Closed Bug 1812194 Opened 1 year ago Closed 1 year ago

crash near null in [@ nsINode::IsInclusiveDescendantOf]

Categories

(Core :: DOM: Editor, defect)

defect

Tracking

VERIFIED FIXED
111 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox109 --- wontfix
firefox110 --- wontfix
firefox111 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(3 files)

Attached file testcase.html

Found while fuzzing m-c 20230111-0b74dca33cb0 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
==257961==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7fcba9e22f64 bp 0x7ffd45654780 sp 0x7ffd45654780 T0)
==257961==The signal is caused by a READ memory access.
==257961==Hint: address points to the zero page.
    #0 0x7fcba9e22f64 in GetParentNode /builds/worker/checkouts/gecko/dom/base/nsINode.h:1009:43
    #1 0x7fcba9e22f64 in operator++ /builds/worker/workspace/obj-build/dist/include/mozilla/dom/AncestorIterator.h:71:1
    #2 0x7fcba9e22f64 in nsINode::IsInclusiveDescendantOf(nsINode const*) const /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:143:22
    #3 0x7fcbafd0e488 in nsIFrame::HasSelectionInSubtree() /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:6976:29
    #4 0x7fcbafd0e727 in nsIFrame::UpdateIsRelevantContent(mozilla::EnumSet<mozilla::ContentRelevancyReason, unsigned char> const&) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:7039:23
    #5 0x7fcbaf9bd544 in mozilla::PresShell::UpdateRelevancyOfContentVisibilityAutoFrames() /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:11901:12
    #6 0x7fcbaf9bb42e in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4237:5
    #7 0x7fcba9ab89b1 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10771:16
    #8 0x7fcba858cf7e in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:742:14
    #9 0x7fcba858fc29 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
    #10 0x7fcbb340298a in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13866:23
    #11 0x7fcba6c498b2 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:628:22
    #12 0x7fcba6c4c244 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10
    #13 0x7fcba9ac0501 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11552:18
    #14 0x7fcba9a7065e in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11490:9
    #15 0x7fcba9a98fb4 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8017:3
    #16 0x7fcba9b8969a in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
    #17 0x7fcba9b8969a in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
    #18 0x7fcba9b8969a in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
    #19 0x7fcba688b64f in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114:20
    #20 0x7fcba689edd9 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
    #21 0x7fcba6895bf7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
    #22 0x7fcba6892e78 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
    #23 0x7fcba68935a0 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
    #24 0x7fcba68a4ee1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
    #25 0x7fcba68a4ee1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
    #26 0x7fcba68c7d64 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
    #27 0x7fcba68d2064 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #28 0x7fcba8046a1e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #29 0x7fcba7ec5f57 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #30 0x7fcba7ec5f57 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #31 0x7fcba7ec5f57 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #32 0x7fcbaf33ba99 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #33 0x7fcbb42e1a78 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:20
    #34 0x7fcba7ec5f57 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #35 0x7fcba7ec5f57 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #36 0x7fcba7ec5f57 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #37 0x7fcbb42e120f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:675:34
    #38 0x5617a2ba0514 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #39 0x5617a2ba09d7 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
    #40 0x7fcbc9067d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #41 0x7fcbc9067e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #42 0x5617a2adef98 in _start (/home/user/workspace/browsers/m-c-20230120212103-fuzzing-asan-opt/firefox+0x111f98) (BuildId: 22cdc183277f39432cecc2ab7d8d5ab5a51fa0c5)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20230124213422-ba77054848c4.
The bug appears to have been introduced in the following build range:

Start: 71eb757374eb3bf875ad164016051ee8a4463644 (20221130221357)
End: 47c3acb30de24f5e38cab7daa67e9bb0cd56cafc (20221130233108)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=71eb757374eb3bf875ad164016051ee8a4463644&tochange=47c3acb30de24f5e38cab7daa67e9bb0cd56cafc

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Severity: -- → S2
Regressed by: 1791759

Set release status flags based on info from the regressing bug 1791759

(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900) from comment #1)

So, nsIContent::GetContent() may return nullptr?
https://searchfox.org/mozilla-central/rev/f1dc2743777711c821d43f9911ee7c4447d60c8e/layout/generic/nsIFrame.cpp#6965

Emilio, would you like to take a look at this, given you reviewed bug 1791759 and if mrobinson won't get back to here soon?

Flags: needinfo?(emilio)
Assignee: nobody → emilio
Flags: needinfo?(emilio)
Flags: needinfo?(mrobinson)
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8b8c8ae333a9
Add a missing null-check in content-visibility: auto handling. r=mrobinson
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/38412 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]

Backed out for causing assertion/crashes in dom/base/nsRange.cpp

Backout link: https://hg.mozilla.org/integration/autoland/rev/3d8d919ac2e490e3d561fbb0fd0b0e6600348b5d

Push with failures

Failure log

Flags: needinfo?(emilio)
Upstream PR was closed without merging

So that does seem like either an editor bug or a missing check in Selection::AddRange. It's separate from the crash in comment 0 so I'll land the fix without the crashtest for now. Masayuki do you have cycles to look at that? It seems we end up with a range registered with the editor selection, but where JS can access it, so JS calling document.getSelection().addRange(d) asserts.

Flags: needinfo?(emilio) → needinfo?(masayuki)

Reduced test-case for that:

<!doctype html>
<html contenteditable>
<button style="background-color: #000; color: #fff">Browse</button>
<script>
  let d = new Range()
  let f = document.getSelection()
  f.addRange(d)
  d.setStart(document.querySelector("button"), 0);
  f.addRange(d)
</script>

This suffers from the bug mentioned in comment 11 and thus crashes in debug builds, so should be landed probably in another bug.

Depends on D169085

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/060ac8113060
Add a missing null-check in content-visibility: auto handling. r=mrobinson
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch

Yeah, it must be a bug of DOM Selection. I don't know how it should be handled (whether the new range is added with cloning or just ignored), but anyway, it should be fixed.

Flags: needinfo?(masayuki)
Flags: in-testsuite? → in-testsuite+

Verified bug as fixed on rev mozilla-central 20230208214144-72d7558735ea.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Upstream PR merged by moz-wptsync-bot