Closed Bug 1907228 Opened 4 months ago Closed 4 months ago

crash near null in [@ GetShadowRoot]

Categories

(Core :: DOM: Selection, defect)

Tracking

VERIFIED FIXED
130 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox128 --- unaffected
firefox129 --- fixed
firefox130 --- verified

People

(Reporter: tsmith, Assigned: sefeng)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing 20240626-c56c790ea2f4 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

==154542==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7064313e6c73 bp 0x7fffcd855b80 sp 0x7fffcd855b60 T0)
==154542==The signal is caused by a READ memory access.
==154542==Hint: address points to the zero page.
    #0 0x7064313e6c73 in GetBoolFlag /builds/worker/checkouts/gecko/dom/base/nsINode.h:2005:12
    #1 0x7064313e6c73 in IsContent /builds/worker/checkouts/gecko/dom/base/nsINode.h:2015:35
    #2 0x7064313e6c73 in GetShadowRoot /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:3876:10
    #3 0x7064313e6c73 in nsINode::GetShadowRootForSelection() const /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:3884:28
    #4 0x706430e312cf in mozilla::ContentSubtreeIterator::Next() /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1160:24
    #5 0x706430ecfde6 in RangeSubtreeIterator::Next() /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:1607:19
    #6 0x706430ed0eee in nsRange::CutContents(mozilla::dom::DocumentFragment**, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:1873:10
    #7 0x70643121ee82 in mozilla::dom::Selection::DeleteFromDocument(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3866:27
    #8 0x706431f0cf7f in mozilla::dom::Selection_Binding::deleteFromDocument(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./SelectionBinding.cpp:1078:24
    #9 0x706432c539f4 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3268:13
    #10 0x70643918a444 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:491:13
    #11 0x70643918a444 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:585:12
    #12 0x7064391a6b28 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
    #13 0x7064391a6b28 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:10
    #14 0x7064391a6b28 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3394:16
    #15 0x70643918936f in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:10
    #16 0x70643918936f in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:463:13
    #17 0x70643918a5ba in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:617:13
    #18 0x70643918c34c in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
    #19 0x70643918c34c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:684:8
    #20 0x7064392e5faf in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
    #21 0x7064327fb392 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8
    #22 0x7064337c9fbb in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #23 0x7064337c962c in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1339:43
    #24 0x7064337cb934 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1662:12
    #25 0x7064337ca7b3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1559:35
    #26 0x7064337b30e2 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:365:17
    #27 0x7064337b1044 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:643:14
    #28 0x7064337b722a in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1221:11
    #29 0x7064337beb36 in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #30 0x7064313d05e7 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1444:17
    #31 0x7064337d7ec2 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:214:13
    #32 0x706433724eeb in DispatchEventOnTarget /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:89:12
    #33 0x706433724eeb in mozilla::AsyncEventDispatcher::Run() /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:59:5
    #34 0x706430c15b8f in nsContentUtils::RemoveScriptBlocker() /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:6258:17
    #35 0x706430fc79b9 in mozilla::dom::Document::EndUpdate() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8090:3
    #36 0x70643105c73b in ~mozAutoDocUpdate /builds/worker/checkouts/gecko/dom/base/mozAutoDocUpdate.h:34:18
    #37 0x70643105c73b in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2604:1
    #38 0x7064328c25f2 in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:992:12
    #39 0x7064328c25f2 in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:988:12
    #40 0x7064328c25f2 in SetClassName /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:1203:5
    #41 0x7064328c25f2 in mozilla::dom::Element_Binding::set_className(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/./ElementBinding.cpp:1505:24
    #42 0x706432c4f6ae in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3216:8
    #43 0x70643918a444 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:491:13
    #44 0x70643918a444 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:585:12
    #45 0x70643918c34c in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
    #46 0x70643918c34c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:684:8
    #47 0x70643918e273 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:815:10
    #48 0x7064394de2f6 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2667:8
    #49 0x7064394dbd49 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2701:14
    #50 0x7064391a1dd2 in SetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:305:10
    #51 0x7064391a1dd2 in SetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:1625:10
    #52 0x7064391a1dd2 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3140:12
    #53 0x70643918936f in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:10
    #54 0x70643918936f in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:463:13
    #55 0x70643918a5ba in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:617:13
    #56 0x70643918c34c in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
    #57 0x70643918c34c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:684:8
    #58 0x7064392e5faf in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
    #59 0x7064327f8cf1 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
    #60 0x706433813276 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
    #61 0x706433811aa2 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
    #62 0x7064337c96a9 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1345:22
    #63 0x7064337cb934 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1662:12
    #64 0x7064337ca7b3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1559:35
    #65 0x7064337b30e2 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:365:17
    #66 0x7064337b0921 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:606:16
    #67 0x7064337b722a in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1221:11
    #68 0x7064337beb36 in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #69 0x7064313d05e7 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1444:17
    #70 0x706430c07f96 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4876:29
    #71 0x706430c07ca4 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4842:10
    #72 0x706433ccad4d in mozilla::dom::HTMLMediaElement::DispatchEvent(nsTSubstring<char16_t> const&) /builds/worker/checkouts/gecko/dom/html/HTMLMediaElement.cpp:6368:10
    #73 0x70642d33eefa in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16
    #74 0x70642d32b23d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
    #75 0x70642d328a88 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15
    #76 0x70642d3290a6 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
    #77 0x70642d346121 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37
    #78 0x70642d346121 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #79 0x70642d366ebd in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
    #80 0x70642d371c88 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #81 0x70642e8d33be in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #82 0x70642e7b7364 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #83 0x70642e7b7364 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #84 0x70642e7b7364 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #85 0x7064370b5989 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #86 0x70643726a36b in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
    #87 0x706438ec541d in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:714:20
    #88 0x70642e7b7364 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #89 0x70642e7b7364 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #90 0x70642e7b7364 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #91 0x706438ec4a05 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:649:34
    #92 0x55853f4b83b0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #93 0x55853f4b83b0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:18
Flags: in-testsuite?
Crash Signature: [@ nsINode::GetBoolFlag ]
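
A triage sketch for the report above, added here as an example (not part of the bug, Grizzly or Bugmon): it parses the ASan header, classifies the fault address, and groups the frames that share frame #0's pc, which shows that GetBoolFlag, IsContent and GetShadowRoot are inlined into one crash site. The 0x1000 near-null threshold, the "wild" label and all function names are assumptions.

```python
import re
from itertools import takewhile

# First lines of the AddressSanitizer report quoted in this bug (frames #0-#4).
ASAN_REPORT = """\
==154542==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7064313e6c73 bp 0x7fffcd855b80 sp 0x7fffcd855b60 T0)
==154542==The signal is caused by a READ memory access.
==154542==Hint: address points to the zero page.
    #0 0x7064313e6c73 in GetBoolFlag /builds/worker/checkouts/gecko/dom/base/nsINode.h:2005:12
    #1 0x7064313e6c73 in IsContent /builds/worker/checkouts/gecko/dom/base/nsINode.h:2015:35
    #2 0x7064313e6c73 in GetShadowRoot /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:3876:10
    #3 0x7064313e6c73 in nsINode::GetShadowRootForSelection() const /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:3884:28
    #4 0x706430e312cf in mozilla::ContentSubtreeIterator::Next() /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1160:24
"""

HEADER_RE = re.compile(
    r"AddressSanitizer: (\w+) on unknown address (0x[0-9a-fA-F]+) \(pc (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# "#N 0xPC in <function, may contain spaces> <file:line:col>"
FRAME_RE = re.compile(r"^[ \t]*#(\d+) (0x[0-9a-fA-F]+) in (.+) (\S+)$", re.MULTILINE)

NEAR_NULL_LIMIT = 0x1000  # assumption: faults inside the first page count as near-null


def parse_asan_report(text):
    """Extract signal, fault address, access type and symbolized frames."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no AddressSanitizer SEGV header found")
    access = ACCESS_RE.search(text)
    frames = [
        {"index": int(i), "pc": int(pc, 16), "function": fn, "location": loc}
        for i, pc, fn, loc in FRAME_RE.findall(text)
    ]
    return {
        "signal": header.group(1),
        "fault_addr": int(header.group(2), 16),
        "pc": int(header.group(3), 16),
        "access": access.group(1) if access else "UNKNOWN",
        "frames": frames,
    }


def classify(report, limit=NEAR_NULL_LIMIT):
    """Label the fault by address range and access type, e.g. 'near-null READ'."""
    kind = "near-null" if report["fault_addr"] < limit else "wild"
    return f"{kind} {report['access']}"


def crash_site(report):
    """Return (frames sharing frame #0's pc, first frame with a different pc).

    The symbolizer emits one line per inlined call at the same pc, so the
    leading group is a single machine-level crash site, innermost first.
    """
    frames = report["frames"]
    if not frames:
        return [], None
    pc0 = frames[0]["pc"]
    inlined = list(takewhile(lambda f: f["pc"] == pc0, frames))
    caller = frames[len(inlined)] if len(inlined) < len(frames) else None
    return inlined, caller


if __name__ == "__main__":
    rep = parse_asan_report(ASAN_REPORT)
    site, caller = crash_site(rep)
    print(classify(rep), "at", hex(rep["fault_addr"]))
    print("crash site:", " <- ".join(f["function"] for f in site))
    print("called from:", caller["function"] if caller else "n/a")
```
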

Bisection:
Bug 1881096 - Add tests for shadow-crossing selection r=emilio,jjaschke,dom-core

Differential Revision: https://phabricator.services.mozilla.com/D212930

Keywords: regression
Regressed by: 1881096

Set release status flags based on info from the regressing bug 1881096

:sefeng, since you are the author of the regressor, bug 1881096, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Verified bug as reproducible on mozilla-central 20240711042720-be6b3324bc2c.
The bug appears to have been introduced in the following build range:

Start: d9e1c4b495cb148848fd3ad0b73fb8ba03b71f30 (20240620195918)
End: 020d2296a729f0be03d028dfca5f46b498b9c4b9 (20240620220214)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d9e1c4b495cb148848fd3ad0b73fb8ba03b71f30&tochange=020d2296a729f0be03d028dfca5f46b498b9c4b9

Whiteboard: [bugmon:bisected,confirmed]

I am confused by the regression window and affected Firefox versions. There are crash reports for the signature [@ nsINode::GetBoolFlag ] in Fx 127, Fx 128 or ESR 115 before bug 1881096 landed.

Assignee: nobody → sefeng
Status: NEW → ASSIGNED

Hsinyi, I think there are multiple callers of nsINode::GetBoolFlag that can trigger a crash, that's why you see crashes before bug 1881096.

However this bug is legit because GetShadowRoot is one of the crash callers :)

Flags: needinfo?(sefeng)
Pushed by sefeng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/525316d699c5
Fix a crash about when Element::FromNode is used for textnode r=jjaschke,dom-core

Backed out for causing reftest failures on 1907228.html

[task 2024-07-16T22:22:17.856Z] 22:22:17     INFO - REFTEST TEST-END | dom/base/crashtests/1907228.html
[task 2024-07-16T22:22:17.857Z] 22:22:17     INFO - REFTEST TEST-UNEXPECTED-FAIL | dom/base/crashtests/1907228.html | assertion count 1 is more than expected 0 assertions
[task 2024-07-16T22:22:17.857Z] 22:22:17     INFO - REFTEST TEST-START | dom/bindings/crashtests/769464.html
Flags: needinfo?(sefeng)

So the attached patch fixes the null pointer crash; however, the test case will trigger this assertion https://searchfox.org/mozilla-central/rev/8c6edfe25c094e032a27722ef30f69555f556bf8/dom/base/ContentIterator.cpp#1171, which is a preexisting issue.

So I'll modify the crashtests.list to allow this assertion to happen and file a new bug for fixing this assertion.

Flags: needinfo?(sefeng)
Blocks: 1908485
Pushed by sefeng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5d5de7f7081b
Fix a crash about when Element::FromNode is used for textnode r=jjaschke,dom-core
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 130 Branch

Verified bug as fixed on rev mozilla-central 20240717212306-e2109b806cd9.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

The patch landed in nightly and beta is affected.
:sefeng, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox129 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(sefeng)

Comment on attachment 9413093 [details]
Bug 1907228 - Fix a crash about when Element::FromNode is used for textnode

Beta/Release Uplift Approval Request

  • User impact if declined: Users will experience a null pointer access which is bad
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change itself is trivial.
  • String changes made/needed:
  • Is Android affected?: Yes
Flags: needinfo?(sefeng)
Attachment #9413093 - Flags: approval-mozilla-beta?

Comment on attachment 9413093 [details]
Bug 1907228 - Fix a crash about when Element::FromNode is used for textnode

Approved for 129.0b6

Attachment #9413093 - Flags: approval-mozilla-beta? → approval-mozilla-beta+