Crash in [@ nsINode::AddMutationObserver] from nsAttributeTextNode::BindToTree
Categories: Core :: DOM: Core & HTML, defect, P3
People: Reporter: u608768, Unassigned
Keywords: crash
Attachments: 1 file (9.39 KB, text/plain)
Crash report: https://crash-stats.mozilla.org/report/index/ddde10c1-6b0e-462d-a8d1-bddc40210410
Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Top 8 frames of crashing thread:
0 XUL nsINode::AddMutationObserver dom/base/nsINode.h:1064
1 XUL nsAttributeTextNode::BindToTree dom/base/nsTextNode.cpp:207
2 XUL nsINode::InsertChildBefore dom/base/nsINode.cpp:1550
3 XUL nsINode::ReplaceOrInsertBefore dom/base/nsINode.cpp:2721
4 XUL nsRange::CloneContents dom/base/nsRange.cpp:2156
5 XUL mozilla::dom::Range_Binding::cloneContents dom/bindings/RangeBinding.cpp:869
6 XUL bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3233
7 @0x206845a304d8
First seen in Release 87: https://crash-stats.mozilla.org/report/index/ddde10c1-6b0e-462d-a8d1-bddc40210410, and a couple in yesterday's Nightly: https://crash-stats.mozilla.org/report/index/f5b7b2f1-19ab-4a69-a5fa-b3d210210416.
Comment 1 • 3 years ago
This looks like we're moving anonymous text nodes around with the selection API... It seems like something fuzzers may have found?
Comment 2 • 3 years ago
:emilio, could this be the same issue as bug 1616846?
Comment hidden (obsolete)
Comment 4 • 3 years ago
Just to clarify, that testcase in that bug produces the following stack when run on a debug build:
#0 0x7f44a69f242d in nsAttributeTextNode::BindToTree(mozilla::dom::BindContext&, nsINode&) /builds/worker/checkouts/gecko/dom/base/nsTextNode.cpp:198:3
#1 0x7f44a6bce1cf in nsINode::InsertChildBefore(nsIContent*, nsIContent*, bool) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1549:23
#2 0x7f44a6bd31ce in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2719:14
#3 0x7f44a6c04341 in nsRange::CloneContents(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp
#4 0x7f44a723f60f in mozilla::dom::Range_Binding::cloneContents(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/RangeBinding.cpp:870:83
#5 0x7f44a7df737d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3232:13
#6 0x7f44aae5a0d0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:437:13
#7 0x7f44aae5983c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:522:12
#8 0x7f44aae5b049 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:582:10
#9 0x7f44aae4fca5 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:586:10
#10 0x7f44aae4fca5 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3248:16
#11 0x7f44aae47295 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:406:13
#12 0x7f44aae59859 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:554:13
#13 0x7f44aae5b049 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:582:10
#14 0x7f44aae5b26f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:8
#15 0x7f44ab3e20cb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2830:10
Comment 5 • 3 years ago
That looks like a very similar bug, and since it is using a chrome-only API to access something which web pages can't access, this might not be very high priority. Unless this blocks fuzzing some other areas in the code base.
(I am surprised that the whole InspectorUtils is exposed to the fuzzer)
Updated • 3 years ago