Closed
Bug 1807769
Opened 3 months ago
Closed 3 months ago
Assertion failure: mRawPtr != nullptr (You can't dereference a NULL RefPtr with operator->().), at /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:315
Categories
(Core :: Layout, defect)
Tracking
()
VERIFIED
FIXED
110 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox108 | --- | unaffected |
| firefox109 | --- | disabled |
| firefox110 | --- | verified |
People
(Reporter: jkratzer, Assigned: mrobinson)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Crash Data
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev bd78e2e5b1fe (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build bd78e2e5b1fe --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: mRawPtr != nullptr (You can't dereference a NULL RefPtr with operator->().), at /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:315
==72529==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd7a4759f3a bp 0x7fff1beb3a00 sp 0x7fff1beb39d0 T72529)
==72529==The signal is caused by a WRITE memory access.
==72529==Hint: address points to the zero page.
#0 0x7fd7a4759f3a in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:314:5
#1 0x7fd7a4759f3a in nsIFrame::HasSelectionInSubtree() /layout/generic/nsIFrame.cpp:6947:7
#2 0x7fd7a475a17d in nsIFrame::UpdateIsRelevantContent(mozilla::EnumSet<mozilla::ContentRelevancyReason, unsigned char> const&) /layout/generic/nsIFrame.cpp:7021:23
#3 0x7fd7a458078c in mozilla::PresShell::UpdateRelevancyOfContentVisibilityAutoFrames() /layout/base/PresShell.cpp:11939:12
#4 0x7fd7a457f85e in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4292:5
#5 0x7fd7a0c2d702 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1462:5
#6 0x7fd7a0c2d702 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /dom/base/Document.cpp:10737:16
#7 0x7fd7a0c66c2f in FlushPendingNotifications /dom/base/Document.cpp:10658:3
#8 0x7fd7a0c66c2f in nsIContent::GetPrimaryFrame(mozilla::FlushType) /dom/base/Element.cpp:253:10
#9 0x7fd7a0c6c307 in mozilla::dom::Element::GetBoundingClientRect() /dom/base/Element.cpp:1101:21
#10 0x7fd7a201fd75 in mozilla::dom::Element_Binding::getBoundingClientRect(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/ElementBinding.cpp:3412:74
#11 0x7fd7a23510f2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3287:13
#12 0x7fd7a66634ec in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:459:13
#13 0x7fd7a6662e0f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:547:12
#14 0x7fd7a6654822 in CallFromStack /js/src/vm/Interpreter.cpp:619:10
#15 0x7fd7a6654822 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3379:16
#16 0x7fd7a664898e in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
#17 0x7fd7a6662d0b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
#18 0x7fd7a666424c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
#19 0x7fd7a671dbfc in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
#20 0x7fd7a2050d23 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
#21 0x7fd7a2915ec6 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#22 0x7fd7a2915bec in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1311:43
#23 0x7fd7a2916899 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1507:17
#24 0x7fd7a290b846 in HandleEvent /dom/events/EventListenerManager.h:395:5
#25 0x7fd7a290b846 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:347:17
#26 0x7fd7a290ad7b in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:549:16
#27 0x7fd7a290d53b in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1118:11
#28 0x7fd7a2910016 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
#29 0x7fd7a0e96b7b in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1373:17
#30 0x7fd7a09e2346 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /dom/base/nsContentUtils.cpp:4547:28
#31 0x7fd7a09e2145 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /dom/base/nsContentUtils.cpp:4517:10
#32 0x7fd7a0c18f33 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:7876:3
#33 0x7fd7a0cca568 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#34 0x7fd7a0cca568 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
#35 0x7fd7a0cca568 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
#36 0x7fd79f1b9272 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
#37 0x7fd79f1c34f5 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
#38 0x7fd79f1beadc in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
#39 0x7fd79f1bd6aa in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
#40 0x7fd79f1bda05 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
#41 0x7fd79f1c6df6 in operator() /xpcom/threads/TaskController.cpp:187:37
#42 0x7fd79f1c6df6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#43 0x7fd79f1dc7a8 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1204:16
#44 0x7fd79f1e2fed in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:474:10
#45 0x7fd79fdd4af3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#46 0x7fd79fcf9a88 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
#47 0x7fd79fcf9991 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
#48 0x7fd79fcf9991 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
#49 0x7fd7a41f2298 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
#50 0x7fd7a641f4bb in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:884:20
#51 0x7fd79fdd59b9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#52 0x7fd79fcf9a88 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
#53 0x7fd79fcf9991 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
#54 0x7fd79fcf9991 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
#55 0x7fd7a641ea4c in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:743:34
#56 0x56380b6a6ca0 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#57 0x56380b6a6ca0 in main /browser/app/nsBrowserApp.cpp:359:18
#58 0x7fd7b46a4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#59 0x7fd7b46a4e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#60 0x56380b67d308 in _start (/home/jkratzer/builds/m-c-20221213041109-fuzzing-debug/firefox-bin+0x5b308) (BuildId: be85c748d6fca08f1793e5d193145523e881d675)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:314:5 in operator->
==72529==ABORTING
|
Reporter | |
Comment 1•3 months ago
|
||
|
||
Comment 2•3 months ago
|
||
Verified bug as reproducible on mozilla-central 20221228044022-cadcf8d9a79e.
The bug appears to have been introduced in the following build range:
Start: 71eb757374eb3bf875ad164016051ee8a4463644 (20221130221357)
End: 47c3acb30de24f5e38cab7daa67e9bb0cd56cafc (20221130233108)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=71eb757374eb3bf875ad164016051ee8a4463644&tochange=47c3acb30de24f5e38cab7daa67e9bb0cd56cafc
Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Updated•3 months ago
|
Blocks: css-content-visibility
|
||
Comment 3•3 months ago
|
||
Set release status flags based on info from the regressing bug 1791759
:mrobinson, since you are the author of the regressor, bug 1791759, could you take a look? Also, could you set the severity field?
For more information, please visit auto_nag documentation.
status-firefox108:
--- → unaffected
status-firefox109:
--- → affected
status-firefox110:
--- → affected
status-firefox-esr102:
--- → unaffected
Flags: needinfo?(mrobinson)
|
||
Updated•3 months ago
|
Attachment #9309946 -
Attachment mime type: text/plain → text/html
|
|
||
Comment 4•3 months ago
|
||
Note, you have to set layout.css.content-visibility.enabled to true in order to trigger the crash.
Classifying as S3, given that this is behind that off-by-default pref for now at least. (But we should definitely fix this before enabling the pref.)
|
|
||
Updated•3 months ago
|
Severity: -- → S3
|
Assignee | |
Comment 6•3 months ago
|
||
Be more careful when accessing the frame selection, which might be
nullptr.
|
||
Updated•3 months ago
|
Assignee: nobody → mrobinson
Status: NEW → ASSIGNED
|
|
||
Comment 7•3 months ago
|
||
Copying crash signatures from duplicate bugs.
Crash Signature: [@ get]
[@ nsFrameSelection::GetSelection]
|
|
||
Updated•3 months ago
|
Attachment #9310421 -
Attachment description: Bug 1807769 - Assertion failure: mRawPtr != nullptr (You can't dereference a NULL RefPtr with operator->().), at /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:315 r=emilio → Bug 1807769 - Null-check frame selection in nsIFrame::HasSelectionInSubtree r=emilio
Pushed by mrobinson@igalia.com: https://hg.mozilla.org/integration/autoland/rev/4fca9cae3f42 Null-check frame selection in nsIFrame::HasSelectionInSubtree r=emilio
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/37735 for changes under testing/web-platform/tests
|
||
Updated•3 months ago
|
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Crash Signature: [@ get]
[@ nsFrameSelection::GetSelection] → [@ get]
[@ nsFrameSelection::GetSelection]
|
||
Comment 10•3 months ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch
Upstream PR merged by moz-wptsync-bot
|
|
||
Comment 12•3 months ago
|
||
Verified bug as fixed on rev mozilla-central 20230104042941-616a6f1689dc.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Updated•3 months ago
|
Flags: needinfo?(mrobinson) → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•