Closed
Bug 1453196
Opened 5 years ago
Closed 5 years ago
Crash [@ GetBoolFlag]
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
FIXED
mozilla61
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox-esr60 | --- | unaffected |
| firefox59 | --- | unaffected |
| firefox60 | --- | unaffected |
| firefox61 | --- | fixed |
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase)
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev a8061a09cd70.
==20764==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f5765c3c78f bp 0x7ffeff688fd0 sp 0x7ffeff688f80 T0)
==20764==The signal is caused by a READ memory access.
==20764==Hint: address points to the zero page.
#0 0x7f5765c3c78e in GetBoolFlag /builds/worker/workspace/build/src/dom/base/nsINode.h:1625:12
#1 0x7f5765c3c78e in IsInUncomposedDoc /builds/worker/workspace/build/src/dom/base/nsINode.h:630
#2 0x7f5765c3c78e in GetPrimaryFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIContent.h:710
#3 0x7f5765c3c78e in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9146
#4 0x7f5765c508a8 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h
#5 0x7f5765c3d08e in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9194:16
#6 0x7f5765c4e8f8 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h
#7 0x7f5765b9fdda in mozilla::PresShell::ContentRemoved(nsIContent*, nsIContent*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4540:22
#8 0x7f5760dc3df9 in nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:232:3
#9 0x7f5760c80010 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1670:5
#10 0x7f5760ad7b01 in mozilla::dom::FragmentOrElement::RemoveChildAt_Deprecated(unsigned int, bool) /builds/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:1216:5
#11 0x7f5760d61d6a in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1983:18
#12 0x7f5760d5e92c in InsertBefore /builds/worker/workspace/build/src/dom/base/nsINode.h:1821:12
#13 0x7f5760d5e92c in AppendChild /builds/worker/workspace/build/src/dom/base/nsINode.h:1825
#14 0x7f5760d5e92c in ConvertNodesOrStringsIntoNode(mozilla::dom::Sequence<mozilla::dom::OwningNodeOrString> const&, nsIDocument*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1449
#15 0x7f5760d5fa93 in nsINode::Append(mozilla::dom::Sequence<mozilla::dom::OwningNodeOrString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1633:5
#16 0x7f5762a27b5e in mozilla::dom::DocumentBinding::append(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:13290:9
#17 0x7f5763273db1 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3191:13
#18 0x7f5769b899a7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
#19 0x7f5769b899a7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
#20 0x7f5769b74461 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
#21 0x7f5769b74461 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
#22 0x7f5769b5a8aa in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
#23 0x7f5769b89725 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
#24 0x7f5769b8a9a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
#25 0x7f576a6ac07d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3003:12
#26 0x7f57629bd15f in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
#27 0x7f57639a8c51 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#28 0x7f57639a8c51 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1120
#29 0x7f57639aa515 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1292:20
#30 0x7f5763994817 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:527:16
#31 0x7f57639985b7 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:933:9
#32 0x7f576399a8cc in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1012:12
#33 0x7f5760d5d398 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1084:5
#34 0x7f57608a6b24 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool, bool*, bool) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4480:28
#35 0x7f57608a68e4 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4448:10
#36 0x7f5760c8ffa8 in nsIDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5219:3
#37 0x7f5760da7344 in applyImpl<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1164:12
#38 0x7f5760da7344 in apply<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1170
#39 0x7f5760da7344 in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1215
#40 0x7f575da63ba1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#41 0x7f575da834f8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
#42 0x7f575da9f930 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
#43 0x7f575e973fba in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#44 0x7f575e8c3d89 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#45 0x7f575e8c3d89 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#46 0x7f575e8c3d89 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#47 0x7f57655e2bda in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#48 0x7f57698a4f5b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#49 0x7f575e8c3d89 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#50 0x7f575e8c3d89 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#51 0x7f575e8c3d89 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#52 0x7f57698a4922 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#53 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#54 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#55 0x7f577d96a82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291Flags: in-testsuite?
|
Assignee | |
Comment 1•5 years ago
|
||
Looks like there's mathml code assuming it's not the root of the document, lol.
Flags: needinfo?(emilio)
|
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → emilio
Flags: needinfo?(emilio)
| Comment hidden (mozreview-request) |
|
||
Comment 3•5 years ago
|
||
| mozreview-review | ||
Comment on attachment 8968000 [details] Bug 1453196: Fix MathML reframing code when the root is a MathML element. https://reviewboard.mozilla.org/r/236682/#review243490 ::: layout/base/nsCSSFrameConstructor.cpp:9074 (Diff revision 1) > + frame = parent; > + aContent = frame->GetContent(); So this is going to stop at the first scrollframe it reaches, even if that scrollframe is attached to mathml bits, right? So we can in fact get the blowup we're trying to avoid with the "right" frametree. Seems to me like we should walk the DOM tree (possibly composed), not the frame tree.
Attachment #8968000 -
Flags: review?(bzbarsky) → review-
| Comment hidden (mozreview-request) |
|
|
||
Comment 5•5 years ago
|
||
| mozreview-review | ||
Comment on attachment 8968000 [details] Bug 1453196: Fix MathML reframing code when the root is a MathML element. https://reviewboard.mozilla.org/r/236682/#review246552 ::: commit-message-2625c:3 (Diff revision 2) > +Bug 1453196: Fix MathML reframing code when the root is a MathML element. r?bz > + > +I thought of just adding the relevant null-check, but I think walking the frame This commit message no longer matches the code. Please fix.
Attachment #8968000 -
Flags: review?(bzbarsky) → review+
| Comment hidden (mozreview-request) |
Pushed by ecoal95@gmail.com: https://hg.mozilla.org/integration/autoland/rev/3d562de35a8d Fix MathML reframing code when the root is a MathML element. r=bz
|
||
Comment 8•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/3d562de35a8d
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox61:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
|
||
Updated•5 years ago
|
status-firefox59:
--- → unaffected
status-firefox60:
--- → unaffected
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•