Open
Bug 1977890
Opened 3 months ago
Updated 2 months ago
crash near null in [@ GetRangeBehaviour]
Categories
(Core :: DOM: Selection, defect)
Core
DOM: Selection
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox-esr140 | --- | unaffected |
| firefox141 | --- | unaffected |
| firefox142 | --- | wontfix |
| firefox143 | --- | wontfix |
| firefox144 | --- | fix-optional |
People
(Reporter: tsmith, Unassigned, NeedInfo)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(1 file)
|
180 bytes,
text/html
|
Details |
Found while fuzzing 20250711-0a0cf8765127 (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
==72215==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000088 (pc 0x7fffd7935456 bp 0x7fffffff85d0 sp 0x7fffffff84c0 T0)
==72215==The signal is caused by a READ memory access.
==72215==Hint: address points to the zero page.
#0 0x7fffd7935456 in AsRaw<nsINode, void> /builds/worker/workspace/obj-build/dist/include/mozilla/RangeBoundary.h:638:48
#1 0x7fffd7935456 in GetRangeBehaviour(nsRange const*, nsINode const*, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::Maybe<mozilla::RangeBoundaryBase<nsINode*, nsIContent*>> const&, bool, mozilla::dom::AllowRangeCrossShadowBoundary)::$_0::operator()() const /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:311:70
#2 0x7fffd78fe570 in GetRangeBehaviour(nsRange const*, nsINode const*, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::Maybe<mozilla::RangeBoundaryBase<nsINode*, nsIContent*>> const&, bool, mozilla::dom::AllowRangeCrossShadowBoundary) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:324:12
#3 0x7fffd78fdcd2 in nsRange::SetStart(mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::ErrorResult&, mozilla::dom::AllowRangeCrossShadowBoundary) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:1205:7
#4 0x7fffd78fda19 in nsRange::SetStart(nsINode&, unsigned int, mozilla::ErrorResult&, mozilla::dom::AllowRangeCrossShadowBoundary) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:1168:3
#5 0x7fffd7c7483a in mozilla::dom::Selection::Extend(nsINode&, unsigned int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3434:14
#6 0x7fffd7c73375 in mozilla::dom::Selection::ExtendJS(nsINode&, unsigned int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3148:3
#7 0x7fffd8a18e11 in mozilla::dom::Selection_Binding::extend(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./SelectionBinding.cpp:1422:24
#8 0x7fffd982450f in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306:13
#9 0x7fffe05ccb37 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:501:13
#10 0x7fffe05ccb37 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:12
#11 0x7fffe05eb5a8 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:664:10
#12 0x7fffe05eb5a8 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:669:10
#13 0x7fffe05eb5a8 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3287:16
#14 0x7fffe05cb919 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
#15 0x7fffe05cb919 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:471:13
#16 0x7fffe05cccad in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:629:13
#17 0x7fffe05ce9b1 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:664:10
#18 0x7fffe05ce9b1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:696:8
#19 0x7fffe0710fda in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#20 0x7fffd9376792 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#21 0x7fffda6fb537 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObjectBase::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#22 0x7fffda6f9ede in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:200:12
#23 0x7fffda6b1c70 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1368:22
#24 0x7fffda6b3c70 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1674:12
#25 0x7fffda6b2bc9 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1579:35
#26 0x7fffda69acc9 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:466:5
#27 0x7fffda69acc9 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:365:17
#28 0x7fffda6987d8 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:606:16
#29 0x7fffda69f696 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1268:11
#30 0x7fffdec20b7f in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1024:7
#31 0x7fffdf51a03b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6438:13
#32 0x7fffdf518fc2 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5758:7
#33 0x7fffdf51b442 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:0:0
#34 0x7fffd56c20a5 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1477:3
#35 0x7fffd56c0e95 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1010:14
#36 0x7fffd56bd097 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:831:9
#37 0x7fffd56c1200 in ChildDoneWithOnload /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.h:217:5
#38 0x7fffd56c1200 in nsDocLoader::NotifyDoneWithOnload(nsDocLoader*) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:904:14
#39 0x7fffd56bd0a2 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:833:9
#40 0x7fffd56bfbb9 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:712:5
#41 0x7fffdf5665e4 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:14391:23
#42 0x7fffd3f0c974 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:657:22
#43 0x7fffd3f0ed73 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:541:10
#44 0x7fffd79ceef2 in DoUnblockOnload /builds/worker/checkouts/gecko/dom/base/Document.cpp:12303:18
#45 0x7fffd79ceef2 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:12242:7
#46 0x7fffd79ffe6a in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8589:3
#47 0x7fffd7b2cbdf in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#48 0x7fffd7b2cbdf in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#49 0x7fffd7b2cbdf in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#50 0x7fffd7b2cbdf in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#51 0x7fffd7b2cbdf in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#52 0x7fffd7b2cbdf in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#53 0x7fffd7b2cbdf in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#54 0x7fffd3b1456a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:703:16
#55 0x7fffd3b01fd8 in mozilla::TaskController::RunTask(mozilla::Task*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:196:19
#56 0x7fffd3b090bd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1310:20
#57 0x7fffd3b06bf8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1133:15
#58 0x7fffd3b07216 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:639:36
#59 0x7fffd3b25321 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:333:37
#60 0x7fffd3b25321 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#61 0x7fffd3b441cb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#62 0x7fffd3b4eb48 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#63 0x7fffd51ec9ae in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#64 0x7fffd50d0804 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#65 0x7fffd50d0804 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#66 0x7fffd50d0804 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#67 0x7fffde39f7d6 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#68 0x7fffde57554b in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:471:33
#69 0x7fffe030e8fd in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:20
#70 0x7fffd50d0804 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#71 0x7fffd50d0804 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#72 0x7fffd50d0804 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#73 0x7fffe030cece in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:585:34
#74 0x5555556fbee1 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22
|
||
Comment 1•3 months ago
|
||
Got a crash from the testcase on latest Nightly: https://crash-stats.mozilla.org/report/index/6b8aa321-f872-45da-a1d7-aed790250718
Crash Signature: [@ mozilla::RangeBoundaryBase<T>::AsRaw ]
|
||
Comment 2•3 months ago
|
||
Verified bug as reproducible on mozilla-central 20250717222429-7ec5a911287f.
The bug appears to have been introduced in the following build range:
Start: 6dbc7b5217213f8fdae8212f46b881aa4b0eb3c6 (20250711024624)
End: 2fae5e8435bb7aacd36b752009048cb51f306c4a (20250711042814)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6dbc7b5217213f8fdae8212f46b881aa4b0eb3c6&tochange=2fae5e8435bb7aacd36b752009048cb51f306c4a
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 3•3 months ago
|
||
:sefeng211 given the range this might be related to bug 1903870?
Flags: needinfo?(sean)
|
||
Comment 4•3 months ago
|
||
It's probably Bug 1975990 I think, but yeah related to shadow dom selection.
|
|
||
Comment 5•3 months ago
|
||
Re-directing NI to reviewer
status-firefox141:
--- → unaffected
status-firefox143:
--- → affected
status-firefox-esr115:
--- → unaffected
status-firefox-esr128:
--- → unaffected
status-firefox-esr140:
--- → unaffected
Flags: needinfo?(sean) → needinfo?(smaug)
Regressed by: 1975990
|
|
||
Comment 6•2 months ago
|
||
:jjaschke i think i missed this one when I was re-directing the crashes. (re: https://bugzilla.mozilla.org/show_bug.cgi?id=1979463#c6)
Flags: needinfo?(smaug) → needinfo?(jjaschke)
|
|
||
Updated•2 months ago
|
|
||
Comment 7•2 months ago
|
||
Set release status flags based on info from the regressing bug 1975990
status-firefox144:
--- → affected
|
||
Updated•2 months ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•