Closed Bug 1941827 Opened 24 days ago Closed 23 days ago

Assertion failure: editingHost, at /editor/libeditor/HTMLEditor.cpp:7886

Categories

(Core :: DOM: Editor, defect)

VERIFIED FIXED
136 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox134 --- unaffected
firefox135 --- fixed
firefox136 --- verified

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(3 files)

Testcase found while fuzzing mozilla-central rev 5904a2d552f2 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 5904a2d552f2 --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: editingHost, at /editor/libeditor/HTMLEditor.cpp:7886

    ==483475==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7c1e410524e3 bp 0x7ffe12f8cd50 sp 0x7ffe12f8cca0 T483475)
    ==483475==The signal is caused by a WRITE memory access.
    ==483475==Hint: address points to the zero page.
        #0 0x7c1e410524e3 in mozilla::HTMLEditor::DocumentModifiedEvent::MaybeAppendNewInvisibleWhiteSpace(nsIContent const*) /editor/libeditor/HTMLEditor.cpp:7886:3
        #1 0x7c1e4105208a in mozilla::HTMLEditor::OnDocumentModified(nsIContent const*) /editor/libeditor/HTMLEditSubActionHandler.cpp:12472:35
        #2 0x7c1e4106ed92 in mozilla::HTMLEditor::ContentWillBeRemoved(nsIContent*) /editor/libeditor/HTMLEditor.cpp:5069:19
        #3 0x7c1e3d4f0ead in operator() /dom/base/MutationObservers.cpp:187:35
        #4 0x7c1e3d4f0ead in ForEachAncestorObserver<(lambda at /dom/base/MutationObservers.cpp:187:35)> /dom/base/MutationObservers.cpp:60:11
        #5 0x7c1e3d4f0ead in Notify<(NotifyPresShell)1, (lambda at /dom/base/MutationObservers.cpp:187:35)> /dom/base/MutationObservers.cpp:94:19
        #6 0x7c1e3d4f0ead in mozilla::dom::MutationObservers::NotifyContentWillBeRemoved(nsINode*, nsIContent*) /dom/base/MutationObservers.cpp:186:3
        #7 0x7c1e3d68f8a8 in nsINode::RemoveChildNode(nsIContent*, bool) /dom/base/nsINode.cpp:2328:5
        #8 0x7c1e3d6853a8 in nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&) /dom/base/nsINode.cpp:955:3
        #9 0x7c1e3dada1dc in mozilla::dom::Node_Binding::removeChild(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./NodeBinding.cpp:1086:60
        #10 0x7c1e3e79677d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3290:13
        #11 0x7c1e4202c96a in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:532:13
        #12 0x7c1e4202c143 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:628:12
        #13 0x7c1e42042c88 in CallFromStack /js/src/vm/Interpreter.cpp:700:10
        #14 0x7c1e42042c88 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3338:16
        #15 0x7c1e4202b5da in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:502:13
        #16 0x7c1e4202c02d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:660:13
        #17 0x7c1e4202d798 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:727:8
        #18 0x7c1e42114e7b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #19 0x7c1e3e4aeb28 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8
        #20 0x7c1e3f04e176 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #21 0x7c1e3f04dd05 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1340:43
        #22 0x7c1e3f04ee49 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1663:12
        #23 0x7c1e3f04e6a1 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1560:35
        #24 0x7c1e3f04259e in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:466:5
        #25 0x7c1e3f04259e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:365:17
        #26 0x7c1e3f041c6c in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:606:16
        #27 0x7c1e3f044601 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1221:11
        #28 0x7c1e3f0476ea in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #29 0x7c1e3d6887bc in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1479:17
        #30 0x7c1e3d1539c3 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /dom/base/nsContentUtils.cpp:4759:29
        #31 0x7c1e3d153836 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /dom/base/nsContentUtils.cpp:4725:10
        #32 0x7c1e3d3d5455 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8412:3
        #33 0x7c1e3d493075 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
        #34 0x7c1e3d493075 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
        #35 0x7c1e3d493075 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
        #36 0x7c1e3d493075 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
        #37 0x7c1e3d493075 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
        #38 0x7c1e3d493075 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
        #39 0x7c1e3d493075 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
        #40 0x7c1e3b4dc687 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:688:16
        #41 0x7c1e3b4d2b6d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1015:20
        #42 0x7c1e3b4d17e7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:838:15
        #43 0x7c1e3b4d1c65 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:624:36
        #44 0x7c1e3b4e4e76 in operator() /xpcom/threads/TaskController.cpp:336:37
        #45 0x7c1e3b4e4e76 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #46 0x7c1e3b4f8594 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1159:16
        #47 0x7c1e3b4ff24f in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #48 0x7c1e3c0ab5e7 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #49 0x7c1e3bffbfe1 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #50 0x7c1e3bffbfe1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #51 0x7c1e40e92468 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #52 0x7c1e40f54004 in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:470:33
        #53 0x7c1e41e7c55b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:646:20
        #54 0x7c1e3c0ac494 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #55 0x7c1e3bffbfe1 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #56 0x7c1e3bffbfe1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #57 0x7c1e41e7b98a in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:584:34
        #58 0x601b3e10b7be in main /browser/app/nsBrowserApp.cpp:397:22
        #59 0x7c1e4b6a11c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #60 0x7c1e4b6a128a in __libc_start_main csu/../csu/libc-start.c:360:3
        #61 0x601b3e0df028 in _start (/home/jkratzer/builds/m-c-20250115042832-fuzzing-debug/firefox-bin+0x5b028) (BuildId: 63ca9294f19b39e254fcb7a980f6853e00ba175a)
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /editor/libeditor/HTMLEditor.cpp:7886:3 in mozilla::HTMLEditor::DocumentModifiedEvent::MaybeAppendNewInvisibleWhiteSpace(nsIContent const*)
    ==483475==ABORTING
Attached file Testcase

Hmm, that causes an odd tree.

<!doctype html>
<html>
  (innerText value)
  <body></body>
</html>
Assignee: nobody → masayuki
Severity: -- → S2
Status: NEW → ASSIGNED
Keywords: regression
OS: Linux → All
Regressed by: 1940278
Hardware: x86_64 → All

Err, no, I forgot the DOMContentLoaded event. So, it becomes:

<!doctype html>
<html>
  (innerText value)
</html>

I.e., there is no <body>.

Verified bug as reproducible on mozilla-central 20250115215720-f7524feb52aa.
The bug appears to have been introduced in the following build range:

Start: 6da2f152d57b1d53d526ce821330553db4947c84 (20250109093225)
End: 419c5be09fedecd0a4d27258ba0deed9b3e1e312 (20250109091445)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6da2f152d57b1d53d526ce821330553db4947c84&tochange=419c5be09fedecd0a4d27258ba0deed9b3e1e312

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

The logic before getting the editing host in them is correct, but both
nsIContent::GetEditingHost() and HTMLEditor::ComputeEditingHostInternal()
return the Document::GetBody() result if it's in design mode.

For now, we should just add nullptr checks to the methods since they are
required only for some specific web apps.
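
A toy model of the failure described in the comment above, added here as an illustration; it is not part of the bug's patch or of Gecko's code, and the Document/Content types, GetEditingHost and the Outcome enum are constructed stand-ins for the real methods named on the crash stack.

```cpp
// Added illustration, not Gecko code: a constructed model of the editing-host
// lookup described in the bug. Names mirror the Gecko methods only loosely.
#include <memory>
#include <string>

struct Content {
  std::string tag;
  bool contentEditable = false;
};

struct Document {
  bool designMode = false;
  std::unique_ptr<Content> body;  // nullptr once <body> has been removed
  Content* GetBody() const { return body.get(); }
};

// Per the bug comment: in designMode the editing host is GetBody(), so the
// lookup yields nullptr when the document currently has no <body>.
Content* GetEditingHost(const Document& doc, Content* node) {
  if (doc.designMode) return doc.GetBody();
  return (node && node->contentEditable) ? node : nullptr;
}

enum class Outcome { NoEditingHost, WhiteSpaceHandled };

// Hardened shape of the handler on the crash stack: a missing editing host is
// a legitimate state (body removed during DOMContentLoaded), so return early
// instead of asserting and then dereferencing a null pointer.
Outcome MaybeAppendNewInvisibleWhiteSpace(const Document& doc, Content* node) {
  Content* editingHost = GetEditingHost(doc, node);
  if (!editingHost) return Outcome::NoEditingHost;  // was MOZ_ASSERT(editingHost)
  // The real code walks editingHost's children here; modelled as a no-op.
  return Outcome::WhiteSpaceHandled;
}

// Replays the sequence from the bug: a designMode document whose <body> is
// removed, then the document-modified hook runs with no body left.
Outcome SimulateBodyRemovalInDesignMode() {
  Document doc;
  doc.designMode = true;
  doc.body = std::make_unique<Content>();
  doc.body->tag = "body";
  std::unique_ptr<Content> removed = std::move(doc.body);  // removeChild(body)
  return MaybeAppendNewInvisibleWhiteSpace(doc, removed.get());
}
```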

Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/a177fb513de6 Make `DocumentModifiedEvent` and `HTMLEditor::OnModifyDocument` assume there is no editing host r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/50116 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: ASSIGNED → RESOLVED
Closed: 23 days ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch
Upstream PR merged by moz-wptsync-bot

Verified bug as fixed on rev mozilla-central 20250116153242-bf920dd0a5a1.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Flags: in-testsuite+

Original Revision: https://phabricator.services.mozilla.com/D234442

Attachment #9460079 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: Crash due to nullptr reference if a malicious web site does the same thing
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: Run the automated test
  • Risk associated with taking this patch: Low
  • Explanation of risk level: Just adding a null check instead of MOZ_ASSERT
  • String changes made/needed: none
  • Is Android affected?: yes
Attachment #9460079 - Flags: approval-mozilla-beta? → approval-mozilla-beta+