1655992 - Assertion failure: !Failed(), at /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h:582

Status: RESOLVED WORKSFORME

(Core :: DOM: Editor, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 3059084abf6e (built with --enable-debug).

Assertion failure: !Failed(), at /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h:582

==17315==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd978da7217 bp 0x7ffd209d82b0 sp 0x7ffd209d82a0 T17315)
==17315==The signal is caused by a WRITE memory access.
==17315==Hint: address points to the zero page.
    #0 0x7fd978da7216 in mozilla::binding_danger::TErrorResult<mozilla::binding_danger::AssertAndSuppressCleanupPolicy>::~TErrorResult() /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h
    #1 0x7fd979c08892 in nsRange::ExcludeNonSelectableNodes(nsTArray<RefPtr<nsRange> >*) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:3021:5
    #2 0x7fd979b02f17 in mozilla::dom::Selection::IsUserSelectionCollapsed(nsRange const&, nsTArray<RefPtr<nsRange> >&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:822:3
    #3 0x7fd979b032c1 in mozilla::dom::Selection::AddRangesForUserSelectableNodes(nsRange*, int*, mozilla::dom::Selection::DispatchSelectstartEvent) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:866:9
    #4 0x7fd979b07fa2 in AddRangesForSelectableNodes /builds/worker/checkouts/gecko/dom/base/Selection.cpp:925:12
    #5 0x7fd979b07fa2 in mozilla::dom::Selection::AddRangeAndSelectFramesAndNotifyListeners(nsRange&, mozilla::dom::Document*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1913:14
    #6 0x7fd979b0ab6f in AddRangeAndSelectFramesAndNotifyListeners /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1872:10
    #7 0x7fd979b0ab6f in mozilla::dom::Selection::SetStartAndEndInternal(mozilla::dom::Selection::InLimiter, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, nsDirection, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3407:3
    #8 0x7fd979b0a9cc in mozilla::dom::Selection::SelectAllChildren(nsINode&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2648:3
    #9 0x7fd97c52b046 in mozilla::HTMLEditor::SelectAllInternal() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:3939:22
    #10 0x7fd97c4937c0 in mozilla::EditorBase::SelectAll() /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:1072:17
    #11 0x7fd97c4ab991 in mozilla::SelectAllCommand::DoCommand(mozilla::Command, mozilla::TextEditor&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/EditorCommands.cpp:655:29
    #12 0x7fd979a359e8 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:4917:26
    #13 0x7fd97ab1eeb2 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3469:36
    #14 0x7fd97aeca221 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3220:13
    #15 0x7fd97dd3f671 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:485:13
    #16 0x7fd97dd3eee9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:577:12
    #17 0x7fd97dd409af in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
    #18 0x7fd97dd341db in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:644:10
    #19 0x7fd97dd341db in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3312:16
    #20 0x7fd97dd2abe6 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:457:10
    #21 0x7fd97dd3ee46 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
    #22 0x7fd97dd409af in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
    #23 0x7fd97dd40b8f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:8
    #24 0x7fd97de50e67 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2837:10
    #25 0x7fd97abbfc68 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:276:37
    #26 0x7fd97b293a91 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:367:12
    #27 0x7fd97b292bc5 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
    #28 0x7fd97b2761ee in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1088:22
    #29 0x7fd97b276e43 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1279:17
    #30 0x7fd97b26c704 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:354:5
    #31 0x7fd97b26c704 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:355:17
    #32 0x7fd97b26bca1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:557:16
    #33 0x7fd97b26e869 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1054:11
    #34 0x7fd97c063f8d in mozilla::(anonymous namespace)::AsyncTimeEventRunner::Run() /builds/worker/checkouts/gecko/dom/smil/SMILTimedElement.cpp:97:12
    #35 0x7fd977b00152 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #36 0x7fd977b061a4 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:242:16
    #37 0x7fd977b03f6d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:512:26
    #38 0x7fd977b02d54 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:371:15
    #39 0x7fd977b02f46 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:168:36
    #40 0x7fd977b0ab66 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:83:37
    #41 0x7fd977b0ab66 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #42 0x7fd977b1e909 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #43 0x7fd977b2442a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #44 0x7fd97843058f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #45 0x7fd9783a1843 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #46 0x7fd9783a175d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #47 0x7fd9783a175d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #48 0x7fd97c3e9f48 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #49 0x7fd97dbfca93 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #50 0x7fd978431357 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #51 0x7fd9783a1843 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #52 0x7fd9783a175d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #53 0x7fd9783a175d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #54 0x7fd97dbfc587 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #55 0x55ab8e348fb8 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #56 0x55ab8e348fb8 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #57 0x7fd9930f1b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310

UndefinedBehaviorSanitizer can not provide additional info.

Comment 1

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200804091327-7cb90fa4f485.
Failed to bisect testcase (Start build crashes!):
> Start: e8b7c48d4e7ed1b63aeedff379b51e566ea499d9 (20191107015224)
> End: 3059084abf6e9e96f9f1a80997da2139b0f5afee (20200729094932)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Comment 2

[Jason Kratzer [:jkratzer]]

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: 61c35792ca7021377e42150db54b3935b0fd3c40 (20201025214116)
End: 836fa52c68009f707198c75c3a4478ed290c339f (20201025193409)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=61c35792ca7021377e42150db54b3935b0fd3c40&tochange=836fa52c68009f707198c75c3a4478ed290c339f
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 3

[Jens Stutte [:jstutte]]

Seems to be solved by bug 1672786.