1908306 - null ptr crash in [@ nsRange::ResetCrossShadowBoundaryRange]

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Frederik Braun [:freddy] (OOO until August 18th)]

Crash report: https://crash-stats.mozilla.org/report/index/981b53fe-aa6b-4c67-b395-bec390240717

Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 10 frames:

0  XUL  RefPtr<mozilla::dom::CrossShadowBoundaryRange>::assign_assuming_AddRef(mozill...  mfbt/RefPtr.h:65
0  XUL  RefPtr<mozilla::dom::CrossShadowBoundaryRange>::operator=(std::nullptr_t)  mfbt/RefPtr.h:180
0  XUL  nsRange::ResetCrossShadowBoundaryRange()  dom/base/nsRange.h:417
0  XUL  mozilla::dom::CrossShadowBoundaryRange::ParentChainChanged(nsIContent*)  dom/base/CrossShadowBoundaryRange.cpp:253
0  XUL  {virtual override thunk({offset(-184)}, mozilla::dom::CrossShadowBoundaryRang...  dom/base/CrossShadowBoundaryRange.cpp:0
1  XUL  mozilla::dom::MutationObservers::NotifyParentChainChanged(nsIContent*)  dom/base/MutationObservers.h:117
1  XUL  mozilla::dom::Element::UnbindFromTree(mozilla::dom::UnbindContext&)  dom/base/Element.cpp:2175
2  XUL  nsGenericHTMLElement::UnbindFromTree(mozilla::dom::UnbindContext&)  dom/html/nsGenericHTMLElement.cpp:556
2  XUL  nsGenericHTMLFormElement::UnbindFromTree(mozilla::dom::UnbindContext&)  dom/html/nsGenericHTMLElement.cpp:1876
2  XUL  mozilla::dom::HTMLInputElement::UnbindFromTree(mozilla::dom::UnbindContext&)  dom/html/HTMLInputElement.cpp:4491

I believe this is a safe null crash, but I have not looked further, so I am marking this as a security bug just to be sure.

The issue happened for me on https://github.com/notifications and there are some other reports with the same signature from the (roughly) same date range. Likely a recent regression.

Comment 1

[Frederik Braun [:freddy] (OOO until August 18th)]

Could be bug 1907464. CCing Sean Feng.

Comment 2

[Andrew McCreight [:mccr8]]

Looks like mOwner is null. Unhiding.

Comment 3

[Andrew McCreight [:mccr8]]

I'm marking this S2 because it looks like a crash regression happening on real sites.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1907464

:sefeng, since you are the author of the regressor, bug 1907464, could you take a look?

For more information, please visit BugBot documentation.

Comment 5

[Sean Feng [:sefeng211]]

Thanks, yeah looking. It should remove the mutation observer when mOwner is becoming null, so I don't see why...I might need to add a few diagnostic assertions.

Comment 6

[Sean Feng [:sefeng211]]

Attachment: Bug 1908306 - Allow casting nsStubMutationObserver to a DoublyLinkedListElement to check whether it's observing an instance

Also a IsInList() method is added to DoublyLinkedListElement.

Comment 7

[Sean Feng [:sefeng211]]

Attachment: Bug 1908306 - Add more assertions to CrossShadowBoundaryRange to investigate why mOwner could be null

Comment 8

[Sean Feng [:sefeng211]]

Attachment: Bug 1908306 - Ensure CrossShadowBoundaryRange stops observing any instances when the common ancestor is unlinked r=jjaschke

Comment 9

[Pulsebot]

Pushed by sefeng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e5394284e485
Ensure CrossShadowBoundaryRange stops observing any instances when the common ancestor is unlinked r=jjaschke,dom-core

Comment 10

[Serban Stanca [:SerbanS]]

https://hg.mozilla.org/mozilla-central/rev/e5394284e485

Comment 11

[Sean Feng [:sefeng211]]

The last occurrence of this crash was from build 20240719162139. Looks like my patch has fixed it, so I am clearing my NI :)

Comment 13

[BugBot [:suhaib / :marco/ :calixte]]

Copying crash signatures from duplicate bugs.