Closed Bug 1547990 Opened 6 years ago Closed 4 years ago

AddressSanitizer: stack-overflow [@ mozilla::dom::ShadowRoot::Bind]

Categories

(Core :: DOM: Core & HTML, defect, P2)

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox68 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 7c41e561912d.

==11276==ERROR: AddressSanitizer: stack-overflow on address 0x7fff5df3bff8 (pc 0x7f0538756104 bp 0x7fff5df3c000 sp 0x7fff5df3c000 T0)
    #0 0x7f0538756103 in nsIContent::AddRef() /builds/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:161
    #1 0x7f0533f682d2 in nsCOMPtr_base::assign_with_AddRef(nsISupports*) /builds/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:38:5
    #2 0x7f053876fbd3 in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:672:5
    #3 0x7f053876fbd3 in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1622
    #4 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #5 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #6 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #7 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #8 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #9 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #10 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #11 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #12 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #13 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #14 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #15 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #16 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #17 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #18 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #19 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #20 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #21 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #22 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #23 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #24 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #25 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #26 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #27 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #28 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #29 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #30 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #31 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #32 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #33 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #34 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #35 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #36 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #37 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #38 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #39 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #40 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #41 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #42 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #43 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #44 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #45 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #46 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #47 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #48 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #49 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #50 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
Flags: in-testsuite?
Flags: needinfo?(bugs)
Priority: -- → P2

Hi Jason, could you attach the testcase? Thanks.

Flags: needinfo?(jkratzer)
Flags: needinfo?(bugs)
Attached file testcase.html

My apologies. Attached here.

Flags: needinfo?(jkratzer)

The test script recursively creates a shadow DOM and goes into an infinite loop.
I got the same result on other browsers.
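A triage helper for reports like the one above, added here as an example (it is not part of this bug or of Mozilla's tooling): it parses the ASan frames and looks for the shortest cycle of functions that repeats down the stack, which is what separates unbounded recursion (here ShadowRoot::Bind, Element::BindToTree, nsGenericHTMLElement::BindToTree) from a single oversized frame. The sample report is a constructed excerpt of the trace above, and the cycle heuristic and its repeat threshold are my own choices.

```python
import re

# Constructed excerpt of the report above: frames #0-#11 verbatim, later repeats dropped.
SAMPLE_REPORT = """\
==11276==ERROR: AddressSanitizer: stack-overflow on address 0x7fff5df3bff8 (pc 0x7f0538756104 bp 0x7fff5df3c000 sp 0x7fff5df3c000 T0)
    #0 0x7f0538756103 in nsIContent::AddRef() /builds/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:161
    #1 0x7f0533f682d2 in nsCOMPtr_base::assign_with_AddRef(nsISupports*) /builds/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:38:5
    #2 0x7f053876fbd3 in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:672:5
    #3 0x7f053876fbd3 in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1622
    #4 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #5 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #6 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #7 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #8 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
    #9 0x7f0538770bfa in mozilla::dom::Element::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/Element.cpp:1769:22
    #10 0x7f053c901794 in nsGenericHTMLElement::BindToTree(mozilla::dom::Document*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:423:33
    #11 0x7f05388d418b in mozilla::dom::ShadowRoot::Bind() /builds/worker/workspace/build/src/dom/base/ShadowRoot.cpp:135:26
"""

# ASan frame: "#N 0x... in <function>(args) <file>:<line>"; the name ends at a space or "(".
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+([^\s(]+)")

def parse_frames(report):
    """Function names of the report's frames, innermost (#0) first."""
    matches = (FRAME_RE.match(line) for line in report.splitlines())
    return [m.group(1) for m in matches if m]

def find_recursion_cycle(frames, min_repeats=3):
    """Shortest frame cycle repeated >= min_repeats times in a row, or None if there is none."""
    n = len(frames)
    for period in range(1, n // min_repeats + 1):
        run, start, best = 0, 0, (0, 0)  # best = (longest run of period-matches, its start)
        for i in range(n - period):
            if frames[i] != frames[i + period]:
                run = 0
                continue
            start = i if run == 0 else start
            run += 1
            if run > best[0]:
                best = (run, start)
        length, start = best
        if length >= period * (min_repeats - 1):  # enough matches to cover min_repeats copies
            return {"first_cycle_frame": start, "cycle": frames[start:start + period],
                    "repeats": length // period + 1}
    return None

if __name__ == "__main__":
    print(find_recursion_cycle(parse_frames(SAMPLE_REPORT)))
```

On the full 51-frame trace above the same function reports the three-frame cycle repeating 16 times from frame #3.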

I can no longer reproduce this issue on mozilla-central rev fc74eb2c7b84. I think we can safely close this issue.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME