Closed Bug 1746295 Opened 3 years ago Closed 3 years ago

Crash near null in [@ mozilla::TextEditor::SetTextWithoutTransaction]

Categories: Core :: DOM: Editor, defect

Tracking: RESOLVED DUPLICATE of bug 1734507
Tracking Status:
firefox96 --- affected
firefox97 --- affected

People: Reporter: tsmith, Unassigned

References: Blocks 1 open bug

Details: Keywords: crash

Attachments: 1 file

Found while fuzzing m-c 20211114-dcfdc1fc2cec (--enable-address-sanitizer --enable-fuzzing)

Unfortunately the testcase does not reduce well.

A Pernosco session is available here: https://pernos.co/debug/mXHslZo-D1gR72J572tufA/index.html

==20055==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x7fdf0077ef24 bp 0x7ffed1864dd0 sp 0x7ffed1864c20 T0)
==20055==The signal is caused by a READ memory access.
==20055==Hint: address points to the zero page.
    #0 0x7fdf0077ef24 in get /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:851:48
    #1 0x7fdf0077ef24 in operator nsIContent * /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:859:33
    #2 0x7fdf0077ef24 in GetNextSibling /builds/worker/workspace/obj-build/dist/include/nsINode.h:1553:47
    #3 0x7fdf0077ef24 in mozilla::TextEditor::SetTextWithoutTransaction(nsTSubstring<char16_t> const&) /gecko/editor/libeditor/TextEditSubActionHandler.cpp:573:20
    #4 0x7fdf00781faf in mozilla::TextEditor::SetTextAsSubAction(nsTSubstring<char16_t> const&) /gecko/editor/libeditor/TextEditor.cpp:363:31
    #5 0x7fdf00781b95 in mozilla::TextEditor::SetTextAsAction(nsTSubstring<char16_t> const&, mozilla::EditorBase::AllowBeforeInputEventCancelable, nsIPrincipal*) /gecko/editor/libeditor/TextEditor.cpp:337:8
    #6 0x7fdefe4a3a9d in mozilla::TextControlState::SetValueWithTextEditor(mozilla::AutoTextControlHandlingState&) /gecko/dom/html/TextControlState.cpp:2819:29
    #7 0x7fdefe4a2f40 in mozilla::TextControlState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, mozilla::EnumSet<mozilla::TextControlState::ValueSetterOption, unsigned int> const&) /gecko/dom/html/TextControlState.cpp:2696:10
    #8 0x7fdefe470f2f in SetValue /gecko/dom/html/TextControlState.h:282:12
    #9 0x7fdefe470f2f in mozilla::dom::HTMLTextAreaElement::SetValueInternal(nsTSubstring<char16_t> const&, mozilla::EnumSet<mozilla::TextControlState::ValueSetterOption, unsigned int> const&) /gecko/dom/html/HTMLTextAreaElement.cpp:272:16
    #10 0x7fdefe47a932 in mozilla::dom::HTMLTextAreaElement::SetValueFromSetRangeText(nsTSubstring<char16_t> const&) /gecko/dom/html/HTMLTextAreaElement.cpp:662:10
    #11 0x7fdefe47a00a in mozilla::TextControlState::SetRangeText(nsTSubstring<char16_t> const&, unsigned int, unsigned int, mozilla::dom::SelectionMode, mozilla::ErrorResult&, mozilla::Maybe<unsigned int> const&, mozilla::Maybe<unsigned int> const&) /gecko/dom/html/TextControlState.cpp:2314:40
    #12 0x7fdefe479a81 in mozilla::dom::HTMLTextAreaElement::SetRangeText(nsTSubstring<char16_t> const&, unsigned int, unsigned int, mozilla::dom::SelectionMode, mozilla::ErrorResult&) /gecko/dom/html/HTMLTextAreaElement.cpp:653:11
    #13 0x7fdefd8ad2c8 in mozilla::dom::HTMLTextAreaElement_Binding::setRangeText(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/HTMLTextAreaElementBinding.cpp:1919:28
    #14 0x7fdefd912c5d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3300:13
    #15 0x7fdf05176ff1 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:387:13
    #16 0x7fdf05176ff1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:474:12
    #17 0x7fdf0516363d in CallFromStack /gecko/js/src/vm/Interpreter.cpp:538:10
    #18 0x7fdf0516363d in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3242:16
    #19 0x7fdf051486a1 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:356:13
    #20 0x7fdf0517712c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:506:13
    #21 0x7fdf0517927b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:551:8
    #22 0x7fdf053ec40d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #23 0x7fdefd52c409 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
    #24 0x7fdefe122d94 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #25 0x7fdefe122850 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1117:43
    #26 0x7fdefe123efc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1314:17
    #27 0x7fdefe11206e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:348:17
    #28 0x7fdefe110af2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:586:14
    #29 0x7fdefe114af5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1085:11
    #30 0x7fdefe11a009 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /gecko/dom/events/EventDispatcher.cpp
    #31 0x7fdefbe5d51a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /gecko/dom/base/nsINode.cpp:1357:17
    #32 0x7fdefe131a73 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /gecko/dom/events/EventTarget.cpp:180:13
    #33 0x7fdefe0a3990 in mozilla::AsyncEventDispatcher::Run() /gecko/dom/events/AsyncEventDispatcher.cpp:69:12
    #34 0x7fdefb8e92c4 in nsContentUtils::RemoveScriptBlocker() /gecko/dom/base/nsContentUtils.cpp:5671:17
    #35 0x7fdefbb74d68 in mozilla::dom::Document::EndUpdate() /gecko/dom/base/Document.cpp:7795:3
    #36 0x7fdefb855726 in mozAutoDocUpdate::~mozAutoDocUpdate() /gecko/dom/base/mozAutoDocUpdate.h:34:18
    #37 0x7fdefbbdbfda in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /gecko/dom/base/Element.cpp:2419:1
    #38 0x7fdefbbdb8a6 in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:951:12
    #39 0x7fdefbbdb8a6 in mozilla::dom::Element::SetAttribute(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIPrincipal*, mozilla::ErrorResult&) /gecko/dom/base/Element.cpp:1452:14
    #40 0x7fdefd4dec15 in mozilla::dom::Element_Binding::setAttribute(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/ElementBinding.cpp:1522:24
    #41 0x7fdefd912c5d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3300:13
    #42 0x7fdf05176ff1 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:387:13
    #43 0x7fdf05176ff1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:474:12
    #44 0x7fdf0516363d in CallFromStack /gecko/js/src/vm/Interpreter.cpp:538:10
    #45 0x7fdf0516363d in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3242:16
    #46 0x7fdf051486a1 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:356:13
    #47 0x7fdf0517712c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:506:13
    #48 0x7fdf0517927b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:551:8
    #49 0x7fdf053ec40d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #50 0x7fdefd52984f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37
    #51 0x7fdefe15d173 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
    #52 0x7fdefe15b6a4 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /gecko/dom/events/JSEventHandler.cpp:201:12
    #53 0x7fdefe1228e8 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1123:22
    #54 0x7fdefe123efc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1314:17
    #55 0x7fdefe11206e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:348:17
    #56 0x7fdefe11087d in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:550:16
    #57 0x7fdefe114af5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1085:11
    #58 0x7fdf00a7943f in nsDocumentViewer::LoadComplete(nsresult) /gecko/layout/base/nsDocumentViewer.cpp:1087:7
    #59 0x7fdf0423f253 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /gecko/docshell/base/nsDocShell.cpp:6333:20
    #60 0x7fdf0423e54b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp:5722:7
    #61 0x7fdf0424051f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp
    #62 0x7fdefaa8eaa0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:1376:3
    #63 0x7fdefaa8d6b4 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:974:14
    #64 0x7fdefaa89ee2 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /gecko/uriloader/base/nsDocLoader.cpp:793:9
    #65 0x7fdefaa8c0a5 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:676:5
    #66 0x7fdf0427875b in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /gecko/docshell/base/nsDocShell.cpp:13586:23
    #67 0x7fdef88589ae in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:614:22
    #68 0x7fdef885b3f3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:518:10
    #69 0x7fdefb705b0e in imgRequestProxy::RemoveFromLoadGroup() /gecko/image/imgRequestProxy.cpp:372:15
    #70 0x7fdefb70d869 in imgRequestProxy::OnLoadComplete(bool) /gecko/image/imgRequestProxy.cpp:1005:7
    #71 0x7fdefb6c8cc5 in operator() /gecko/image/ProgressTracker.cpp:351:13
    #72 0x7fdefb6c8cc5 in void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::'lambda5'(mozilla::image::IProgressObserver*)>(mozilla::image::ObserverTable const*) /gecko/image/ProgressTracker.cpp:281:9
    #73 0x7fdefb6c69b9 in void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/image/ProgressTracker.cpp:350:5
    #74 0x7fdefb66a633 in operator() /gecko/image/ProgressTracker.cpp:369:5
    #75 0x7fdefb66a633 in Read<(lambda at /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:368:19)> /gecko/image/CopyOnWrite.h:155:12
    #76 0x7fdefb66a633 in mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/image/ProgressTracker.cpp:368:14
    #77 0x7fdefb67618b in mozilla::image::RasterImage::NotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::OrientedPixel> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) /gecko/image/RasterImage.cpp:1609:28
    #78 0x7fdefb6810dd in NotifyForLoadEvent /gecko/image/RasterImage.cpp:937:3
    #79 0x7fdefb6810dd in mozilla::image::RasterImage::OnImageDataComplete(nsIRequest*, nsISupports*, nsresult, bool) /gecko/image/RasterImage.cpp:919:3
    #80 0x7fdefb6ff9eb in imgRequest::OnStopRequest(nsIRequest*, nsresult) /gecko/image/imgRequest.cpp:732:16
    #81 0x7fdefa90a085 in nsJARChannel::OnStopRequest(nsIRequest*, nsresult) /gecko/modules/libjar/nsJARChannel.cpp:1230:16
    #82 0x7fdefa90f4bc in non-virtual thunk to nsJARChannel::OnStopRequest(nsIRequest*, nsresult) /gecko/modules/libjar/nsJARChannel.cpp
    #83 0x7fdef8854cab in nsInputStreamPump::OnStateStop() /gecko/netwerk/base/nsInputStreamPump.cpp:636:16
    #84 0x7fdef88531fe in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /gecko/netwerk/base/nsInputStreamPump.cpp:381:21
    #85 0x7fdef844f9c6 in nsInputStreamReadyEvent::Run() /gecko/xpcom/io/nsStreamUtils.cpp:94:20
    #86 0x7fdef851abf2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:468:16
    #87 0x7fdef84e05bd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:771:26
    #88 0x7fdef84ddb18 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:607:15
    #89 0x7fdef84de229 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:391:36
    #90 0x7fdef8524231 in operator() /gecko/xpcom/threads/TaskController.cpp:124:37
    #91 0x7fdef8524231 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:531:5
    #92 0x7fdef8500917 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1175:16
    #93 0x7fdef850ba3c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #94 0x7fdef99ea92f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #95 0x7fdef986a2d1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #96 0x7fdef986a2d1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #97 0x7fdef986a2d1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #98 0x7fdf003fdaf7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #99 0x7fdf04e94e6f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:917:20
    #100 0x7fdef986a2d1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #101 0x7fdef986a2d1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #102 0x7fdef986a2d1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #103 0x7fdf04e940a2 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:749:34
    #104 0x55a965f52ced in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #105 0x55a965f53118 in main /gecko/browser/app/nsBrowserApp.cpp:327:18
    #106 0x7fdf16dbb0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #107 0x55a965ea1db9 in _start (/home/worker/builds/m-c-20211114093049-fuzzing-asan-opt/firefox+0x5cdb9)
Crash Signature: [@ mozilla::TextEditor::SetTextWithoutTransaction ]

Masayuki landed patches last month that may help here.
Let's monitor for one more month before we downgrade or close this.

At this moment there are no other actions we can take, as there is no test to reproduce this.

Hmm, the last crash report is 97.0.1, which is after I fixed bug 1734507. Unfortunately, the crash report points at the end of the method. Therefore, I cannot know where the actual crash point is.

Could somebody point out the line from the raw information?

{
    "crash_info": {
        "address": "0x0000010000000010",
        "assertion": null,
        "crashing_thread": 0,
        "type": "EXCEPTION_ACCESS_VIOLATION_READ"
    },
    "crashing_thread": {
        "frame_count": 19,
        "frames": [
            {
                "file": "hg:hg.mozilla.org/releases/mozilla-release:editor/libeditor/TextEditSubActionHandler.cpp:0f0ba6e8029d8148743c4aa50c2be4c4c643f8a4",
                "frame": 0,
                "function": "mozilla::TextEditor::SetTextWithoutTransaction(nsTSubstring<char16_t> const&)",
                "function_offset": "0x0000000000000189",
                "line": 594,
                "missing_symbols": false,
                "module": "xul.dll",
                "module_offset": "0x0000000001b1ca09",
                "offset": "0x00007ffdb6daca09",
                "registers": {
                    "r10": "0x00000fffb6d74d38",
                    "r11": "0x0000023f71274190",
                    "r12": "0x0000023f705c94c8",
                    "r13": "0x0003001100000000",
                    "r14": "0x0000004e5c1f11f0",
                    "r15": "0x0000000000000009",
                    "r8": "0x0000000000000010",
                    "r9": "0x00007ffe06041b28",
                    "rax": "0x0000010000000000",
                    "rbp": "0x0000004e5c1f1020",
                    "rbx": "0x0000000000000000",
                    "rcx": "0x0000023f705c94c8",
                    "rdi": "0x0000023f7081bd80",
                    "rdx": "0x0000023f6800de10",
                    "rip": "0x00007ffdb6daca09",
                    "rsi": "0x0000023f7081be00",
                    "rsp": "0x0000004e5c1f0fc0"
                },
                "trust": "context"
            },
            {
                "file": "hg:hg.mozilla.org/releases/mozilla-release:editor/libeditor/TextEditor.cpp:0f0ba6e8029d8148743c4aa50c2be4c4c643f8a4",
                "frame": 1,
                "function": "mozilla::TextEditor::SetTextAsSubAction(nsTSubstring<char16_t> const&)",
                "function_offset": "0x00000000000001e2",
                "line": 363,
                "missing_symbols": false,
                "module": "xul.dll",
                "module_offset": "0x0000000001b1d2f2",
                "offset": "0x00007ffdb6dad2f2",
                "trust": "cfi"
            },
Group: dom-core-security

My initial guess is that the string we pass to the methods here
https://hg.mozilla.org/releases/mozilla-release/file/0f0ba6e8029d8148743c4aa50c2be4c4c643f8a4/dom/html/TextControlState.cpp#l2847
is somehow deleted, and then when
https://hg.mozilla.org/releases/mozilla-release/file/0f0ba6e8029d8148743c4aa50c2be4c4c643f8a4/editor/libeditor/TextEditSubActionHandler.cpp#l582 goes out of scope at the end of the method, we crash, because the string buffer is bogus or something.

I didn't check the pernosco session.

Attached file Arai-san's analysis

Arai-san tried to investigate the crash. This is the memo at that time.

The crash occurs when releasing RefPtr<Text> textNode, which is done immediately after nsAutoString sanitizedValue(aValue) is destroyed.

TextControlState::SetValue creates AutoTextControlHandlingState on the stack, which stores everything that is/will be handled. Therefore, the string being set should be held by AutoTextControlHandlingState while TextEditor::SetTextAsAction handles setting the given value.

I guess the string set by TextEditor::HandleNewLinesInStringForSingleLineEditor is broken and the destructor of nsAutoString sanitizedValue is confused. If aValue of TextEditor::SetTextWithoutTransaction, it may help to debug this.

I read the minidump for the crash report of 97.0.1 with VC++. However, the detail is not stored in it. If we can believe the string's mData and mLength, it's not sanitized. So it refers to the value coming from AutoTextControlHandlingState::mSettingValue, so it should be alive at the time of the crash. VC++ shows the crash occurs at releasing the text node instead.

> [Inline Frame] xul.dll!mozilla::RefPtrTraits<mozilla::dom::Text>::Release(mozilla::dom::Text * aPtr) Line 50	C++
> [Inline Frame] xul.dll!RefPtr<mozilla::dom::Text>::ConstRemovingRefPtrTraits<mozilla::dom::Text>::Release(mozilla::dom::Text * aPtr) Line 381	C++
> [Inline Frame] xul.dll!RefPtr<mozilla::dom::Text>::~RefPtr() Line 81	C++

I read another one for the crash report of 98.0.1 with VC++ too, and the string is also not sanitized by HandleNewLinesInStringForSingleLineEditor. So perhaps the string is not related.

So currently I'm guessing that textNode could be nullptr, although it should not happen...

Chiming in on the aebc9973-2854-45f1-bc27-76ea20220314. If your analysis makes the crash appear to be impossible - like because it's pointing to an instruction which couldn't possibly fault - then it's likely you hit a hardware bug. That crash comes from a Bonnell-based Intel Atom from what I can see and we've had a long history of "impossible" bugs coming from these. If you can prove that the instruction that was being executed was not accessing memory you can be 99.99% sure that it was a hardware bug.

This reminds me that we're trying to improve the automatic detection of these issues via Socorro.

Thank you Gabriele for confirming the 98.0.1 crash report - https://crash-stats.mozilla.org/report/index/aebc9973-2854-45f1-bc27-76ea20220314. Then it's invalid for us.

We still have to figure out the oddness of the 97.0.1 crash report - https://crash-stats.mozilla.org/report/index/a7997c10-5adf-47d4-a50f-ceb460220226. According to Masayuki and Arai, the odd point is that it crashes when accessing the vtable while releasing the text node. That's really odd, because if textNode is nullptr, the crash should occur before the destruction of the RefPtr...

(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900) from comment #7)

> I read the minidump for the crash report of 97.0.1 with VC++.

The link was wrong. I believe it's meant to be https://crash-stats.mozilla.org/report/index/a7997c10-5adf-47d4-a50f-ceb460220226

In that most recent crash, rax is 0x0000010000000000, so maybe there was a memory error that flipped a bit in null. Because the value isn't null, that's how it would pass a null check. So probably not something we need to worry about security-wise.
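The two observations above (Gabriele's point that an "impossible" fault is likely a hardware error, and the note that rax holding 0x0000010000000000 looks like a single flipped bit in null) can be turned into a triage check. The script below is an added example, not Socorro's detection code nor anything attached to this bug; the sample report is constructed from the crash_info and register values quoted earlier in this bug, trimmed to the fields the check uses.

```python
import json

# Constructed sample: address and registers copied from the 97.0.1 fragment
# quoted in this bug, reduced to the fields the triage below reads.
SAMPLE_REPORT = """{
  "crash_info": {"address": "0x0000010000000010",
                 "type": "EXCEPTION_ACCESS_VIOLATION_READ"},
  "crashing_thread": {"frames": [{
    "frame": 0, "trust": "context",
    "registers": {"rax": "0x0000010000000000",
                  "rbx": "0x0000000000000000",
                  "r8":  "0x0000000000000010"}}]}
}"""

# Addresses below this are treated as an ordinary null/near-null dereference
# (the "address points to the zero page" case in the ASan report above).
NEAR_NULL_LIMIT = 0x10000


def classify_address(addr):
    """Classify a faulting address.

    "kind" is one of "near-null", "bit-flipped-null" or "other".  A null
    pointer with exactly one bit flipped by a memory error is a power of two;
    reading a field through it adds a small offset, so the address looks like
    (1 << k) + offset, with k high enough that 1 << k is not itself a plausible
    field offset.  Such a value passes a null check, which is why the code's
    own checks cannot be blamed for the fault.
    """
    if addr < NEAR_NULL_LIMIT:
        return {"kind": "near-null", "offset": addr}
    for k in range(64):
        base = 1 << k
        if base < NEAR_NULL_LIMIT:
            continue
        offset = addr - base
        if 0 <= offset < NEAR_NULL_LIMIT:
            return {"kind": "bit-flipped-null", "flipped_bit": k,
                    "base": base, "offset": offset}
    return {"kind": "other"}


def triage(report_json):
    """Run classify_address over a Socorro-style processed crash JSON string
    and list the context-frame registers that hold exactly the flipped base,
    which corroborates that a register (not memory at the address) was bad."""
    report = json.loads(report_json)
    addr = int(report["crash_info"]["address"], 16)
    result = classify_address(addr)
    result["registers_holding_base"] = []
    if result["kind"] == "bit-flipped-null":
        for frame in report["crashing_thread"]["frames"]:
            for reg, val in frame.get("registers", {}).items():
                if int(val, 16) == result["base"]:
                    result["registers_holding_base"].append(reg)
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

For the quoted report this yields bit 40 flipped with field offset 0x10 and rax holding the base, which matches the reading in the comment above; the original ASan address 0x40 classifies as a plain near-null read.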

Thank you very much. Then, this bug should be closed because the originally reported issue has already been fixed by bug 1734507.

Thanks for investigating. I'll dupe this over and remove the sec ratings. It sounds like we had an original report by Tyson that was a dupe of the other bug, and then separately some investigation of a few crash reports that ended up appearing to be the result of a hardware error and not an issue in the code.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
See Also: 1734507
Group: dom-core-security