Closed Bug 1440809 Opened 2 years ago Closed 2 years ago

crash near null in [@ GetBoolFlag | nsINode::SubtreeRoot]

Categories

(Core :: DOM: Events, defect)


Tracking


RESOLVED FIXED
mozilla60
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- unaffected
firefox59 --- unaffected
firefox60 --- fixed

People

(Reporter: tsmith, Assigned: smaug)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Attachments

(3 files, 1 obsolete file)

Attached file testcase.html
==22381==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f4b5c02625d bp 0x7ffdb4dba250 sp 0x7ffdb4dba250 T0)
==22381==The signal is caused by a READ memory access.
==22381==Hint: address points to the zero page.
    #0 0x7f4b5c02625c in GetBoolFlag /src/dom/base/nsINode.h:1704:12
    #1 0x7f4b5c02625c in IsInUncomposedDoc /src/dom/base/nsINode.h:578
    #2 0x7f4b5c02625c in nsINode::SubtreeRoot() const /src/dom/base/nsINode.cpp:295
    #3 0x7f4b5bd898d3 in nsIContent::GetEventTargetParent(mozilla::EventChainPreVisitor&) /src/dom/base/FragmentOrElement.cpp:1139:54
    #4 0x7f4b60112a39 in nsXULElement::GetEventTargetParent(mozilla::EventChainPreVisitor&) /src/dom/xul/nsXULElement.cpp:1374:29
    #5 0x7f4b5e896417 in mozilla::EventTargetChainItem::GetEventTargetParent(mozilla::EventChainPreVisitor&) /src/dom/events/EventDispatcher.cpp:425:22
    #6 0x7f4b5e89a091 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:876:19
    #7 0x7f4b5e89ce1c in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /src/dom/events/EventDispatcher.cpp:994:12
    #8 0x7f4b5bc1d53d in nsGlobalWindowInner::DispatchEvent(nsIDOMEvent*, bool*) /src/dom/base/nsGlobalWindowInner.cpp:4381:17
    #9 0x7f4b5e8baf91 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /src/dom/events/EventTarget.cpp:102:9
    #10 0x7f4b5dc9685b in mozilla::dom::EventTargetBinding::dispatchEvent(JSContext*, JS::Handle<JSObject*>, mozilla::dom::EventTarget*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/EventTargetBinding.cpp:987:21
    #11 0x7f4b5dc93504 in mozilla::dom::EventTargetBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /src/obj-firefox/dom/bindings/EventTargetBinding.cpp:1169:13
    #12 0x7f4b64e9449e in CallJSNative /src/js/src/vm/JSContext-inl.h:290:15
    #13 0x7f4b64e9449e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:468
    #14 0x7f4b64e7be7b in CallFromStack /src/js/src/vm/Interpreter.cpp:523:12
    #15 0x7f4b64e7be7b in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3093
    #16 0x7f4b64e5e9f4 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:418:12
    #17 0x7f4b64e94297 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:490:15
    #18 0x7f4b64e95003 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:536:10
    #19 0x7f4b65a9b51f in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:3031:12
    #20 0x7f4b5db352af in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
    #21 0x7f4b5e8abe33 in HandleEvent<mozilla::dom::EventTarget *> /src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #22 0x7f4b5e8abe33 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1108
    #23 0x7f4b5e8ad56e in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /src/dom/events/EventListenerManager.cpp:1286:20
    #24 0x7f4b5e896dc7 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:527:16
    #25 0x7f4b5e89ab23 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:915:9
    #26 0x7f4b5bb582a9 in nsContentUtils::MaybeFireNodeRemoved(nsINode*, nsINode*, nsIDocument*) /src/dom/base/nsContentUtils.cpp:4904:5
    #27 0x7f4b5c04982b in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /src/dom/base/nsINode.cpp:2114:7
    #28 0x7f4b5c7dfba3 in InsertBefore /src/obj-firefox/dist/include/nsINode.h:1928:12
    #29 0x7f4b5c7dfba3 in AppendChild /src/obj-firefox/dist/include/nsINode.h:1932
    #30 0x7f4b5c7dfba3 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/NodeBinding.cpp:945
    #31 0x7f4b5e3f37e1 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3031:13
    #32 0x7f4b64e9449e in CallJSNative /src/js/src/vm/JSContext-inl.h:290:15
    #33 0x7f4b64e9449e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:468
    #34 0x7f4b64e7be7b in CallFromStack /src/js/src/vm/Interpreter.cpp:523:12
    #35 0x7f4b64e7be7b in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3093
    #36 0x7f4b64e5e9f4 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:418:12
    #37 0x7f4b64e94297 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:490:15
    #38 0x7f4b64e95003 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:536:10
    #39 0x7f4b65a9b51f in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:3031:12
    #40 0x7f4b5db352af in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
    #41 0x7f4b5e8abe33 in HandleEvent<mozilla::dom::EventTarget *> /src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #42 0x7f4b5e8abe33 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1108
    #43 0x7f4b5e8ad56e in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /src/dom/events/EventListenerManager.cpp:1286:20
    #44 0x7f4b5e8970c7 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:559:14
    #45 0x7f4b5e89ab23 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:915:9
    #46 0x7f4b5bb582a9 in nsContentUtils::MaybeFireNodeRemoved(nsINode*, nsINode*, nsIDocument*) /src/dom/base/nsContentUtils.cpp:4904:5
    #47 0x7f4b5c04982b in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /src/dom/base/nsINode.cpp:2114:7
    #48 0x7f4b5c7dfba3 in InsertBefore /src/obj-firefox/dist/include/nsINode.h:1928:12
    #49 0x7f4b5c7dfba3 in AppendChild /src/obj-firefox/dist/include/nsINode.h:1932
    #50 0x7f4b5c7dfba3 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/NodeBinding.cpp:945
    #51 0x7f4b5e3f37e1 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3031:13
    #52 0x7f4b64e9449e in CallJSNative /src/js/src/vm/JSContext-inl.h:290:15
    #53 0x7f4b64e9449e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:468
    #54 0x7f4b64e7be7b in CallFromStack /src/js/src/vm/Interpreter.cpp:523:12
    #55 0x7f4b64e7be7b in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3093
    #56 0x7f4b64e5e9f4 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:418:12
    #57 0x7f4b64e94297 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:490:15
    #58 0x7f4b64e95003 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:536:10
    #59 0x7f4b65a9b51f in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:3031:12
    #60 0x7f4b5db352af in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
    #61 0x7f4b5e8abe33 in HandleEvent<mozilla::dom::EventTarget *> /src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #62 0x7f4b5e8abe33 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1108
    #63 0x7f4b5e8ad56e in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /src/dom/events/EventListenerManager.cpp:1286:20
    #64 0x7f4b5e896dc7 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:527:16
    #65 0x7f4b5e89ab23 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:915:9
    #66 0x7f4b5e89ce1c in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /src/dom/events/EventDispatcher.cpp:994:12
    #67 0x7f4b5c044684 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /src/dom/base/nsINode.cpp:1270:5
    #68 0x7f4b5e8273d3 in mozilla::AsyncEventDispatcher::Run() /src/dom/events/AsyncEventDispatcher.cpp:70:12
    #69 0x7f4b5bb60ccf in nsContentUtils::RemoveScriptBlocker() /src/dom/base/nsContentUtils.cpp:5783:15
    #70 0x7f4b5bf50657 in nsDocument::EndUpdate(unsigned int) /src/dom/base/nsDocument.cpp:5138:3
    #71 0x7f4b5ecbe26c in nsHTMLDocument::EndUpdate(unsigned int) /src/dom/html/nsHTMLDocument.cpp:2271:15
    #72 0x7f4b5bd47c01 in ~mozAutoDocUpdate /src/dom/base/mozAutoDocUpdate.h:40:18
    #73 0x7f4b5bd47c01 in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /src/dom/base/Element.cpp:2635
    #74 0x7f4b5ec75cc8 in SetAttr /src/obj-firefox/dist/include/mozilla/dom/Element.h:890:12
    #75 0x7f4b5ec75cc8 in SetAttr /src/obj-firefox/dist/include/mozilla/dom/Element.h:885
    #76 0x7f4b5ec75cc8 in nsDOMStringMap::NamedSetter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /src/dom/html/nsDOMStringMap.cpp:112
    #77 0x7f4b5d9c98bc in mozilla::dom::DOMStringMapBinding::DOMProxyHandler::setCustom(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, bool*) const /src/obj-firefox/dom/bindings/DOMStringMapBinding.cpp:557:11
    #78 0x7f4b5e3fef39 in mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /src/dom/bindings/DOMJSProxyHandler.cpp:207:8
    #79 0x7f4b65be20bb in setInternal /src/js/src/proxy/Proxy.cpp:403:21
    #80 0x7f4b65be20bb in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /src/js/src/proxy/Proxy.cpp:413
    #81 0x7f4b64eadb64 in SetProperty /src/js/src/vm/NativeObject.h:1645:16
    #82 0x7f4b64eadb64 in SetObjectElementOperation /src/js/src/vm/Interpreter.cpp:1610
    #83 0x7f4b64eadb64 in js::SetObjectElement(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, bool, JS::Handle<JSScript*>, unsigned char*) /src/js/src/vm/Interpreter.cpp:4647
    #84 0x7f4b6510a891 in js::jit::DoSetElemFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICSetElem_Fallback*, JS::Value*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /src/js/src/jit/BaselineIC.cpp:877:14
    #85 0x1064cc67d954  (<unknown module>)
Flags: in-testsuite?
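As an added triage example (not part of this bug, its attachments or the Firefox code), the following Python reads a constructed, abbreviated excerpt of the AddressSanitizer report above and extracts three things a triager wants before reading the whole stack: the fault class (0x1c lies in the zero page, so this is a field read through a null pointer rather than a wild access), a signature-style summary of the innermost frames, and the functions that recur down the stack, which here expose the re-entrant dispatch (a node-removed listener calling appendChild, which fires the event again).

```python
import re

# Constructed, abbreviated excerpt of the AddressSanitizer report from this bug:
# the three header lines plus a handful of the frames, the rest elided.
ASAN_EXCERPT = """\
==22381==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f4b5c02625d bp 0x7ffdb4dba250 sp 0x7ffdb4dba250 T0)
==22381==The signal is caused by a READ memory access.
==22381==Hint: address points to the zero page.
    #0 0x7f4b5c02625c in GetBoolFlag /src/dom/base/nsINode.h:1704:12
    #1 0x7f4b5c02625c in IsInUncomposedDoc /src/dom/base/nsINode.h:578
    #2 0x7f4b5c02625c in nsINode::SubtreeRoot() const /src/dom/base/nsINode.cpp:295
    #3 0x7f4b5bd898d3 in nsIContent::GetEventTargetParent(mozilla::EventChainPreVisitor&) /src/dom/base/FragmentOrElement.cpp:1139:54
    #26 0x7f4b5bb582a9 in nsContentUtils::MaybeFireNodeRemoved(nsINode*, nsINode*, nsIDocument*) /src/dom/base/nsContentUtils.cpp:4904:5
    #27 0x7f4b5c04982b in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /src/dom/base/nsINode.cpp:2114:7
    #46 0x7f4b5bb582a9 in nsContentUtils::MaybeFireNodeRemoved(nsINode*, nsINode*, nsIDocument*) /src/dom/base/nsContentUtils.cpp:4904:5
    #47 0x7f4b5c04982b in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /src/dom/base/nsINode.cpp:2114:7
"""

FAULT_RE = re.compile(r"SEGV on unknown address 0x([0-9a-f]+)")
# Frame line: "#N 0xADDR in <function>(args) <file>"; capture only the function name.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+([^\s(]+)")
PAGE_SIZE = 0x1000  # a fault inside the first page is a null pointer plus a field offset

def classify_fault(report):
    """Return (kind, address): 'near-null' for zero-page faults, 'access' otherwise."""
    m = FAULT_RE.search(report)
    if not m:
        return ("unknown", None)
    addr = int(m.group(1), 16)
    return ("near-null" if addr < PAGE_SIZE else "access", addr)

def frames(report):
    """All (frame_number, function) pairs in stack order, innermost first."""
    return [(int(m.group(1)), m.group(2))
            for m in map(FRAME_RE.match, report.splitlines()) if m]

def crash_signature(report, depth=3):
    """Signature-style summary of the innermost frames, in the '[@ a | b]' form bug titles use."""
    return "[@ " + " | ".join(fn for _, fn in frames(report)[:depth]) + "]"

def recurring_functions(report):
    """Functions that occur more than once: evidence of re-entrant event dispatch."""
    counts = {}
    for _, fn in frames(report):
        counts[fn] = counts.get(fn, 0) + 1
    return sorted(fn for fn, n in counts.items() if n > 1)
```

Calling `classify_fault(ASAN_EXCERPT)` yields the near-null class that the rr session below confirms (`mRawPtr = 0x0`), and `recurring_functions(ASAN_EXCERPT)` lists the MaybeFireNodeRemoved/ReplaceOrInsertBefore pair that repeats through the stack.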
Looks like a regression from bug 1413102.

#1  0x00007f216f04a2b8 in nsIContent::GetEventTargetParent (this=0x7f216730fe50, aVisitor=...) at dom/base/FragmentOrElement.cpp:1106
1106                    this, targetInKnownToBeHandledScope->SubtreeRoot())) {
(rr) p targetInKnownToBeHandledScope
$1 = {
  mRawPtr = 0x0
}
Blocks: 1413102
Component: DOM → DOM: Events
Keywords: regression
OS: Unspecified → All
Hardware: Unspecified → All
Flags: needinfo?(bugs)
Assignee: nobody → bugs
Flags: needinfo?(bugs)
Based on stack trace I assume this is non-e10s. Trying to figure out how to disable e10s.
(In reply to Olli Pettay [:smaug] from comment #2)
> Based on stack trace I assume this is non-e10s. Trying to figure out how to
> disable e10s.

We have been using the following prefs to disable e10s:
browser.tabs.remote.autostart = false
browser.tabs.remote.autostart.1 = false
browser.tabs.remote.autostart.2 = false
This is related to the spec issue https://github.com/whatwg/dom/issues/580
This should actually be ok here, to fix the crash.
The spec is unclear when it comes to window as initial target and such, and we're clearly missing wpt tests, but those should get added once the spec is fixed.
Attachment #8954984 - Flags: review?(masayuki)
Comment on attachment 8954984 [details] [diff] [review]
retargeting_crash_when_crossing_chrome_boundary_non_e10s.diff

Fine, but please add a comment to explain that checking "targetInKnownToBeHandledScope" avoids calling nsContentUtils::ContentIsShadowIncludingDescendantOf() with a window object, because if this is not enough or causes another bug in the future, other developers can check what this check tries to do.
Attachment #8954984 - Flags: review?(masayuki) → review+
Well, the null check there is to prevent the targetInKnownToBeHandledScope->Subtree() call, less so about ContentIsShadowIncludingDescendantOf.
But I'll add a comment.
Attached patch +comment (obsolete) — Splinter Review
Attached patch +comment — Splinter Review
Attachment #8955073 - Attachment is obsolete: true
Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/89c8025537a5
ensure we don't try to treat non-DOM-Node event targets as such, r=masayuki
https://hg.mozilla.org/mozilla-central/rev/89c8025537a5
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60