Closed Bug 1525162 Opened 1 year ago Closed 1 year ago

crash near null in [@ nsClipboardCommand::IsCommandEnabled]

Categories

(Core :: DOM: Editor, defect, P2)

defect

Tracking


VERIFIED FIXED
mozilla67
Tracking Status
firefox-esr60 --- wontfix
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- verified

People

(Reporter: tsmith, Assigned: masayuki)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(2 files, 1 obsolete file)

Attached file testcase.html (obsolete)
==9629==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000318 (pc 0x7f73d87bbce5 bp 0x7ffcc330aef0 sp 0x7ffcc330ae20 T0)
==9629==The signal is caused by a READ memory access.
==9629==Hint: address points to the zero page.
    #0 0x7f73d87bbce4 in IsHTMLOrXHTML src/obj-firefox/dist/include/mozilla/dom/Document.h:2098:39
    #1 0x7f73d87bbce4 in nsClipboardCommand::IsCommandEnabled(char const*, nsISupports*, bool*) src/dom/base/nsGlobalWindowCommands.cpp:487
    #2 0x7f73dbf0c0d7 in nsControllerCommandTable::IsCommandEnabled(char const*, nsISupports*, bool*) src/dom/commandhandler/nsControllerCommandTable.cpp:92:26
    #3 0x7f73dbf03855 in nsBaseCommandController::IsCommandEnabled(char const*, bool*) src/dom/commandhandler/nsBaseCommandController.cpp:94:25
    #4 0x7f73d88fd7c3 in nsWindowRoot::GetEnabledDisabledCommandsForControllers(nsIControllers*, nsTHashtable<nsCharPtrHashKey>&, nsTArray<nsTString<char> >&, nsTArray<nsTString<char> >&) src/dom/base/nsWindowRoot.cpp:236:25
    #5 0x7f73d88fe46b in nsWindowRoot::GetEnabledDisabledCommands(nsTArray<nsTString<char> >&, nsTArray<nsTString<char> >&) src/dom/base/nsWindowRoot.cpp:262:5
    #6 0x7f73d82a764f in (anonymous namespace)::ChildCommandDispatcher::Run() src/dom/base/nsGlobalWindowOuter.cpp:6445:12
    #7 0x7f73d8117337 in nsContentUtils::RemoveScriptBlocker() src/dom/base/nsContentUtils.cpp:5213:15
    #8 0x7f73dc59ade5 in ~nsAutoScriptBlocker src/obj-firefox/dist/include/nsContentUtils.h:3550:28
    #9 0x7f73dc59ade5 in nsHTMLDocument::EditingStateChanged() src/dom/html/nsHTMLDocument.cpp:2378
    #10 0x7f73d87e4f13 in ~mozAutoDocUpdate src/dom/base/mozAutoDocUpdate.h:34:18
    #11 0x7f73d87e4f13 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:2403
    #12 0x7f73d9406276 in InsertBefore src/obj-firefox/dist/include/nsINode.h:1684:12
    #13 0x7f73d9406276 in AppendChild src/obj-firefox/dist/include/nsINode.h:1687
    #14 0x7f73d9406276 in mozilla::dom::Node_Binding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/NodeBinding.cpp:1021
    #15 0x7f73db810878 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3138:13
    #16 0x7f73e34ebe3d in CallJSNative src/js/src/vm/Interpreter.cpp:441:13
    #17 0x7f73e34ebe3d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:533
    #18 0x7f73e34d5776 in CallFromStack src/js/src/vm/Interpreter.cpp:592:10
    #19 0x7f73e34d5776 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3068
    #20 0x7f73e34b8a9d in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:421:10
    #21 0x7f73e34ec7e1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:561:13
    #22 0x7f73e34ee462 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:604:8
    #23 0x7f73e407c8e6 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2620:10
    #24 0x7f73dae25729 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:266:37
    #25 0x7f73dc0b9529 in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #26 0x7f73dc0b67b9 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:205:12
    #27 0x7f73dc069a0a in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1054:51
    #28 0x7f73dc06bfe3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1249:17
    #29 0x7f73dc04bde0 in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:350:5
    #30 0x7f73dc04bde0 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:351
    #31 0x7f73dc04a008 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:553:16
    #32 0x7f73dc050c53 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1044:11
    #33 0x7f73d87f751b in FocusBlurEvent::Run() src/dom/base/nsFocusManager.cpp:1934:12
    #34 0x7f73d8117fb6 in AddScriptRunner src/dom/base/nsContentUtils.cpp:5278:13
    #35 0x7f73d8117fb6 in nsContentUtils::AddScriptRunner(nsIRunnable*) src/dom/base/nsContentUtils.cpp:5284
    #36 0x7f73d8778647 in nsFocusManager::FireFocusOrBlurEvent(mozilla::EventMessage, nsIPresShell*, nsISupports*, bool, bool, mozilla::dom::EventTarget*) src/dom/base/nsFocusManager.cpp:2082:5
    #37 0x7f73d87763e7 in nsFocusManager::SendFocusOrBlurEvent(mozilla::EventMessage, nsIPresShell*, mozilla::dom::Document*, nsISupports*, unsigned int, bool, bool, mozilla::dom::EventTarget*) src/dom/base/nsFocusManager.cpp:2050:3
    #38 0x7f73d8768ef7 in nsFocusManager::Blur(nsPIDOMWindowOuter*, nsPIDOMWindowOuter*, bool, bool, nsIContent*) src/dom/base/nsFocusManager.cpp:1693:7
    #39 0x7f73d877064b in nsFocusManager::WindowLowered(mozIDOMWindowProxy*) src/dom/base/nsFocusManager.cpp:749:23
    #40 0x7f73e2b087d8 in nsWebBrowser::FocusDeactivate() src/toolkit/components/browser/nsWebBrowser.cpp:1375:9
    #41 0x7f73ddbe4a8a in mozilla::dom::TabChild::RecvDeactivate() src/dom/ipc/TabChild.cpp:1344:16
    #42 0x7f73d57a52fb in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:8808:20
    #43 0x7f73d5447049 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2160:21
    #44 0x7f73d54429ca in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2087:9
    #45 0x7f73d5444bd1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1936:3
    #46 0x7f73d5445a97 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1967:13
    #47 0x7f73d41a0f96 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1162:14
    #48 0x7f73d41a8d5d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:474:10
    #49 0x7f73ddae9b64 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1103:24)> src/obj-firefox/dist/include/nsThreadUtils.h:348:25
    #50 0x7f73ddae9b64 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::TabChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**) src/dom/ipc/ContentChild.cpp:1103
    #51 0x7f73ddbdb005 in mozilla::dom::TabChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**) src/dom/ipc/TabChild.cpp:921:14
    #52 0x7f73e314ad28 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**) src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:752:24
    #53 0x7f73e314fe23 in OpenWindow2 src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:364:10
    #54 0x7f73e314fe23 in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**) src/toolkit/components/windowwatcher/nsWindowWatcher.cpp
    #55 0x7f73d828fc60 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, nsPIDOMWindowOuter**) src/dom/base/nsGlobalWindowOuter.cpp:7175:21
    #56 0x7f73d828e3f9 in OpenJS src/dom/base/nsGlobalWindowOuter.cpp:5681:10
    #57 0x7f73d828e3f9 in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowOuter.cpp:5653
    #58 0x7f73d820a2e5 in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowInner.cpp:3713:3
    #59 0x7f73da898398 in mozilla::dom::Window_Binding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/WindowBinding.cpp:2866:44
    #60 0x7f73db812635 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3138:13
    #61 0x7f73e34ebe3d in CallJSNative src/js/src/vm/Interpreter.cpp:441:13
    #62 0x7f73e34ebe3d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:533
    #63 0x7f73e34d5776 in CallFromStack src/js/src/vm/Interpreter.cpp:592:10
    #64 0x7f73e34d5776 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3068
    #65 0x7f73e34b8a9d in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:421:10
    #66 0x7f73e34ec7e1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:561:13
    #67 0x7f73e34ee462 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:604:8
    #68 0x7f73e407c8e6 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2620:10
    #69 0x7f73db038689 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/FunctionBinding.cpp:41:8
    #70 0x7f73d822c9f9 in void mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >(nsCOMPtr<nsISupports> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:73:12
    #71 0x7f73d822ae22 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) src/dom/base/nsGlobalWindowInner.cpp:6050:17
    #72 0x7f73d8653ea4 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) src/dom/base/TimeoutManager.cpp:917:44
    #73 0x7f73d86527cf in mozilla::dom::TimeoutExecutor::MaybeExecute() src/dom/base/TimeoutExecutor.cpp:177:11
    #74 0x7f73d865786c in Notify src/dom/base/TimeoutExecutor.cpp:241:5
    #75 0x7f73d865786c in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) src/dom/base/TimeoutExecutor.cpp
    #76 0x7f73d41885f9 in nsTimerImpl::Fire(int) src/xpcom/threads/nsTimerImpl.cpp:562:40
    #77 0x7f73d41879d5 in nsTimerEvent::Run() src/xpcom/threads/TimerThread.cpp:260:11
    #78 0x7f73d41c1aa2 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() src/xpcom/threads/ThrottledEventQueue.cpp:230:22
    #79 0x7f73d41c1517 in mozilla::ThrottledEventQueue::Inner::Executor::Run() src/xpcom/threads/ThrottledEventQueue.cpp:76:15
    #80 0x7f73d4160c25 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:299:32
    #81 0x7f73d41a0f96 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1162:14
    #82 0x7f73d41a8d5d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:474:10
    #83 0x7f73d545045f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #84 0x7f73d533cfce in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #85 0x7f73d533cfce in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #86 0x7f73d533cfce in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #87 0x7f73de621463 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #88 0x7f73e320bcee in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:908:20
    #89 0x7f73d533cfce in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #90 0x7f73d533cfce in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #91 0x7f73d533cfce in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #92 0x7f73e320ae43 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:746:34
    #93 0x55771bf5d874 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
    #94 0x55771bf5d874 in main src/browser/app/nsBrowserApp.cpp:265
Flags: in-testsuite?

Hi Masayuki, can you please take a look?

Flags: needinfo?(masayuki)

Hmm, oddly, your test is green on tryserver... Does it cause the crash randomly?

Flags: needinfo?(masayuki) → needinfo?(twsmith)

The crash is reliable but it appears the pref "dom.disable_open_during_load=false" is preventing this test from triggering it.

Flags: needinfo?(twsmith)
Attached file testcase.html

Simplified the test a bit more.

Attachment #9041319 - Attachment is obsolete: true
Priority: -- → P2

Hmm... Still cannot reproduce it on tryserver... Okay, I'll write a patch without a test.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED

nsClipboardCommand::IsCommandEnabled() accesses the document without a null check.
That must be the cause of the reported crash. This patch just adds the check.
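As an added illustration, not Mozilla's code or the landed patch: a hypothetical C++ model of the crash shape described above, with the unchecked and checked forms of the command query side by side and a stand-in for the dispatcher loop from the stack that reaches it. The names (`Document`, `Window`, `GetExtantDoc`, `ClassifyCommands`) and the `cmd_copy` string are assumptions of the model.

```cpp
#include <algorithm>
#include <string>
#include <vector>
// Hypothetical model (not Mozilla's code) of the crash shape in the stack:
// a Document method reads a member field, and a Window's document pointer
// may still be null while window.open() is setting the window up.
struct Document {
  bool isHtml;
  // Reads this->isHtml; with a null `this` the load faults on a small
  // address, the "SEGV ... address points to the zero page" in the report.
  bool IsHTMLOrXHTML() const { return isHtml; }
};
struct Window {
  Document* doc;  // nullptr until a document is attached
  Document* GetExtantDoc() const { return doc; }
};

// Unfixed shape: dereferences the document unconditionally. Shown for
// contrast; only safe when the window actually has a document.
bool IsCommandEnabledUnchecked(const std::string& cmd, const Window& win) {
  return cmd == "cmd_copy" && win.GetExtantDoc()->IsHTMLOrXHTML();
}

// Fixed shape: a window without a document simply cannot enable the command.
bool IsCommandEnabledChecked(const std::string& cmd, const Window& win) {
  Document* doc = win.GetExtantDoc();
  if (!doc) {
    return false;
  }
  return cmd == "cmd_copy" && doc->IsHTMLOrXHTML();
}

struct CommandState {
  std::vector<std::string> enabled;
  std::vector<std::string> disabled;
};
// Stand-in for the dispatcher in the stack (GetEnabledDisabledCommands):
// every command is queried against every window, so a single document-less
// window in the chain is enough to reach an unchecked dereference.
CommandState ClassifyCommands(const std::vector<Window>& windows,
                              const std::vector<std::string>& cmds) {
  CommandState st;
  for (const std::string& cmd : cmds) {
    bool anyEnabled = std::any_of(windows.begin(), windows.end(),
        [&](const Window& w) { return IsCommandEnabledChecked(cmd, w); });
    (anyEnabled ? st.enabled : st.disabled).push_back(cmd);
  }
  return st;
}
```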

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/2f15c7ef4a7f
Make nsClipboardCommand::IsCommandEnabled() check whether window has document before accessing the document r=smaug
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Flags: in-testsuite? → in-testsuite-
Flags: qe-verify+

I’ve reproduced this crash with Fx 67.0a1 (2019-02-04) on Windows 10 x64.
The issue is verified fixed with Fx 68.0a1 (2019-05-08) and Fx 67.0b18 on Windows 10 x64, macOS 10.13 and Ubuntu 18.04 x64.

Status: RESOLVED → VERIFIED
Flags: qe-verify+