME