Closed
Bug 1428062
Opened 7 years ago
Closed 4 years ago
Near null crash [@ GetPreviousSibling]
Categories: Core :: DOM: Core & HTML, defect, P2
Status: RESOLVED WORKSFORME
Tracking:

Tracking | Status
---|---
firefox59 | affected
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [bugmon:confirmed])
Attachments
(1 file)
881 bytes, text/html
Testcase found while fuzzing mozilla-central rev f78a83244fbe.
==5814==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7fca2177a081 bp 0x7fff920c5280 sp 0x7fff920c4ec0 T0)
==5814==The signal is caused by a READ memory access.
==5814==Hint: address points to the zero page.
#0 0x7fca2177a080 in GetPreviousSibling /builds/worker/workspace/build/src/dom/base/nsINode.h:1430:51
#1 0x7fca2177a080 in nsINode::CompareDocumentPosition(nsINode&) const /builds/worker/workspace/build/src/dom/base/nsINode.cpp:914
#2 0x7fca21268ed1 in nsContentUtils::PositionIsBefore(nsINode*, nsINode*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:2785:19
#3 0x7fca21555b09 in mozilla::dom::ShadowRoot::InsertSheet(mozilla::StyleSheet*, nsIContent*) /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:256:9
#4 0x7fca25bb5f7c in mozilla::css::Loader::LoadInlineStyle(nsIContent*, nsTSubstring<char16_t> const&, nsIPrincipal*, unsigned int, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::net::ReferrerPolicy, mozilla::dom::Element*, nsICSSLoaderObserver*, bool*, bool*) /builds/worker/workspace/build/src/layout/style/Loader.cpp:1945:23
#5 0x7fca218469ab in nsStyleLinkElement::DoUpdateStyleSheet(nsIDocument*, mozilla::dom::ShadowRoot*, nsICSSLoaderObserver*, bool*, bool*, bool) /builds/worker/workspace/build/src/dom/base/nsStyleLinkElement.cpp:551:7
#6 0x7fca21847d95 in nsStyleLinkElement::UpdateStyleSheetInternal(nsIDocument*, mozilla::dom::ShadowRoot*, bool) /builds/worker/workspace/build/src/dom/base/nsStyleLinkElement.cpp:344:10
#7 0x7fca24c5c0df in mozilla::dom::SVGStyleElement::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/svg/SVGStyleElement.cpp:89:3
#8 0x7fca2147370a in mozilla::dom::Element::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2097:14
#9 0x7fca23ee066a in nsGenericHTMLElement::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:538:20
#10 0x7fca2147337f in mozilla::dom::Element::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2087:37
#11 0x7fca23ee066a in nsGenericHTMLElement::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:538:20
#12 0x7fca23ea7b69 in mozilla::dom::HTMLSharedElement::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/html/HTMLSharedElement.cpp:260:25
#13 0x7fca2166b73d in nsDocument::cycleCollection::Unlink(void*) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:2065:14
#14 0x7fca23f4757d in nsHTMLDocument::cycleCollection::Unlink(void*) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:198:1
#15 0x7fca1e2bbda4 in nsCycleCollector::CollectWhite() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3396:26
#16 0x7fca1e2beadd in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3764:24
#17 0x7fca1e2c2720 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4310:21
#18 0x7fca2179627c in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1505:3
#19 0x7fca212c57bb in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1299:3
#20 0x7fca1e457bc1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
#21 0x7fca1febc05d in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1948:12
#22 0x7fca1febc05d in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1267
#23 0x7fca1febc05d in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1234
#24 0x7fca1fec28f4 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:929:12
#25 0x7fca2a198694 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#26 0x7fca2a198694 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
#27 0x7fca2a1836c6 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
#28 0x7fca2a1836c6 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
#29 0x7fca2a16a060 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
#30 0x7fca2a198bcc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
#31 0x7fca2a1996f2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
#32 0x7fca2ac959e1 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2970:12
#33 0x7fca1fdd2bc2 in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:315:18
#34 0x7fca2a198694 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#35 0x7fca2a198694 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
#36 0x7fca2a1836c6 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
#37 0x7fca2a1836c6 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
#38 0x7fca2a16a060 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
#39 0x7fca2a19b631 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:706:15
#40 0x7fca2a19bdcf in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:738:12
#41 0x7fca2acad2f6 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4712:12
#42 0x7fca217ad356 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:266:8
#43 0x7fca255f6ed1 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2310:25
#44 0x7fca255f12c9 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1952:10
#45 0x7fca255d6637 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1650:10
#46 0x7fca255d25c7 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18
#47 0x7fca205918f6 in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:226:18
#48 0x7fca205918f6 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:736
#49 0x7fca2058ad7d in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:540:7
#50 0x7fca20596c7b in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:131:20
#51 0x7fca1e405300 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:395:25
#52 0x7fca1e42bb3d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
#53 0x7fca1e4475f0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:510:10
#54 0x7fca1f2d87ea in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#55 0x7fca1f22c189 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#56 0x7fca1f22c189 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#57 0x7fca1f22c189 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#58 0x7fca2578499a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#59 0x7fca29eaca0b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:875:22
#60 0x7fca1f22c189 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#61 0x7fca1f22c189 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#62 0x7fca1f22c189 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#63 0x7fca29eac3fd in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:701:34
#64 0x4f2dfc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#65 0x4f2dfc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#66 0x7fca3d45282f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
Flags: in-testsuite?
Comment 1•7 years ago
Ben or Jessica, do you think this is ShadowRoot-related?
Flags: needinfo?(jjong)
Flags: needinfo?(btian)
Comment 2•7 years ago
Hmm, looks like it is.
Hi Emilio, is `sheetOwningNode` [1] being null during nsDocument/SVGStyleElement::UnbindFromTree expected?
(Note that the test calls window.location.reload() and it crashes after running a little while)
[1] https://searchfox.org/mozilla-central/rev/03877052c151a8f062eea177f684a2743cd7b1d5/dom/base/ShadowRoot.cpp#255
Flags: needinfo?(jjong) → needinfo?(emilio)
Comment 3•7 years ago
That should never be null, but looks like this runs after cycle collection unlinking... Maybe we should just null-check it with a comment saying that it can run during unlink, I should think about it... That code running after unlink is kinda annoying, because that can itself create more links.
Flags: needinfo?(emilio)
Comment 4•7 years ago
Err, more cycles I mean.
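A simplified model of the null-check Comment 3 proposes, as an added example that is not Gecko's code: `Node`, `Sheet`, `PositionIsBefore` and `InsertSheet` are hypothetical stand-ins for the nsINode / ShadowRoot::InsertSheet path in the stack above, and the scenario in `Demo` is constructed.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical, simplified DOM node with a previous-sibling link (stand-in for Gecko's nsINode).
struct Node { Node* prevSibling = nullptr; };

// Hypothetical style sheet record, keyed by the node that owns it.
struct Sheet { Node* owningNode; int id; };

// True if `a` precedes `b` among its siblings. Reading b->prevSibling with b == nullptr
// is a load from a small fixed offset off address 0: the "near null" SEGV in the report.
static bool PositionIsBefore(const Node* a, const Node* b) {
    for (const Node* n = b->prevSibling; n; n = n->prevSibling) {
        if (n == a) return true;
    }
    return false;
}

// Inserts `sheet` into `sheets` in document order. The early return is the mitigation
// Comment 3 proposes: the owning node can already be gone when this runs during unlink.
static bool InsertSheet(std::vector<Sheet>& sheets, Sheet sheet) {
    if (!sheet.owningNode) {
        // Can run during cycle-collection unlink; nothing to order against, so skip.
        return false;
    }
    size_t pos = 0;
    while (pos < sheets.size() &&
           PositionIsBefore(sheets[pos].owningNode, sheet.owningNode)) {
        ++pos;
    }
    sheets.insert(sheets.begin() + pos, sheet);
    return true;
}

// Constructed scenario: three siblings inserted out of order end up in document order,
// and a sheet whose owning node is null is rejected instead of dereferencing it.
static bool Demo() {
    Node n1, n2, n3;
    n2.prevSibling = &n1;
    n3.prevSibling = &n2;
    std::vector<Sheet> sheets;
    InsertSheet(sheets, {&n3, 3});
    InsertSheet(sheets, {&n1, 1});
    InsertSheet(sheets, {&n2, 2});
    bool ordered = sheets.size() == 3 && sheets[0].id == 1 &&
                   sheets[1].id == 2 && sheets[2].id == 3;
    bool rejected = !InsertSheet(sheets, {nullptr, 4}) && sheets.size() == 3;
    return ordered && rejected;
}
```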
Updated•7 years ago
Flags: needinfo?(btian)
Updated•7 years ago
Priority: -- → P2
Updated•6 years ago
Component: DOM → DOM: Core & HTML
Updated•4 years ago
Attachment #8939864 - Attachment description: trigger.html → testcase
Comment 5•4 years ago
Bugmon Analysis:
Unable to reproduce bug using the following builds:
mozilla-central 20210223085042-916497e295fe
mozilla-central 20200225042307-7d59549f2fda
Whiteboard: [bugmon:confirmed]
Comment 6•4 years ago
This seems to have been fixed somewhere more than a year ago.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME