1742734 - use-after-poison [@ nsCaret::GetGeometryForFrame]

Status: RESOLVED WORKSFORME

(Core :: DOM: Selection, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20211115-0ea31fd939c8 (--enable-address-sanitizer --enable-fuzzing)

Requires pref layout.accessiblecaret.enabled=true.

I think this is caught via frame-poisoning but the address seems a bit off.

rax = 0x7ffffffff0de7fff in https://crash-stats.mozilla.org/report/index/a4fad86a-77ca-4ccb-bcf3-7411f0211124

==339821==ERROR: AddressSanitizer: use-after-poison on address 0x6250002541d8 at pc 0x7f6f089dc981 bp 0x7ffe51b882f0 sp 0x7ffe51b882e8
READ of size 8 at 0x6250002541d8 thread T0 (Isolated Web Co)
    #0 0x7f6f089dc980 in nsCaret::GetGeometryForFrame(nsIFrame*, int, int*) src/layout/base/nsCaret.cpp:247:25
    #1 0x7f6f088daffd in mozilla::AccessibleCaret::SetPosition(nsIFrame*, int) src/layout/base/AccessibleCaret.cpp:244:7
    #2 0x7f6f088e2c54 in operator() src/layout/base/AccessibleCaretManager.cpp:330:44
    #3 0x7f6f088e2c54 in mozilla::AccessibleCaretManager::UpdateCaretsForSelectionMode(mozilla::EnumSet<mozilla::AccessibleCaretManager::UpdateCaretsHint, unsigned char> const&) src/layout/base/AccessibleCaretManager.cpp:351:7
    #4 0x7f6f088e1c85 in mozilla::AccessibleCaretManager::UpdateCarets(mozilla::EnumSet<mozilla::AccessibleCaretManager::UpdateCaretsHint, unsigned char> const&) src/layout/base/AccessibleCaretManager.cpp:210:7
    #5 0x7f6f088e1967 in mozilla::AccessibleCaretManager::OnSelectionChanged(mozilla::dom::Document*, mozilla::dom::Selection*, short) src/layout/base/AccessibleCaretManager.cpp:171:3
    #6 0x7f6f03c605f4 in mozilla::dom::Selection::NotifySelectionListeners() src/dom/base/Selection.cpp:3146:10
    #7 0x7f6f08b94a06 in nsFrameSelection::NotifySelectionListeners(mozilla::SelectionType) src/layout/generic/nsFrameSelection.cpp:2157:16
    #8 0x7f6f03c696b9 in mozilla::dom::Selection::EndBatchChanges(short) src/dom/base/Selection.cpp:3174:21
    #9 0x7f6f03c6b020 in mozilla::dom::SelectionBatcher::~SelectionBatcher() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Selection.h:954:19
    #10 0x7f6f03c65fd5 in mozilla::dom::Selection::SetStartAndEndInternal(mozilla::dom::Selection::InLimiter, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, nsDirection, mozilla::ErrorResult&) src/dom/base/Selection.cpp:3467:1
    #11 0x7f6f03c65ae9 in mozilla::dom::Selection::SelectAllChildren(nsINode&, mozilla::ErrorResult&) src/dom/base/Selection.cpp:2655:3
    #12 0x7f6f089f3eef in nsDocumentViewer::SelectAll() src/layout/base/nsDocumentViewer.cpp:2454:14
    #13 0x7f6f03d8c55b in nsSelectionCommand::DoCommand(char const*, nsISupports*) src/dom/base/nsGlobalWindowCommands.cpp:654:10
    #14 0x7f6f05f7d93d in nsControllerCommandTable::DoCommand(char const*, nsISupports*) src/dom/commandhandler/nsControllerCommandTable.cpp:138:26
    #15 0x7f6f05f7d644 in nsBaseCommandController::DoCommand(char const*) src/dom/commandhandler/nsBaseCommandController.cpp:114:24
    #16 0x7f6f05f81148 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) src/dom/commandhandler/nsCommandManager.cpp:193:22
    #17 0x7f6f03abeaa9 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) src/dom/base/Document.cpp:5389:25
    #18 0x7f6f053c1b2c in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3772:36
    #19 0x7f6f05873b9d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3306:13
    #20 0x7f6f0d118ca1 in CallJSNative src/js/src/vm/Interpreter.cpp:388:13
    #21 0x7f6f0d118ca1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:475:12
    #22 0x7f6f0d1051e4 in CallFromStack src/js/src/vm/Interpreter.cpp:539:10
    #23 0x7f6f0d1051e4 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3243:16
    #24 0x7f6f0d0ea011 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:357:13
    #25 0x7f6f0d118ddc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:13
    #26 0x7f6f0d11af2b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:552:8
    #27 0x7f6f0d38e59d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10
    #28 0x7f6f0548d309 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
    #29 0x7f6f06083354 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #30 0x7f6f06082e10 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1117:43
    #31 0x7f6f060844bc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1314:17
    #32 0x7f6f0607262e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:348:17
    #33 0x7f6f060710b2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:586:14
    #34 0x7f6f060750b5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1085:11
    #35 0x7f6f0607a5c9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
    #36 0x7f6f03dbc45a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1357:17
    #37 0x7f6f06092033 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) src/dom/events/EventTarget.cpp:180:13
    #38 0x7f6f060040b0 in mozilla::AsyncEventDispatcher::Run() src/dom/events/AsyncEventDispatcher.cpp:69:12
    #39 0x7f6f03848124 in nsContentUtils::RemoveScriptBlocker() src/dom/base/nsContentUtils.cpp:5671:17
    #40 0x7f6f037b45c9 in mozAutoDocUpdate::~mozAutoDocUpdate() src/dom/base/mozAutoDocUpdate.h:36:7
    #41 0x7f6f03b3af4a in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) src/dom/base/Element.cpp:2416:1
    #42 0x7f6f03b3a816 in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:951:12
    #43 0x7f6f03b3a816 in mozilla::dom::Element::SetAttribute(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIPrincipal*, mozilla::ErrorResult&) src/dom/base/Element.cpp:1449:14
    #44 0x7f6f0543fb15 in mozilla::dom::Element_Binding::setAttribute(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/ElementBinding.cpp:1522:24
    #45 0x7f6f05873b9d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3306:13
    #46 0x7f6f0d118ca1 in CallJSNative src/js/src/vm/Interpreter.cpp:388:13
    #47 0x7f6f0d118ca1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:475:12
    #48 0x7f6f0d1051e4 in CallFromStack src/js/src/vm/Interpreter.cpp:539:10
    #49 0x7f6f0d1051e4 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3243:16
    #50 0x7f6f0d0ea011 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:357:13
    #51 0x7f6f0d118ddc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:13
    #52 0x7f6f0d11af2b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:552:8
    #53 0x7f6f0d38e59d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10
    #54 0x7f6f0548a74f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37
    #55 0x7f6f060bd733 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
    #56 0x7f6f060bbc64 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:201:12
    #57 0x7f6f06082ea8 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1123:22
    #58 0x7f6f060844bc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1314:17
    #59 0x7f6f0607262e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:348:17
    #60 0x7f6f06070e3d in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:550:16
    #61 0x7f6f060750b5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1085:11
    #62 0x7f6f089eb97f in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1087:7
    #63 0x7f6f0c1df093 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6333:20
    #64 0x7f6f0c1de38b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:5722:7
    #65 0x7f6f0c1e035f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
    #66 0x7f6f0299a130 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1376:3
    #67 0x7f6f02998d44 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:974:14
    #68 0x7f6f02995572 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) src/uriloader/base/nsDocLoader.cpp:793:9
    #69 0x7f6f02997735 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:676:5
    #70 0x7f6f0c2185eb in nsDocShell::OnStopRequest(nsIRequest*, nsresult) src/docshell/base/nsDocShell.cpp:13585:23
    #71 0x7f6f00746cde in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) src/netwerk/base/nsLoadGroup.cpp:614:22
    #72 0x7f6f00749723 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:518:10
    #73 0x7f6f03664a4e in imgRequestProxy::RemoveFromLoadGroup() src/image/imgRequestProxy.cpp:372:15
    #74 0x7f6f0366c7a9 in imgRequestProxy::OnLoadComplete(bool) src/image/imgRequestProxy.cpp:1005:7
    #75 0x7f6f03627c05 in operator() src/image/ProgressTracker.cpp:351:13
    #76 0x7f6f03627c05 in void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::'lambda5'(mozilla::image::IProgressObserver*)>(mozilla::image::ObserverTable const*) src/image/ProgressTracker.cpp:281:9
    #77 0x7f6f036258f9 in void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) src/image/ProgressTracker.cpp:350:5
    #78 0x7f6f035c9573 in operator() src/image/ProgressTracker.cpp:369:5
    #79 0x7f6f035c9573 in Read<(lambda at src/image/ProgressTracker.cpp:368:19)> src/image/CopyOnWrite.h:155:12
    #80 0x7f6f035c9573 in mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) src/image/ProgressTracker.cpp:368:14
    #81 0x7f6f035d50cb in mozilla::image::RasterImage::NotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::OrientedPixel> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) src/image/RasterImage.cpp:1609:28
    #82 0x7f6f035e001d in NotifyForLoadEvent src/image/RasterImage.cpp:937:3
    #83 0x7f6f035e001d in mozilla::image::RasterImage::OnImageDataComplete(nsIRequest*, nsISupports*, nsresult, bool) src/image/RasterImage.cpp:919:3
    #84 0x7f6f0365e92b in imgRequest::OnStopRequest(nsIRequest*, nsresult) src/image/imgRequest.cpp:732:16
    #85 0x7f6f02813d75 in nsJARChannel::OnStopRequest(nsIRequest*, nsresult) src/modules/libjar/nsJARChannel.cpp:1230:16
    #86 0x7f6f028191ac in non-virtual thunk to nsJARChannel::OnStopRequest(nsIRequest*, nsresult) src/modules/libjar/nsJARChannel.cpp
    #87 0x7f6f00742fdb in nsInputStreamPump::OnStateStop() src/netwerk/base/nsInputStreamPump.cpp:636:16
    #88 0x7f6f0074152e in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/nsInputStreamPump.cpp:381:21
    #89 0x7f6f0033c906 in nsInputStreamReadyEvent::Run() src/xpcom/io/nsStreamUtils.cpp:94:20
    #90 0x7f6f004082f2 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:468:16
    #91 0x7f6f003cd7cd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:771:26
    #92 0x7f6f003cad28 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:607:15
    #93 0x7f6f003cb439 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:391:36
    #94 0x7f6f00411931 in operator() src/xpcom/threads/TaskController.cpp:124:37
    #95 0x7f6f00411931 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() src/xpcom/threads/nsThreadUtils.h:531:5
    #96 0x7f6f003edbb7 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1183:16
    #97 0x7f6f003f90ac in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
    #98 0x7f6f018eecaf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
    #99 0x7f6f0176e481 in RunInternal src/ipc/chromium/src/base/message_loop.cc:331:10
    #100 0x7f6f0176e481 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
    #101 0x7f6f0176e481 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
    #102 0x7f6f08372477 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #103 0x7f6f0ce368ef in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:864:20
    #104 0x7f6f0176e481 in RunInternal src/ipc/chromium/src/base/message_loop.cc:331:10
    #105 0x7f6f0176e481 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
    #106 0x7f6f0176e481 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
    #107 0x7f6f0ce35b22 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:701:34
    #108 0x55688ab16ced in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #109 0x55688ab17118 in main src/browser/app/nsBrowserApp.cpp:327:18
    #110 0x7f6f1ed670b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #111 0x55688aa65db9 in _start (/home/user/workspace/browsers/m-c-20211123215113-fuzzing-asan-opt/firefox+0x5cdb9)

0x6250002541d8 is located 4312 bytes inside of 8192-byte region [0x625000253100,0x625000255100)
allocated by thread T0 (Isolated Web Co) here:
==339821==WARNING: Symbolizer buffer too small
==339821==WARNING: Symbolizer buffer too small
    #0 0x55688aae238d in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #1 0x7f6f003a6fb0 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:170:15
    #2 0x7f6f08a69f1d in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:204:25
    #3 0x7f6f08a69f1d in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:66:12
    #4 0x7f6f08a69f1d in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70:15
    #5 0x7f6f08ad7bb5 in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:280:32
    #6 0x7f6f08ad7bb5 in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:272:12
    #7 0x7f6f08ad7bb5 in operator new src/layout/generic/ViewportFrame.cpp:36:1
    #8 0x7f6f08ad7bb5 in NS_NewViewportFrame(mozilla::PresShell*, mozilla::ComputedStyle*) src/layout/generic/ViewportFrame.cpp:33:10
    #9 0x7f6f089b261b in nsCSSFrameConstructor::ConstructRootFrame() src/layout/base/nsCSSFrameConstructor.cpp:2535:7
    #10 0x7f6f08915a8a in mozilla::PresShell::Initialize() src/layout/base/PresShell.cpp:1843:36
    #11 0x7f6f03d06a6b in nsContentSink::StartLayout(bool) src/dom/base/nsContentSink.cpp:871:30
    #12 0x7f6f02be2c39 in nsHtml5TreeOpExecutor::StartLayout(bool*) src/parser/html/nsHtml5TreeOpExecutor.cpp:827:18
    #13 0x7f6f02bed9ba  (/home/user/workspace/browsers/m-c-20211123215113-fuzzing-asan-opt/libxul.so+0x81579ba)
    #14 0x7f6f02be1957  (/home/user/workspace/browsers/m-c-20211123215113-fuzzing-asan-opt/libxul.so+0x814b957)
    #15 0x7f6f02be0b96 in umberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
    #16 0x7f6f02be0b96 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
    #17 0x7f6f02be0b96 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
    #18 0x7f6f02be0b96 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 6ul, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
    #19 0x7f6f02be77a7 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
    #20 0x7f6f02be77a7 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
    #21 0x7f6f02be77a7 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
    #22 0x7f6f02be77a7 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
    #23 0x7f6f02be77a7 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
    #24 0x7f6f02be77a7 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
    #25 0x7f6f02be77a7 in match<TreeOperationMatcher> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:852:12
    #26 0x7f6f02be77a7 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) src/parser/html/nsHtml5TreeOperation.cpp:1209:21
    #27 0x7f6f003bb70f in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:172:18
    #28 0x7f6f004082f2 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:144:20
    #29 0x7f6f003cd7cd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:771:26
    #30 0x7f6f003cad28 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:607:15
    #31 0x7f6f003cb439 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:391:36
    #32 0x7f6f00411931 in operator() src/xpcom/threads/TaskController.cpp:124:37
    #33 0x7f6f00411931 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() src/xpcom/threads/nsThreadUtils.h:531:5
    #34 0x7f6f003edbb7 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1183:16
    #35 0x7f6f003f90ac in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
    #36 0x7f6f018eecaf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
    #37 0x7f6f0176e481 in RunInternal src/ipc/chromium/src/base/message_loop.cc:331:10
    #38 0x7f6f0176e481 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
    #39 0x7f6f0176e481 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
    #40 0x7f6f08372477 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #41 0x7f6f0ce368ef in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:864:20
    #42 0x7f6f0176e481 in RunInternal src/ipc/chromium/src/base/message_loop.cc:331:10
    #43 0x7f6f0176e481 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
    #44 0x7f6f0176e481 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
    #45 0x7f6f0ce35b22 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:701:34
    #46 0x55688ab16ced in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #47 0x55688ab17118 in main src/browser/app/nsBrowserApp.cpp:327:18
    #48 0x7f6f1ed670b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/yn-qV8RV2fsA3gefe64FqQ/index.html

Comment 2

[Daniel Veditz [:dveditz]]

This pref is enabled by default for folks with a touchscreen

This is touching an nsIFrame when it crashed on a frame-poisoning address so it may be relatively benign, but the stack doesn't seem typical for a framepoisoning crash.

Comment 3

[Andrew McCreight [:mccr8]]

TYLin, is this something you could look at? It seems to involve AccessibleCaret. Thanks.

Comment 4

[Ting-Yu Lin [:TYLin] (PST, UTC-8) (Away, back on Mar 24)]

Sure, I can take a look. (Keeping the needinfo as a reminder.)

Comment 5

[Ting-Yu Lin [:TYLin] (PST, UTC-8) (Away, back on Mar 24)]

AccessibleCaretManager is registered as a selection change listener. When it updates itself to reflect the selection change, it is trying to find the frame from the current DOM node & offset in the current selection range in [1], but the primary frame associated from the node & offset is already poisoned.

Before the use-after-poison happens, I see a log in my local build

Don't know how to set selection back past frame boundary

printed by Selection::DeleteFromDocument [2]. The test can hit this log without turning on AccessibleCaret, so I feel there is something fishy ...

Hsin-Yi, do you have any team member who is familiar with the selection change in DOM and can take a look?

[1] https://searchfox.org/mozilla-central/rev/125116c312b0a9c438d44e16011b116950caf17e/layout/base/AccessibleCaretManager.cpp#1076-1093
[2] https://searchfox.org/mozilla-central/rev/125116c312b0a9c438d44e16011b116950caf17e/dom/base/Selection.cpp#3232-3242

Comment 6

[Ting-Yu Lin [:TYLin] (PST, UTC-8) (Away, back on Mar 24)]

FWIW, I build my asan Firefox build using this guide. https://firefox-source-docs.mozilla.org/tools/sanitizer/asan.html

Comment 7

[Hsin-Yi Tsai (she/her) [:hsinyi]]

Mirko, can you please take a look? Thank you.

Comment 8

[Mirko Brodesser (:mbrodesser-Igalia)]

Thanks for the analysis so far, :TYLin.

(In reply to Ting-Yu Lin [:TYLin] (UTC-8) from comment #5)

AccessibleCaretManager is registered as a selection change listener. When it updates itself to reflect the selection change, it is trying to find the frame from the current DOM node & offset in the current selection range in [1], but the primary frame associated from the node & offset is already poisoned.

Before the use-after-poison happens, I see a log in my local build

Don't know how to set selection back past frame boundary

printed by Selection::DeleteFromDocument [2].

Yes, presumably that's the problem here.
Unfortunately I'm not very familiar with that part of Selection code. I just moved it; the printf stems from the year 2000, see https://searchfox.org/mozilla-central/rev/fe41923bf8e4450d71284620c04ffa10ceb2d4e4/layout/generic/nsFrameSelection.cpp#2764-2776.

The test can hit this log without turning on AccessibleCaret,

Does it also lead to a crash in that case?

so I feel there is something fishy ...

I agree. Presumably the case mentioned in "FIXME" needs to be implemented.
Off the top of my head I don't know how to do that and given my other duties I might not be able to do it this year.
Will keep the ni?-request.

Hsin-Yi, do you have any team member who is familiar with the selection change in DOM and can take a look?

[1] https://searchfox.org/mozilla-central/rev/125116c312b0a9c438d44e16011b116950caf17e/layout/base/AccessibleCaretManager.cpp#1076-1093
[2] https://searchfox.org/mozilla-central/rev/125116c312b0a9c438d44e16011b116950caf17e/dom/base/Selection.cpp#3232-3242

Comment 9

[Ting-Yu Lin [:TYLin] (PST, UTC-8) (Away, back on Mar 24)]

Thank you for the reply, Mirko.

AccessibleCaretManager is registered as a selection change listener.

Sorry that this statement is technically not true after Bug 1487591. The bug made Selection own a pointer to AccessibleCaretEventHub, and Selection can notify the selection change directly in https://searchfox.org/mozilla-central/rev/468a65168dd0bc3c7d602211a566c16e66416cce/dom/base/Selection.cpp#3167-3170.

Does it also lead to a crash in that case?

Nope. The AddressSanitizer doesn't complain if I disable AccessibleCaret.

Bottom line: I think this is a safe crash because the frame is being poisoned, and given that the testcase is discovered by the fuzzer, we probably won't encounter this bug on real sites.

Comment 10

[Tyson Smith [:tsmith]]

(In reply to Ting-Yu Lin [:TYLin] (UTC-8) (Away Dec 24 - Jan 3) from comment #9)

Bottom line: I think this is a safe crash because the frame is being poisoned, and given that the testcase is discovered by the fuzzer, we probably won't encounter this bug on real sites.

Looking at crash stats it seem this is being hit in the wild. I do see some poison addresses in some results but not all.

Comment 11

[Mirko Brodesser (:mbrodesser-Igalia)]

Given my other tasks, I won't have time to look at this issue soon.

Comment 12

[Hsin-Yi Tsai (she/her) [:hsinyi]]

Looking at the crash volume and comment 9, i wonder if this is still a S2. If yes, what's the next step?

Comment 13

[Ting-Yu Lin [:TYLin] (PST, UTC-8) (Away, back on Mar 24)]

There are only 9 reports of nsCaret::GetGeometryForFrame crash signatures over the last three months (2021-10-05 to 2022-01-05). I agree with Tyson in comment 10 that it is being hit in the wild, but it is not so frequent imho. Also, some of the callstacks are related to IME, not AccessibleCaret, so it would be nice to debug a bit deeper from my comment 5 at some point to find the root cause. For now, let's lower the priority to S3 and keep tracking this.

Comment 14

[Olli Pettay [:smaug][bugs@pettay.fi]]

masayuki, do you think you had a bit time to take a look at this? If not, needinfo me, and I'll try to take a look. I wonder if we should have a WeakFrame check somewhere or something

Comment 15

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)(sickish, maybe slower respose)]

Sure. With quick look the code, I guess nsTextFrame::CountGraphemeClusters() changes the DOM tree, that's called in this stack.

1. nsLayoutUtils::GetFontMetricsForFrame
2. nsLayoutUtils::GetInflatedFontMetricsForFrame
3. nsCaret::GetGeometryForFrame

Comment 16

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)(sickish, maybe slower respose)]

Oops, it's wrong. AppendTo means appending to given string, not updating the DOM tree. (I'm sometimes confused at this name.)

Comment 17

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)(sickish, maybe slower respose)]

Hmm, I don't reproduce the crash with local asan builds (opt/debug with/without fuzzing) on Linux. Therefore, I try to investigate whether there are some mutations in AccessibleCaretManager::UpdateCaretsForSelectionMode. Then, I see mutations with nsMutationGuard in following points:

• https://searchfox.org/mozilla-central/rev/08362489086b10de96e7a199b267ea5504c01583/layout/base/AccessibleCaretManager.cpp#330,337,342

In AccessibleCaret::SetPosition, the DOM mutation occurs here:

• https://searchfox.org/mozilla-central/rev/08362489086b10de96e7a199b267ea5504c01583/layout/base/AccessibleCaret.cpp#280

So, currently, mutations happen only of the accessible caret contents which should not be notified web apps. And I don't see any mutation notifications of MutationObserver nor legacy DOM events.

smaug: Do you know some changes around DOM mutation notifications in this about one year? It might be that this has already been fixed.

Comment 18

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)(sickish, maybe slower respose)]

(About the crash in ContentEventHandler, it seems that there is a bug in nsCaret because ContentEventHandler uses only Selection objects at accessing nsCaret::GetGeometry.)

Comment 19

[Olli Pettay [:smaug][bugs@pettay.fi]]

I'm not aware of any changes to mutation notifications (other than some performance improvements, but those shouldn't affect this).

https://crash-stats.mozilla.org/report/index/0b546004-4b5d-4fae-9759-91d910230106 is a recent crash

Oh, if https://searchfox.org/mozilla-central/rev/08362489086b10de96e7a199b267ea5504c01583/layout/base/AccessibleCaretManager.cpp#330,337,342 changes DOM, what guarantees startFrame and endFrame are still alive in
https://searchfox.org/mozilla-central/rev/08362489086b10de96e7a199b267ea5504c01583/layout/base/AccessibleCaretManager.cpp#369
And even before.. the lambda 'updateSingleCaret' is called twice. First lambda may already change DOM and don't we then crash when it is called the second time (assuming we do crash still)?

Should startFrame and endFrame be stored as AutoWeakFrames and then check whether they are still alive after possible DOM mutations?

Comment 20

[Ting-Yu Lin [:TYLin] (PST, UTC-8) (Away, back on Mar 24)]

I cannot reproduce the bug using artifact asan-build, either.

Oh, if https://searchfox.org/mozilla-central/rev/08362489086b10de96e7a199b267ea5504c01583/layout/base/AccessibleCaretManager.cpp#330,337,342 changes DOM, what guarantees startFrame and endFrame are still alive in
https://searchfox.org/mozilla-central/rev/08362489086b10de96e7a199b267ea5504c01583/layout/base/AccessibleCaretManager.cpp#369
And even before.. the lambda 'updateSingleCaret' is called twice. First lambda may already change DOM and don't we then crash when it is called the second time (assuming we do crash still)?

The updateSingleCaret lambda calls AccessibleCaret::SetPosition -> AccessibleCaret::SetCaretElementStyle -> dom::Element::SetAttr. It changes element's style attribute, but is it possible that Element::SetAttr invalidates startFrame and endFrame somehow? Or put the question in this way, does Element::SetAttr trigger synchronous layout flush?

Should startFrame and endFrame be stored as AutoWeakFrames and then check whether they are still alive after possible DOM mutations?

This sounds like a good idea. If we can have a test to cover the change, better.

Comment 21

[Ting-Yu Lin [:TYLin] (PST, UTC-8) (Away, back on Mar 24)]

Hi Tyson, when you're back from PTO, if you see fuzzer discovers a new testcase, could you attach it here?

Comment 22

[Tyson Smith [:tsmith]]

I am no longer able to reproduce the issue. It was last reported by fuzzer targeting m-c 20220213-5e8914a02c20.

Any idea what might have fixed this? or should we mark it as WFM instead?

Comment 23

[Ting-Yu Lin [:TYLin] (PST, UTC-8) (Away, back on Mar 24)]

There is no AccessibleCaret changes recently, so I don't have any idea which bug fixed this. I'm ok to resolve this as WORKSFORME, but I'll leave the final decision to Masayuki since he was assigned to this issue.

Comment 24

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)(sickish, maybe slower respose)]

Yeah, let's close this as WFM. (The editor module keeps being redesigned a lot. Therefore, I cannot guess which type of change causes fixing this since the test case is really complicated (runs some paths).)

Comment 25

[Bugmon [:jkratzer for issues]]

No valid actions for resolution (WORKSFORME).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.