Closed Bug 1441619 Opened 2 years ago Closed 1 year ago

Crash near null [@ get]

Categories

(Core :: DOM: Editor, defect, P2, critical)

52 Branch
Desktop
All
defect

Tracking


RESOLVED FIXED
mozilla66
Tracking Status
firefox-esr52 --- affected
firefox-esr60 --- unaffected
firefox59 --- unaffected
firefox60 --- unaffected
firefox64 --- unaffected
firefox65 --- unaffected
firefox66 --- unaffected

People

(Reporter: jkratzer, Assigned: m_kato)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [fuzzblocker])

Attachments

(2 files)

Found while fuzzing esr52 rev fe9968b35619.  Currently reducing the testcase and will update shortly.

=================================================================
==24583==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f2526449418 bp 0x7fff83f5f670 sp 0x7fff83f5f670 T0)
    #0 0x7f2526449417 in get /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:283:27
    #1 0x7f2526449417 in operator-> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:320
    #2 0x7f2526449417 in NodeType /home/worker/workspace/build/src/dom/base/nsINode.h:566
    #3 0x7f2526449417 in mozilla::EditorBase::IsTextNode(nsINode*) /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:3654
    #4 0x7f25264be9e9 in mozilla::HTMLEditRules::GetNodesForOperation(nsTArray<RefPtr<nsRange> >&, nsTArray<mozilla::OwningNonNull<nsINode> >&, EditAction, mozilla::HTMLEditRules::TouchContent) /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:5620:12
    #5 0x7f25264b24b9 in GetNodesFromSelection /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:6112:17
    #6 0x7f25264b24b9 in mozilla::HTMLEditRules::WillAlign(mozilla::dom::Selection&, nsAString_internal const&, bool*, bool*) /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:4526
    #7 0x7f252649bc4b in mozilla::HTMLEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::RulesInfo*, bool*, bool*) /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:632:14
    #8 0x7f2526530eca in mozilla::HTMLEditor::Align(nsAString_internal const&) /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:2266:17
    #9 0x7f2526610814 in nsAlignCommand::SetState(nsIEditor*, nsString&) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:962:10
    #10 0x7f252660ab90 in nsMultiStateCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:595:12
    #11 0x7f2527a840c3 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) /home/worker/workspace/build/src/embedding/components/commandhandler/nsControllerCommandTable.cpp:162:10
    #12 0x7f2527a7aeee in DoCommandWithParams /home/worker/workspace/build/src/embedding/components/commandhandler/nsBaseCommandController.cpp:152:10
    #13 0x7f2527a7aeee in non-virtual thunk to nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) /home/worker/workspace/build/src/embedding/components/commandhandler/nsBaseCommandController.cpp:140
    #14 0x7f2527a811ba in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /home/worker/workspace/build/src/embedding/components/commandhandler/nsCommandManager.cpp:212:10
    #15 0x7f2524e1dbc5 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3257:10
    #16 0x7f252429adf4 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:829:15
    #17 0x7f25246376a9 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2904:13
    #18 0x7f252a9c7085 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #19 0x7f252a9c7085 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
    #20 0x7f252a9a748f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
    #21 0x7f252a9a748f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
    #22 0x7f252a98c64d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
    #23 0x7f252a9c9572 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:686:15
    #24 0x7f2529c194d2 in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/builtin/Eval.cpp:327:12
    #25 0x7f2529c1792c in js::IndirectEval(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/builtin/Eval.cpp:420:12
    #26 0x7f24daf4c699  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:283:27 in get
==24583==ABORTING
Attached file trigger.html
Flags: in-testsuite?
Version: 59 Branch → 52 Branch
Priority: -- → P3
Priority: P3 → P2
This issue still occurs in v52.9.0esr using the attached trigger.html file, but it does not occur on any of the newer versions (Latest ESR v60.3.0esr, Firefox Release v63.0.3, Firefox Beta v64.0 or Nightly v66.0a1).

Does this issue still need to be addressed, considering that the official ESR is now v60.3.0esr?
Flags: needinfo?(jkratzer)
Keywords: testcase-wanted
OS: Unspecified → All
Hardware: Unspecified → Desktop
Flags: needinfo?(jkratzer) → needinfo?(m_kato)
(In reply to Bodea Daniel [:danibodea] from comment #2)
> This issue still occurs in v52.9.0esr using the trigger.html attached file,
> but it does not occur on either of the newer versions (Latest ESR
> v60.3.0esr, Firefox Release v63.0.3, Firefox Beta v64.0 or Nightly v66.0a1).
> 
> Does this issue still need to be addressed, considering that the official
> ESR is now v60.3.0esr?

We added a lot of fixes for GetNodesForOperation, so I think that this issue is already fixed.  But we should add a crash test to our tree.
Flags: needinfo?(m_kato)
Assignee: nobody → m_kato
The latest version of Gecko doesn't crash on this HTML, but I would like to add
this for the future.
https://hg.mozilla.org/mozilla-central/rev/87079a2e372b
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66