1577191 - Crash [@ decltype (static_cast<mozilla::dom::Element*>(&{parm#1})) mozilla::dom::Element::FromNode<nsINode>]

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: test_0921.html

Testcase found while fuzzing mozilla-central rev 546d1fd47c9a.

rax = 0x0000000000000000   rdx = 0x00007f33786a4530
rcx = 0x0000000000000000   rbx = 0x00007f337869b040
rsi = 0x0000000000000001   rdi = 0x0000000000000000
rbp = 0x00007ffdcb960290   rsp = 0x00007ffdcb960228
r8 = 0x00007f3378660f70    r9 = 0x00007f33a888d0e0
r10 = 0x0000000000000000   r11 = 0x0000000000000001
r12 = 0x0000000000000001   r13 = 0x0000000000000001
r14 = 0x0000000000000001   r15 = 0x00007f33a718ca28
rip = 0x00007f3396f4db3b
OS|Linux|0.0.0 Linux 5.0.0-25-generic #26~18.04.1-Ubuntu SMP Thu Aug 1 13:51:02 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV|0x1c|0
0|0|libxul.so|decltype (static_cast<mozilla::dom::Element*>(&{parm#1})) mozilla::dom::Element::FromNode<nsINode>(nsINode&)|hg:hg.mozilla.org/mozilla-central:dom/base/Element.h:546d1fd47c9a48b6919848b2c6f28359460731eb|185|0x0
0|1|libxul.so|mozilla::dom::Element::UnbindFromTree(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Element.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|1805|0xe
0|2|libxul.so|nsXULElement::UnbindFromTree(bool)|hg:hg.mozilla.org/mozilla-central:dom/xul/nsXULElement.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|758|0xc
0|3|libxul.so|nsXBLBinding::UnbindAnonymousContent(mozilla::dom::Document*, nsIContent*, bool)|hg:hg.mozilla.org/mozilla-central:dom/xbl/nsXBLBinding.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|191|0xf
0|4|libxul.so|nsXBLBinding::~nsXBLBinding()|hg:hg.mozilla.org/mozilla-central:dom/xbl/nsXBLBinding.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|103|0x20
0|5|libxul.so|nsXBLBinding::cycleCollection::DeleteCycleCollectable(void*)|hg:hg.mozilla.org/mozilla-central:dom/xbl/nsXBLBinding.h:546d1fd47c9a48b6919848b2c6f28359460731eb|52|0x14
0|6|libxul.so|SnowWhiteKiller::MaybeKillObject(SnowWhiteKiller::SnowWhiteObject&)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|2429|0xd
0|7|libxul.so|SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|2459|0xc
0|8|libxul.so|void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|941|0x12
0|9|libxul.so|nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|2624|0xf
0|10|libxul.so|AsyncFreeSnowWhite::Run()|hg:hg.mozilla.org/mozilla-central:js/xpconnect/src/XPCJSRuntime.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|146|0x8
0|11|libxul.so|IdleRunnableWrapper::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|331|0x11
0|12|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|1225|0x15
0|13|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|486|0x11
0|14|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|88|0xa
0|15|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:546d1fd47c9a48b6919848b2c6f28359460731eb|315|0x17
0|16|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:546d1fd47c9a48b6919848b2c6f28359460731eb|290|0x8
0|17|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|137|0xd
0|18|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|276|0xe
0|19|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|4573|0x11
0|20|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|4711|0x8
0|21|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|4792|0x5
0|22|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|213|0x22
0|23|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:546d1fd47c9a48b6919848b2c6f28359460731eb|295|0xf
0|24|libc-2.27.so||||0x21b97
0|25|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:546d1fd47c9a48b6919848b2c6f28359460731eb|184|0x5

Comment 1

[Emilio Cobos Álvarez (:emilio)]

Fixed already in the last patch of bug 1554498 (on autoland now). These crashes were all over the place in ccov builds, I still can't believe the patch got through autoland as it did.

Comment 2

[Ryan VanderMeulen [:RyanVM]]

I'm thinking it might be good to land the testcase here still if it allows us to catch the issue faster than the once-daily (or thereabouts) ccov builds.

Comment 3

[Emilio Cobos Álvarez (:emilio)]

Attachment: Bug 1577191 - Crashtest.

Comment 4

[Emilio Cobos Álvarez (:emilio)]

Done :)

Comment 5

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8e5bc0fc04e2
Crashtest.

Comment 6

[Alexandru Michis [:malexandru]]

https://hg.mozilla.org/mozilla-central/rev/8e5bc0fc04e2

Comment 7

[Bogdan Tara[:bogdan_tara | bogdant]]

https://hg.mozilla.org/releases/mozilla-beta/rev/8e5bc0fc04e2