Open Bug 1798740 Opened 2 years ago Updated 2 months ago

Assertion failure: !aStartBoundary.IsSet(), at /dom/base/nsRange.cpp:902

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
Linux
defect

People

(Reporter: jkratzer, Assigned: jjaschke)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 2db9822e6dd3 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 2db9822e6dd3 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !aStartBoundary.IsSet(), at /dom/base/nsRange.cpp:902

    ==109698==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8a8be8b9b0 bp 0x7ffeca13ca70 sp 0x7ffeca13ca10 T109698)
    ==109698==The signal is caused by a WRITE memory access.
    ==109698==Hint: address points to the zero page.
        #0 0x7f8a8be8b9b0 in void nsRange::DoSetRange<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>, nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, nsINode*, bool) /dom/base/nsRange.cpp:902:3
        #1 0x7f8a8be8cb5b in nsRange::ParentChainChanged(nsIContent*) /dom/base/nsRange.cpp:728:3
        #2 0x7f8a8bac9957 in mozilla::dom::MutationObservers::NotifyParentChainChanged(nsIContent*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/MutationObservers.h:127:15
        #3 0x7f8a8bc25013 in mozilla::dom::Element::UnbindFromTree(bool) /dom/base/Element.cpp:2098:3
        #4 0x7f8a8dbaf92b in nsGenericHTMLElement::UnbindFromTree(bool) /dom/html/nsGenericHTMLElement.cpp:499:20
        #5 0x7f8a8dbb5197 in nsGenericHTMLFormElement::UnbindFromTree(bool) /dom/html/nsGenericHTMLElement.cpp:1778:25
        #6 0x7f8a8db053ac in mozilla::dom::HTMLInputElement::UnbindFromTree(bool) /dom/html/HTMLInputElement.cpp:4278:45
        #7 0x7f8a8bc24fe9 in mozilla::dom::Element::UnbindFromTree(bool) /dom/base/Element.cpp:2095:12
        #8 0x7f8a8dbaf92b in nsGenericHTMLElement::UnbindFromTree(bool) /dom/html/nsGenericHTMLElement.cpp:499:20
        #9 0x7f8a8bc24fe9 in mozilla::dom::Element::UnbindFromTree(bool) /dom/base/Element.cpp:2095:12
        #10 0x7f8a8dbaf92b in nsGenericHTMLElement::UnbindFromTree(bool) /dom/html/nsGenericHTMLElement.cpp:499:20
        #11 0x7f8a8dbb5197 in nsGenericHTMLFormElement::UnbindFromTree(bool) /dom/html/nsGenericHTMLElement.cpp:1778:25
        #12 0x7f8a8dacc0e0 in mozilla::dom::HTMLElement::UnbindFromTree(bool) /dom/html/HTMLElement.cpp:50:29
        #13 0x7f8a8bc24fe9 in mozilla::dom::Element::UnbindFromTree(bool) /dom/base/Element.cpp:2095:12
        #14 0x7f8a8dbaf92b in nsGenericHTMLElement::UnbindFromTree(bool) /dom/html/nsGenericHTMLElement.cpp:499:20
        #15 0x7f8a8db6cfc8 in mozilla::dom::HTMLSharedElement::UnbindFromTree(bool) /dom/html/HTMLSharedElement.cpp:249:25
        #16 0x7f8a8bb9f366 in mozilla::dom::Document::DisconnectNodeTree() /dom/base/Document.cpp:2852:16
        #17 0x7f8a8bbd5642 in mozilla::dom::Document::Open(mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, mozilla::ErrorResult&) /dom/base/Document.cpp:9537:5
        #18 0x7f8a8bbd701b in mozilla::dom::Document::WriteCommon(nsTSubstring<char16_t> const&, bool, mozilla::ErrorResult&) /dom/base/Document.cpp:9771:5
        #19 0x7f8a8bbd6946 in mozilla::dom::Document::WriteCommon(mozilla::dom::Sequence<nsTString<char16_t> > const&, bool, mozilla::ErrorResult&) /dom/base/Document.cpp:9675:5
        #20 0x7f8a8cf894e8 in mozilla::dom::Document_Binding::write(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3847:24
        #21 0x7f8a8d32dfac in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3287:13
        #22 0x7f8a92a5229c in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:459:13
        #23 0x7f8a92a51bc1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:547:12
        #24 0x7f8a92a48098 in CallFromStack /js/src/vm/Interpreter.cpp:619:10
        #25 0x7f8a92a48098 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3375:16
        #26 0x7f8a92a3ff1d in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
        #27 0x7f8a92a51abd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
        #28 0x7f8a92a52ffc in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
        #29 0x7f8a916bf6ac in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #30 0x7f8a8d020039 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
        #31 0x7f8a8d8f9b86 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #32 0x7f8a8d8f98ad in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1310:43
        #33 0x7f8a8d8fa557 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1506:17
        #34 0x7f8a8d8ef494 in HandleEvent /dom/events/EventListenerManager.h:395:5
        #35 0x7f8a8d8ef494 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
        #36 0x7f8a8d8ee9e2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
        #37 0x7f8a8d8f1281 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1119:11
        #38 0x7f8a8f5c3483 in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1079:7
        #39 0x7f8a90c296ad in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6434:20
        #40 0x7f8a90c28c14 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5827:7
        #41 0x7f8a90c2a5e7 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp
        #42 0x7f8a8b065fbc in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1380:3
        #43 0x7f8a8b0654fa in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:978:14
        #44 0x7f8a8b0637b1 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:797:9
        #45 0x7f8a8b064998 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:680:5
        #46 0x7f8a90c5d601 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13841:23
        #47 0x7f8a8a350800 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:628:22
        #48 0x7f8a8a351d33 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:532:10
        #49 0x7f8a8bbe28cd in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11476:18
        #50 0x7f8a8bbadbdf in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11414:9
        #51 0x7f8a8bbc9034 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:7950:3
        #52 0x7f8a8bc7e9db in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #53 0x7f8a8bc7e9db in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #54 0x7f8a8bc7e9db in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #55 0x7f8a8a13e3b2 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
        #56 0x7f8a8a148714 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
        #57 0x7f8a8a143d11 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
        #58 0x7f8a8a14286a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
        #59 0x7f8a8a142bc5 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
        #60 0x7f8a8a14c066 in operator() /xpcom/threads/TaskController.cpp:187:37
        #61 0x7f8a8a14c066 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #62 0x7f8a8a161967 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1204:16
        #63 0x7f8a8a16816d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #64 0x7f8a8ad5d576 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #65 0x7f8a8ac812e7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #66 0x7f8a8ac811f2 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #67 0x7f8a8ac811f2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #68 0x7f8a8f1c7188 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #69 0x7f8a913fa6fb in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:884:20
        #70 0x7f8a8ad5e46a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #71 0x7f8a8ac812e7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #72 0x7f8a8ac811f2 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #73 0x7f8a8ac811f2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #74 0x7f8a913f9d00 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:743:34
        #75 0x558fc2accc19 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #76 0x558fc2accc19 in main /browser/app/nsBrowserApp.cpp:357:18
        #77 0x7f8aa0e4bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #78 0x7f8aa0e4be3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #79 0x558fc2aa28dc in _start (/home/jkratzer/builds/m-c-20221031214452-fuzzing-debug/firefox-bin+0x168dc) (BuildId: 07a8923c4f6b95c46a3124f5353756a114c76cdf)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/base/nsRange.cpp:902:3 in void nsRange::DoSetRange<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>, nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, nsINode*, bool)
    ==109698==ABORTING
Attached file Testcase
Attachment #9301581 - Attachment mime type: text/plain → text/html

Verified bug as reproducible on mozilla-central 20221102174350-6d65bca9434c.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 0658bfc611aa2025d84fd169cd5d66f2bc445ec9 (20211104045127)
End: 2db9822e6dd36ebcb94adbfa54031b471988fa1e (20221031214452)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Jan, could you take a look? This looks related to bug 1777925. Maybe a missing null check or something. Thanks.

Severity: -- → S2
Flags: needinfo?(jjaschke)

Sure thing!

Assignee: nobody → jjaschke
Flags: needinfo?(jjaschke)

Per offline discussions with Jan and Masayuki - downgrading this to S3
From the investigation right now, this doesn't look like a regression of bug 1777925. We didn't reproduce this with normal debug builds.

Jan's current assumption is that there is a “half-way positioned” range (startBoundary.IsSet() is true, endBoundary.IsSet() is false), which runs into an assertion while being destroyed. This definitely needs further investigation, but from what he sees right now it should not actually crash a release build.

We could review the severity if there are real-life crashes with significant crash volumes.

Severity: S2 → S3

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon

Testcase crashes using the initial build (mozilla-central 20231118093245-391181d97b6b) but not with tip (mozilla-central 20241116092601-8cdd018168b0).

The bug appears to have been fixed in the following build range:

Start: 61cd1b5a48406a84169cd39d7445b75dc32e8f4d (20241025182241)
End: dc7525e3426bfc6827b32eb43ea844be861c9578 (20241025183839)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=61cd1b5a48406a84169cd39d7445b75dc32e8f4d&tochange=dc7525e3426bfc6827b32eb43ea844be861c9578

jjaschke, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(jjaschke)
Keywords: bugmon

Looking at the build range, it could only be https://phabricator.services.mozilla.com/D226931. I can't tell from looking at the code if that actually fixed the issue, it is touching somewhat similar areas. OTOH, it looks like it's only refactoring, so I guess it's rather unlikely?

The other patch in the range is pdf.js, it doesn't touch native code.

Emilio, can you tell if it's possible that your patch fixed this crash?

Flags: needinfo?(jjaschke) → needinfo?(emilio)

No, that seems rather unlikely... The APIs that my patch tweaks are not used by the test-case...

Flags: needinfo?(emilio)