Closed Bug 1441404 Opened 6 years ago Closed 6 years ago

UBSan: null pointer passed as argument 2, which is declared to never be null [@ nsTextFragment::Append]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla61
Tracking Flags:
Tracking Status
firefox60 --- wontfix
firefox61 --- fixed

People

(Reporter: tsmith, Assigned: smaug)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined)

Attachments

(2 files)

testcase.html
338 bytes, text/html
Details
append_null.diff
683 bytes, patch
baku
: review+
Details | Diff | Splinter Review
Attached file testcase.html 
Found with mozilla-central changeset: 405244:6d72eade26af

src/dom/base/nsTextFragment.cpp:405:35: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
    #0 0x7fb55d674fd1 in nsTextFragment::Append(char16_t const*, unsigned int, bool, bool) src/dom/base/nsTextFragment.cpp:405:5
    #1 0x7fb55d60e89a in nsGenericDOMDataNode::SetTextInternal(unsigned int, unsigned int, char16_t const*, unsigned int, bool, CharacterDataChangeInfo::Details*) src/dom/base/nsGenericDOMDataNode.cpp:329:13
    #2 0x7fb55d60eee8 in nsGenericDOMDataNode::DeleteData(unsigned int, unsigned int) src/dom/base/nsGenericDOMDataNode.cpp:251:10
    #3 0x7fb55db562cf in DeleteData src/dom/base/nsGenericDOMDataNode.h:204:10
    #4 0x7fb55db562cf in mozilla::dom::CharacterDataBinding::deleteData(JSContext*, JS::Handle<JSObject*>, nsGenericDOMDataNode*, JSJitMethodCallArgs const&) src/objdir-ff-ubsan/dom/bindings/CharacterDataBinding.cpp:281
    #5 0x7fb55e06c11b in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3031:13
    #6 0x7fb5630f029c in CallJSNative src/js/src/vm/JSContext-inl.h:290:15
    #7 0x7fb5630f029c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467
    #8 0x7fb5630f09c9 in InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:516:12
    #9 0x7fb5630e9ffe in CallFromStack src/js/src/vm/Interpreter.cpp:522:12
    #10 0x7fb5630e9ffe in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3092
    #11 0x7fb5630d3f76 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
    #12 0x7fb5630f0369 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
    #13 0x7fb5630f09c9 in InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:516:12
    #14 0x7fb5630f0a77 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
    #15 0x7fb5636ff90d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:3028:12
    #16 0x7fb55de28065 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/objdir-ff-ubsan/dom/bindings/EventHandlerBinding.cpp:260:37
    #17 0x7fb55e344c77 in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) src/objdir-ff-ubsan/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #18 0x7fb55e3382df in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) src/dom/events/JSEventHandler.cpp:215:12
    #19 0x7fb55e322c90 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1111:51
    #20 0x7fb55e3237c4 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1286:20
    #21 0x7fb55e31b96f in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:527:16
    #22 0x7fb55e31cec7 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:915:9
    #23 0x7fb55f4bd3d9 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1068:7
    #24 0x7fb562996a3f in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7303:21
    #25 0x7fb56299555d in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:7096:7
    #26 0x7fb5629979ff in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
    #27 0x7fb55cad89a2 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1315:3
    #28 0x7fb55cad8595 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:858:14
    #29 0x7fb55cad745e in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:747:9
    #30 0x7fb55cad7fae in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:632:5
    #31 0x7fb55cad848c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #32 0x7fb55b6274d4 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:629:28
    #33 0x7fb55d5ac7fb in nsDocument::DoUnblockOnload() src/dom/base/nsDocument.cpp:8432:18
    #34 0x7fb55d5a2cdb in nsDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5363:3
    #35 0x7fb55d5ebfa6 in applyImpl<nsDocument, void (nsDocument::*)()> src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1149:12
    #36 0x7fb55d5ebfa6 in apply<nsDocument, void (nsDocument::*)()> src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1155
    #37 0x7fb55d5ebfa6 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1200
    #38 0x7fb55b5074d4 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:413:25
    #39 0x7fb55b5235c2 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1040:14
    #40 0x7fb55b53f330 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:517:10
    #41 0x7fb55bfcc72b in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #42 0x7fb55bef3b19 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319:3
    #43 0x7fb55bef3b19 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #44 0x7fb55f06e996 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #45 0x7fb562eb2694 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:892:22
    #46 0x7fb55bef3b19 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319:3
    #47 0x7fb55bef3b19 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #48 0x7fb562eb22c0 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:718:34
    #49 0x42d23b in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #50 0x42d358 in main src/browser/app/nsBrowserApp.cpp:280:18
    #51 0x7fb581b571c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #52 0x407159 in _start (firefox+0x407159)
Flags: in-testsuite?
Olli, since you touched src/dom/base/nsTextFragment.cpp:405:35 last, maybe you can have a look.
Flags: needinfo?(bugs)
I don't understand what
"src/dom/base/nsTextFragment.cpp:405:35: runtime error: null pointer passed as argument 2, which is declared to never be null"
means. 
Per C standard it isn't error, just undefined.


Looks like we've had the same issue for ages, since bug 330872
http://52.25.115.98/viewvc/main/mozilla/content/base/src/nsTextFragment.cpp?annotate=1.27#l309
Flags: needinfo?(bugs)
Assignee: nobody → bugs
Attached patch append_null.diffSplinter Review 
Appending zero length string isn't exactly useful.
Attachment #8962724 - Flags: review?(amarchesini)
remote: 
remote: Follow the progress of your build on Treeherder:
remote:   https://treeherder.mozilla.org/#/jobs?repo=try&revision=48020ad02e018bb3eb7c0f135986a41c5533f3e3
remote: recorded changegroup in replication log in 0.085s
Attachment #8962724 - Flags: review?(amarchesini) → review+
Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7d9e36d70c3e
return early when appending null string to a text fragment, r=baku
https://hg.mozilla.org/mozilla-central/rev/7d9e36d70c3e
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox61: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: