Closed Bug 1645109 Opened 6 months ago Closed 6 months ago

Crash [@ mozilla::dom::Document::Sanitize()]

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
normal

Tracking

VERIFIED FIXED
mozilla79
Tracking Status
firefox79 --- verified

People

(Reporter: jkratzer, Assigned: smaug)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 10ad7868f3ca.

==26994==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f4812d82d3b bp 0x7ffc14bebf10 sp 0x7ffc14bebf10 T0)
==26994==The signal is caused by a READ memory access.
==26994==Hint: address points to the zero page.
    #0 0x7f4812d82d3a in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7f4812d82d3a in operator mozilla::dom::NodeInfo * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:299:12
    #2 0x7f4812d82d3a in NodeInfo /builds/worker/checkouts/gecko/dom/base/nsINode.h:709:60
    #3 0x7f4812d82d3a in decltype(static_cast<mozilla::dom::HTMLFormElement*>(&(fp))) mozilla::dom::HTMLFormElement::FromNode<nsIContent>(nsIContent&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/HTMLFormElement.h:44:3
    #4 0x7f481414940c in FromNode<nsIContent> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/HTMLFormElement.h:44:3
    #5 0x7f481414940c in mozilla::dom::Document::Sanitize() /builds/worker/checkouts/gecko/dom/base/Document.cpp:10258:29
    #6 0x7f4818d09f75 in nsDocumentViewer::Destroy() /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1734:18
    #7 0x7f4818d1954a in nsDocumentViewer::Show() /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:2105:17
    #8 0x7f4818db26a8 in nsPresContext::EnsureVisible() /builds/worker/checkouts/gecko/layout/base/nsPresContext.cpp:1627:25
    #9 0x7f4818c4ec46 in mozilla::PresShell::UnsuppressAndInvalidate() /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:3850:54
    #10 0x7f4818c52983 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9801:5
    #11 0x7f4818c5115d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4229:11
    #12 0x7f4818be0d07 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2068:20
    #13 0x7f4818bee646 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
    #14 0x7f4818bee646 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:350:7
    #15 0x7f4818bee245 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
    #16 0x7f4818bfd5e2 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:819:5
    #17 0x7f4818bfd5e2 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:737:16
    #18 0x7f4818bfcbbf in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:639:7
    #19 0x7f4818beb632 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:538:20
    #20 0x7f4810194102 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1236:14
    #21 0x7f481019ecfc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:501:10
    #22 0x7f481151d60f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #23 0x7f48113fcb87 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #24 0x7f48113fcb87 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #25 0x7f48113fcb87 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #26 0x7f4818746b78 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #27 0x7f481c2f81a6 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #28 0x7f48113fcb87 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #29 0x7f48113fcb87 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #30 0x7f48113fcb87 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #31 0x7f481c2f778f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #32 0x565285b14793 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #33 0x565285b14793 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #34 0x7f4834006b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get
Flags: in-testsuite?
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200611093454-10ad7868f3ca.
Failed to bisect testcase (Start build crashes!):
> Start: 4a63f0a3a1f26e2a377ffbd477ba050e16577445 (20190613035031)
> End: c7dbcbcbb07745ad124640bc639c86a251c66300 (20200611040433)
> BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=False, coverage=False, valgrind=False)

That code currently isn't dealing with namespaces, so OrNull variant should be used. (Or GetElementsByTagName call changed).
But the testcase isn't using form element from non-xhtml. hmm..

I haven't managed to reproduce yet using a debug build.

(In reply to Olli Pettay [:smaug] from comment #3)

> That code currently isn't dealing with namespaces, so OrNull variant should be used. (Or GetElementsByTagName call changed).
> But the testcase isn't using form element from non-xhtml. hmm..

How so? The OrNull means whether the argument can be null, the return value can always be null if the namespace is not HTML, so that code looks ok... However, can Reset() somehow end up running script or mutating the DOM?

Yes, Reset triggering mutation may cause null item.

Assignee: nobody → bugs
Status: NEW → ASSIGNED
Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b5014307f3e9
handle the case when contentlist is modified while iterating it, r=emilio
Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
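The root cause discussed above, as an added example that is not Gecko code and not the patch that landed: a minimal C++ model of a live collection (standing in for the nsContentList returned by GetElementsByTagName) whose Length() and Item(i) are recomputed on every call. When resetting one form runs a listener that removes other forms, the list shrinks mid-loop and Item(i) starts returning null, which is what an unchecked FromNode(*Item(i)) then dereferences. The names Document, Element, LiveList, ResetForm, SanitizeUnchecked and SanitizeChecked are this example's own; the commit message only says the modified-while-iterating case is now handled, so the per-item null check shown in SanitizeChecked is one assumed way of doing that, not a claim about the actual fix.

```cpp
// Added example, not Gecko code: models a live node list shrinking while a
// Sanitize()-style loop iterates it, and the null check that tolerates it.
#include <algorithm>
#include <cstddef>
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

struct Document;

struct Element {
    std::string tag;
    bool wasReset = false;
    // Hypothetical reset listener: stands in for script that can run from Reset().
    std::function<void(Document&)> onReset;
};

struct Document {
    std::vector<std::shared_ptr<Element>> children;

    // Live view over `children`: its answers change as soon as the DOM is mutated.
    struct LiveList {
        const Document* doc;
        std::string tag;
        std::size_t Length() const {
            return std::count_if(doc->children.begin(), doc->children.end(),
                [&](const std::shared_ptr<Element>& e) { return e->tag == tag; });
        }
        // Returns nullptr once i is past the current end of the live list.
        Element* Item(std::size_t i) const {
            for (const auto& e : doc->children) {
                if (e->tag != tag) continue;
                if (i-- == 0) return e.get();
            }
            return nullptr;
        }
    };
    LiveList GetElementsByTagName(const std::string& tag) const { return LiveList{this, tag}; }

    std::shared_ptr<Element> Append(const std::string& tag) {
        auto e = std::make_shared<Element>();
        e->tag = tag;
        children.push_back(e);
        return e;
    }
    void Remove(const Element* victim) {
        children.erase(std::remove_if(children.begin(), children.end(),
            [&](const std::shared_ptr<Element>& p) { return p.get() == victim; }),
            children.end());
    }
};

// Form reset: flags the form, then gives the listener a chance to mutate the DOM.
void ResetForm(Element& form, Document& doc) {
    form.wasReset = true;
    if (form.onReset) form.onReset(doc);
}

// Shape of the crashing loop: Length() read once, Item(i) assumed non-null.
// Instead of crashing, it returns how many null items it would have dereferenced.
std::size_t SanitizeUnchecked(Document& doc) {
    Document::LiveList forms = doc.GetElementsByTagName("form");
    std::size_t length = forms.Length();
    std::size_t nullDerefs = 0;
    for (std::size_t i = 0; i < length; ++i) {
        Element* item = forms.Item(i);
        if (!item) { ++nullDerefs; continue; }  // real code: FromNode(*item) -> SEGV
        ResetForm(*item, doc);
    }
    return nullDerefs;
}

// Hardened shape (assumed, one way to handle the list being modified while
// iterating it): check every Item(i) before use. Returns the number of forms reset.
std::size_t SanitizeChecked(Document& doc) {
    Document::LiveList forms = doc.GetElementsByTagName("form");
    std::size_t length = forms.Length();
    std::size_t resets = 0;
    for (std::size_t i = 0; i < length; ++i) {
        Element* item = forms.Item(i);
        if (!item) continue;  // list changed under us; skip rather than dereference
        ResetForm(*item, doc);
        ++resets;
    }
    return resets;
}

// Constructed scenario: three forms; resetting the first runs a listener that
// removes the other two, shrinking the live "form" list from 3 to 1.
std::shared_ptr<Document> BuildMutatingDoc() {
    auto doc = std::make_shared<Document>();
    doc->Append("div");
    auto f1 = doc->Append("form");
    Element* f2 = doc->Append("form").get();
    Element* f3 = doc->Append("form").get();
    f1->onReset = [f2, f3](Document& d) { d.Remove(f2); d.Remove(f3); };
    return doc;
}

// Constructed control: three forms and no listener, so the list never changes.
std::shared_ptr<Document> BuildQuietDoc() {
    auto doc = std::make_shared<Document>();
    for (int i = 0; i < 3; ++i) doc->Append("form");
    return doc;
}

int main() {
    std::cout << "unchecked loop: " << SanitizeUnchecked(*BuildMutatingDoc())
              << " null item(s) would be dereferenced\n";
    std::cout << "checked loop:   " << SanitizeChecked(*BuildMutatingDoc())
              << " form(s) reset, no null dereference\n";
}
```

On the mutating document the unchecked loop meets two null items (indexes 1 and 2 after the list shrank), which is the position the ASan trace shows: the crash is a read of the zero page inside RefPtr::get() reached from FromNode, not a use-after-free. Caching Length() is not the problem by itself; the problem is treating Item(i) as non-null after code that can run script has executed inside the loop body.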
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200615092624-f05a0084c5f2.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.