Bug 1441404 - UBSan: null pointer passed as argument 2, which is declared to never be null [@ nsTextFragment::Append]
Status: Closed (opened 7 years ago, closed 7 years ago), RESOLVED FIXED
Categories: Core :: DOM: Core & HTML, defect
Tracking: mozilla61
People: Reporter: tsmith, Assigned: smaug
References: Blocks 1 open bug
Details: Keywords: csectype-undefined
Attachments (2 files): text/html (deleted); patch (deleted), baku: review+
Found with mozilla-central changeset: 405244:6d72eade26af
src/dom/base/nsTextFragment.cpp:405:35: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
#0 0x7fb55d674fd1 in nsTextFragment::Append(char16_t const*, unsigned int, bool, bool) src/dom/base/nsTextFragment.cpp:405:5
#1 0x7fb55d60e89a in nsGenericDOMDataNode::SetTextInternal(unsigned int, unsigned int, char16_t const*, unsigned int, bool, CharacterDataChangeInfo::Details*) src/dom/base/nsGenericDOMDataNode.cpp:329:13
#2 0x7fb55d60eee8 in nsGenericDOMDataNode::DeleteData(unsigned int, unsigned int) src/dom/base/nsGenericDOMDataNode.cpp:251:10
#3 0x7fb55db562cf in DeleteData src/dom/base/nsGenericDOMDataNode.h:204:10
#4 0x7fb55db562cf in mozilla::dom::CharacterDataBinding::deleteData(JSContext*, JS::Handle<JSObject*>, nsGenericDOMDataNode*, JSJitMethodCallArgs const&) src/objdir-ff-ubsan/dom/bindings/CharacterDataBinding.cpp:281
#5 0x7fb55e06c11b in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3031:13
#6 0x7fb5630f029c in CallJSNative src/js/src/vm/JSContext-inl.h:290:15
#7 0x7fb5630f029c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467
#8 0x7fb5630f09c9 in InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:516:12
#9 0x7fb5630e9ffe in CallFromStack src/js/src/vm/Interpreter.cpp:522:12
#10 0x7fb5630e9ffe in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3092
#11 0x7fb5630d3f76 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
#12 0x7fb5630f0369 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
#13 0x7fb5630f09c9 in InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:516:12
#14 0x7fb5630f0a77 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
#15 0x7fb5636ff90d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:3028:12
#16 0x7fb55de28065 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/objdir-ff-ubsan/dom/bindings/EventHandlerBinding.cpp:260:37
#17 0x7fb55e344c77 in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) src/objdir-ff-ubsan/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#18 0x7fb55e3382df in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) src/dom/events/JSEventHandler.cpp:215:12
#19 0x7fb55e322c90 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1111:51
#20 0x7fb55e3237c4 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1286:20
#21 0x7fb55e31b96f in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:527:16
#22 0x7fb55e31cec7 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:915:9
#23 0x7fb55f4bd3d9 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1068:7
#24 0x7fb562996a3f in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7303:21
#25 0x7fb56299555d in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:7096:7
#26 0x7fb5629979ff in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#27 0x7fb55cad89a2 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1315:3
#28 0x7fb55cad8595 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:858:14
#29 0x7fb55cad745e in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:747:9
#30 0x7fb55cad7fae in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:632:5
#31 0x7fb55cad848c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
#32 0x7fb55b6274d4 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:629:28
#33 0x7fb55d5ac7fb in nsDocument::DoUnblockOnload() src/dom/base/nsDocument.cpp:8432:18
#34 0x7fb55d5a2cdb in nsDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5363:3
#35 0x7fb55d5ebfa6 in applyImpl<nsDocument, void (nsDocument::*)()> src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1149:12
#36 0x7fb55d5ebfa6 in apply<nsDocument, void (nsDocument::*)()> src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1155
#37 0x7fb55d5ebfa6 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1200
#38 0x7fb55b5074d4 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:413:25
#39 0x7fb55b5235c2 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1040:14
#40 0x7fb55b53f330 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:517:10
#41 0x7fb55bfcc72b in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#42 0x7fb55bef3b19 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319:3
#43 0x7fb55bef3b19 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
#44 0x7fb55f06e996 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
#45 0x7fb562eb2694 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:892:22
#46 0x7fb55bef3b19 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319:3
#47 0x7fb55bef3b19 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
#48 0x7fb562eb22c0 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:718:34
#49 0x42d23b in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#50 0x42d358 in main src/browser/app/nsBrowserApp.cpp:280:18
#51 0x7fb581b571c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
#52 0x407159 in _start (firefox+0x407159)
Flags: in-testsuite?
Comment 1 • 7 years ago
Olli, since you touched src/dom/base/nsTextFragment.cpp:405:35 last, maybe you can have a look.
Flags: needinfo?(bugs)
Comment 2 • 7 years ago (Assignee)
I don't understand what
"src/dom/base/nsTextFragment.cpp:405:35: runtime error: null pointer passed as argument 2, which is declared to never be null"
means.
Per the C standard it isn't an error, just undefined.
Looks like we've had the same issue for ages, since bug 330872
http://52.25.115.98/viewvc/main/mozilla/content/base/src/nsTextFragment.cpp?annotate=1.27#l309
Flags: needinfo?(bugs)
Updated • 7 years ago (Assignee)
Assignee: nobody → bugs
Comment 3 • 7 years ago (Assignee)
Appending a zero-length string isn't exactly useful.
Attachment #8962724 - Flags: review?(amarchesini)
Comment 4 • 7 years ago (Assignee)
remote:
remote: Follow the progress of your build on Treeherder:
remote: https://treeherder.mozilla.org/#/jobs?repo=try&revision=48020ad02e018bb3eb7c0f135986a41c5533f3e3
remote: recorded changegroup in replication log in 0.085s
Updated • 7 years ago
Attachment #8962724 - Flags: review?(amarchesini) → review+
Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7d9e36d70c3e
return early when appending null string to a text fragment, r=baku
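The pattern behind the report and the fix, as an added example that is not Gecko's code: a `deleteData()` call is a replace with a NULL, zero-length replacement, so the append routine receives `src == NULL, len == 0` and forwards the NULL into `memcpy`. glibc declares `memcpy`'s pointer parameters `nonnull`, so `memcpy(dst, NULL, 0)` is undefined behaviour even though no byte moves, which is what UBSan flagged. The hypothetical `text_fragment_t`, `append_naive`, `append_checked` and `replace_range` below are constructed stand-ins for the trace's `nsTextFragment::Append` and `nsGenericDOMDataNode::SetTextInternal`; `append_checked` applies the same early return the landed patch describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FRAG_CAPACITY 64

/* Constructed stand-in for a text fragment (not Gecko's nsTextFragment):
 * a fixed-capacity buffer of UTF-16 code units plus the count in use. */
typedef struct {
    uint16_t data[FRAG_CAPACITY];
    size_t   len;
} text_fragment_t;

/* The "before": trusts the caller and hands src to memcpy unconditionally.
 * A NULL src with len == 0 is a legitimate caller input on the deleteData
 * path, but memcpy's nonnull attribute makes memcpy(dst, NULL, 0) UB. */
static bool append_naive(text_fragment_t *frag, const uint16_t *src, size_t len)
{
    if (len > FRAG_CAPACITY - frag->len)
        return false;                                   /* would overflow the buffer */
    memcpy(frag->data + frag->len, src, len * sizeof *src); /* UB when src == NULL */
    frag->len += len;
    return true;
}

/* The "after": return early when there is nothing to append so NULL never
 * reaches memcpy, and reject the inconsistent NULL-with-length case outright. */
static bool append_checked(text_fragment_t *frag, const uint16_t *src, size_t len)
{
    if (len == 0)
        return true;                                    /* nothing to do; src is never read */
    if (src == NULL)
        return false;                                   /* NULL with len > 0 is a caller bug */
    if (len > FRAG_CAPACITY - frag->len)
        return false;
    memcpy(frag->data + frag->len, src, len * sizeof *src);
    frag->len += len;
    return true;
}

/* Mirror of the CharacterData replace/delete path in the trace: rebuild the
 * fragment as prefix + replacement + suffix. deleteData(offset, count) is
 * replaceData with a NULL, zero-length replacement, which is how a NULL
 * pointer reached the append in the first place. */
static bool replace_range(text_fragment_t *frag, size_t offset, size_t count,
                          const uint16_t *src, size_t len)
{
    if (offset > frag->len)
        return false;                                   /* DOM raises IndexSizeError here */
    if (count > frag->len - offset)
        count = frag->len - offset;                     /* DOM clamps count to the end */
    text_fragment_t out = { .len = 0 };
    if (!append_checked(&out, frag->data, offset))
        return false;
    if (!append_checked(&out, src, len))                /* src may be NULL when len == 0 */
        return false;
    if (!append_checked(&out, frag->data + offset + count, frag->len - offset - count))
        return false;
    *frag = out;
    return true;
}

/* Fill a fragment from an ASCII string (constructed test input); returns the length. */
static size_t fragment_from_ascii(text_fragment_t *frag, const char *s)
{
    frag->len = 0;
    for (; *s != '\0' && frag->len < FRAG_CAPACITY; ++s)
        frag->data[frag->len++] = (uint16_t)(unsigned char)*s;
    return frag->len;
}

int main(void)
{
    text_fragment_t frag;
    fragment_from_ascii(&frag, "hello world");
    /* deleteData(5, 6): drops " world"; the replacement is NULL/0 as in the trace. */
    return (replace_range(&frag, 5, 6, NULL, 0) && frag.len == 5) ? 0 : 1;
}
```

Compiling the block with `-fsanitize=undefined` and routing a `NULL, 0` pair through `append_naive` reproduces the same "null pointer passed as argument 2" diagnostic; `append_checked` never triggers it. The early return matters beyond the sanitizer: once a compiler sees a pointer passed to a `nonnull` parameter it may assume the pointer is non-null from then on and drop later null checks in the caller, so the zero-length case has to be handled before the call rather than after it.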
Comment 6 • 7 years ago
bugherder
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox61:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Updated • 6 years ago
Component: DOM → DOM: Core & HTML