Open Bug 1991465 Opened 6 months ago Updated 5 months ago

Crash [@ get]

Categories

(Core :: DOM: Core & HTML, defect, P2)

x86_64
Linux
defect

Tracking


ASSIGNED
Tracking Status
firefox-esr140 --- unaffected
firefox144 --- wontfix
firefox145 --- fix-optional

People

(Reporter: jkratzer, Assigned: keithamus)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: bugmon, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 2dfd502d8f50 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 2dfd502d8f50 --asan --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
[@ get]

    =================================================================
    ==194684==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x725b021130b6 bp 0x7fff78e3e5b0 sp 0x7fff78e3e570 T0)
    ==194684==The signal is caused by a READ memory access.
    ==194684==Hint: address points to the zero page.
        #0 0x725b021130b6 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:314:27
        #1 0x725b021130b6 in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:344:12
        #2 0x725b021130b6 in OwnerDoc /dom/base/nsINode.h:799:12
        #3 0x725b021130b6 in Init /dom/base/AbstractRange.cpp:210:19
        #4 0x725b021130b6 in mozilla::dom::AbstractRange::AbstractRange(nsINode*, bool, TreeKind) /dom/base/AbstractRange.cpp:203:3
        #5 0x725b025b4a5a in StaticRange /builds/worker/workspace/obj-build/dist/include/mozilla/dom/StaticRange.h:86:9
        #6 0x725b025b4a5a in mozilla::dom::StaticRange::Create(nsINode*) /dom/base/StaticRange.cpp:77:13
        #7 0x725b0258ddde in Create<nsINode *, nsIContent *, nsINode *, nsIContent *> /dom/base/StaticRange.cpp:90:7
        #8 0x725b0258ddde in Create /builds/worker/workspace/obj-build/dist/include/mozilla/dom/StaticRange.h:55:12
        #9 0x725b0258ddde in mozilla::dom::Selection::GetComposedRange(mozilla::dom::AbstractRange const*, mozilla::dom::Sequence<mozilla::OwningNonNull<mozilla::dom::ShadowRoot>> const&) const /dom/base/Selection.cpp:2509:39
        #10 0x725b0258e9ee in mozilla::dom::Selection::GetComposedRanges(mozilla::dom::ShadowRootOrGetComposedRangesOptions const&, mozilla::dom::Sequence<mozilla::OwningNonNull<mozilla::dom::ShadowRoot>> const&, nsTArray<RefPtr<mozilla::dom::StaticRange>>&)::$_0::operator()(mozilla::dom::Sequence<mozilla::OwningNonNull<mozilla::dom::ShadowRoot>> const&) const /dom/base/Selection.cpp:2526:15
        #11 0x725b0258e4bd in mozilla::dom::Selection::GetComposedRanges(mozilla::dom::ShadowRootOrGetComposedRangesOptions const&, mozilla::dom::Sequence<mozilla::OwningNonNull<mozilla::dom::ShadowRoot>> const&, nsTArray<RefPtr<mozilla::dom::StaticRange>>&) /dom/base/Selection.cpp:2534:12
        #12 0x725b034b72ec in mozilla::dom::Selection_Binding::getComposedRanges(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./SelectionBinding.cpp:1133:24
        #13 0x725b0425e69f in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3308:13
        #14 0x725b0b33ba57 in CallJSNative /js/src/vm/Interpreter.cpp:490:13
        #15 0x725b0b33ba57 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:586:12
        #16 0x725b0c4727b9 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /js/src/jit/BaselineIC.cpp:1695:10
        #17 0x381a26f30a03  ([anon:js-executable-memory]+0x2a03)
    
    ==194684==Register values:
    rax = 0x0000000000000006  rbx = 0x0000000000000030  rcx = 0x0000000000000000  rdx = 0x0000000000000010
    rdi = 0x000051000006eaf2  rsi = 0x0000000000000000  rbp = 0x00007fff78e3e5b0  rsp = 0x00007fff78e3e570
     r8 = 0x00000a200000dd51   r9 = 0x000051000006ea97  r10 = 0x00000a200000dd52  r11 = 0x00000a2080005d50
    r12 = 0x000051000006ea88  r13 = 0x00000a200000dd4f  r14 = 0x000051000006eaf3  r15 = 0x0000000000000000
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/home/jkratzer/builds/m-c-20250929081533-fuzzing-asan-opt/libxul.so+0xa6760b6) (BuildId: e9386a07859401063249d308ecaa142b1591be30)
    ==194684==ABORTING
Attached file Testcase
Attachment #9516959 - Attachment filename: testcase.html.undefined → testcase.html
Assignee: nobody → mozilla
Severity: -- → S2
Status: NEW → ASSIGNED
Priority: -- → P3
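A triage helper for AddressSanitizer SEGV reports like the one above, added here as an example; it is not part of this bug, of grizzly or of any Mozilla tooling. It parses the ERROR, access-type, hint and frame lines, skips the smart-pointer wrapper frames that produce the "[@ get]" signature so the real dereference site (OwnerDoc called on a null node in AbstractRange::Init) is reported, and classifies a read of an address inside the zero page as a null-pointer dereference while keeping use-after-free and overflow kinds flagged as security-sensitive. The sample report embedded in the block is copied from this bug's own ASan output, trimmed to the top frames; the regexes, the zero-page threshold, the wrapper-path list and the verdict labels are assumptions of the example.

```python
"""Classify an AddressSanitizer report: null dereference, wild access, or memory-safety bug."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: lines copied from this bug's ASan report (trimmed to the top frames).
SAMPLE_REPORT = """\
==194684==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x725b021130b6 bp 0x7fff78e3e5b0 sp 0x7fff78e3e570 T0)
==194684==The signal is caused by a READ memory access.
==194684==Hint: address points to the zero page.
    #0 0x725b021130b6 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:314:27
    #1 0x725b021130b6 in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:344:12
    #2 0x725b021130b6 in OwnerDoc /dom/base/nsINode.h:799:12
    #3 0x725b021130b6 in Init /dom/base/AbstractRange.cpp:210:19
    #4 0x725b021130b6 in mozilla::dom::AbstractRange::AbstractRange(nsINode*, bool, TreeKind) /dom/base/AbstractRange.cpp:203:3
SUMMARY: AddressSanitizer: SEGV (/home/jkratzer/builds/m-c-20250929081533-fuzzing-asan-opt/libxul.so+0xa6760b6)
"""

# Assumed regexes for the ASan report format (ERROR line, access-type line, frame lines).
ERROR_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: on (?:unknown )?address 0x(?P<addr>[0-9a-fA-F]+))?"
)
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+)\s+0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<loc>\S+)$")

ZERO_PAGE_LIMIT = 0x1000  # assumption: faults below one page are offsets from a null pointer
MEMORY_SAFETY_KINDS = {
    "heap-use-after-free", "heap-buffer-overflow", "stack-buffer-overflow",
    "global-buffer-overflow", "stack-use-after-return", "double-free", "bad-free",
}
# Smart-pointer accessor headers that sit on top of the stack; the real deref site is below them.
WRAPPER_PATHS = ("RefPtr.h", "nsCOMPtr.h", "UniquePtr.h")


@dataclass
class Triage:
    kind: str
    address: Optional[int]
    access: Optional[str]
    frames: List[Tuple[str, str]]       # (function, file:line:col) in stack order
    culprit: Optional[Tuple[str, str]]  # first frame outside the wrapper headers
    verdict: str
    rationale: str


def parse_asan_report(text: str):
    """Return (kind, address, access, frames) from raw ASan output."""
    kind, address, access, frames = None, None, None, []
    for line in text.splitlines():
        if kind is None:
            m = ERROR_RE.search(line)
            if m:
                kind = m.group("kind")
                address = int(m.group("addr"), 16) if m.group("addr") else None
                continue
        m = ACCESS_RE.search(line)
        if m:
            access = m.group("access")
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group("func"), m.group("loc")))
    if kind is None:
        raise ValueError("no 'ERROR: AddressSanitizer:' line found")
    return kind, address, access, frames


def find_culprit(frames):
    """First frame that is not a smart-pointer wrapper; this is where the null came from."""
    for func, loc in frames:
        if not any(w in loc for w in WRAPPER_PATHS):
            return (func, loc)
    return None


def classify(kind: str, address: Optional[int], access: Optional[str]):
    """Map (kind, address, access) to an assumed verdict label plus a one-line rationale."""
    addr_s = f"0x{address:x}" if address is not None else "unknown address"
    who = access or "access"
    if kind in MEMORY_SAFETY_KINDS:
        return "memory-safety", f"{kind} at {addr_s}: treat as security-sensitive until shown otherwise"
    if kind == "SEGV":
        if address is not None and address < ZERO_PAGE_LIMIT:
            note = "" if access == "READ" else "; a WRITE near null still needs a check for a controllable offset"
            return "null-deref", f"{who} at {addr_s}: offset {addr_s} from a null pointer (zero page){note}"
        return "wild-access", f"{who} at {addr_s}: not near null, possibly a dangling or uninitialised pointer"
    return "review", f"unclassified ASan report kind {kind!r}"


def triage(text: str) -> Triage:
    kind, address, access, frames = parse_asan_report(text)
    verdict, rationale = classify(kind, address, access)
    return Triage(kind, address, access, frames, find_culprit(frames), verdict, rationale)


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(t.verdict, "-", t.rationale)
    print("signature frame:", t.frames[0][0], "| real deref site:", t.culprit)
```

Running the block on the embedded report yields the null-deref verdict (a READ at 0x30, i.e. a field at offset 0x30 of a null object) and points at OwnerDoc in nsINode.h as the deref site rather than at RefPtr's get, which is the distinction a triager needs before accepting the "no security implication" call made later in this bug.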

Verified bug as reproducible on mozilla-central 20250929160404-e0d24a0fe50f.
The bug appears to have been introduced in the following build range:

Start: 324a320c87e98f4d668da7a8fb0efcfee0bd53dd (20250617161930)
End: 011876a25442004c2eb4a278859b549211765857 (20250617182935)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=324a320c87e98f4d668da7a8fb0efcfee0bd53dd&tochange=011876a25442004c2eb4a278859b549211765857

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:keithamus, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(mozilla)
Flags: needinfo?(mozilla)

This bug has been marked as a regression. Setting status flag for Nightly to affected.

Very low crash volume, no security implication, so adjusting the severity/priority after chatting with Keith.

Severity: S2 → S3
Priority: P3 → P2

(In reply to Bugmon [:jkratzer for issues] from comment #2)

Verified bug as reproducible on mozilla-central 20250929160404-e0d24a0fe50f.
The bug appears to have been introduced in the following build range:

Start: 324a320c87e98f4d668da7a8fb0efcfee0bd53dd (20250617161930)
End: 011876a25442004c2eb4a278859b549211765857 (20250617182935)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=324a320c87e98f4d668da7a8fb0efcfee0bd53dd&tochange=011876a25442004c2eb4a278859b549211765857

Adding "regressed by" based on the push range.

Regressed by: 1972095

Set release status flags based on info from the regressing bug 1972095
