Closed Bug 1439435 Opened 7 years ago Closed 7 years ago

UBSan: load of value which is not a valid value for type 'bool' [@ mozInlineSpellChecker::DidSplitNode]

Categories: Core :: Spelling checker, defect, P3
Status: RESOLVED FIXED
Target Milestone: mozilla60
Tracking Status: firefox60 --- fixed
People: Reporter: tsmith, Assigned: m_kato
References: Blocks 1 open bug
Keywords: csectype-uninitialized, testcase
Attachments: 2 files

Attached file testcase.html (deleted)

Found in mozilla-central changeset: 404376:d0d3693d9bef. Built with -fsanitize=bool

This does look "editor-ish". The testcase can require a few refreshes, which makes me think this is due to the use of uninitialized memory.

/extensions/spellcheck/src/mozInlineSpellChecker.cpp:1043:8: runtime error: load of value 234, which is not a valid value for type 'bool'
    #0 0x7f098a62e1be in mozInlineSpellChecker::DidSplitNode(nsINode*, nsINode*) /extensions/spellcheck/src/mozInlineSpellChecker.cpp:1043:8
    #1 0x7f0986bd92f4 in mozilla::EditorBase::SplitNode(mozilla::EditorDOMPointBase<nsINode*, nsIContent*> const&, mozilla::ErrorResult&) /editor/libeditor/EditorBase.cpp:1601:19
    #2 0x7f0986c0ee4b in mozilla::HTMLEditRules::WillMakeList(mozilla::dom::Selection*, nsTSubstring<char16_t> const*, bool, nsTSubstring<char16_t> const*, bool*, bool*, nsTSubstring<char16_t> const*) /editor/libeditor/HTMLEditRules.cpp:3663:25
    #3 0x7f0986c08cf1 in mozilla::HTMLEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::RulesInfo*, bool*, bool*) /editor/libeditor/HTMLEditRules.cpp
    #4 0x7f0986c3e17b in mozilla::HTMLEditor::MakeOrChangeList(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&) /editor/libeditor/HTMLEditor.cpp:1905:24
    #5 0x7f0986c99f95 in nsListCommand::ToggleState(mozilla::HTMLEditor*) /editor/composer/nsComposerCommands.cpp:334:23
    #6 0x7f0986c990b4 in nsBaseStateUpdatingCommand::DoCommand(char const*, nsISupports*) /editor/composer/nsComposerCommands.cpp:107:10
    #7 0x7f0985d790e6 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /dom/commandhandler/nsControllerCommandTable.cpp:147:26
    #8 0x7f0985d75711 in nsBaseCommandController::DoCommand(char const*) /dom/commandhandler/nsBaseCommandController.cpp:136:25
    #9 0x7f0985d77db7 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /dom/commandhandler/nsCommandManager.cpp:212:22
    #10 0x7f0985fce353 in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /dom/html/nsHTMLDocument.cpp:3091:18
    #11 0x7f09859e362e in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /objdir-ff-ubsan/dom/bindings/HTMLDocumentBinding.cpp:811:21
    #12 0x7f0985b3adbb in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3031:13
    #13 0x7f098aba28dc in CallJSNative /js/src/vm/JSContext-inl.h:290:15
    #14 0x7f098aba28dc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /js/src/vm/Interpreter.cpp:473
    #15 0x7f098aba3009 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /js/src/vm/Interpreter.cpp:522:12
    #16 0x7f098ab9c681 in CallFromStack /js/src/vm/Interpreter.cpp:528:12
    #17 0x7f098ab9c681 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3096
    #18 0x7f098ab867c6 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:423:12
    #19 0x7f098aba29a9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /js/src/vm/Interpreter.cpp:495:15
    #20 0x7f098aba3009 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /js/src/vm/Interpreter.cpp:522:12
    #21 0x7f098aba30b7 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:541:10
    #22 0x7f098b1b06fd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/jsapi.cpp:3037:12
    #23 0x7f09858fc585 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /objdir-ff-ubsan/dom/bindings/EventHandlerBinding.cpp:260:37
    #24 0x7f0985e13ad7 in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) /objdir-ff-ubsan/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #25 0x7f0985e0715f in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /dom/events/JSEventHandler.cpp:215:12
    #26 0x7f0985df1b10 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1111:51
    #27 0x7f0985df2644 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /dom/events/EventListenerManager.cpp:1286:20
    #28 0x7f0985dea7ef in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:527:16
    #29 0x7f0985debd47 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:915:9
    #30 0x7f0986f77879 in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1071:7
    #31 0x7f098a445b6f in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:7303:21
    #32 0x7f098a44468d in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:7096:7
    #33 0x7f098a446b2f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp
    #34 0x7f09845e2662 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1318:3
    #35 0x7f09845e2255 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:861:14
    #36 0x7f09845e1112 in nsDocLoader::DocLoaderIsEmpty(bool) /uriloader/base/nsDocLoader.cpp:750:9
    #37 0x7f09845e1c6e in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /uriloader/base/nsDocLoader.cpp:632:5
    #38 0x7f09845e214c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /uriloader/base/nsDocLoader.cpp
    #39 0x7f09831459f4 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:629:28
    #40 0x7f09850b3dfb in nsDocument::DoUnblockOnload() /dom/base/nsDocument.cpp:8439:18
    #41 0x7f09850aa33b in nsDocument::DispatchContentLoadedEvents() /dom/base/nsDocument.cpp:5372:3
    #42 0x7f09850f3496 in applyImpl<nsDocument, void (nsDocument::*)()> /objdir-ff-ubsan/dist/include/nsThreadUtils.h:1149:12
    #43 0x7f09850f3496 in apply<nsDocument, void (nsDocument::*)()> /objdir-ff-ubsan/dist/include/nsThreadUtils.h:1155
    #44 0x7f09850f3496 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /objdir-ff-ubsan/dist/include/nsThreadUtils.h:1200
    #45 0x7f09830270a4 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:413:25
    #46 0x7f0983043192 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1040:14
    #47 0x7f098305ef00 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:517:10
    #48 0x7f0983ae967b in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:97:21
    #49 0x7f0983a11389 in RunHandler /ipc/chromium/src/base/message_loop.cc:319:3
    #50 0x7f0983a11389 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299
    #51 0x7f0986b294f6 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:157:27
    #52 0x7f098a964dc4 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:892:22
    #53 0x7f0983a11389 in RunHandler /ipc/chromium/src/base/message_loop.cc:319:3
    #54 0x7f0983a11389 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299
    #55 0x7f098a9649f0 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:718:34
    #56 0x42d23b in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #57 0x42d358 in main /browser/app/nsBrowserApp.cpp:280:18
    #58 0x7f09a958d1c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #59 0x407159 in _start (/objdir-ff-ubsan/dist/bin/firefox+0x407159)
Flags: in-testsuite?
Assignee: nobody → m_kato
Blocks: 1430785
Comment on attachment 8952287: Bug 1439435 - Initialize mIsListeningToEditActions.
https://reviewboard.mozilla.org/r/221538/#review227340
Thanks!
Attachment #8952287 - Flags: review?(masayuki) → review+
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/57b6da7f66e1
Initialize mIsListeningToEditActions. r=masayuki
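The defect class behind this bug, as an added example that is not Mozilla's code: BuggySpellChecker and FixedSpellChecker are constructed stand-ins for mozInlineSpellChecker, showing a bool member no constructor sets, the rule -fsanitize=bool applies to every bool load, and the default-member-initializer fix the landed patch describes. The 0xEA fill reproduces the value 234 from the report in a deliberately dirtied slot; the allocator behaviour it simulates is an assumption.

```cpp
#include <cstdio>
#include <cstring>
#include <new>

// Constructed stand-in for the buggy class: a flag that no constructor sets is
// read later by a DidSplitNode-style callback, so the bool's "value" is
// whatever byte the allocator left in that slot.
class BuggySpellChecker {
public:
    BuggySpellChecker() {}  // mIsListeningToEditActions is never initialized
    bool IsListening() const { return mIsListeningToEditActions; }  // the flagged load
private:
    bool mIsListeningToEditActions;
};

// The shape of the fix ("Initialize mIsListeningToEditActions"): a default
// member initializer, so every constructor path yields a valid bool.
class FixedSpellChecker {
public:
    FixedSpellChecker() = default;
    bool IsListening() const { return mIsListeningToEditActions; }
private:
    bool mIsListeningToEditActions = false;
};

// The rule -fsanitize=bool enforces on each bool load: only the object
// representations 0 and 1 are valid; 234 (0xEA), the value in the report, is not.
bool IsValidBoolByte(unsigned char byte) { return byte == 0 || byte == 1; }

// Simulates recycled storage (assumed scenario): the slot is filled with 0xEA
// before the object is constructed in it, as a freed-and-reused heap chunk might be.
template <class Checker>
bool ListeningAfterConstructionInDirtyStorage() {
    alignas(Checker) unsigned char storage[sizeof(Checker)];
    std::memset(storage, 0xEA, sizeof storage);
    Checker* checker = new (storage) Checker;
    bool listening = checker->IsListening();  // Buggy: indeterminate; Fixed: false
    checker->~Checker();
    return listening;
}

int main() {
    // Built with -fsanitize=bool, the Buggy instantiation is the load the sanitizer
    // instruments; the stale 0xEA byte yields a report like the one above.
    bool buggy = ListeningAfterConstructionInDirtyStorage<BuggySpellChecker>();
    bool fixed = ListeningAfterConstructionInDirtyStorage<FixedSpellChecker>();
    std::printf("buggy=%d fixed=%d\n", buggy, fixed);
    return 0;
}
```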
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
[ Triage 2017/02/20: P3 ]
Priority: -- → P3