Closed Bug 1887963 Opened 6 months ago Closed 5 months ago

crash near null in [@ mozilla::dom::AbstractRange::MarkDescendants]

Categories

(Core :: DOM: Selection, defect)

Tracking


VERIFIED FIXED
126 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox124 --- unaffected
firefox125 --- unaffected
firefox126 + verified

People

(Reporter: tsmith, Assigned: sefeng)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20240326-f0c093accca5 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
==77322==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7685dd53378a bp 0x7ffdae0b3f50 sp 0x7ffdae0b3f20 T0)
==77322==The signal is caused by a READ memory access.
==77322==Hint: address points to the zero page.
    #0 0x7685dd53378a in GetBoolFlag /builds/worker/checkouts/gecko/dom/base/nsINode.h:1945:12
    #1 0x7685dd53378a in IsDescendantOfClosestCommonInclusiveAncestorForRangeInSelection /builds/worker/checkouts/gecko/dom/base/nsINode.h:1987:12
    #2 0x7685dd53378a in IsMaybeSelected /builds/worker/checkouts/gecko/dom/base/nsINode.h:1593:12
    #3 0x7685dd53378a in mozilla::dom::AbstractRange::MarkDescendants(nsINode const&) /builds/worker/checkouts/gecko/dom/base/AbstractRange.cpp:119:14
    #4 0x7685dd536240 in mozilla::dom::AbstractRange::RegisterClosestCommonInclusiveAncestor(nsINode*) /builds/worker/checkouts/gecko/dom/base/AbstractRange.cpp:418:3
    #5 0x7685dd53605c in mozilla::dom::AbstractRange::RegisterSelection(mozilla::dom::Selection&) /builds/worker/checkouts/gecko/dom/base/AbstractRange.cpp:386:5
    #6 0x7685dd9e8323 in mozilla::dom::Selection::StyledRanges::MaybeAddRangeAndTruncateOverlaps(nsRange*, mozilla::Maybe<unsigned long>*) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1213:13
    #7 0x7685dd9fb02a in mozilla::dom::Selection::AddRangeAndSelectFramesAndNotifyListenersInternal(nsRange&, mozilla::dom::Document*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2378:14
    #8 0x7685dda080ce in mozilla::dom::Selection::SetStartAndEndInternal(mozilla::dom::Selection::InLimiter, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, nsDirection, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:4182:3
    #9 0x7685dda108bf in mozilla::dom::Selection::SetBaseAndExtentInternal(mozilla::dom::Selection::InLimiter, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp
    #10 0x7685dda0f969 in mozilla::dom::Selection::SetBaseAndExtent(nsINode&, unsigned int, nsINode&, unsigned int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:4032:3
    #11 0x7685dda0f01b in mozilla::dom::Selection::SetBaseAndExtentJS(nsINode&, unsigned int, nsINode&, unsigned int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:4015:3
    #12 0x7685ded17d1f in mozilla::dom::Selection_Binding::setBaseAndExtent(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./SelectionBinding.cpp:950:24
    #13 0x7685dff91514 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3269:13
    #14 0x7685ea2cbc95 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
    #15 0x7685ea2cbc95 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12
    #16 0x7685ea2f10e5 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
    #17 0x7685ea2f10e5 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:10
    #18 0x7685ea2f10e5 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3060:16
    #19 0x7685ea2caa17 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:393:10
    #20 0x7685ea2caa17 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
    #21 0x7685ea2cbdfe in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
    #22 0x7685ea2cdd86 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
    #23 0x7685ea2cdd86 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
    #24 0x7685ea48f5ab in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
    #25 0x7685df9df982 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
    #26 0x7685e0e646c2 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
    #27 0x7685e0e62116 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
    #28 0x7685e0e0d619 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1346:22
    #29 0x7685e0e1022a in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1661:12
    #30 0x7685e0e0ec66 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1558:35
    #31 0x7685e0df1d62 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:364:17
    #32 0x7685e0def357 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:605:16
    #33 0x7685e0df6d2a in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1222:11
    #34 0x7685e59047be in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1028:7
    #35 0x7685e8c0de16 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6303:13
    #36 0x7685e8c0cbd8 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5695:7
    #37 0x7685e8c0f626 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #38 0x7685dbb79247 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1356:3
    #39 0x7685dbb77ae6 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:962:14
    #40 0x7685dbb7316a in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:784:9
    #41 0x7685dbb76275 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:667:5
    #42 0x7685e8c638ba in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13759:23
    #43 0x7685d9c5d4db in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:632:22
    #44 0x7685d9c60a44 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:536:10
    #45 0x7685dd7348be in DoUnblockOnload /builds/worker/checkouts/gecko/dom/base/Document.cpp:11715:18
    #46 0x7685dd7348be in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11653:9
    #47 0x7685dd76a158 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8141:3
    #48 0x7685dd89d76b in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
    #49 0x7685dd89d76b in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
    #50 0x7685dd89d76b in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
    #51 0x7685dd89d76b in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
    #52 0x7685dd89d76b in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
    #53 0x7685dd89d76b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
    #54 0x7685dd89d76b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
    #55 0x7685d97f557a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
    #56 0x7685d97dae0b in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
    #57 0x7685d97d79e8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
    #58 0x7685d97d80e9 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
    #59 0x7685d97fd671 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
    #60 0x7685d97fd671 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #61 0x7685d98255af in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
    #62 0x7685d983326a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #63 0x7685db4f9c2e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #64 0x7685db31833a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #65 0x7685db31833a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #66 0x7685db31833a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #67 0x7685e4e69589 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #68 0x7685e507f8b2 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
    #69 0x7685e9e78a9e in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
    #70 0x7685db31833a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #71 0x7685db31833a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #72 0x7685db31833a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #73 0x7685e9e78043 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
    #74 0x6249c643c92c in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #75 0x6249c643c92c in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
    #76 0x768602629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #77 0x768602629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #78 0x6249c6360c38 in _start (/home/user/workspace/browsers/m-c-20240326095207-fuzzing-asan-opt/firefox+0xdcc38) (BuildId: be9e468be18e82ee6d88738a8db1fb68e3c10feb)
Flags: in-testsuite?

The attached test case also triggers this assertion:

Assertion failure: commonAncestor (unexpected disconnected nodes), at /builds/worker/checkouts/gecko/dom/base/AbstractRange.cpp:385

Verified bug as reproducible on mozilla-central 20240326211853-a93eeb987e4a.
The bug appears to have been introduced in the following build range:

Start: 5969005dae85cc8ac486b2f0bdbb7454b660f252 (20240325134037)
End: 19dcff1ee3fcbb431110e0639c80a3ba51ee0a34 (20240325140555)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5969005dae85cc8ac486b2f0bdbb7454b660f252&tochange=19dcff1ee3fcbb431110e0639c80a3ba51ee0a34

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 1867058

Set release status flags based on info from the regressing bug 1867058

:sefeng, since you are the author of the regressor, bug 1867058, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(sefeng)
Assignee: nobody → sefeng
Status: NEW → ASSIGNED
Attachment #9393601 - Attachment description: Bug 1887963 - Disallow selection boundaries to be UA widgets r=#dom-core,jjaschke,smaug → Bug 1887963 - Fix a bug where the commonAncestor could be null when range boundaries are not in flat tree.

Got a patch for this

Flags: needinfo?(sefeng)
Blocks: 1888800
Severity: -- → S3

The bug is marked as tracked for firefox126 (nightly). However, the bug still has low severity.

:hsinyi, could you please increase the severity for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Flags: needinfo?(htsai)

Bumping up the severity per request from comment 6; also this is a new regression, new crash.

Severity: S3 → S2
Flags: needinfo?(htsai)
Pushed by sefeng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/65e4a52d9076
Fix a bug where the commonAncestor could be null when range boundaries are not in flat tree. r=smaug
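The failure mode behind this fix is easy to model outside the browser. The ASan report above faults on address 0x1c, a small offset from null, which is consistent with GetBoolFlag reading a flag field through a null node when MarkDescendants is handed the missing common ancestor; the assertion in the debug build ("unexpected disconnected nodes") names the same condition. The block below is an added illustration, not code from this bug, from Gecko, or from the attached testcase: it uses a constructed tree with parent pointers instead of a real DOM so that it runs in plain Node, and the names TreeNode, registerUnguarded, registerGuarded and buildSample are assumptions of this example. It computes the closest common inclusive ancestor of two range boundaries, shows that the result is null when the boundaries sit in separate trees, and contrasts an unguarded registration (which dereferences the null) with one that bails out.

```javascript
// Constructed model of a node tree with parent pointers. This is an
// illustration of the null-common-ancestor case, not Gecko's nsINode code.
class TreeNode {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.children = [];
    this.flags = 0; // stands in for the per-node bool flags
    if (parent) parent.children.push(this);
  }
}

// Walk from a node up to its root, inclusive of the node itself.
function inclusiveAncestors(node) {
  const chain = [];
  for (let n = node; n; n = n.parent) chain.push(n);
  return chain;
}

// Closest common inclusive ancestor of two boundary nodes, or null when the
// two ancestor chains never meet, i.e. the boundaries live in separate trees.
// That is the situation the "unexpected disconnected nodes" assertion reports.
function closestCommonInclusiveAncestor(a, b) {
  const ancestorsOfA = new Set(inclusiveAncestors(a));
  for (const n of inclusiveAncestors(b)) {
    if (ancestorsOfA.has(n)) return n;
  }
  return null;
}

// Set a "maybe selected" flag on every descendant of the given ancestor,
// the job MarkDescendants does in the stack above.
function markDescendants(root) {
  for (const child of root.children) {
    child.flags |= 1;
    markDescendants(child);
  }
}

// Unguarded registration: assumes the common ancestor exists and uses it.
// With disconnected boundaries this throws a TypeError, the JavaScript
// analogue of the null-page read in the ASan report.
function registerUnguarded(start, end) {
  const common = closestCommonInclusiveAncestor(start, end);
  markDescendants(common);
  return common;
}

// Guarded registration: stop when there is no common ancestor instead of
// touching a null node. Returns the registered ancestor, or null.
function registerGuarded(start, end) {
  const common = closestCommonInclusiveAncestor(start, end);
  if (common === null) return null;
  markDescendants(common);
  return common;
}

// Constructed sample: a document tree plus a second tree that is not
// reachable from the document through parent pointers.
function buildSample() {
  const doc = new TreeNode('#document');
  const body = new TreeNode('body', doc);
  const p1 = new TreeNode('p1', body);
  const p2 = new TreeNode('p2', body);
  const detachedRoot = new TreeNode('detached-root');
  const span = new TreeNode('span', detachedRoot);
  return { doc, body, p1, p2, detachedRoot, span };
}

// Run both registrations over the sample and report what happened.
function demo() {
  const t = buildSample();
  const connected = registerGuarded(t.p1, t.p2); // body
  const disconnected = registerGuarded(t.p1, t.span); // null
  let threw = false;
  try {
    registerUnguarded(t.p1, t.span);
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return { connected: connected.name, disconnected, threw };
}
```

The guarded path is the shape of the fix described in the push message: when the boundaries are not in one tree there is nothing to register, so the code returns early rather than walking a null ancestor.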
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/45525 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch
Upstream PR merged by moz-wptsync-bot

Verified bug as fixed on rev mozilla-central 20240404034404-1d9c4672f9f5.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Regressions: 1897248
