Assertion failure: editingHost, at /editor/libeditor/HTMLEditor.cpp:7886
Categories: Core :: DOM: Editor, defect

Tracking

Branch | Tracking | Status
---|---|---
firefox-esr115 | --- | unaffected
firefox-esr128 | --- | unaffected
firefox134 | --- | unaffected
firefox135 | --- | fixed
firefox136 | --- | verified

People: Reporter: jkratzer, Assigned: masayuki
References: Blocks 1 open bug, Regression
Details: Keywords: regression, testcase; Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream]
Attachments: 3 files
Testcase found while fuzzing mozilla-central rev 5904a2d552f2 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 5904a2d552f2 --debug --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: editingHost, at /editor/libeditor/HTMLEditor.cpp:7886
==483475==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7c1e410524e3 bp 0x7ffe12f8cd50 sp 0x7ffe12f8cca0 T483475)
==483475==The signal is caused by a WRITE memory access.
==483475==Hint: address points to the zero page.
#0 0x7c1e410524e3 in mozilla::HTMLEditor::DocumentModifiedEvent::MaybeAppendNewInvisibleWhiteSpace(nsIContent const*) /editor/libeditor/HTMLEditor.cpp:7886:3
#1 0x7c1e4105208a in mozilla::HTMLEditor::OnDocumentModified(nsIContent const*) /editor/libeditor/HTMLEditSubActionHandler.cpp:12472:35
#2 0x7c1e4106ed92 in mozilla::HTMLEditor::ContentWillBeRemoved(nsIContent*) /editor/libeditor/HTMLEditor.cpp:5069:19
#3 0x7c1e3d4f0ead in operator() /dom/base/MutationObservers.cpp:187:35
#4 0x7c1e3d4f0ead in ForEachAncestorObserver<(lambda at /dom/base/MutationObservers.cpp:187:35)> /dom/base/MutationObservers.cpp:60:11
#5 0x7c1e3d4f0ead in Notify<(NotifyPresShell)1, (lambda at /dom/base/MutationObservers.cpp:187:35)> /dom/base/MutationObservers.cpp:94:19
#6 0x7c1e3d4f0ead in mozilla::dom::MutationObservers::NotifyContentWillBeRemoved(nsINode*, nsIContent*) /dom/base/MutationObservers.cpp:186:3
#7 0x7c1e3d68f8a8 in nsINode::RemoveChildNode(nsIContent*, bool) /dom/base/nsINode.cpp:2328:5
#8 0x7c1e3d6853a8 in nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&) /dom/base/nsINode.cpp:955:3
#9 0x7c1e3dada1dc in mozilla::dom::Node_Binding::removeChild(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./NodeBinding.cpp:1086:60
#10 0x7c1e3e79677d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3290:13
#11 0x7c1e4202c96a in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:532:13
#12 0x7c1e4202c143 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:628:12
#13 0x7c1e42042c88 in CallFromStack /js/src/vm/Interpreter.cpp:700:10
#14 0x7c1e42042c88 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3338:16
#15 0x7c1e4202b5da in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:502:13
#16 0x7c1e4202c02d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:660:13
#17 0x7c1e4202d798 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:727:8
#18 0x7c1e42114e7b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
#19 0x7c1e3e4aeb28 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8
#20 0x7c1e3f04e176 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#21 0x7c1e3f04dd05 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1340:43
#22 0x7c1e3f04ee49 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1663:12
#23 0x7c1e3f04e6a1 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1560:35
#24 0x7c1e3f04259e in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:466:5
#25 0x7c1e3f04259e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:365:17
#26 0x7c1e3f041c6c in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:606:16
#27 0x7c1e3f044601 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1221:11
#28 0x7c1e3f0476ea in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
#29 0x7c1e3d6887bc in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1479:17
#30 0x7c1e3d1539c3 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /dom/base/nsContentUtils.cpp:4759:29
#31 0x7c1e3d153836 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /dom/base/nsContentUtils.cpp:4725:10
#32 0x7c1e3d3d5455 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8412:3
#33 0x7c1e3d493075 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#34 0x7c1e3d493075 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#35 0x7c1e3d493075 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#36 0x7c1e3d493075 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#37 0x7c1e3d493075 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#38 0x7c1e3d493075 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#39 0x7c1e3d493075 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#40 0x7c1e3b4dc687 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:688:16
#41 0x7c1e3b4d2b6d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1015:20
#42 0x7c1e3b4d17e7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:838:15
#43 0x7c1e3b4d1c65 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:624:36
#44 0x7c1e3b4e4e76 in operator() /xpcom/threads/TaskController.cpp:336:37
#45 0x7c1e3b4e4e76 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
#46 0x7c1e3b4f8594 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1159:16
#47 0x7c1e3b4ff24f in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
#48 0x7c1e3c0ab5e7 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#49 0x7c1e3bffbfe1 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
#50 0x7c1e3bffbfe1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
#51 0x7c1e40e92468 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
#52 0x7c1e40f54004 in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:470:33
#53 0x7c1e41e7c55b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:646:20
#54 0x7c1e3c0ac494 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#55 0x7c1e3bffbfe1 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
#56 0x7c1e3bffbfe1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
#57 0x7c1e41e7b98a in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:584:34
#58 0x601b3e10b7be in main /browser/app/nsBrowserApp.cpp:397:22
#59 0x7c1e4b6a11c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#60 0x7c1e4b6a128a in __libc_start_main csu/../csu/libc-start.c:360:3
#61 0x601b3e0df028 in _start (/home/jkratzer/builds/m-c-20250115042832-fuzzing-debug/firefox-bin+0x5b028) (BuildId: 63ca9294f19b39e254fcb7a980f6853e00ba175a)
==483475==Register values:
rax = 0x00007c1e37d0e867 rbx = 0x0000601b57804660 rcx = 0x0000601b3eb8ea20 rdx = 0x00007c1e4b87b563
rdi = 0x00007c1e4b87c700 rsi = 0x0000000000000000 rbp = 0x00007ffe12f8cd50 rsp = 0x00007ffe12f8cca0
r8 = 0x0000000000000000 r9 = 0x0000000000000003 r10 = 0x0000000000000000 r11 = 0x0000000000000293
r12 = 0x0000601b57804660 r13 = 0x0000000000000080 r14 = 0x0000601b57ae8b70 r15 = 0x0000601b57804660
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /editor/libeditor/HTMLEditor.cpp:7886:3 in mozilla::HTMLEditor::DocumentModifiedEvent::MaybeAppendNewInvisibleWhiteSpace(nsIContent const*)
==483475==ABORTING
Comment 1 • 24 days ago (Reporter)

Comment 2 • 24 days ago (Assignee)
Hmm, that causes an odd tree.
<!doctype html>
<html>
(innerText value)
<body></body>
</html>
Comment 3 • 24 days ago (Assignee)
Err, no, I forgot the DOMContentLoaded event. So, it becomes:
<!doctype html>
<html>
(innerText value)
</html>
I.e., there is no <body>.
Comment 4 • 24 days ago
Verified bug as reproducible on mozilla-central 20250115215720-f7524feb52aa.
The bug appears to have been introduced in the following build range:
Start: 6da2f152d57b1d53d526ce821330553db4947c84 (20250109093225)
End: 419c5be09fedecd0a4d27258ba0deed9b3e1e312 (20250109091445)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6da2f152d57b1d53d526ce821330553db4947c84&tochange=419c5be09fedecd0a4d27258ba0deed9b3e1e312
Comment 5 • 24 days ago (Assignee)
The logic before getting the editing host in them is correct, but both nsIContent::GetEditingHost() and HTMLEditor::ComputeEditingHostInternal() return the Document::GetBody() result if it's in the design mode.
For now, we should just add nullptr checks into the methods since they are required only for some specific web apps.
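The mechanism the assignee describes, as an added example that is not Mozilla code and not part of this bug: a small model of an editing-host lookup that bottoms out in Document::GetBody() in designMode, the null write that results once a script has removed the <body> (the sanitizer report above shows a WRITE to the zero page), and the fix of a nullptr check in place of a debug-only MOZ_ASSERT. All names here (Node, Document, EditorModel, RunScenario, Outcome) are hypothetical stand-ins for the Gecko classes named in the bug; the real editor's data structures and the exact testcase differ, and the removal order below is an assumption chosen to produce a body-less tree like the one in comment 3.

```cpp
// Added example, not Mozilla code. Hypothetical model of the editing-host
// lookup behind this bug; class and method names are stand-ins for Gecko's.
#include <algorithm>
#include <cassert>
#include <memory>
#include <string>
#include <vector>

struct Node {
  std::string tag;                 // "html", "body", "#text", ...
  Node* parent = nullptr;
  std::vector<std::unique_ptr<Node>> children;
  bool invisibleWhiteSpaceAppended = false;  // the state the real method writes

  Node* AppendChild(std::string aTag) {
    children.push_back(std::make_unique<Node>());
    Node* child = children.back().get();
    child->tag = std::move(aTag);
    child->parent = this;
    return child;
  }
};

struct EditorModel;  // the mutation observer that hears about removals

struct Document {
  Node root{"html"};
  bool designMode = false;
  EditorModel* editor = nullptr;

  // Model of Document::GetBody(): the <body> child of <html>, or nullptr.
  Node* GetBody() {
    for (auto& c : root.children) if (c->tag == "body") return c.get();
    return nullptr;
  }

  // Model of nsIContent::GetEditingHost(): in designMode the host is the
  // body, which is exactly the node a page script can remove.
  Node* GetEditingHost(Node* /*aContent*/) {
    return designMode ? GetBody() : nullptr;  // contenteditable case omitted
  }

  // Model of nsINode::RemoveChildNode(): observers are notified *before*
  // the node is detached, as in the stack trace (ContentWillBeRemoved).
  void RemoveChild(Node* aChild);
};

struct EditorModel {
  int bailouts = 0;    // times the fixed code returned early on a null host
  int wouldCrash = 0;  // times the unchecked code would have written to null

  // Model of HTMLEditor::DocumentModifiedEvent::MaybeAppendNewInvisibleWhiteSpace()
  // in its fixed form: a nullptr check instead of MOZ_ASSERT(editingHost),
  // which is compiled out of release builds and so guards nothing there.
  bool MaybeAppendNewInvisibleWhiteSpace(Document& aDoc, Node* aContent) {
    Node* editingHost = aDoc.GetEditingHost(aContent);
    if (!editingHost) {
      ++bailouts;
      return false;
    }
    editingHost->invisibleWhiteSpaceAppended = true;
    return true;
  }

  // The pre-fix shape, kept beside it: with only an assertion, a null
  // editingHost reaches the write. We count instead of dereferencing.
  void UncheckedVariant(Document& aDoc, Node* aContent) {
    Node* editingHost = aDoc.GetEditingHost(aContent);
    // MOZ_ASSERT(editingHost);  <- no-op in a release build
    if (!editingHost) { ++wouldCrash; return; }  // stand-in for the SEGV
    editingHost->invisibleWhiteSpaceAppended = true;
  }

  void ContentWillBeRemoved(Document& aDoc, Node* aContent) {
    UncheckedVariant(aDoc, aContent);
    MaybeAppendNewInvisibleWhiteSpace(aDoc, aContent);
  }
};

void Document::RemoveChild(Node* aChild) {
  if (editor) editor->ContentWillBeRemoved(*this, aChild);
  auto& siblings = aChild->parent->children;
  siblings.erase(std::find_if(siblings.begin(), siblings.end(),
                              [&](auto& p) { return p.get() == aChild; }));
}

struct Outcome { int bailouts; int wouldCrash; bool bodyStillPresent; };

// Assumed sequence: designMode is on and a DOMContentLoaded handler removes
// <body>; the next removal under <html> then runs the editor against a
// document with no body, which is where only the null check saves us.
Outcome RunScenario() {
  Document doc;
  EditorModel editor;
  doc.editor = &editor;
  doc.designMode = true;

  Node* body = doc.root.AppendChild("body");
  Node* text = doc.root.AppendChild("#text");  // direct child of <html>

  doc.RemoveChild(body);  // body still in tree while observers run: host found
  doc.RemoveChild(text);  // GetBody() is now nullptr: unchecked code writes to 0

  return {editor.bailouts, editor.wouldCrash, doc.GetBody() != nullptr};
}
```

RunScenario() reports one bailout from the checked path and one would-be null write from the unchecked path, both on the second removal; the first removal is safe because the mutation observer runs before <body> leaves the tree.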
Comment 8 • 23 days ago (bugherder)
Comment 10 • 23 days ago
Verified bug as fixed on rev mozilla-central 20250116153242-bf920dd0a5a1.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 11 • 23 days ago (Assignee)
The logic before getting the editing host in them is correct, but both nsIContent::GetEditingHost() and HTMLEditor::ComputeEditingHostInternal() return the Document::GetBody() result if it's in the design mode.
For now, we should just add nullptr checks into the methods since they are required only for some specific web apps.
Original Revision: https://phabricator.services.mozilla.com/D234442
Comment 12 • 23 days ago
beta Uplift Approval Request
- User impact if declined: Crash due to nullptr reference if malicious web site does same thing
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: Run the automated test
- Risk associated with taking this patch: Low
- Explanation of risk level: Just adding null-check instead of
MOZ_ASSERT
- String changes made/needed: none
- Is Android affected?: yes
Comment 13 • 23 days ago (uplift)