Closed Bug 1449601 Opened 2 years ago Closed 2 years ago

Crash [@ nsFind::PeekNextChar]

Categories

(Toolkit :: Find Toolbar, defect, critical)

defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla61
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- unaffected
firefox60 --- unaffected
firefox61 --- fixed

People

(Reporter: jkratzer, Assigned: bzbarsky)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker])

Attachments

(2 files)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 5bf126434fac.

==18450==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6efe4c7c8a bp 0x7fff665a0a50 sp 0x7fff665a08e0 T0)
==18450==The signal is caused by a READ memory access.
==18450==Hint: address points to the zero page.
    #0 0x7f6efe4c7c89 in nsFind::PeekNextChar(nsRange*, nsRange*, nsRange*) /builds/worker/workspace/build/src/toolkit/components/find/nsFind.cpp:799:36
    #1 0x7f6efe4ca580 in nsFind::Find(char16_t const*, nsIDOMRange*, nsIDOMRange*, nsIDOMRange*, nsIDOMRange**) /builds/worker/workspace/build/src/toolkit/components/find/nsFind.cpp:1269:24
    #2 0x7f6efe4cec77 in nsWebBrowserFind::SearchInFrame(nsPIDOMWindowOuter*, bool, bool*) /builds/worker/workspace/build/src/toolkit/components/find/nsWebBrowserFind.cpp:745:14
    #3 0x7f6efe4cd9f0 in nsWebBrowserFind::FindNext(bool*) /builds/worker/workspace/build/src/toolkit/components/find/nsWebBrowserFind.cpp:246:10
    #4 0x7f6ef5a67c60 in nsGlobalWindowOuter::FindOuter(nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, bool, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:6461:20
    #5 0x7f6ef76bd43f in mozilla::dom::WindowBinding::find(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:5257:21
    #6 0x7f6ef76abdf2 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:16134:13
    #7 0x7f6efec9da2e in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #8 0x7f6efec9da2e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #9 0x7f6efec86eed in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #10 0x7f6efec86eed in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #11 0x7f6efec68324 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #12 0x7f6efec9d827 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #13 0x7f6efec9e593 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #14 0x7f6eff8fd9fa in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3002:12
    #15 0x7f6ef7aaf86e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #16 0x7f6ef8af6f69 in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #17 0x7f6ef8af6f69 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #18 0x7f6ef8abf97c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1090:51
    #19 0x7f6ef8ac11f5 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1259:20
    #20 0x7f6ef8aaba67 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:527:16
    #21 0x7f6ef8aaf803 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:917:9
    #22 0x7f6efad9a798 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1068:7
    #23 0x7f6efdf1149b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7300:21
    #24 0x7f6efdf0d609 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7093:7
    #25 0x7f6efdf1519f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #26 0x7f6ef49f6577 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1315:3
    #27 0x7f6ef49f55fa in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:858:14
    #28 0x7f6ef49f21d5 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:747:9
    #29 0x7f6ef49f21ee in ChildDoneWithOnload /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.h:204:9
    #30 0x7f6ef49f21ee in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:750
    #31 0x7f6ef49f419c in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:632:5
    #32 0x7f6ef49f51bc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #33 0x7f6ef2d967aa in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #34 0x7f6ef5e35333 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8356:18
    #35 0x7f6ef5e35333 in nsUnblockOnloadEvent::Run() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8307
    #36 0x7f6ef2ba4fd4 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:415:25
    #37 0x7f6ef2bc4738 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #38 0x7f6ef2be0aa0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #39 0x7f6ef3aa8bfa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #40 0x7f6ef39f8b49 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #41 0x7f6ef39f8b49 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #42 0x7f6ef39f8b49 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #43 0x7f6efa6ef65a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #44 0x7f6efe988c9b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #45 0x7f6ef39f8b49 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #46 0x7f6ef39f8b49 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #47 0x7f6ef39f8b49 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #48 0x7f6efe98867a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #49 0x4f6f2c in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #50 0x4f6f2c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #51 0x7f6f12f3482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
Flags: in-testsuite?
Debug builds report the following assertion:

Assertion failure: mRawPtr != nullptr (You can't dereference a NULL nsCOMPtr with operator->().), at /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:808
Hey Boris, do you know who would be able to have a look at this? It is the most frequent crash seen by our DOM fuzzers at the moment.
Flags: needinfo?(bzbarsky)
Whiteboard: [fuzzblocker]
I'm probably as good a person to look at this as anyone, given this is find code.  Especially since I broke it.  ;)

That said, I can only reproduce the assert if I toggle the "security.data_uri.unique_opaque_origin" pref to non-default false.  I assume that's part of the fuzzing profile?  It would be good to mention that, or attach the relevant prefs.js file on fuzzbugs.

Anyway, this is a regression from bug 1447889: mIterNode is null, and we used to just handle that in GetBlockParent by having it return failure, but now we try to AsDOMNode() it and crash.  Fix coming up.
Blocks: 1447889
Flags: needinfo?(bzbarsky)
Keywords: regression
MozReview-Commit-ID: 2buTShJNqFp
Attachment #8965544 - Flags: review?(nika)
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Comment on attachment 8965544 [details] [diff] [review]
Stop dereferencing a null mIterNode in find code

Review of attachment 8965544 [details] [diff] [review]:
-----------------------------------------------------------------

This is a good example of one of the reasons I'm not a huge fan of infallible conversions being methods rather than static functions :-/

Thanks!
Attachment #8965544 - Flags: review?(nika) → review+
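The mechanism bz describes (mIterNode is null; GetBlockParent used to return failure for a null node, and after bug 1447889 it calls AsDOMNode() on it unconditionally) together with nika's remark about infallible conversions being member methods, as an added example that is not Gecko code. The types, names and the GetBlockParent* signatures below are simplified stand-ins chosen for illustration, not the real nsFind/nsINode/nsIDOMNode API, and the pre- and post-fix bodies are reconstructed from the comments above, not copied from the patch.

```cpp
#include <cassert>
#include <cstddef>

// Hypothetical stand-ins for nsIDOMNode / nsINode (assumed, not Gecko's types).
struct DOMNode { int id; };

struct Node {
  int id;
  DOMNode* mDOM;  // the object AsDOMNode() hands back

  // Member-style infallible conversion.  It cannot check its own receiver:
  // called through a null `this` it reads `mDOM` at a small offset from
  // address 0, i.e. the "address points to the zero page" SEGV in the report.
  DOMNode* AsDOMNode() { return mDOM; }
};

// Static-function style, the shape nika's review comment prefers: the null
// check lives in one place and callers get nullptr back instead of a crash.
static DOMNode* ToDOMNode(Node* aNode) {
  return aNode ? aNode->AsDOMNode() : nullptr;
}

enum class Result { Ok, Failure };

// Regressed form (assumed): unconditional conversion.  With a null iteration
// node this is undefined behaviour and, in practice, the crash above.
// Kept only for comparison; never call it with nullptr.
Result GetBlockParentRegressed(Node* aIterNode, DOMNode** aOut) {
  *aOut = aIterNode->AsDOMNode();
  return Result::Ok;
}

// Fixed form (assumed): restore the old contract of failing on a null node
// before any conversion runs, so the caller sees Failure, not a SEGV.
Result GetBlockParentFixed(Node* aIterNode, DOMNode** aOut) {
  *aOut = nullptr;
  if (!aIterNode) {
    return Result::Failure;
  }
  *aOut = aIterNode->AsDOMNode();
  return Result::Ok;
}

// Same fix expressed through the static conversion: the null case is handled
// by the conversion itself rather than by every caller remembering to check.
Result GetBlockParentViaStatic(Node* aIterNode, DOMNode** aOut) {
  *aOut = ToDOMNode(aIterNode);
  return *aOut ? Result::Ok : Result::Failure;
}

int main() {
  DOMNode dom{7};           // constructed sample node
  Node node{7, &dom};
  DOMNode* out = nullptr;

  assert(GetBlockParentFixed(nullptr, &out) == Result::Failure && out == nullptr);
  assert(GetBlockParentFixed(&node, &out) == Result::Ok && out == &dom);
  assert(GetBlockParentViaStatic(nullptr, &out) == Result::Failure);
  assert(GetBlockParentViaStatic(&node, &out) == Result::Ok && out->id == 7);
  return 0;
}
```

The practical check when reviewing a change like bug 1447889 is whether every call site that previously tolerated a null receiver (here, by returning failure) still does after the conversion becomes unconditional; a static conversion that accepts and returns nullptr makes that property hold at one site instead of each caller.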
Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/51b8010d7a28
Stop dereferencing a null mIterNode in find code.  r=mystor
https://hg.mozilla.org/mozilla-central/rev/51b8010d7a28
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Flags: in-testsuite? → in-testsuite+