AddressSanitizer: stack-overflow /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:404 in __asan::GetCurrentThread()
Categories: Core :: DOM: Editor, defect, P1
People: Reporter: jkratzer, Assigned: masayuki
References: Blocks 2 open bugs
Details: Keywords: crash, testcase
Attachments (2 files):
- 414 bytes, text/html
- 47 bytes, text/x-phabricator-request (jcristau: approval-mozilla-beta-)
Testcase found while fuzzing mozilla-central rev 420e18a75314.
==25827==ERROR: AddressSanitizer: stack-overflow on address 0x7fff7f1ffff8 (pc 0x55786b6e45f1 bp 0x000000000053 sp 0x7fff7f200000 T0)
#0 0x55786b6e45f0 in __asan::GetCurrentThread() /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:404
#1 0x55786b68e0af in __tls_get_addr /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:5108:3
#2 0x7f9648f3b042 in _$LT$core..cell..Cell$LT$T$GT$$GT$::get::h3d7388ced6d8decf /rustc/91856ed52c58aa5ba66a015354d1cc69e9779bdf/src/libcore/cell.rs:249:16
#3 0x7f9648f3b042 in _$LT$std..thread..local..fast..Key$LT$T$GT$$GT$::get::h9a4f441257a47656 /rustc/91856ed52c58aa5ba66a015354d1cc69e9779bdf/src/libstd/thread/local.rs:375
#4 0x7f9648f3b042 in style::sharing::SHARING_CACHE_KEY::__getit::h39eb9af1526d9223 /builds/worker/workspace/build/src/<::std::thread::local::__thread_local_inner macros>:23
#5 0x7f9648f3b042 in _$LT$std..thread..local..LocalKey$LT$T$GT$$GT$::try_with::h245fabef33f11428 /rustc/91856ed52c58aa5ba66a015354d1cc69e9779bdf/src/libstd/thread/local.rs:297
#6 0x7f9648f3b042 in _$LT$std..thread..local..LocalKey$LT$T$GT$$GT$::with::he5f0be01b5c3942a /rustc/91856ed52c58aa5ba66a015354d1cc69e9779bdf/src/libstd/thread/local.rs:246
#7 0x7f9648f3b042 in _$LT$style..sharing..StyleSharingCache$LT$E$GT$$GT$::new::ha71dd31374b7d3d5 /builds/worker/workspace/build/src/servo/components/style/sharing/mod.rs:541
#8 0x7f9649001941 in _$LT$style..context..ThreadLocalStyleContext$LT$E$GT$$GT$::new::h8e0fc5583d2364df /builds/worker/workspace/build/src/servo/components/style/context.rs:783:27
#9 0x7f9649001941 in Servo_ResolveStyleLazily /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:4914
#10 0x7f964282efd3 in mozilla::ServoStyleSet::ResolveStyleLazily(mozilla::dom::Element&, mozilla::PseudoStyleType, mozilla::StyleRuleInclusion) /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:1094:10
#11 0x7f964286b5d3 in nsComputedDOMStyle::DoGetComputedStyleNoFlush(mozilla::dom::Element*, nsAtom*, mozilla::PresShell*, nsComputedDOMStyle::StyleType) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:573:17
#12 0x7f96424454b6 in GetComputedStyleNoFlush /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.h:95:12
#13 0x7f96424454b6 in mozilla::EditorBase::IsPreformatted(nsINode*) /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:3718
#14 0x7f96426eeafe in mozilla::WSRunObject::GetRuns() /builds/worker/workspace/build/src/editor/libeditor/WSRunObject.cpp:880:10
#15 0x7f96424a441c in mozilla::WSRunObject::WSRunObject(mozilla::HTMLEditor*, nsINode*, int) /builds/worker/workspace/build/src/editor/libeditor/WSRunObject.h:173:9
#16 0x7f964251b664 in mozilla::HTMLEditRules::CheckForInvisibleBR(mozilla::dom::Element&, mozilla::HTMLEditRules::BRLocation, int) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:6477:15
#17 0x7f96425109c3 in mozilla::HTMLEditRules::TryToJoinBlocksWithTransaction(nsIContent&, nsIContent&) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:3339:9
#18 0x7f96424bda93 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2748:32
#19 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#20 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#21 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#22 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#23 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#24 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#25 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#26 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#27 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#28 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#29 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#30 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#31 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#32 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#33 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#34 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#35 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#36 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#37 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#38 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#39 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#40 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#41 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#42 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#43 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#44 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#45 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#46 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#47 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#48 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#49 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
#50 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
...truncated...
Comment 1•6 years ago (Assignee)
Could you use a preformat block when you write a log? (i.e., three back quotes before the first line and after the last line.) If so, the lines won't be wrapped and it should be easier to read.
Comment 3•5 years ago (Assignee)
WSRunObject scans the previous and next node of a given point/range without checking the editing host boundary. Therefore, its methods may return non-editable nodes or editable nodes in another editing host. In such cases, HTMLEditRules is confused.

This patch makes it store the editing host at initialization and check the boundary. The former cost may appear in the score of some benchmark tests, but we shouldn't allow attackers to use this entrance.
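To make the boundary check concrete, here is an added toy illustration (not Gecko code; `Node`, `prevInTree`, `BoundedScanner` and the sample tree are all hypothetical) of a backwards scan that wanders out of the editing host versus one that records the host at construction and refuses to hand back anything outside it:

```cpp
#include <algorithm>
#include <string>
#include <vector>
// Toy DOM node (illustration only, not Gecko's nsINode).
struct Node {
    std::string name;
    bool contentEditable = false;   // true: this element is an editing host
    Node* parent = nullptr;
    std::vector<Node*> children;
    explicit Node(const std::string& n) : name(n) {}
    void addChild(Node* c) { c->parent = this; children.push_back(c); }
};
// One step backwards in the tree: previous sibling, or the parent if first.
static Node* prevInTree(Node* n) {
    if (!n || !n->parent) return nullptr;
    auto& sib = n->parent->children;
    auto it = std::find(sib.begin(), sib.end(), n);
    return it == sib.begin() ? n->parent : *(it - 1);
}
// Nearest ancestor-or-self that is an editing host, nullptr if none.
static Node* editingHostOf(Node* n) {
    for (; n; n = n->parent) if (n->contentEditable) return n;
    return nullptr;
}
// Pre-fix behaviour: walk back to the nearest leaf wherever it lives,
// so content outside the editing host can be handed back to the editor.
static Node* findPrevLeafUnbounded(Node* from) {
    for (Node* p = prevInTree(from); p; p = prevInTree(p))
        if (p->children.empty()) return p;
    return nullptr;
}
// Post-fix behaviour: record the host once, reject anything outside it.
struct BoundedScanner {
    Node* host;
    explicit BoundedScanner(Node* start) : host(editingHostOf(start)) {}
    Node* findPrevLeaf(Node* from) const {
        for (Node* p = prevInTree(from); p; p = prevInTree(p)) {
            if (editingHostOf(p) != host) return nullptr;   // crossed the boundary
            if (p->children.empty()) return p;
        }
        return nullptr;
    }
};
// Constructed sample: body > [ #text "outside", div[contenteditable] > p ]
struct Sample {
    Node body{"body"}, outside{"#text(outside)"}, host{"div"}, inner{"p"};
    Sample() { host.contentEditable = true; body.addChild(&outside);
               body.addChild(&host); host.addChild(&inner); }
};
static std::string nameOf(Node* n) { return n ? n->name : "(none)"; }
static std::string unboundedPrevLeaf() { Sample s; return nameOf(findPrevLeafUnbounded(&s.inner)); }
static std::string boundedPrevLeaf() { Sample s; return nameOf(BoundedScanner(&s.inner).findPrevLeaf(&s.inner)); }
```

The unbounded scan returns the text node that sits outside the contenteditable div, which is the kind of result that leaves the caller confused; the bounded scan returns nothing, so the caller knows there is no joinable content inside the host.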
Comment 5•5 years ago (bugherder)

Comment 6•5 years ago (Assignee)
Comment on attachment 9067323 [details]
Bug 1547897 - Make WSRunObject stop scanning outside of editing host
Beta/Release Uplift Approval Request
- User impact if declined: Attackers can crash our users' tabs with the simple testcase.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This patch just makes some points of the helper classes of HTMLEditor stop touching outside the focused editing host (an editing host is an element that has the contenteditable attribute). So, it shouldn't affect the normal path of handling editing actions.
- String changes made/needed: none
Comment 7•5 years ago
Comment on attachment 9067323 [details]
Bug 1547897 - Make WSRunObject stop scanning outside of editing host
Unless we have evidence of this being an issue in the wild, I'd prefer to let it ride the trains.