AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:314:3 in MOZ_Crash(char const*, int, char const*)

RESOLVED FIXED in Firefox 67

Status

()

defect
P2
critical
RESOLVED FIXED
3 months ago
a month ago

People

(Reporter: jkratzer, Assigned: emilio)

Tracking

(Blocks 2 bugs, {crash, regression, testcase})

unspecified
mozilla67
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr60 wontfix, firefox66 wontfix, firefox67 fixed)

Details

(Whiteboard: [fuzzblocker])

Attachments

(2 attachments)

Reporter

Description

3 months ago
Posted file testcase.html

Testcase found while fuzzing mozilla-central rev 54ed5eac2abc. Testcase bisects back further than a year.

==13603==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7faf092dca0e bp 0x7ffc51dd4df0 sp 0x7ffc51dd4df0 T0)
==13603==The signal is caused by a WRITE memory access.
==13603==Hint: address points to the zero page.
#0 0x7faf092dca0d in MOZ_Crash(char const*, int, char const*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:314:3
#1 0x7faf092dc9ca in GeckoCrash /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:5048:3
#2 0x7faf0b37fa6b in gkrust_shared::panic_hook::h52bbb762d79fe552 /builds/worker/workspace/build/src/toolkit/library/rust/shared/lib.rs:234:8
#3 0x7faf0b37f998 in core::ops::function::Fn::call::h0946f1cfb28cacc2 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libcore/ops/function.rs:78:4
#4 0x7faf0bb31701 in std::panicking::rust_panic_with_hook::h8cbdfe43764887be /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/panicking.rs:495:16
#5 0x7faf0bb3144d in std::panicking::continue_panic_fmt::h3d3c5a833c00a5e1 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/panicking.rs:398:4
#6 0x7faf0bb41235 in rust_begin_unwind /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/panicking.rs:325:4
#7 0x7faf0bb44bdb in core::panicking::panic_fmt::h4d67173bc68f6d5a /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libcore/panicking.rs:95:13
#8 0x7faf0bb4a661 in core::option::expect_failed::h2f881c519f1d8001 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libcore/option.rs:1008:4
#9 0x7faf0ba65f14 in _$LT$core..option..Option$LT$T$GT$$GT$::expect::hcabb2b4cc1b406e9 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libcore/option.rs:322:20
#10 0x7faf0ba65f14 in $LT$style..stylesheets..rule_parser..TopLevelRuleParser$LT$$u27$a$GT$$u20$as$u20$cssparser..rules_and_declarations..AtRuleParser$LT$$u27$i$GT$$GT$::rule_without_block::h704a4485c2762845 /builds/worker/workspace/build/src/servo/components/style/stylesheets/rule_parser.rs:256
#11 0x7faf0ba65f14 in cssparser::rules_and_declarations::parse_at_rule::h4f4623769a1e4659 /builds/worker/workspace/build/src/third_party/rust/cssparser/src/rules_and_declarations.rs:464
#12 0x7faf0b81587a in cssparser::rules_and_declarations::parse_one_rule::
$u7b$$u7b$closure$u7d$$u7d$::hef9c31541773fc40 /builds/worker/workspace/build/src/third_party/rust/cssparser/src/rules_and_declarations.rs:439:12
#13 0x7faf0b81587a in cssparser::parser::Parser::parse_entirely::hea501365c5af071f /builds/worker/workspace/build/src/third_party/rust/cssparser/src/parser.rs:596
#14 0x7faf0b81587a in cssparser::rules_and_declarations::parse_one_rule::h0b750eed467b1d53 /builds/worker/workspace/build/src/third_party/rust/cssparser/src/rules_and_declarations.rs:420
#15 0x7faf0b81587a in style::stylesheets::CssRule::parse::h150b736b39254c44 /builds/worker/workspace/build/src/servo/components/style/stylesheets/mod.rs:290
#16 0x7faf0b81587a in _$LT$servo_arc..RawOffsetArc$LT$style..shared_lock..Locked$LT$style..stylesheets..rule_list..CssRules$GT$$GT$$u20$as$u20$style..stylesheets..rule_list..CssRulesHelpers$GT$::insert_rule::hfbb730023013aa49 /builds/worker/workspace/build/src/servo/components/style/stylesheets/rule_list.rs:172
#17 0x7faf0b81587a in Servo_CssRules_InsertRule /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:1886
#18 0x7faf0535f1ad in mozilla::ServoCSSRuleList::InsertRule(nsTSubstring<char16_t> const&, unsigned int) /builds/worker/workspace/build/src/layout/style/ServoCSSRuleList.cpp:165:7
#19 0x7faf0537d0e8 in InsertRuleInternal /builds/worker/workspace/build/src/layout/style/StyleSheet.cpp:1107:20
#20 0x7faf0537d0e8 in mozilla::StyleSheet::InsertRule(nsTSubstring<char16_t> const&, unsigned int, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/layout/style/StyleSheet.cpp:485
#21 0x7faf006a82aa in mozilla::dom::CSSStyleSheet_Binding::insertRule(JSContext*, JS::Handle<JSObject*>, mozilla::StyleSheet*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CSSStyleSheetBinding.cpp:210:25
#22 0x7faf01f52171 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3144:13
#23 0x7faf095bf687 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:440:13
#24 0x7faf095bf687 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:532
#25 0x7faf095a6d80 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:591:10
#26 0x7faf095a6d80 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3056
#27 0x7faf095896a8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:420:10
#28 0x7faf095bfff6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560:13
#29 0x7faf095c1c42 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:603:8
#30 0x7faf0a1c4c49 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2623:10
#31 0x7faf0155ea39 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#32 0x7faf027b4742 in HandleEvent<mozilla::dom::EventTarget > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#33 0x7faf027b4742 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener
, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1038
#34 0x7faf027b6d73 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1237:17
#35 0x7faf02796ef0 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:350:5
#36 0x7faf02796ef0 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:351
#37 0x7faf02795118 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:553:16
#38 0x7faf0279bd63 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1048:11
#39 0x7faf027a3af6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports
, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
#40 0x7faefeeafca4 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1024:17
#41 0x7faefe7c3b1c in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4054:28
#42 0x7faefe7c388e in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4024:10
#43 0x7faefeb0769a in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:4679:3
#44 0x7faefec0be4b in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#45 0x7faefec0be4b in apply<mozilla::dom::Document, void (mozilla::dom::Document::
)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1128
#46 0x7faefec0be4b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
#47 0x7faefa807ac5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#48 0x7faefa847351 in nsThread::ProcessNextEvent(bool, bool
) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1179:14
#49 0x7faefa84f75d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#50 0x7faefbae95af in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#51 0x7faefb9c127e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#52 0x7faefb9c127e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#53 0x7faefb9c127e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#54 0x7faf04da4883 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#55 0x7faf092e04be in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20
#56 0x7faefb9c127e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#57 0x7faefb9c127e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#58 0x7faefb9c127e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#59 0x7faf092df613 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:749:34
#60 0x565361b16874 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#61 0x565361b16874 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:265
#62 0x7faf1df12b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Flags: in-testsuite?
Reporter

Comment 1

2 months ago

This issue is being triggered quite frequently during CSS fuzzing. :svoisen, would it be possible to get this assigned?

Flags: needinfo?(svoisen)
Assignee

Comment 2

2 months ago

I'll take a look, it's the same issue as bug 1535426, I just don't know why the assertion message is not here.

Flags: needinfo?(svoisen) → needinfo?(emilio)
Assignee

Updated

2 months ago
Duplicate of this bug: 1535426
Assignee

Comment 4

2 months ago

This should unblock the fuzzers for now, though it's not the ideal solution.

It's the only reasonably easy solution to unblock them though, I think.

We should probably always keep track of the document a stylesheet was associated
with. We'll need that for constructible stylesheets anyway.

That requires some though on how to get the cycle-collection and such right,
though, and I wouldn't be able to write or land that ASAP.

Assignee

Updated

2 months ago
Blocks: 1535456
Assignee

Updated

2 months ago
Assignee: nobody → emilio
Flags: needinfo?(emilio)
Assignee

Comment 5

2 months ago

Filed bug 1535456 for the proper fix, which is non-trivial.

Comment 6

2 months ago
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5ce27c44f79e
Avoid crashing when calling insertRule("@import ...") on a detached sheet. r=heycam
Priority: -- → P2

Comment 7

2 months ago
bugherder
Status: NEW → RESOLVED
Last Resolved: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Flags: in-testsuite? → in-testsuite+
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee

Comment 9

2 months ago

That is a completely different bug. MOZ_Crash can appear on a lot of different crashes, so on its own is useless. Please file a new bug for that. That particular crash is in mozilla::dom::PWebAuthnTransactionParent, so should be in Core :: DOM : Security.

Status: REOPENED → RESOLVED
Last Resolved: 2 months ago2 months ago
Resolution: --- → FIXED
Comment hidden (Intermittent Failures Robot)
Comment hidden (Intermittent Failures Robot)
You need to log in before you can comment on or make changes to this bug.