Closed Bug 1879921 Opened 9 months ago Closed 9 months ago

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Re-entrant fragment parsing attempted.), at /dom/base/nsContentUtils.cpp:5514

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
125 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox122 --- wontfix
firefox123 --- wontfix
firefox124 --- fixed
firefox125 --- verified

People

(Reporter: jkratzer, Assigned: avandolder)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files, 1 obsolete file)

Testcase
436 bytes, text/plain
Details
Bug 1879921 - Fix failure caused by re-entry of SetHTMLUnsafe. r?peterv,#dom-core
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-beta+
Details | Review

Testcase found while fuzzing mozilla-central rev 13676fc9b0cd (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 13676fc9b0cd --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Re-entrant fragment parsing attempted.), at /dom/base/nsContentUtils.cpp:5514

    ==272237==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9410402bd7 bp 0x7ffdc880e5f0 sp 0x7ffdc880e470 T272237)
    ==272237==The signal is caused by a WRITE memory access.
    ==272237==Hint: address points to the zero page.
        #0 0x7f9410402bd7 in nsContentUtils::ParseFragmentHTML(nsTSubstring<char16_t> const&, nsIContent*, nsAtom*, int, bool, bool, int) /dom/base/nsContentUtils.cpp:5514:5
        #1 0x7f94106b082e in mozilla::dom::FragmentOrElement::SetInnerHTMLInternal(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /dom/base/FragmentOrElement.cpp:2071:14
        #2 0x7f94111cd3fb in SetInnerHTML /builds/worker/workspace/obj-build/dist/include/mozilla/dom/DocumentFragment.h:81:5
        #3 0x7f94111cd3fb in mozilla::dom::ShadowRoot_Binding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/./ShadowRootBinding.cpp:430:24
        #4 0x7f9411b52f8a in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3206:8
        #5 0x7f9416053494 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:480:13
        #6 0x7f9416052deb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:574:12
        #7 0x7f94160540bd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:673:8
        #8 0x7f9416055394 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /js/src/vm/Interpreter.cpp:804:10
        #9 0x7f94162ebf04 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /js/src/vm/NativeObject.cpp:2655:8
        #10 0x7f94162eae60 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /js/src/vm/NativeObject.cpp:2689:14
        #11 0x7f94160606b5 in SetObjectElementOperation /js/src/vm/Interpreter.cpp:1594:10
        #12 0x7f94160606b5 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2807:12
        #13 0x7f9416052372 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:452:13
        #14 0x7f9416052e08 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:606:13
        #15 0x7f94160540bd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:673:8
        #16 0x7f941664894d in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /js/src/proxy/Wrapper.cpp:168:10
        #17 0x7f9416639473 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /js/src/proxy/Proxy.cpp:705:19
        #18 0x7f9416053204 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:554:14
        #19 0x7f94160540bd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:673:8
        #20 0x7f941664894d in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /js/src/proxy/Wrapper.cpp:168:10
        #21 0x7f941662980c in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /js/src/proxy/CrossCompartmentWrapper.cpp:229:19
        #22 0x7f940f8391e1 in xpc::WaiveXrayWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /js/xpconnect/wrappers/WaiveXrayWrapper.cpp:62:35
        #23 0x7f9416639473 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /js/src/proxy/Proxy.cpp:705:19
        #24 0x7f9416053204 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:554:14
        #25 0x7f9416062708 in CallFromStack /js/src/vm/Interpreter.cpp:646:10
        #26 0x7f9416062708 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3061:16
        #27 0x7f9416052372 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:452:13
        #28 0x7f9416052e08 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:606:13
        #29 0x7f94160540bd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:673:8
        #30 0x7f941616e264 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #31 0x7f941189866c in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8
        #32 0x7f9413964cd3 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:80:12
        #33 0x7f941396272a in mozilla::dom::EventListener::HandleEvent(mozilla::dom::Event&, char const*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:93:12
        #34 0x7f9413962413 in mozilla::dom::JSWindowActorProtocol::HandleEvent(mozilla::dom::Event*) /dom/ipc/jsactor/JSWindowActorProtocol.cpp:207:18
        #35 0x7f94121c68f5 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1346:22
        #36 0x7f94121c79f4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1661:12
        #37 0x7f94121c7269 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1558:35
        #38 0x7f94121ba8bf in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
        #39 0x7f94121ba8bf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:364:17
        #40 0x7f94121b9e71 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:605:16
        #41 0x7f94121bc876 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1222:11
        #42 0x7f94121bfd46 in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #43 0x7f94105e7442 in nsWindowRoot::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsWindowRoot.cpp:85:17
        #44 0x7f94103febb2 in nsContentUtils::DispatchChromeEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, bool*) /dom/base/nsContentUtils.cpp:4984:17
        #45 0x7f941071d600 in operator() /dom/base/Element.cpp:1389:9
        #46 0x7f941071d600 in mozilla::detail::RunnableFunction<mozilla::dom::Element::NotifyUAWidgetSetupOrChange()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
        #47 0x7f9410407ebe in nsContentUtils::RemoveScriptBlocker() /dom/base/nsContentUtils.cpp:6129:17
        #48 0x7f9410641ff5 in mozilla::dom::Document::EndUpdate() /dom/base/Document.cpp:7967:3
        #49 0x7f94108fa259 in ~mozAutoDocUpdate /dom/base/mozAutoDocUpdate.h:34:18
        #50 0x7f94108fa259 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /dom/base/nsINode.cpp:2862:1
        #51 0x7f9410d7ebdf in InsertBefore /dom/base/nsINode.h:2154:12
        #52 0x7f9410d7ebdf in mozilla::dom::Node_Binding::insertBefore(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./NodeBinding.cpp:898:60
        #53 0x7f9411b5514e in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3258:13
        #54 0x7f9416053494 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:480:13
        #55 0x7f9416052deb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:574:12
        #56 0x7f9416062708 in CallFromStack /js/src/vm/Interpreter.cpp:646:10
        #57 0x7f9416062708 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3061:16
        #58 0x7f9416052372 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:452:13
        #59 0x7f9416052e08 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:606:13
        #60 0x7f94160540bd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:673:8
        #61 0x7f941616e264 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #62 0x7f941189866c in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8
        #63 0x7f94121c6cf6 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #64 0x7f94121c68b2 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1340:43
        #65 0x7f94121c79f4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1661:12
        #66 0x7f94121c7269 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1558:35
        #67 0x7f94121ba8bf in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
        #68 0x7f94121ba8bf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:364:17
        #69 0x7f94121b9b54 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:528:12
        #70 0x7f94121bc876 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1222:11
        #71 0x7f9412171c09 in mozilla::AsyncEventDispatcher::RunDOMEventWhenSafe(nsINode&, mozilla::WidgetEvent&, nsEventStatus*) /dom/events/AsyncEventDispatcher.cpp:142:12
        #72 0x7f941065f253 in mozilla::dom::Document::MutationEventDispatched(nsINode*) /dom/base/Document.cpp:12002:5
        #73 0x7f94104007ea in UpdateTarget /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Document.h:5411:22
        #74 0x7f94104007ea in mozilla::dom::mozAutoSubtreeModified::~mozAutoSubtreeModified() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Document.h:5407:31
        #75 0x7f94108f6eec in nsINode::ReplaceChildren(nsINode*, mozilla::ErrorResult&) /dom/base/nsINode.cpp:2207:1
        #76 0x7f9410403a8c in nsContentUtils::SetHTMLUnsafe(mozilla::dom::FragmentOrElement*, mozilla::dom::Element*, nsTSubstring<char16_t> const&) /dom/base/nsContentUtils.cpp:5505:12
        #77 0x7f94118bf076 in mozilla::dom::Element_Binding::setHTMLUnsafe(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./ElementBinding.cpp:5678:24
        #78 0x7f9411b5514e in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3258:13
        #79 0x7f9416053494 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:480:13
        #80 0x7f9416052deb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:574:12
        #81 0x7f9416062708 in CallFromStack /js/src/vm/Interpreter.cpp:646:10
        #82 0x7f9416062708 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3061:16
        #83 0x7f9416052372 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:452:13
        #84 0x7f9416052e08 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:606:13
        #85 0x7f94160540bd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:673:8
        #86 0x7f941616e264 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #87 0x7f941189866c in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8
        #88 0x7f94121c6cf6 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #89 0x7f94121c68b2 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1340:43
        #90 0x7f94121c79f4 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1661:12
        #91 0x7f94121c7269 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1558:35
        #92 0x7f94121ba8bf in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
        #93 0x7f94121ba8bf in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:364:17
        #94 0x7f94121b9e71 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:605:16
        #95 0x7f94121bc876 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1222:11
        #96 0x7f94121bfd46 in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #97 0x7f94108f02a9 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1404:17
        #98 0x7f94103fc6fc in nsContentUtils::DispatchEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /dom/base/nsContentUtils.cpp:4754:29
        #99 0x7f94103fc562 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /dom/base/nsContentUtils.cpp:4720:10
        #100 0x7f94106428d5 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8052:3
        #101 0x7f94106f85d9 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
        #102 0x7f94106f85d9 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
        #103 0x7f94106f85d9 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
        #104 0x7f94106f85d9 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
        #105 0x7f94106f85d9 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
        #106 0x7f94106f85d9 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #107 0x7f94106f85d9 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
        #108 0x7f940e9e3cb7 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:578:16
        #109 0x7f940e9d9426 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:905:26
        #110 0x7f940e9d7c07 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:728:15
        #111 0x7f940e9d8085 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:514:36
        #112 0x7f940e9e7c56 in operator() /xpcom/threads/TaskController.cpp:232:37
        #113 0x7f940e9e7c56 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #114 0x7f940e9fcfc2 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
        #115 0x7f940ea0410d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #116 0x7f940f6e0bd5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #117 0x7f940f5fae71 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #118 0x7f940f5fae71 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #119 0x7f9413f441d8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #120 0x7f9414001818 in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:470:33
        #121 0x7f9415e1f88b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:721:20
        #122 0x7f940f6e1ab6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #123 0x7f940f5fae71 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #124 0x7f940f5fae71 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #125 0x7f9415e1f0f2 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:656:34
        #126 0x55cc1aefc3b6 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #127 0x55cc1aefc3b6 in main /browser/app/nsBrowserApp.cpp:375:18
        #128 0x7f9423979d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #129 0x7f9423979e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #130 0x55cc1aed20e8 in _start (/home/jkratzer/builds/m-c-20240211213657-fuzzing-debug/firefox-bin+0x590e8) (BuildId: ee876ea058ef8318ad7efeb7b4af40cedc32cad4)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/base/nsContentUtils.cpp:5514:5 in nsContentUtils::ParseFragmentHTML(nsTSubstring<char16_t> const&, nsIContent*, nsAtom*, int, bool, bool, int)
    ==272237==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20240212214644-27636a965cb6.
The bug appears to have been introduced in the following build range:

Start: 45ce85e7ef6528e8e7f446161a83c61fb28ca7cb (20231208041828)
End: 7f2d3c71baa98717063138ffd8011f56f44bf9de (20231208012614)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=45ce85e7ef6528e8e7f446161a83c61fb28ca7cb&tochange=7f2d3c71baa98717063138ffd8011f56f44bf9de

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

avandolder: Could you take a look? Thanks!

(Looks like this would cause a crash, setting the severity to S2.)

Severity: -- → S2
Flags: needinfo?(avandolder)
Regressed by: 1712140

Set release status flags based on info from the regressing bug 1712140

status-firefox122: --- → affected
status-firefox123: --- → affected
status-firefox124: --- → affected
status-firefox-esr115: --- → unaffected

We might need to put the ReplaceChildren call outside of the scope of the sFragmentParsingActive guard.

Set release status flags based on info from the regressing bug 1712140

status-firefox125: --- → affected
Assignee: nobody → avandolder
Status: NEW → ASSIGNED
Pushed by avandolder@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3141ad983ed0 Fix failure caused by re-entry of SetHTMLUnsafe. r=peterv,dom-core
Duplicate of this bug: 1881068

https://hg.mozilla.org/mozilla-central/rev/3141ad983ed0

Status: ASSIGNED → RESOLVED
Closed: 9 months ago
status-firefox125: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch

Verified bug as fixed on rev mozilla-central 20240222043825-445c60e096fe.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox125: fixedverified
Keywords: bugmon
status-firefox123: affectedwontfix
Flags: needinfo?(avandolder) → in-testsuite+

The patch landed in nightly and beta is affected.
:avandolder, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox124 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(avandolder)
Attached file Beta Approval Uplift Request (obsolete) —

Approval Request Comment
[Feature/Bug causing the regression]: Implementation of SetHTMLUnsafe as part of Declarative ShadowDOM from bug 1712140
[User impact if declined]: Possible failure to properly parse reenterant calls of SetHTMLUnsafe.
[Is this code covered by automated tests?]: Yes
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]: No
[List of other uplifts needed for the feature/fix]: n/a
[Is the change risky?]: No
[Why is the change risky/not risky?]: Fixes a small, unintended error in SetHTMLUnsafe, a new API without heavy usage.
[String changes made/needed]: n/a

Flags: needinfo?(avandolder)
Attachment #9388053 - Flags: approval-mozilla-beta?

Comment on attachment 9381063 [details]
Bug 1879921 - Fix failure caused by re-entry of SetHTMLUnsafe. r?peterv,#dom-core

Approved for 124.0b6

Attachment #9381063 - Flags: approval-mozilla-beta+
Attachment #9388053 - Flags: approval-mozilla-beta?
Attachment #9388053 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: