Closed Bug 1954751 Opened 1 month ago Closed 23 days ago

Crash [@ get]

Categories

(Core :: Disability Access APIs, defect)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
138 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox136 --- unaffected
firefox137 --- wontfix
firefox138 --- verified

People

(Reporter: jkratzer, Assigned: Jamie)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files, 1 obsolete file)

Testcase found while fuzzing mozilla-central rev 28eeefe17675 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 28eeefe17675 --asan --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
[@ get]

    =================================================================
    ==187970==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x73724bfe302c bp 0x7ffcd38f7730 sp 0x7ffcd38f7710 T0)
    ==187970==The signal is caused by a READ memory access.
    ==187970==Hint: address points to the zero page.
        #0 0x73724bfe302c in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:314:27
        #1 0x73724bfe302c in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:344:12
        #2 0x73724bfe302c in OwnerDoc /dom/base/nsINode.h:777:12
        #3 0x73724bfe302c in GetTextContainer /accessible/base/nsAccUtils.cpp:245:65
        #4 0x73724bfe302c in mozilla::a11y::SelectionManager::SelectionRangeChanged(mozilla::SelectionType, mozilla::dom::AbstractRange const&) /accessible/base/SelectionManager.cpp:222:30
        #5 0x737244775fda in mozilla::dom::Selection::StyledRanges::Clear() /dom/base/Selection.cpp:2244:10
        #6 0x7372447747b1 in mozilla::dom::Selection::Clear(nsPresContext*) /dom/base/Selection.cpp:1478:17
        #7 0x73724476c148 in mozilla::dom::Selection::RemoveAllRangesInternal(mozilla::ErrorResult&) /dom/base/Selection.cpp:2449:3
        #8 0x73724476bc3b in mozilla::dom::Selection::cycleCollection::Unlink(void*) /dom/base/Selection.cpp:835:23
        #9 0x73724060792c in nsCycleCollector::CollectWhite() /xpcom/base/nsCycleCollector.cpp:3288:26
        #10 0x73724060bb4d in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, JS::SliceBudget&, nsICycleCollectorListener*, bool) /xpcom/base/nsCycleCollector.cpp:3700:26
        #11 0x73724060fff5 in nsCycleCollector_collectSlice(JS::SliceBudget&, mozilla::CCReason, bool) /xpcom/base/nsCycleCollector.cpp:4251:21
        #12 0x73724498ae5c in nsJSContext::RunCycleCollectorSlice(mozilla::CCReason, mozilla::TimeStamp) /dom/base/nsJSEnvironment.cpp:1150:5
        #13 0x73724498e15c in mozilla::CCGCScheduler::CCRunnerFired(mozilla::TimeStamp) /dom/base/nsJSEnvironment.cpp:1323:9
        #14 0x7372407756c4 in operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
        #15 0x7372407756c4 in mozilla::IdleTaskRunner::Run() /xpcom/threads/IdleTaskRunner.cpp:124:14
        #16 0x737240776fdf in mozilla::IdleTaskRunnerTask::Run() /xpcom/threads/IdleTaskRunner.cpp:45:15
        #17 0x737240782398 in mozilla::TaskController::RunTask(mozilla::Task*) /xpcom/threads/TaskController.cpp:196:19
        #18 0x73724078944d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1252:20
        #19 0x73724078724b in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1117:15
        #20 0x7372407875a6 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:639:36
        #21 0x7372407a3601 in operator() /xpcom/threads/TaskController.cpp:333:37
        #22 0x7372407a3601 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #23 0x7372407c3f5b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1159:16
        #24 0x7372407ce8d8 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #25 0x737241d8650e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #26 0x737241c6e934 in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #27 0x737241c6e934 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #28 0x737241c6e934 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #29 0x73724aca1ca6 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #30 0x73724ae731ab in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:539:33
        #31 0x73724cbb954d in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:646:20
        #32 0x737241c6e934 in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #33 0x737241c6e934 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #34 0x737241c6e934 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #35 0x73724cbb7b6e in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:584:34
        #36 0x6237de119121 in main /browser/app/nsBrowserApp.cpp:397:22
        #37 0x7372630911c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #38 0x73726309128a in __libc_start_main csu/../csu/libc-start.c:360:3
        #39 0x6237de038ec8 in _start (/home/jkratzer/builds/m-c-20250318043238-fuzzing-asan-opt/firefox+0xd4ec8) (BuildId: e8586cf41b223da96cc2a20f1a68f511c03da856)
    
    ==187970==Register values:
    rax = 0x0000000000000006  rbx = 0x0000000000000000  rcx = 0x0000000000000022  rdx = 0x0000000000000080  
    rdi = 0x0000000000000030  rsi = 0x00000000000000f5  rbp = 0x00007ffcd38f7730  rsp = 0x00007ffcd38f7710  
     r8 = 0x0000000000001910   r9 = 0x0000000000000001  r10 = 0x0000737261272120  r11 = 0x00000e6e4c24e424  
    r12 = 0x0000000000000000  r13 = 0x0000512000188d88  r14 = 0x000051e000044480  r15 = 0x0000511000163540  
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:314:27 in get
    ==187970==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20250318090311-fcf2e06b70b4.
The bug appears to have been introduced in the following build range:

Start: 30aa94561355b435455f4aeae6f54c745d484eb7 (20250210093546)
End: 53c2f68b34286aa7043545e8af2f5a43f76e78c6 (20250210104807)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=30aa94561355b435455f4aeae6f54c745d484eb7&tochange=53c2f68b34286aa7043545e8af2f5a43f76e78c6

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Regressed by: 1909142

Set release status flags based on info from the regressing bug 1909142

:Jamie, since you are the author of the regressor, bug 1909142, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Assignee: nobody → jteh
Status: NEW → ASSIGNED
Severity: -- → S3
Flags: needinfo?(jteh)
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5294085df32f SelectionManager::SelectionRangeChanged: Fail gracefully if the range's closest common ancestor is null. r=eeejay
Status: ASSIGNED → RESOLVED
Closed: 23 days ago
Resolution: --- → FIXED
Target Milestone: --- → 138 Branch

Verified bug as fixed on rev mozilla-central 20250325043221-6e8194e3e366.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

The patch landed in nightly and beta is affected.
:Jamie, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox137 to wontfix.

Flags: needinfo?(jteh)
Attachment #9474577 - Flags: approval-mozilla-beta?
Flags: needinfo?(jteh)

beta Uplift Approval Request

  • User impact if declined: Rare crash.
  • Code covered by automated testing: no
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: not applicable
  • Risk associated with taking this patch: low
  • Explanation of risk level: Simple null check.
  • String changes made/needed: none
  • Is Android affected?: yes

:jamie 138 is now in beta... did you want to change this uplift request as consideration for 137 (release)? If you'd rather this ride the 138 trains, feel free to abandon D243058 revision.

Flags: needinfo?(jteh)
Attachment #9474577 - Attachment is obsolete: true
Attachment #9474577 - Flags: approval-mozilla-beta?
Flags: needinfo?(jteh)