AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:267:27 in get

RESOLVED FIXED in Firefox 67

Status

defect
--
critical
RESOLVED FIXED
2 months ago
2 months ago

People

(Reporter: jkratzer, Assigned: emilio)

Tracking

(Blocks 1 bug, {crash, regression, testcase})

unspecified
mozilla67
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox65 wontfix, firefox66 wontfix, firefox67 fixed)

Attachments

(4 attachments)

(Reporter)

Description

2 months ago

Testcase found while fuzzing mozilla-central rev c89f024c023f.

Steps to reproduce:

  1. Start local webserver in testcase directory (python -m SimpleHTTPServer)
  2. Navigate to http://localhost:8000/harness.html

==6218==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f84ed18903c bp 0x7ffc1da70950 sp 0x7ffc1da70940 T0)
==6218==The signal is caused by a READ memory access.
==6218==Hint: address points to the zero page.
#0 0x7f84ed18903b in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:267:27
#1 0x7f84ed18903b in operator mozilla::dom::Selection * /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:280
#2 0x7f84ed18903b in nsFrameSelection::GetSelection(mozilla::SelectionType) const /builds/worker/workspace/build/src/layout/generic/nsFrameSelection.cpp:1373
#3 0x7f84ea525f79 in nsTextInputSelectionImpl::SetCaretReadOnly(bool) /builds/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:497:28
#4 0x7f84ec775722 in mozilla::EditorBase::Init(mozilla::dom::Document&, mozilla::dom::Element*, nsISelectionController*, unsigned int, nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:300:24
#5 0x7f84eca0f24a in mozilla::TextEditor::Init(mozilla::dom::Document&, mozilla::dom::Element*, nsISelectionController*, unsigned int, nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:136:31
#6 0x7f84ea5326a4 in nsTextEditorState::PrepareEditor(nsTSubstring<char16_t> const*) /builds/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:1348:25
#7 0x7f84ed46c2b7 in nsTextControlFrame::EnsureEditorInitialized() /builds/worker/workspace/build/src/layout/forms/nsTextControlFrame.cpp:300:28
#8 0x7f84ed47a45e in nsTextControlFrame::EditorInitializer::Run() /builds/worker/workspace/build/src/layout/forms/nsTextControlFrame.cpp:1339:11
#9 0x7f84e60156f7 in nsContentUtils::RemoveScriptBlocker() /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5263:15
#10 0x7f84ecd2dc55 in ~nsAutoScriptBlocker /builds/worker/workspace/build/src/obj-firefox/dist/include/nsContentUtils.h:3584:28
#11 0x7f84ecd2dc55 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4123
#12 0x7f84e9ef3bd8 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:573:5
#13 0x7f84e9ef3bd8 in FlushPendingEvents /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:5439
#14 0x7f84e9ef3bd8 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:636
#15 0x7f84ecd5fd68 in mozilla::PresShell::EventHandler::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7814:19
#16 0x7f84ecd5d738 in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6705:30
#17 0x7f84ecd5b019 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6514:12
#18 0x7f84ecd5aa68 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6442:23
#19 0x7f84ec4ca874 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:755:14
#20 0x7f84ec4ca214 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/workspace/build/src/view/nsView.cpp:1070:9
#21 0x7f84ec571d7d in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/workspace/build/src/widget/PuppetWidget.cpp:380:37
#22 0x7f84e562778a in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/worker/workspace/build/src/gfx/layers/apz/util/APZCCallbackHelper.cpp:528:21
#23 0x7f84ebb8d22c in DispatchWidgetEventViaAPZ /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1609:10
#24 0x7f84ebb8d22c in mozilla::dom::TabChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1548
#25 0x7f84ebb8e45f in mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1521:3
#26 0x7f84ebb8e750 in RecvSynthMouseMoveEvent /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1486:8
#27 0x7f84ebb8e750 in non-virtual thunk to mozilla::dom::TabChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp
#28 0x7f84e41a3ce5 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3750:20
#29 0x7f84e36538c3 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:5534:28
#30 0x7f84e332d179 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2151:21
#31 0x7f84e3328f7a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2078:9
#32 0x7f84e332b181 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1937:3
#33 0x7f84e332bf47 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1968:13
#34 0x7f84e2057685 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#35 0x7f84e2096f11 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1179:14
#36 0x7f84e209f31d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#37 0x7f84e333657f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#38 0x7f84e320f6be in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#39 0x7f84e320f6be in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#40 0x7f84e320f6be in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#41 0x7f84ec5c3873 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#42 0x7f84f0afbd6e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20
#43 0x7f84e320f6be in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#44 0x7f84e320f6be in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#45 0x7f84e320f6be in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#46 0x7f84f0afaec3 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:749:34
#47 0x55847a3ca874 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#48 0x55847a3ca874 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:265
#49 0x7f85056deb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Flags: in-testsuite?
(Reporter)

Comment 1

2 months ago
Posted file harness.html
(Reporter)

Comment 2

2 months ago
Posted file step_1.html
(Reporter)

Comment 3

2 months ago
Posted file step_0.html
(Assignee)

Updated

2 months ago
Flags: needinfo?(emilio)
Component: Inspector: Layout → Layout
Product: DevTools → Core
(Assignee)

Updated

2 months ago
Assignee: nobody → emilio
Flags: needinfo?(emilio)
(Assignee)

Comment 4

2 months ago

You can mess up stuff pretty badly if that happens, and we want to do this
anyway for the shared UA sheet stuff, so...

Comment 5

2 months ago
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b56791a96f96
Don't allow InspectorUtils to mess up with our UA sheets. r=heycam

Comment 6

2 months ago
Backout by opoprus@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/def4c8434246
Backed out changeset b56791a96f96 for crashtest on test_parsingMode.html on a CLOSED TREE

Comment 7

2 months ago

Backed out changeset b56791a96f96 (bug 1533424) for crashtest on test_parsingMode.html on a CLOSED TREE

Backout: https://hg.mozilla.org/integration/autoland/rev/def4c84342462fb2b23a7a3940f7cfcad919dcd6

Push with failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=superseded%2Ctestfailed%2Cbusted%2Cexception%2Crunnable&revision=b56791a96f96525d2d4fbec907f6c7c58a9e3dcc&selectedJob=232675157

Failure log:
15:06:13 INFO - TEST-START | dom/tests/mochitest/chrome/test_parsingMode.html
15:06:13 INFO - GECKO(5300) | ++DOMWINDOW == 169 (000002266A6C5800) [pid = 8256] [serial = 242] [outer = 00000226666E2980]
15:06:13 INFO - TEST-INFO | started process screenshot
15:06:13 INFO - TEST-INFO | screenshot: exit 0
15:06:13 INFO - Buffered messages logged at 15:06:13
15:06:13 INFO - TEST-PASS | dom/tests/mochitest/chrome/test_parsingMode.html | about:PreferenceStyleSheet has agent mode
15:06:13 INFO - TEST-PASS | dom/tests/mochitest/chrome/test_parsingMode.html | agent sheet has expected mode
15:06:13 INFO - Buffered messages finished
15:06:13 INFO - TEST-UNEXPECTED-FAIL | dom/tests/mochitest/chrome/test_parsingMode.html | uncaught exception - NoModificationAllowedError: Modifications are not allowed for this document at run@chrome://mochitests/content/chrome/dom/tests/mochitest/chrome/test_parsingMode.html:45:22
15:06:13 INFO - onload@chrome://mochitests/content/chrome/dom/tests/mochitest/chrome/test_parsingMode.html:1:1
15:06:13 INFO -
15:06:13 INFO - simpletestOnerror@chrome://mochikit/content/tests/SimpleTest/SimpleTest.js:1665:24
15:06:13 INFO - OnErrorEventHandlerNonNull*@chrome://mochikit/content/tests/SimpleTest/SimpleTest.js:1645:1
15:06:13 INFO - GECKO(5300) | JavaScript error: chrome://mochitests/content/chrome/dom/tests/mochitest/chrome/test_parsingMode.html, line 45: NoModificationAllowedError: Modifications are not allowed for this document
15:06:13 INFO - GECKO(5300) | MEMORY STAT | vsize 2103187MB | vsizeMaxContiguous 65112299MB | residentFast 370MB | heapAllocated 139MB
15:06:13 INFO - TEST-OK | dom/tests/mochitest/chrome/test_parsingMode.html | took 154ms

Flags: needinfo?(emilio)

Comment 8

2 months ago

Also there was some Bc failures on browser_raceWithTabs.js

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=232680424&repo=autoland&lineNumber=4480

(Assignee)

Updated

2 months ago
Duplicate of this bug: 1534754

Comment 10

2 months ago
bugherder
Status: NEW → RESOLVED
Last Resolved: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
(Assignee)

Updated

2 months ago
Flags: needinfo?(emilio)
Flags: in-testsuite? → in-testsuite+