Closed Bug 1534394 Opened 9 months ago Closed 7 months ago

Crash [@get] near [@mozilla::WSRunObject::GetWSNodes()]

Categories

(Core :: DOM: Editor, defect, P2, critical)

defect

Tracking


RESOLVED FIXED
mozilla69
Tracking Status
firefox-esr60 --- wontfix
firefox67 --- wontfix
firefox68 --- fixed
firefox69 --- fixed

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev f4c23517cec8.

==16647==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7fe186eebfe9 bp 0x7ffc33a01590 sp 0x7ffc33a01200 T0)
==16647==The signal is caused by a READ memory access.
==16647==Hint: address points to the zero page.
#0 0x7fe186eebfe8 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:267:27
#1 0x7fe186eebfe8 in operator-> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:297
#2 0x7fe186eebfe8 in NodeType /builds/worker/workspace/build/src/dom/base/nsINode.h:638
#3 0x7fe186eebfe8 in IsText /builds/worker/workspace/build/src/dom/base/nsINode.h:494
#4 0x7fe186eebfe8 in GetAsText /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Text.h:43
#5 0x7fe186eebfe8 in mozilla::WSRunObject::GetWSNodes() /builds/worker/workspace/build/src/editor/libeditor/WSRunObject.cpp:656
#6 0x7fe186f121fd in WSRunObject /builds/worker/workspace/build/src/editor/libeditor/WSRunObject.cpp:88:3
#7 0x7fe186f121fd in mozilla::WSRunObject::WSRunObject<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::HTMLEditor*, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&) /builds/worker/workspace/build/src/editor/libeditor/WSRunObject.cpp:74
#8 0x7fe186cd4688 in mozilla::HTMLEditRules::WillInsertText(mozilla::EditSubAction, bool*, bool*, nsTSubstring<char16_t> const*, nsTSubstring<char16_t>, int) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:1482:21
#9 0x7fe186cd18c0 in mozilla::HTMLEditRules::WillDoAction(mozilla::EditSubActionInfo&, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:676:14
#10 0x7fe186ecc6e6 in mozilla::TextEditor::InsertTextAsSubAction(nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:1030:24
#11 0x7fe186ed2d72 in mozilla::TextEditor::InsertTextAsAction(nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:995:17
#12 0x7fe186c7a2a4 in mozilla::InsertPlaintextCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) /builds/worker/workspace/build/src/editor/libeditor/EditorCommands.cpp:925:20
#13 0x7fe184321c50 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) /builds/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:155:26
#14 0x7fe184319868 in DoCommandWithParams /builds/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:138:25
#15 0x7fe184319868 in non-virtual thunk to nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) /builds/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp
#16 0x7fe18431d9b8 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /builds/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:197:29
#17 0x7fe1849c147d in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2593:18
#18 0x7fe18367a96e in mozilla::dom::HTMLDocument_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:619:21
#19 0x7fe183c1fa21 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3144:13
#20 0x7fe18b297db7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
#21 0x7fe18b297db7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#22 0x7fe18b27f4b7 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:593:10
#23 0x7fe18b27f4b7 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3075
#24 0x7fe18b262898 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:10
#25 0x7fe18b298726 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:562:13
#26 0x7fe18b29a372 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
#27 0x7fe18be95c19 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2623:10
#28 0x7fe18322c2e9 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#29 0x7fe184481ff2 in HandleEvent<mozilla::dom::EventTarget*> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#30 0x7fe184481ff2 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1038
#31 0x7fe184484623 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1237:17
#32 0x7fe1844647a0 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:350:5
#33 0x7fe1844647a0 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:351
#34 0x7fe1844629c8 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:553:16
#35 0x7fe184469613 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1048:11
#36 0x7fe187311b77 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1102:7
#37 0x7fe18a1556ec in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6560:21
#38 0x7fe18a154818 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6361:7
#39 0x7fe18a15a387 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
#40 0x7fe17efb4d55 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1313:3
#41 0x7fe17efb393c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:872:14
#42 0x7fe17efadf71 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:710:9
#43 0x7fe17efb1b90 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:598:5
#44 0x7fe17efb3464 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
#45 0x7fe17c77b557 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:568:22
#46 0x7fe1807d6fda in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:7727:18
#47 0x7fe1807d6fda in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:7659
#48 0x7fe1807d5a3f in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:4804:3
#49 0x7fe1808d973b in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#50 0x7fe1808d973b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1128
#51 0x7fe1808d973b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
#52 0x7fe17c4bc6a5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#53 0x7fe17c4fbf31 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1179:14
#54 0x7fe17c50433d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#55 0x7fe17d7a8c1f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#56 0x7fe17d67d4ce in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#57 0x7fe17d67d4ce in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#58 0x7fe17d67d4ce in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#59 0x7fe186a7c353 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#60 0x7fe18afb943e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20
#61 0x7fe17d67d4ce in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#62 0x7fe17d67d4ce in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#63 0x7fe17d67d4ce in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#64 0x7fe18afb8593 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:749:34
#65 0x55698c5fd874 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#66 0x55698c5fd874 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:265
#67 0x7fe19fc0ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Flags: in-testsuite?
Crash Signature: [@ mozilla::WSRunObject::GetWSNodes ]
Priority: -- → P2
Assignee: nobody → masayuki
Status: NEW → ASSIGNED

Oddly, WSRunObject::InsertText() returns NS_OK even when
HTMLEditor::InsertTextWithTransaction() returns an error. However,
it fails if the insertion point is not editable, like a <noscript> element.
In such a case, aPointAfterInsertedString isn't modified and its caller,
HTMLEditRules::WillInsertText(), keeps handling insertion of the remaining text
with a non-positioned EditorDOMPoint. Therefore, the next time,
WSRunObject fails to do anything since it requires a positioned
EditorDOMPoint.

For making uplift safer, this patch makes WSRunObject::InsertText() set
aPointAfterInsertedString by itself when
HTMLEditor::InsertTextWithTransaction() returns error.
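
A minimal C++ model of the failure mode described in the comment above, added here as an illustration and not Gecko's code: Node, DOMPoint and the three Insert* functions are hypothetical stand-ins for nsINode, EditorDOMPoint, HTMLEditor::InsertTextWithTransaction() and WSRunObject::InsertText(). It shows the buggy shape leaving the out-parameter unset after a failed insertion into a non-editable container, next to the fixed shape that sets it to the original point; the caller model stops at an unset point instead of reading through it.

```cpp
#include <string>
// Hypothetical stand-ins for nsINode and EditorDOMPoint (not Gecko's types).
struct Node { std::string text; bool editable; };
struct DOMPoint {
  Node* container;  // non-positioned ("unset") while null
  int offset;
  bool IsSet() const { return container != nullptr; }
};
// Stand-in for HTMLEditor::InsertTextWithTransaction(): fails when the
// container is not editable (e.g. <noscript>); on success it reports the
// point right after the inserted text through aAfter.
bool InsertTextWithTransaction(const std::string& s, const DOMPoint& at,
                               DOMPoint* aAfter) {
  if (!at.IsSet() || !at.container->editable) return false;
  at.container->text.insert(at.offset, s);
  *aAfter = DOMPoint{at.container, at.offset + (int)s.size()};
  return true;
}

// Buggy shape of WSRunObject::InsertText(): the inner error is swallowed
// and aAfter is left untouched, so the caller continues with an unset point.
bool InsertTextBuggy(const std::string& s, const DOMPoint& at, DOMPoint* aAfter) {
  (void)InsertTextWithTransaction(s, at, aAfter);
  return true;  // NS_OK regardless of the inner failure
}
// Fixed shape: on failure aAfter is set to the original insertion point,
// so the caller always receives a positioned point.
bool InsertTextFixed(const std::string& s, const DOMPoint& at, DOMPoint* aAfter) {
  if (!InsertTextWithTransaction(s, at, aAfter)) *aAfter = at;
  return true;
}
using InsertFn = bool (*)(const std::string&, const DOMPoint&, DOMPoint*);
static const char* const kChunks[] = {"x", "y", "z"};  // constructed input

// Caller modelled on HTMLEditRules::WillInsertText(): inserts the chunks one
// after another, each from the point the previous call reported. Gecko had no
// guard and read through the unset point (the null read in GetWSNodes());
// this model stops instead and returns how many chunks it could attempt.
int InsertChunks(InsertFn insert, Node* container) {
  DOMPoint cur{container, 0};
  int attempted = 0;
  for (const char* chunk : kChunks) {
    if (!cur.IsSet()) break;
    DOMPoint after{};
    insert(chunk, cur, &after);
    cur = after;
    ++attempted;
  }
  return attempted;
}
```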

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/0475e2855e5c
Make WSRunObject::InsertText() set aPointAfterInsertedString by itself when HTMLEditor::InsertTextWithTransaction() returns error r=m_kato
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69

Comment on attachment 9066685 [details]
Bug 1534394 - Make WSRunObject::InsertText() set aPointAfterInsertedString by itself when HTMLEditor::InsertTextWithTransaction() returns error

Beta/Release Uplift Approval Request

  • User impact if declined: May meet the crash if an attacker tries to crash a tab of our users.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just copies the expected result in WSRunObject::InsertText().
  • String changes made/needed: none
Attachment #9066685 - Flags: approval-mozilla-beta?

Comment on attachment 9066685 [details]
Bug 1534394 - Make WSRunObject::InsertText() set aPointAfterInsertedString by itself when HTMLEditor::InsertTextWithTransaction() returns error

approved for 68.0b5

Attachment #9066685 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: in-testsuite? → in-testsuite+
Regressions: 1555640
Depends on: 1558249
No longer depends on: 1558249
Regressions: 1558249