Closed Bug 1534346 Opened 5 years ago Closed 5 years ago

Assertion failure: sele->IsMalformed() (Script wasn't marked as malformed.), at /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:525

Categories

(Core :: DOM: HTML Parser, defect, P2)

Product:
Core
Component:
DOM: HTML Parser
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- fixed

People

(Reporter: jkratzer, Assigned: hsivonen)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

testcase.html
70 bytes, text/html
Details
Bug 1534346 - Mark malformed SVG scripts as malformed for real.
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev f4c23517cec8.

Assertion failure: sele->IsMalformed() (Script wasn't marked as malformed.), at /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:525

rax = 0x0000561399fd9e40 rdx = 0x0000000000000000
rcx = 0x00007f98c20c90a5 rbx = 0x00007f98b549d400
rsi = 0x00007f98cef6f8b0 rdi = 0x00007f98cef6e680
rbp = 0x00007ffdd4440810 rsp = 0x00007ffdd4440750
r8 = 0x00007f98cef6f8b0 r9 = 0x00007f98d00cc740
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007ffdd44407c8 r13 = 0x00007f98ce9f5cd0
r14 = 0x00007ffdd44407b8 r15 = 0x00007f98b549e398
rip = 0x00007f98bd2f6b91
OS|Linux|0.0.0 Linux 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|nsHtml5TreeOpExecutor::RunFlushLoop()|hg:hg.mozilla.org/mozilla-central:mfbt/RefPtr.h:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|295|0x0
0|1|libxul.so|nsHtml5ExecutorReflusher::Run()|hg:hg.mozilla.org/mozilla-central:parser/html/nsHtml5TreeOpExecutor.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|68|0x10
0|2|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|295|0x15
0|3|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|1179|0x15
0|4|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|482|0x11
0|5|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|88|0xa
0|6|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|315|0x17
0|7|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|308|0x8
0|8|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|137|0xd
0|9|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|911|0x11
0|10|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|238|0x5
0|11|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|315|0x17
0|12|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|308|0x8
0|13|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|749|0xc
0|14|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|49|0x14
0|15|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|265|0x11
0|16|libc-2.27.so||||0x21b97
0|17|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:f4c23517cec8626038a915bfe3bc7c0e1f6af55d|184|0x5

Flags: in-testsuite?

Henri, mind checking this assertion failure?

Flags: needinfo?(hsivonen)

This was supposed to be taken care of by https://searchfox.org/mozilla-central/rev/89414a1df52d06cfc35529afb9a5a8542a6e4270/parser/html/nsHtml5TreeBuilder.cpp#4094 (bug 1515066). I'll take a look why this case is different.

The fix for bug 1515066 was incomplete. Should have landed the original testcase as crashtest instead of relying on the more elaborate but different WPT test.

Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Flags: needinfo?(hsivonen)
Pushed by hsivonen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ea504b586d74
Mark malformed SVG scripts as malformed for real. r=alchen
Priority: -- → P2

https://hg.mozilla.org/mozilla-central/rev/ea504b586d74

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox68: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
status-firefox66: --- → wontfix
status-firefox67: --- → wontfix
status-firefox-esr60: --- → unaffected
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: