Bug 1428393 - Crash near null [@ IsComposedDocParticipant]
Status: RESOLVED FIXED (closed)
Opened 7 years ago; closed 7 years ago
Categories: Core :: DOM: Core & HTML, defect, P2
Target Milestone: mozilla61
People: Reporter: jkratzer; Assigned: smaug
References: Blocks 1 open bug
Keywords: assertion, testcase
Attachments (2 files): testcase (text/html, deleted); patch (deleted), reviewed by mccr8 (review+)
Description
Testcase found while fuzzing mozilla-central rev f78a83244fbe.
==21701==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000101 (pc 0x7f1dc6959b07 bp 0x7ffc7d460e80 sp 0x7ffc7d460e80 T0)
==21701==The signal is caused by a READ memory access.
==21701==Hint: address points to the zero page.
#0 0x7f1dc6959b06 in IsComposedDocParticipant /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/ShadowRoot.h:144:44
#1 0x7f1dc6959b06 in nsINode::GetComposedDocInternal() const /builds/worker/workspace/build/src/dom/base/nsINode.cpp:448
#2 0x7f1dc6645020 in GetComposedDoc /builds/worker/workspace/build/src/dom/base/nsINode.h:579:7
#3 0x7f1dc6645020 in mozilla::dom::Element::UpdateState(bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:267
#4 0x7f1dc8f60c4b in mozilla::dom::HTMLFormElement::UpdateValidity(bool) /builds/worker/workspace/build/src/dom/html/HTMLFormElement.cpp:2108:3
#5 0x7f1dc8f61e75 in mozilla::dom::HTMLFormElement::RemoveElement(nsGenericHTMLFormElement*, bool) /builds/worker/workspace/build/src/dom/html/HTMLFormElement.cpp:1396:7
#6 0x7f1dc9109597 in nsGenericHTMLFormElement::ClearForm(bool, bool) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:1821:12
#7 0x7f1dc910b17d in nsGenericHTMLFormElement::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp
#8 0x7f1dc8fc4e5b in mozilla::dom::HTMLInputElement::UnbindFromTree(bool, bool) /builds/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:4894:38
#9 0x7f1dc663e807 in mozilla::dom::FragmentOrElement::cycleCollection::Unlink(void*) /builds/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:1412:16
#10 0x7f1dc8f51c4d in mozilla::dom::HTMLFormElement::cycleCollection::Unlink(void*) /builds/worker/workspace/build/src/dom/html/HTMLFormElement.cpp:146:1
#11 0x7f1dc349eda4 in nsCycleCollector::CollectWhite() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3396:26
#12 0x7f1dc34a1add in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3764:24
#13 0x7f1dc34a1474 in nsCycleCollector::ShutdownCollect() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3682:10
#14 0x7f1dc34a61af in Shutdown /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3985:5
#15 0x7f1dc34a61af in nsCycleCollector_shutdown(bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4368
#16 0x7f1dc366a3fc in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:969:3
#17 0x7f1dcf08eb6c in XRE_TermEmbedding() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:228:3
#18 0x7f1dc44c65b5 in mozilla::ipc::ScopedXREEmbed::Stop() /builds/worker/workspace/build/src/ipc/glue/ScopedXREEmbed.cpp:108:5
#19 0x7f1dcf08f42b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:705:16
#20 0x4f2dfc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#21 0x4f2dfc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#22 0x7f1de263582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
Flags: in-testsuite?
Comment 1 • 7 years ago (Andreas Farre [:farre])
Ben or Jessica, do you think this is ShadowRoot-related?
We end up crashing at ShadowRoot::IsComposedDocParticipant.
Flags: needinfo?(jjong)
Flags: needinfo?(btian)
Comment 2 • 7 years ago
(In reply to Andreas Farre [:farre] from comment #1)
> Ben or Jessica, do you think this is ShadowRoot-related?
>
> We end up crashing at ShadowRoot::IsComposedDocParticipant.
Yes. Looks like during cycle collection, HTMLFormElement's NODE_IS_IN_SHADOW_TREE flag is still set but its containing shadow has been cleared.
Updated • 7 years ago
Flags: needinfo?(ben.tian)
Updated • 7 years ago
Assignee: nobody → bugs
Comment 3 • 7 years ago
Null pointer check in case the node has been unlinked already.
Attachment #8972102 -
Flags: review?(continuation)
Updated • 7 years ago
Attachment #8972102 -
Flags: review?(continuation) → review+
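To make the state described in comment 2 and the kind of check comment 3 refers to concrete, here is an added, constructed C++ model. It is not Firefox code and not the attached patch: the Node and ShadowRoot structs, the NODE_IS_IN_DOCUMENT flag, and every function name except the general shape of GetComposedDoc/IsComposedDocParticipant are assumptions for the illustration. It shows an unchecked lookup that would fault at a small address once the containing shadow root pointer is cleared while NODE_IS_IN_SHADOW_TREE is still set, and a null-checked lookup that tolerates that transient state.

```cpp
// Added, constructed model of the hazard in this bug; not Firefox code.
// Names other than NODE_IS_IN_SHADOW_TREE and the rough shape of
// GetComposedDoc/IsComposedDocParticipant are assumptions for illustration.
#include <cstdint>
#include <cstdio>

struct Document {};

// Stand-in for ShadowRoot: records whether its host is in the composed document.
struct ShadowRoot {
  bool composedDocParticipant = false;
  bool IsComposedDocParticipant() const { return composedDocParticipant; }
};

// Stand-in for nsINode: a flag word plus non-owning pointers to the owner
// document and the containing shadow root.
struct Node {
  static constexpr uint32_t NODE_IS_IN_DOCUMENT    = 1u << 0;  // assumed flag
  static constexpr uint32_t NODE_IS_IN_SHADOW_TREE = 1u << 1;  // named in comment 2
  uint32_t    flags            = 0;
  Document*   ownerDoc         = nullptr;
  ShadowRoot* containingShadow = nullptr;
};

// Unchecked lookup, shaped like the path in the stack trace: a node in a
// shadow tree defers to its ShadowRoot. If containingShadow is null, reading
// a member through it faults at a small address ("crash near null").
Document* GetComposedDocUnchecked(const Node& n) {
  if (n.flags & Node::NODE_IS_IN_DOCUMENT) return n.ownerDoc;
  if (n.flags & Node::NODE_IS_IN_SHADOW_TREE) {
    return n.containingShadow->IsComposedDocParticipant() ? n.ownerDoc : nullptr;
  }
  return nullptr;
}

// Checked lookup in the spirit of the fix: tolerate a cleared shadow root,
// because the flag can outlive the pointer while the cycle collector unlinks.
Document* GetComposedDocChecked(const Node& n) {
  if (n.flags & Node::NODE_IS_IN_DOCUMENT) return n.ownerDoc;
  if (n.flags & Node::NODE_IS_IN_SHADOW_TREE) {
    const ShadowRoot* sr = n.containingShadow;
    if (sr && sr->IsComposedDocParticipant()) return n.ownerDoc;
  }
  return nullptr;
}

// Models cycle-collector Unlink clearing the pointer but not the flag, the
// inconsistent state comment 2 describes. The node does not control when this
// runs relative to its own unbinding, which is why the crash depends on
// unlink ordering.
void UnlinkContainingShadow(Node& n) { n.containingShadow = nullptr; }

// True when the unchecked path would dereference null for this node.
bool WouldDereferenceNull(const Node& n) {
  return !(n.flags & Node::NODE_IS_IN_DOCUMENT) &&
         (n.flags & Node::NODE_IS_IN_SHADOW_TREE) != 0 &&
         n.containingShadow == nullptr;
}

int main() {
  Document doc;
  ShadowRoot sr;
  sr.composedDocParticipant = true;
  Node input;
  input.ownerDoc = &doc;
  input.containingShadow = &sr;
  input.flags = Node::NODE_IS_IN_SHADOW_TREE;

  std::printf("before unlink: unchecked=%p checked=%p\n",
              (void*)GetComposedDocUnchecked(input),
              (void*)GetComposedDocChecked(input));
  UnlinkContainingShadow(input);
  // The unchecked path must not be called here: WouldDereferenceNull is true.
  std::printf("after unlink: hazard=%d checked=%p\n",
              WouldDereferenceNull(input) ? 1 : 0,
              (void*)GetComposedDocChecked(input));
  return 0;
}
```

The model also shows why comment 7's point about reproducibility holds: whether the faulting read happens depends only on whether UnlinkContainingShadow ran before the lookup, an ordering the node itself does not decide.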
Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/86e39351c774
Crash near null [@ IsComposedDocParticipant], r=mccr8
Comment 5 • 7 years ago (bugherder)
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox61:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Comment 6 • 7 years ago
Worth landing the test from this bug as a crashtest?
status-firefox60:
--- → wontfix
status-firefox-esr52:
--- → disabled
status-firefox-esr60:
--- → wontfix
Flags: needinfo?(bugs)
Comment 7 • 7 years ago
The patch was written based on code inspection. Never reproduced the crash, which is highly random given that it depends on ordering in the cycle collector's unlinking (which is random).
So, no.
Flags: needinfo?(bugs)
Updated • 7 years ago
Flags: in-testsuite? → in-testsuite-
Updated • 6 years ago
Component: DOM → DOM: Core & HTML