MOZ_Crash in RestyleManager::ContentStateChanged() when setting designMode
Categories
(Core :: Layout, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox74 | --- | unaffected |
| firefox75 | --- | unaffected |
| firefox76 | --- | fixed |
People
(Reporter: tarafans7, Assigned: emilio)
Details
(Keywords: regression)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Steps to reproduce:
I used ffpuppet to reproduce the bug with the PoC attached against the ASAN nightly build.
Log:
==17938==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f14163942e6 bp 0x7ffdb14370f0 sp 0x7ffdb1436fa0 T0)
==17938==The signal is caused by a WRITE memory access.
==17938==Hint: address points to the zero page.
#0 0x7f14163942e5 in mozilla::RestyleManager::ContentStateChanged(nsIContent*, mozilla::EventStates) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3173:3
#1 0x7f1416393a05 in mozilla::PresShell::ContentStateChanged(mozilla::dom::Document*, nsIContent*, mozilla::EventStates) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4236:37
#2 0x7f1411ecd75d in mozilla::dom::Document::ContentStateChanged(nsIContent*, mozilla::EventStates) /builds/worker/checkouts/gecko/dom/base/Document.cpp:7479:3
#3 0x7f1411f2f009 in mozilla::dom::Element::UpdateState(bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:290:14
#4 0x7f141453bbf6 in mozilla::TextControlState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, unsigned int) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2704:45
#5 0x7f1414506404 in SetValue /builds/worker/checkouts/gecko/dom/html/TextControlState.h:225:12
#6 0x7f1414506404 in mozilla::TextControlState::UnbindFromFrame(nsTextControlFrame*) /builds/worker/checkouts/gecko/dom/html/TextControlState.cpp:2495:26
#7 0x7f14168848fb in nsTextControlFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/forms/nsTextControlFrame.cpp:145:23
#8 0x7f141659a74f in nsBlockFrame::DoRemoveFrameInternal(nsIFrame*, unsigned int, mozilla::layout::PostFrameDestroyData&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6256:20
#9 0x7f1416596c73 in DoRemoveFrame /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.h:528:5
#10 0x7f1416596c73 in nsBlockFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:5572:5
#11 0x7f141642cb01 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7577:5
#12 0x7f1416421bbc in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8587:7
#13 0x7f14163c5fa0 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1518:25
#14 0x7f14163d023c in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3066:9
#15 0x7f1416390fb2 in ProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3145:3
#16 0x7f1416390fb2 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4115:39
#17 0x7f1411eea93d in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1453:5
#18 0x7f1411eea93d in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10087:16
#19 0x7f141455d604 in nsGenericHTMLElement::GetFormControlFrame(bool) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:879:23
#20 0x7f1414563e7d in nsGenericHTMLFormElement::PreHandleEvent(mozilla::EventChainVisitor&) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:1867:49
#21 0x7f14141c211d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1004:20
#22 0x7f14121d669e in FocusBlurEvent::Run() /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:2403:12
#23 0x7f1411c18f43 in nsContentUtils::RemoveScriptBlocker() /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:5407:15
#24 0x7f1411ea8b75 in mozilla::dom::Document::EditingStateChanged() /builds/worker/checkouts/gecko/dom/base/Document.cpp:5469:5
#25 0x7f1411ea804c in mozilla::dom::Document::SetDesignMode(nsTSubstring<char16_t> const&, mozilla::Maybe<nsIPrincipal> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:4104:10
#26 0x7f1411ea7d1d in mozilla::dom::Document::SetDesignMode(nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:4089:3
#27 0x7f141365e68f in mozilla::dom::Document_Binding::set_designMode(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3375:24
#28 0x7f1413af749d in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3153:8
#29 0x7f14198762c7 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:476:13
#30 0x7f14198762c7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:568:12
#31 0x7f1419877f7a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:631:10
#32 0x7f14198781f9 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:648:8
#33 0x7f1419879e12 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:786:10
#34 0x7f1419e24e17 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2799:8
#35 0x7f1419e23dbc in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2828:14
#36 0x7f141988fd60 in js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:283:10
#37 0x7f1419a819ca in js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/proxy/BaseProxyHandler.cpp:166:14
#38 0x7f1413b21699 in mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /builds/worker/checkouts/gecko/dom/bindings/DOMJSProxyHandler.cpp:243:10
#39 0x7f1419a9460d in setInternal /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:382:19
#40 0x7f1419a9460d in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:390:10
#41 0x7f1419d5a6e8 in JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/JSObject.cpp:1244:10
#42 0x7f141988fd38 in js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:280:12
#43 0x7f1419859e13 in SetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:272:10
#44 0x7f1419859e13 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:2785:12
#45 0x7f14198448d3 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:448:10
#46 0x7f14198763aa in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:603:13
#47 0x7f1419877f7a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:631:10
#48 0x7f14198781f9 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:648:8
#49 0x7f1419a007c2 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2798:10
#50 0x7f14136087a8 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:276:37
#51 0x7f141420c377 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:367:12
#52 0x7f141420a550 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
#53 0x7f14141d0b7e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1079:22
#54 0x7f14141d263e in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1271:17
#55 0x7f14141bf1cf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:356:17
#56 0x7f14141bd721 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:558:16
#57 0x7f14141c21f9 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1055:11
#58 0x7f141644c18e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1158:7
#59 0x7f1418c33143 in nsDocShell::EndPageLoad(nsIWebProgress, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6072:20
#60 0x7f1418c3234e in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5855:7
#61 0x7f1418c3567f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#62 0x7f1410caa720 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1348:3
#63 0x7f1410ca950c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:907:14
#64 0x7f1410ca5ecc in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:727:9
#65 0x7f1410ca97c6 in ChildDoneWithOnload /builds/worker/workspace/obj-build/dist/include/nsDocLoader.h:241:5
#66 0x7f1410ca97c6 in nsDocLoader::NotifyDoneWithOnload(nsDocLoader*) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:801:14
#67 0x7f1410ca5ed7 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:729:9
#68 0x7f1410ca8203 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:615:5
#69 0x7f1410ca909c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
#70 0x7f140f0df88b in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:611:22
#71 0x7f140f0e2507 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:518:10
#72 0x7f1411ef07af in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:10778:18
#73 0x7f1411ea712c in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10710:9
#74 0x7f1411ecbb1c in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7376:3
#75 0x7f1411f9bc54 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1158:12
#76 0x7f1411f9bc54 in apply<mozilla::dom::Document, void (mozilla::dom::Document::)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:12
#77 0x7f1411f9bc54 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1210:13
#78 0x7f140ee2d3ad in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:282:20
#79 0x7f140ee60ece in nsThread::ProcessNextEvent(bool, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1220:14
#80 0x7f140ee6b95c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
#81 0x7f140fed386a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#82 0x7f140fe003f7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#83 0x7f140fe003f7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#84 0x7f140fe003f7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#85 0x7f1415ea2f08 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#86 0x7f1419652ec6 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:909:20
#87 0x7f140fe003f7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#88 0x7f140fe003f7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#89 0x7f140fe003f7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#90 0x7f1419652581 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:740:34
#91 0x5587723f1fbb in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#92 0x5587723f1fbb in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#93 0x7f142dae9b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#94 0x558772347998 in _start (/home/wen/firefox/firefox+0x9d998)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3173:3 in mozilla::RestyleManager::ContentStateChanged(nsIContent*, mozilla::EventStates)
==17938==ABORTING
Actual results:
Firefox crashed.
Expected results:
Nothing should happen.
|
||
Updated•4 years ago
|
|
||
Comment 2•4 years ago
|
||
Judging by the line number, this is crashing on: MOZ_DIAGNOSTIC_ASSERT(!mInStyleRefresh);
Any ideas, Emilio?
I'm not sure if this is a sec issue or not.
|
Assignee | |
Comment 3•4 years ago
|
||
Not a security issue, but a correctness issue.
|
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 4•4 years ago
|
||
Instead of at a later point. This prevents stuff getting out of sync during that
time, which can cause assertions to fire.
|
||
Updated•4 years ago
|
|
|
Assignee | |
Updated•4 years ago
|
|
||
Comment 5•4 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b33280bc324f Make SetContentEditable update element state right when it changes. r=smaug
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/22565 for changes under testing/web-platform/tests
Upstream web-platform-tests status checks passed, PR will merge once commit reaches central.
|
||
Comment 9•4 years ago
|
||
| bugherder | ||
Upstream PR merged by moz-wptsync-bot
|
||
Updated•4 years ago
|
Description
•