crash in [@ nsFrameIterator::nsFrameIterator]
Categories
(Core :: DOM: Selection, defect)
Tracking

| | Tracking | Status |
|---|---|---|
| firefox123 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-nullptr, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file: 230 bytes, text/html)
Found while fuzzing m-c 20231224-72ca09ca9698 (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
==186078==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000006d (pc 0x7fa60ea143f0 bp 0x7ffdd4a19930 sp 0x7ffdd4a19930 T0)
==186078==The signal is caused by a READ memory access.
==186078==Hint: address points to the zero page.
#0 0x7fa60ea143f0 in IsPlaceholderFrame /builds/worker/workspace/obj-build/dist/include/mozilla/FrameTypeList.h:72:1
#1 0x7fa60ea143f0 in GetRealFrameFor /builds/worker/checkouts/gecko/layout/generic/nsPlaceholderFrame.h:165:17
#2 0x7fa60ea143f0 in nsFrameIterator::nsFrameIterator(nsPresContext*, nsIFrame*, nsFrameIterator::Type, bool, bool, bool, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsFrameTraversal.cpp:33:28
#3 0x7fa606e70e97 in nsFocusManager::GetSelectionLocation(mozilla::dom::Document*, mozilla::PresShell*, nsIContent**, nsIContent**) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:3229:21
#4 0x7fa606e547cc in nsFocusManager::DetermineElementToMoveFocus(nsPIDOMWindowOuter*, nsIContent*, int, bool, bool, nsIContent**) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:3449:9
#5 0x7fa606e528d7 in nsFocusManager::MoveFocus(mozIDOMWindowProxy*, mozilla::dom::Element*, unsigned int, unsigned int, mozilla::dom::Element**) /builds/worker/checkouts/gecko/dom/base/nsFocusManager.cpp:532:17
#6 0x7fa6128e0e99 in nsWebBrowserFind::SetSelectionAndScroll(nsPIDOMWindowOuter*, nsRange*) /builds/worker/checkouts/gecko/toolkit/components/find/nsWebBrowserFind.cpp:356:13
#7 0x7fa6128dfb2f in nsWebBrowserFind::SearchInFrame(nsPIDOMWindowOuter*, bool, bool*) /builds/worker/checkouts/gecko/toolkit/components/find/nsWebBrowserFind.cpp:675:5
#8 0x7fa6128de117 in nsWebBrowserFind::FindNext(bool*) /builds/worker/checkouts/gecko/toolkit/components/find/nsWebBrowserFind.cpp:109:8
#9 0x7fa606793e5a in nsGlobalWindowOuter::FindOuter(nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:6409:20
#10 0x7fa60670725b in nsGlobalWindowInner::Find(nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:4154:3
#11 0x7fa6086de74d in mozilla::dom::Window_Binding::find(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WindowBinding.cpp:6394:36
#12 0x7fa609197f59 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3258:13
#13 0x153a385ec291 ([anon:js-executable-memory]+0x20291)
Comment 1 • 1 year ago
Testcase crashes using the initial build (mozilla-central 20231224090923-72ca09ca9698) but not with tip (mozilla-central 20231227205835-856e86584c4c).
The bug appears to have been fixed in the following build range:
Start: 6d9a0abd0a3c26f4337aff723c15795fe91fe884 (20231227091935)
End: 856e86584c4c811f064f93e2b734dd374c787eaf (20231227145854)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6d9a0abd0a3c26f4337aff723c15795fe91fe884&tochange=856e86584c4c811f064f93e2b734dd374c787eaf
tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 2 • 1 year ago (Reporter)
Fixed by bug 1816581.