Closed Bug 1747132 Opened 2 years ago Closed 2 years ago

crash near null in [@ mozilla::TextEditor::ComputeValueFromTextNodeAndBRElement]

Categories

(Core :: DOM: Editor, defect)

Tracking

VERIFIED FIXED
97 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox95 --- wontfix
firefox96 --- wontfix
firefox97 --- verified

People

(Reporter: tsmith, Assigned: masayuki)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Crash Data

Attachments

(3 files)

Attached file testcase.html

Found while fuzzing m-c 20211106-2d244932aec6 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb
==15793==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7feee6fe0af8 bp 0x7fffa120b1f0 sp 0x7fffa120b1f0 T0)
==15793==The signal is caused by a READ memory access.
==15793==Hint: address points to the zero page.
    #0 0x7feee6fe0af8 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7feee6fe0af8 in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316:12
    #2 0x7feee6fe0af8 in nsINode::NodeType() const /builds/worker/workspace/obj-build/dist/include/nsINode.h:707:38
    #3 0x7feee81c1aed in nsINode::Length() const /gecko/dom/base/nsINode.cpp:2846:11
    #4 0x7feeecaa872a in mozilla::TextEditor::ComputeValueFromTextNodeAndBRElement(nsTSubstring<char16_t>&) const /gecko/editor/libeditor/TextEditSubActionHandler.cpp:700:18
    #5 0x7feeec928687 in mozilla::EditorBase::ComputeValueInternal(nsTSubstring<char16_t> const&, unsigned int, nsTSubstring<char16_t>&) const /gecko/editor/libeditor/EditorBase.cpp:1466:27
    #6 0x7feeea7de3ef in mozilla::TextEditor::ComputeTextValue(unsigned int, nsTSubstring<char16_t>&) const /builds/worker/workspace/obj-build/dist/include/mozilla/TextEditor.h:186:19
    #7 0x7feeea7ad633 in mozilla::TextControlState::GetValue(nsTSubstring<char16_t>&, bool) const /gecko/dom/html/TextControlState.cpp:2549:45
    #8 0x7feeea7ae96d in mozilla::TextControlState::UnbindFromFrame(nsTextControlFrame*) /gecko/dom/html/TextControlState.cpp:2394:3
    #9 0x7feeed1aa0e4 in nsTextControlFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/forms/nsTextControlFrame.cpp:147:23
    #10 0x7feeed0bf8d6 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsLineBox.cpp:387:14
    #11 0x7feeece9a537 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsBlockFrame.cpp:469:3
    #12 0x7feeed0bf8d6 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsLineBox.cpp:387:14
    #13 0x7feeece9a537 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsBlockFrame.cpp:469:3
    #14 0x7feeed0bf8d6 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsLineBox.cpp:387:14
    #15 0x7feeece9a537 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsBlockFrame.cpp:469:3
    #16 0x7feeed0bf8d6 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsLineBox.cpp:387:14
    #17 0x7feeece9a537 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsBlockFrame.cpp:469:3
    #18 0x7feeecec6b53 in nsBlockFrame::DoRemoveFrameInternal(nsIFrame*, unsigned int, mozilla::layout::PostFrameDestroyData&) /gecko/layout/generic/nsBlockFrame.cpp:6336:20
    #19 0x7feeecec3b51 in DoRemoveFrame /gecko/layout/generic/nsBlockFrame.h:543:5
    #20 0x7feeecec3b51 in nsBlockFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /gecko/layout/generic/nsBlockFrame.cpp:5651:5
    #21 0x7feeecd832eb in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /gecko/layout/base/nsCSSFrameConstructor.cpp:7691:5
    #22 0x7feeecd77567 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /gecko/layout/base/nsCSSFrameConstructor.cpp:8666:7
    #23 0x7feeecd80acb in nsCSSFrameConstructor::WipeContainingBlock(nsFrameConstructorState&, nsIFrame*, nsIFrame*, nsCSSFrameConstructor::FrameConstructionItemList&, bool, nsIFrame*) /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h
    #24 0x7feeecd7d99a in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) /gecko/layout/base/nsCSSFrameConstructor.cpp:6814:7
    #25 0x7feeecd0efee in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /gecko/layout/base/RestyleManager.cpp:1477:27
    #26 0x7feeecd187b4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /gecko/layout/base/RestyleManager.cpp:3082:9
    #27 0x7feeeccdef65 in ProcessPendingRestyles /gecko/layout/base/RestyleManager.cpp:3161:3
    #28 0x7feeeccdef65 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4218:39
    #29 0x7feee7eed56e in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1436:5
    #30 0x7feee7eed56e in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /gecko/dom/base/Document.cpp:10748:16
    #31 0x7feee7eba41d in FlushPendingNotifications /gecko/dom/base/Document.cpp:10669:3
    #32 0x7feee7eba41d in mozilla::dom::Document::AutoEditorCommandTarget::AutoEditorCommandTarget(mozilla::dom::Document&, mozilla::dom::Document::InternalCommandData const&) /gecko/dom/base/Document.cpp:5093:13
    #33 0x7feee7ebba66 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /gecko/dom/base/Document.cpp:5324:27
    #34 0x7feee97ba4cc in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3772:36
    #35 0x7feee9c6c11d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3300:13
    #36 0x7feef148a091 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:385:13
    #37 0x7feef148a091 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:472:12
    #38 0x7feef14766dd in CallFromStack /gecko/js/src/vm/Interpreter.cpp:536:10
    #39 0x7feef14766dd in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3240:16
    #40 0x7feef145b79c in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:354:13
    #41 0x7feef148a1cc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:504:13
    #42 0x7feef148c31b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:549:8
    #43 0x7feef16feefd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #44 0x7feee9882ecf in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37
    #45 0x7feeea499673 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
    #46 0x7feeea497ba4 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /gecko/dom/events/JSEventHandler.cpp:201:12
    #47 0x7feeea45ede8 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1123:22
    #48 0x7feeea4603fc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1314:17
    #49 0x7feeea44e5ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:348:17
    #50 0x7feeea44cddd in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:550:16
    #51 0x7feeea451055 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1085:11
    #52 0x7feeea456509 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /gecko/dom/events/EventDispatcher.cpp
    #53 0x7feee81b8bba in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /gecko/dom/base/nsINode.cpp:1344:17
    #54 0x7feee7c39c6f in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /gecko/dom/base/nsContentUtils.cpp:4293:28
    #55 0x7feee7c399b3 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /gecko/dom/base/nsContentUtils.cpp:4263:10
    #56 0x7feeea7bfc09 in mozilla::dom::HTMLTrackElement::DispatchTrustedEvent(nsTSubstring<char16_t> const&) /gecko/dom/html/HTMLTrackElement.cpp:470:3
    #57 0x7feeea7f0e44 in applyImpl<mozilla::dom::HTMLTrackElement, void (mozilla::dom::HTMLTrackElement::*)(const nsTSubstring<char16_t> &), StoreCopyPassByConstLRef<const nsTString<char16_t> > , 0UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
    #58 0x7feeea7f0e44 in apply<mozilla::dom::HTMLTrackElement, void (mozilla::dom::HTMLTrackElement::*)(const nsTSubstring<char16_t> &)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
    #59 0x7feeea7f0e44 in mozilla::detail::RunnableMethodImpl<mozilla::dom::HTMLTrackElement*, void (mozilla::dom::HTMLTrackElement::*)(nsTSubstring<char16_t> const&), true, (mozilla::RunnableKind)0, nsTString<char16_t> const>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
    #60 0x7feee4834cef in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:144:20
    #61 0x7feee4880fa2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:468:16
    #62 0x7feee4846d7d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:771:26
    #63 0x7feee48442d8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:607:15
    #64 0x7feee48449e9 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:391:36
    #65 0x7feee488a571 in operator() /gecko/xpcom/threads/TaskController.cpp:124:37
    #66 0x7feee488a571 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:531:5
    #67 0x7feee4866dc7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1175:16
    #68 0x7feee4871dec in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #69 0x7feee5d4fb3f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #70 0x7feee5bcdcb1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #71 0x7feee5bcdcb1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #72 0x7feee5bcdcb1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #73 0x7feeec729cd7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #74 0x7feef11a7fbf in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:917:20
    #75 0x7feee5bcdcb1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #76 0x7feee5bcdcb1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #77 0x7feee5bcdcb1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #78 0x7feef11a71f2 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:749:34
    #79 0x5627eed7c6ed in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #80 0x5627eed7cb18 in main /gecko/browser/app/nsBrowserApp.cpp:327:18
    #81 0x7fef030b20b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #82 0x5627eeccb7b9 in _start (/home/worker/builds/m-c-20211106212323-fuzzing-asan-opt/firefox+0x5c7b9)
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/kVRDmpbHnyZWP1JyCdIXWg/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211221214151-f16661bf49d3.
The bug appears to have been introduced in the following build range:

Start: 91e0c6d26de8ba365ec3d462f98d28c75055a89b (20210916205558)
End: 149a7c7573f2ef4a0a198c649a78fa177a54dc51 (20210917005945)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=91e0c6d26de8ba365ec3d462f98d28c75055a89b&tochange=149a7c7573f2ef4a0a198c649a78fa177a54dc51

Whiteboard: [bugmon:bisected,confirmed]
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Regressed by: 1731005
Has Regression Range: --- → yes

Set release status flags based on info from the regressing bug 1731005

Perhaps due to a bug in the Selection and/or Range API, the selection may be in a native
anonymous subtree, and if the content is editable, like the anonymous <div>
element in <input> or <textarea>, HTMLEditor may put an unexpected element
into the anonymous <div> element.

To avoid it, EditorBase::IsSelectionEditable() should return false
when it detects this odd situation. Then, editing commands do not work in
the anonymous subtree.

This is a follow-up fix for the previous patch. Even if IsSelectionEditable()
is not used before starting to handle an edit action, it should be aborted by
failing to get the editing host.

Depends on D134658
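A toy C++ model of the two-part fix described in the commit messages above, added here as an illustration; it is not Gecko code. The Node and Selection types, the `isNativeAnonymousRoot` flag and the constructed document in `CheckSelectionIn` are assumptions that stand in for the real DOM and editor.

```cpp
#include <memory>
#include <string>
#include <vector>

// Hypothetical content tree (not Gecko's). Some subtrees are native anonymous
// content (NAC), e.g. the anonymous <div> that holds an <input>'s value.
struct Node {
  std::string name;
  Node* parent = nullptr;
  bool isNativeAnonymousRoot = false;  // root of a NAC subtree
  bool isEditingHost = false;          // contenteditable host
  std::vector<std::unique_ptr<Node>> children;

  Node* AppendChild(std::string childName, bool nacRoot = false) {
    auto child = std::make_unique<Node>();
    child->name = std::move(childName);
    child->parent = this;
    child->isNativeAnonymousRoot = nacRoot;
    children.push_back(std::move(child));
    return children.back().get();
  }
};

// True if `node` or any ancestor is the root of a native anonymous subtree.
bool IsInNativeAnonymousSubtree(const Node* node) {
  for (; node; node = node->parent)
    if (node->isNativeAnonymousRoot) return true;
  return false;
}

struct Selection { const Node* anchor = nullptr; const Node* focus = nullptr; };

// Part 1: the editability check fails closed when the selection has ended up
// inside NAC, so editing commands do nothing there.
bool IsSelectionEditable(const Selection& sel) {
  if (!sel.anchor || !sel.focus) return false;
  return !IsInNativeAnonymousSubtree(sel.anchor) && !IsInNativeAnonymousSubtree(sel.focus);
}

// Part 2: the editing-host lookup also refuses to answer for NAC, so an edit
// action that skipped IsSelectionEditable() still aborts on a null host.
const Node* GetActiveEditingHost(const Selection& sel) {
  if (!sel.anchor || IsInNativeAnonymousSubtree(sel.anchor)) return nullptr;
  for (const Node* n = sel.anchor; n; n = n->parent)
    if (n->isEditingHost) return n;
  return nullptr;
}

struct Verdict { bool editable; bool hasHost; };

// Constructed scenario: <body contenteditable> containing a <p> and an <input>
// whose value text lives under an anonymous <div> (NAC). The selection is
// placed either in the <p> (inNac=false) or in the NAC text node (inNac=true).
Verdict CheckSelectionIn(bool inNac) {
  Node body; body.name = "body"; body.isEditingHost = true;
  Node* p = body.AppendChild("p");
  Node* anonDiv = body.AppendChild("input")->AppendChild("anon-div", /*nacRoot=*/true);
  Node* nacText = anonDiv->AppendChild("#text");
  Selection sel; sel.anchor = sel.focus = inNac ? nacText : p;
  return {IsSelectionEditable(sel), GetActiveEditingHost(sel) != nullptr};
}
```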

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/80c594979b3c
part 1: Make `EditorBase::IsSelectionEditable()` return `false` if selection is accidentally in a native anonymous subtree r=m_kato
https://hg.mozilla.org/integration/autoland/rev/1dea684c9474
part 2: Make `HTMLEditor::GetActiveEditingHost()` return `nullptr` if selection is in a native anonymous subtree r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/32195 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211226092042-e9a430d93229.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Upstream PR merged by moz-wptsync-bot

The patch landed in nightly and beta is affected.
:masayuki, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(masayuki)

Comment on attachment 9256770 [details]
Bug 1747132 - part 1: Make EditorBase::IsSelectionEditable() return false if selection is accidentally in a native anonymous subtree r=m_kato!

Beta/Release Uplift Approval Request

  • User impact if declined: Users may hit the crash
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch just makes HTMLEditor do nothing if Selection is accidentally in a native anonymous subtree. The case is caused by a bug somewhere outside the editor module.
  • String changes made/needed:
Flags: needinfo?(masayuki)
Attachment #9256770 - Flags: approval-mozilla-beta?
Attachment #9256771 - Flags: approval-mozilla-beta?

Comment on attachment 9256770 [details]
Bug 1747132 - part 1: Make EditorBase::IsSelectionEditable() return false if selection is accidentally in a native anonymous subtree r=m_kato!

Will let this ride the train in 97 given the crash rate and that it is already RC week

Attachment #9256770 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Attachment #9256771 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Flags: in-testsuite? → in-testsuite+