Closed Bug 1486488 Opened Last year Closed Last year

AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/base/nsINode.h:1596:12 in GetBoolFlag

Categories

(Core :: SVG, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla63
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox61 --- unaffected
firefox62 --- unaffected
firefox63 --- fixed

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

Attached file testcase.html
Testcase found while fuzzing mozilla-central rev 190b827aaa2b.

==28127==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f7cfbc96659 bp 0x7fff92bc13b0 sp 0x7fff92bc1370 T0)
==28127==The signal is caused by a READ memory access.
==28127==Hint: address points to the zero page.
    #0 0x7f7cfbc96658 in GetBoolFlag /builds/worker/workspace/build/src/dom/base/nsINode.h:1596:12
    #1 0x7f7cfbc96658 in IsInComposedDoc /builds/worker/workspace/build/src/dom/base/nsINode.h:651
    #2 0x7f7cfbc96658 in nsSMILTimeValueSpec::ResolveReferences(nsIContent*) /builds/worker/workspace/build/src/dom/smil/nsSMILTimeValueSpec.cpp:99
    #3 0x7f7cfbca4eb6 in nsSMILTimedElement::BindToTree(nsIContent*) /builds/worker/workspace/build/src/dom/smil/nsSMILTimedElement.cpp:1228:23
    #4 0x7f7cfb558069 in mozilla::dom::SVGAnimationElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/svg/SVGAnimationElement.cpp:188:19
    #5 0x7f7cf6865783 in nsINode::InsertChildBefore(nsIContent*, nsIContent*, bool) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1412:23
    #6 0x7f7cf697f150 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:2503:14
    #7 0x7f7cf74fc77d in ReplaceChild /builds/worker/workspace/build/src/obj-firefox/dist/include/nsINode.h:1803:12
    #8 0x7f7cf74fc77d in mozilla::dom::Node_Binding::replaceChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/NodeBinding.cpp:1016
    #9 0x7f7cf97e3c49 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3296:13
    #10 0x7f7d00ad50eb in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:449:15
    #11 0x7f7d00ad50eb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:537
    #12 0x7f7d00abea33 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:594:12
    #13 0x7f7d00abea33 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3242
    #14 0x7f7d00aa45be in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:429:12
    #15 0x7f7d00ad5bfe in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:561:15
    #16 0x7f7d00ad7992 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:607:10
    #17 0x7f7d0158ccfd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2921:12
    #18 0x7f7cf8de30fa in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
    #19 0x7f7cfa0a6a5e in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #20 0x7f7cfa0a3f27 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214:12
    #21 0x7f7cfa057bc7 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1111:52
    #22 0x7f7cfa059cc7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1342:20
    #23 0x7f7cfa03d789 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #24 0x7f7cfa03d789 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:420
    #25 0x7f7cfa03ba43 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:637:16
    #26 0x7f7cfa04222e in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1112:9
    #27 0x7f7cfcc9942f in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1169:7
    #28 0x7f7cffa0ad9c in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7055:21
    #29 0x7f7cffa05a2a in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6848:7
    #30 0x7f7cffa0f6a7 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #31 0x7f7cf4faa885 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1313:3
    #32 0x7f7cf4fa94ac in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:856:14
    #33 0x7f7cf4fa4fb1 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:745:9
    #34 0x7f7cf4fa7a98 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:631:5
    #35 0x7f7cf4fa8fd4 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #36 0x7f7cf2a83387 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #37 0x7f7cf689dc47 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8295:18
    #38 0x7f7cf689dc47 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8217
    #39 0x7f7cf6877520 in nsIDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5089:3
    #40 0x7f7cf69de5eb in applyImpl<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1168:12
    #41 0x7f7cf69de5eb in apply<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
    #42 0x7f7cf69de5eb in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1219
    #43 0x7f7cf27de1c2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #44 0x7f7cf281b110 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1167:14
    #45 0x7f7cf2823e25 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #46 0x7f7cf3a026ae in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #47 0x7f7cf39042fc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #48 0x7f7cf39042fc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #49 0x7f7cf39042fc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #50 0x7f7cfc4232d6 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #51 0x7f7d007ae21e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:944:22
    #52 0x7f7cf39042fc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #53 0x7f7cf39042fc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #54 0x7f7cf39042fc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #55 0x7f7d007ad2d5 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:770:34
    #56 0x4f5b01 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #57 0x4f5b01 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #58 0x7f7d15974b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #59 0x424edc in _start (/home/forb1dden/builds/mc-asan/firefox+0x424edc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/base/nsINode.h:1596:12 in GetBoolFlag
==28127==ABORTING
Flags: in-testsuite?
Flags: needinfo?(emilio)
Assignee: nobody → emilio
Status: NEW → ASSIGNED
Flags: needinfo?(emilio)
This is a regression from bug 1450250, which removed a if (!GetCx()) early
return in this function.

That early return was wrong, both because it prevented elements that were in
shadow trees from targeting other elements, but also because that check was not
present in AfterSetAttr, which means that dynamic updates to the attribute would
work.

Pass the SVGAnimationElement itself to resolve references. That's what we do for
attribute mutations, and also it's the same behavior we have, since the ID
lookup IDTracker does only depends on containing shadow root and containing
document, and that's invariant between a kid and it's DOM parent.

Some other code has been updated to take references instead of pointers so the
null-safety of those methods is explicit.
Comment on attachment 9004272 [details]
Bug 1486488 - Don't assume that SVGAnimationElement has a parent on bind.

Daniel Holbert [:dholbert] has approved the revision.
Attachment #9004272 - Flags: review+
Pushed by emilio@crisal.io:
https://hg.mozilla.org/integration/autoland/rev/e36b98a79cd8
Don't assume that SVGAnimationElement has a parent on bind. r=dholbert
https://hg.mozilla.org/mozilla-central/rev/e36b98a79cd8
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Blocks: 1450250
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.