Open Bug 1705796 Opened 26 days ago Updated 12 days ago

Crash in [@ nsINode::AddMutationObserver] from nsAttributeTextNode::BindToTree

Categories

(Core :: DOM: Core & HTML, defect, P3)

People

(Reporter: kashav, Unassigned)

Details

(Keywords: crash)

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/ddde10c1-6b0e-462d-a8d1-bddc40210410

Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 8 frames of crashing thread:

    0 XUL nsINode::AddMutationObserver dom/base/nsINode.h:1064
    1 XUL nsAttributeTextNode::BindToTree dom/base/nsTextNode.cpp:207
    2 XUL nsINode::InsertChildBefore dom/base/nsINode.cpp:1550
    3 XUL nsINode::ReplaceOrInsertBefore dom/base/nsINode.cpp:2721
    4 XUL nsRange::CloneContents dom/base/nsRange.cpp:2156
    5 XUL mozilla::dom::Range_Binding::cloneContents dom/bindings/RangeBinding.cpp:869
    6 XUL bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3233
    7 @0x206845a304d8

First seen in Release 87: https://crash-stats.mozilla.org/report/index/ddde10c1-6b0e-462d-a8d1-bddc40210410, and a couple in yesterday's Nightly: https://crash-stats.mozilla.org/report/index/f5b7b2f1-19ab-4a69-a5fa-b3d210210416.

This looks like we're moving anonymous text nodes around with the selection API... It seems like something fuzzers may have found?

Flags: needinfo?(jkratzer)
Summary: Crash in [@ nsINode::AddMutationObserver] → Crash in [@ nsINode::AddMutationObserver] from nsAttributeTextNode::BindToTree

:emilio, could this be the same issue as bug 1616846?

Flags: needinfo?(jkratzer)

Just to clarify, that testcase in that bug produces the following stack when run on a debug build:

    #0 0x7f44a69f242d in nsAttributeTextNode::BindToTree(mozilla::dom::BindContext&, nsINode&) /builds/worker/checkouts/gecko/dom/base/nsTextNode.cpp:198:3
    #1 0x7f44a6bce1cf in nsINode::InsertChildBefore(nsIContent*, nsIContent*, bool) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1549:23
    #2 0x7f44a6bd31ce in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2719:14
    #3 0x7f44a6c04341 in nsRange::CloneContents(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp
    #4 0x7f44a723f60f in mozilla::dom::Range_Binding::cloneContents(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/RangeBinding.cpp:870:83
    #5 0x7f44a7df737d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3232:13
    #6 0x7f44aae5a0d0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:437:13
    #7 0x7f44aae5983c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:522:12
    #8 0x7f44aae5b049 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:582:10
    #9 0x7f44aae4fca5 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:586:10
    #10 0x7f44aae4fca5 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3248:16
    #11 0x7f44aae47295 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:406:13
    #12 0x7f44aae59859 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:554:13
    #13 0x7f44aae5b049 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:582:10
    #14 0x7f44aae5b26f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:8
    #15 0x7f44ab3e20cb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2830:10

That looks like a very similar bug, and since it is using a chrome-only API to access something which web pages can't access, this might not be very high priority, unless this blocks fuzzing some other areas in the code base.
(I am surprised that the whole InspectorUtils is exposed to the fuzzer.)

Severity: -- → S3
Priority: -- → P3