Open Bug 1547270 Opened 5 years ago Updated 11 months ago

AddressSanitizer: SEGV in get near [@ mozilla::dom::FragmentOrElement::SetInnerHTMLInternal]

Categories: Core :: DOM: Core & HTML, defect, P2

Tracking Status: firefox68 --- affected; firefox87 --- affected

People: Reporter: jkratzer, Assigned: smaug

References: Blocks 2 open bugs

Details: Keywords: crash, testcase; Whiteboard: [bugmon:confirmed]

Attachments: 2 files

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 7d47e7fa2489.

==19393==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f615bf45dc0 bp 0x7ffcbbff6070 sp 0x7ffcbbff5ea0 T0)
==19393==The signal is caused by a READ memory access.
==19393==Hint: address points to the zero page.
#0 0x7f615bf45dbf in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:268:27
#1 0x7f615bf45dbf in operator mozilla::dom::NodeInfo * /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:281
#2 0x7f615bf45dbf in NodeInfo /builds/worker/workspace/build/src/dom/base/nsINode.h:644
#3 0x7f615bf45dbf in mozilla::dom::FragmentOrElement::SetInnerHTMLInternal(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:2051
#4 0x7f615d8b5066 in mozilla::dom::ShadowRoot_Binding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ShadowRoot*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ShadowRootBinding.cpp:215:9
#5 0x7f615f2c6fa8 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3106:8
#6 0x7f6166baad20 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:443:13
#7 0x7f6166baad20 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535
#8 0x7f6166bafd7d in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:590:10
#9 0x7f6166bafd7d in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:606
#10 0x7f6166bafd7d in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:744
#11 0x7f6167229ee3 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2879:8
#12 0x7f61672229c1 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2908:14
#13 0x7f6166b85d0d in SetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:283:10
#14 0x7f6166b85d0d in SetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:268
#15 0x7f6166b85d0d in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2845
#16 0x7f6166b74f58 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:10
#17 0x7f6166bab693 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:563:13
#18 0x7f6166bad312 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:606:8
#19 0x7f616781c008 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2636:10
#20 0x7f615e8c4570 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#21 0x7f615fb9d3f2 in HandleEvent<mozilla::dom::EventTarget*> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#22 0x7f615fb9d3f2 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1039
#23 0x7f615fb9f4ae in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1240:17
#24 0x7f615fb7fce1 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:355:5
#25 0x7f615fb7fce1 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
#26 0x7f615fb7df16 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
#27 0x7f615fb84c4e in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1046:11
#28 0x7f615fb8c94b in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
#29 0x7f615c261084 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1023:17
#30 0x7f615bb127f6 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4062:28
#31 0x7f615bb1256e in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4032:10
#32 0x7f615bea53a2 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:5005:3
#33 0x7f615bfb077b in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#34 0x7f615bfb077b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1128
#35 0x7f615bfb077b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
#36 0x7f6157988185 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#37 0x7f61579c8141 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#38 0x7f61579cfd64 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#39 0x7f6158d3439f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#40 0x7f6158c0d51e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#41 0x7f6158c0d51e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#42 0x7f6158c0d51e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#43 0x7f61622b40f3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#44 0x7f61668c663e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#45 0x7f6158c0d51e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#46 0x7f6158c0d51e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#47 0x7f6158c0d51e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#48 0x7f61668c57ac in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:757:34
#49 0x5609a993172e in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#50 0x5609a993172e in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
#51 0x7f617bad1b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Flags: in-testsuite?

I'm curious about this one.

Flags: needinfo?(emilio)

So this is a bit nasty... We're adopting a subtree that contains a shadow host, we over-recurse and thus fail, so we call BlastSubtreeToPieces, which unlinks the shadow host <-> shadow root.

But JS still has a reference to the shadowRoot, and can call stuff that assumes that there's a host...

We could of course try to bail out from all the methods that assume there's a non-null host (and make the WebIDL getter nullable), but that may not be great...

Maybe there are not that many, and the style system ones should be ok because they're always connected, and you cannot make a shadow root connected on its own without a host...

Any other ideas Olli?

Flags: needinfo?(emilio) → needinfo?(bugs)
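The lifecycle described in the comment above, as an added toy model written for this page (not Firefox code): a recursive adopt that fails past a constructed depth limit, a Blast() that unlinks host <-> root the way BlastSubtreeToPieces is described to, a reference that "script" keeps to the now host-less shadow root, and an innerHTML setter hardened to bail out instead of dereferencing the null host. All names (Node, ShadowRoot, Blast, Adopt, AdoptRecursive, SafeSetInnerHTML, BuildChain) and the recursion limit are hypothetical.

```cpp
#include <memory>
#include <string>
#include <vector>

struct Node;
struct ShadowRoot {
    Node* host = nullptr;  // back-pointer; Blast() clears it
    std::string innerHTML;
};
struct Node {
    std::vector<std::unique_ptr<Node>> children;
    std::shared_ptr<ShadowRoot> shadow;  // script may hold this too
};
// Model of BlastSubtreeToPieces: unlink host <-> root across the subtree.
static void Blast(Node& n) {
    if (n.shadow) { n.shadow->host = nullptr; n.shadow.reset(); }
    for (auto& c : n.children) Blast(*c);
}
// Recursive adopt (model) that fails once recursion gets too deep.
static bool AdoptRecursive(Node& n, int depth, int limit) {
    if (depth > limit) return false;
    for (auto& c : n.children)
        if (!AdoptRecursive(*c, depth + 1, limit)) return false;
    return true;
}
static bool Adopt(Node& top, int limit) {
    if (AdoptRecursive(top, 0, limit)) return true;
    Blast(top);  // over-recursed: blast the subtree, as in the report
    return false;
}
// Hardened innerHTML setter: bail out when the root has lost its host
// instead of dereferencing a null host pointer (the SEGV above).
static bool SafeSetInnerHTML(ShadowRoot& r, const std::string& html) {
    if (!r.host) return false;  // detached root: report an error
    r.innerHTML = html;
    return true;
}
// Build a chain `depth` levels deep whose leaf is a shadow host; hand the
// leaf's shadow root out through scriptRef, the reference "JS" keeps.
static std::unique_ptr<Node> BuildChain(int depth, std::shared_ptr<ShadowRoot>& scriptRef) {
    auto n = std::make_unique<Node>();
    if (depth == 0) {
        n->shadow = std::make_shared<ShadowRoot>();
        n->shadow->host = n.get();
        scriptRef = n->shadow;
    } else n->children.push_back(BuildChain(depth - 1, scriptRef));
    return n;
}
```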

We could reduce the likelihood of this being a problem by not unlinking the host <-> root link if they're same-Realm (so both got reparented or both didn't get reparented).

We might also be able to prevent the over-recursion problem if adoption queued up a list of things to reparent and then we reparented them iteratively, at constant stack depth, but then failures might lead to mismatches between the reflector and the owner document.

Or we could just stop reparenting on adopt. :(

Priority: -- → P2
Assignee: nobody → bugs
Severity: critical → S2
Flags: needinfo?(bugs)

Hey Jason,
Please update the resolution or the affected flags for this issue when you have the time. Thank you!

Flags: needinfo?(jkratzer)

Attached file stacktrace

I am still able to reproduce this issue using the attached testcase under mozilla-central rev fc74eb2c7b84 (built with --enable-address-sanitizer --enable-fuzzing).

Flags: needinfo?(jkratzer)

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210224215151-69be3221f49a.

Whiteboard: [bugmon:confirmed]

Hi Olli, are you still able to look at this?

Flags: needinfo?(bugs)

Sorry, there was a problem with the detection of inactive users. I see we're still waiting on an answer from smaug for comment 7, so I won't reassign the bug to him but wait for his reply.

Assignee: nobody → smaug
Flags: needinfo?(smaug)
Flags: needinfo?(htsai)
Crash Signature: [@ nsINode::NodeInfo ]

Since the crash volume is low (less than 15 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: S2 → S3

Actually, in the over-recurse case, it is probably quite fine to crash a content process. The other option is to leave the process in some weird state.
Or, at least, this is a low-priority bug.

The crash reports linked to this bug are all about some other issues, so clearing the signature.

Crash Signature: [@ nsINode::NodeInfo ]
Flags: needinfo?(smaug)