Closed Bug 1406109 Opened 8 years ago Closed 8 years ago

stylo: Assertion failure: !IsDOMException() (Don't overwrite DOM exceptions) in [@ nsINode::ParseSelectorList]

Categories: Core :: DOM: Core & HTML, defect, P2
Tracking: RESOLVED FIXED, mozilla58
Tracking Status:
firefox-esr52 --- unaffected
firefox56 --- unaffected
firefox57 --- unaffected
firefox58 --- fixed
People: Reporter: tsmith, Assigned: heycam
References: Blocks 1 open bug
Details: Keywords: assertion, testcase
Attachments: 2 files

Attached file test_case.html
Assertion failure: !IsDOMException() (Don't overwrite DOM exceptions), at /src/obj-firefox/dist/include/mozilla/ErrorResult.h:455
#0 mozilla::binding_danger::TErrorResult<mozilla::binding_danger::AssertAndSuppressCleanupPolicy>::AssignErrorCode(nsresult) /src/obj-firefox/dist/include/mozilla/ErrorResult.h:453:5
#1 nsINode::ParseSelectorList(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /src/dom/base/nsINode.cpp:2747:7
#2 mozilla::dom::Element::Closest(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /src/dom/base/Element.cpp:3473:37
#3 mozilla::dom::ElementBinding::closest(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/ElementBinding.cpp:1281:59
#4 mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3053:13
#5 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /src/js/src/jscntxtinlines.h:293:15
#6 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:495:16
#7 InternalCall(JSContext*, js::AnyInvokeArgs const&) /src/js/src/vm/Interpreter.cpp:540:12
#8 Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3085:18
#9 js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:435:12
#10 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:513:15
#11 InternalCall(JSContext*, js::AnyInvokeArgs const&) /src/js/src/vm/Interpreter.cpp:540:12
#12 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:559:10
#13 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2975:12
#14 mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
#15 void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) /src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
#16 mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /src/dom/events/JSEventHandler.cpp:215:12
#17 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1112:51
#18 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /src/dom/events/EventListenerManager.cpp:1283:20
#19 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:313:17
#20 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:462:16
#21 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:822:9
#22 nsDocumentViewer::LoadComplete(nsresult) /src/layout/base/nsDocumentViewer.cpp:1081:7
#23 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /src/docshell/base/nsDocShell.cpp:7760:21
#24 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /src/docshell/base/nsDocShell.cpp:7558:7
#25 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /src/docshell/base/nsDocShell.cpp:7455:13
#26 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /src/uriloader/base/nsDocLoader.cpp:1320:3
#27 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /src/uriloader/base/nsDocLoader.cpp:861:14
#28 nsDocLoader::DocLoaderIsEmpty(bool) /src/uriloader/base/nsDocLoader.cpp:750:9
#29 nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /src/uriloader/base/nsDocLoader.cpp:632:5
#30 non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /src/uriloader/base/nsDocLoader.cpp:488:14
#31 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /src/netwerk/base/nsLoadGroup.cpp:629:28
#32 nsDocument::DoUnblockOnload() /src/dom/base/nsDocument.cpp:9354:18
#33 nsDocument::UnblockOnload(bool) /src/dom/base/nsDocument.cpp:9276:9
#34 nsDocument::DispatchContentLoadedEvents() /src/dom/base/nsDocument.cpp:5627:3
#35 mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /src/obj-firefox/dist/include/nsThreadUtils.h:1192:13
#36 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1039:14
#37 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:524:10
#38 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
#39 MessageLoop::RunInternal() /src/ipc/chromium/src/base/message_loop.cc:326:10
#40 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299:3
#41 nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:158:27
#42 nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30
#43 XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4694:22
#44 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4858:8
#45 XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4953:21
#46 do_main(int, char**, char**) /src/browser/app/nsBrowserApp.cpp:231:22
#47 main /src/browser/app/nsBrowserApp.cpp:304:16
#48 __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#49 _start (firefox+0x41eae4)
Flags: in-testsuite?
Only reproduces with Stylo enabled.
INFO: Last good revision: 00f3a339b1976a9942a7ef04c9ac6a9d4204aee8
INFO: First bad revision: c2c0d2ea67d187709e26e629d8b7d0b0045416b4
INFO: Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=00f3a339b1976a9942a7ef04c9ac6a9d4204aee8&tochange=c2c0d2ea67d187709e26e629d8b7d0b0045416b4
Blocks: 1404897
Has Regression Range: --- → yes
Flags: needinfo?(emilio)
Priority: -- → P2
Summary: Assertion failure: !IsDOMException() (Don't overwrite DOM exceptions) in [@ nsINode::ParseSelectorList] → stylo: Assertion failure: !IsDOMException() (Don't overwrite DOM exceptions) in [@ nsINode::ParseSelectorList]
Taking, I think we just need to return early if parsing failed.
Assignee: nobody → cam
Status: NEW → ASSIGNED
Flags: needinfo?(emilio)
In particular, if you do a cache lookup, and get a hit, but *list is false, then you need to return null immediately after throwing on aRv, in both nsINode::ParseServoSelectorList and nsINode::ParseSelectorList.
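The comment above describes the shape of the defect: a cache hit whose stored list is null, a throw on aRv, and then a fall-through into a second throw. What follows is an added, constructed C++ model of that pattern; it is not Gecko code and not the patch from this bug. The SelectorCache, DoParse and the returnEarly switch are hypothetical stand-ins, and this ErrorResult merely records the overwrite that the real one reports as the "Don't overwrite DOM exceptions" assertion.

```cpp
// Constructed model of the fall-through this bug describes; it is not Gecko
// code. ErrorResult here only records the overwrite that the real one asserts on.
#include <cctype>
#include <map>
#include <memory>
#include <string>
struct SelectorList { std::string text; };
// A nullptr cache entry records a selector that already failed to parse,
// so a later lookup of it is a hit with *list == null.
using SelectorCache = std::map<std::string, std::shared_ptr<SelectorList>>;
struct ErrorResult {
  bool hasDOMException = false, overwroteDOMException = false;
  void ThrowSyntaxError() {
    if (hasDOMException) overwroteDOMException = true;  // "Don't overwrite"
    hasDOMException = true;
  }
};
// Hypothetical parser stand-in: a selector must start with a letter, so the
// crashtest's selector "1" fails to parse.
static std::shared_ptr<SelectorList> DoParse(const std::string& sel) {
  if (sel.empty() || !std::isalpha(static_cast<unsigned char>(sel[0])))
    return nullptr;
  return std::make_shared<SelectorList>(SelectorList{sel});
}
// returnEarly=false is the buggy shape (throw on a cached failure, then fall
// through and throw again); returnEarly=true is this bug's fix.
std::shared_ptr<SelectorList> ParseSelectorList(SelectorCache& cache,
    const std::string& sel, ErrorResult& aRv, bool returnEarly) {
  auto it = cache.find(sel);
  if (it != cache.end()) {
    if (it->second) return it->second;
    aRv.ThrowSyntaxError();
    if (returnEarly) return nullptr;  // the missing early return
  }
  auto list = DoParse(sel);
  if (!list) aRv.ThrowSyntaxError();  // second throw overwrites the first
  cache[sel] = list;
  return list;
}

// Mirrors the crashtest: matches("1") twice, so the second call hits the
// cached failure. Returns true if that call overwrote a DOM exception.
bool OverwritesOnSecondCall(bool returnEarly) {
  SelectorCache cache;
  ErrorResult first, second;
  ParseSelectorList(cache, "1", first, returnEarly);
  ParseSelectorList(cache, "1", second, returnEarly);
  return second.overwroteDOMException;
}
```

The first call only fills the cache with the failed entry; it is the second call, the cache hit, that distinguishes the two shapes.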
Comment on attachment 8915850 [details]
Bug 1406109 - Return early after selector parsing failure in matches().
https://reviewboard.mozilla.org/r/187094/#review192118

::: dom/base/crashtests/1406109-1.html:5
(Diff revision 1)
> +<html>
> +<head>
> +<script>
> +function jsfuzzer() {
> + try { a.webkitMatchesSelector("1"); } catch(e) { }

Please use the unprefixed API here, just to make this more future-proof.
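Review bot: the quoted line 5 of 1406109-1.html shows a single call with the invalid selector "1", but the earlier comment explains that the assertion only fires on a cache hit whose list is null, i.e. on a repeat parse of a selector that already failed; please confirm the rest of the crashtest invokes the same invalid selector at least twice (for example by calling jsfuzzer() more than once), otherwise the test will not exercise the early-return path the patch adds.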
Comment on attachment 8915850 [details]
Bug 1406109 - Return early after selector parsing failure in matches().
https://reviewboard.mozilla.org/r/187094/#review192136

Gah, nice catch. r=me, with Boris' comments addressed.
Attachment #8915850 - Flags: review?(emilio) → review+
Well, I should've caught it in review. :-)
Pushed by cmccormack@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e42d927d6bb2
Return early after selector parsing failure in matches(). r=emilio
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Component: DOM → DOM: Core & HTML