Found while fuzzing m-c 20210320-f56d2bf535d6 (--enable-debug --enable-fuzzing)

Assertion failure: isSome(), at /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:838

#0 0x7f50d77231c1 in nsRange::ComparePoint(nsINode const&, unsigned int, mozilla::ErrorResult&) const /builds/worker/checkouts/gecko/dom/base/nsRange.cpp
#1 0x7f50d7d7922b in mozilla::dom::Range_Binding::comparePoint(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/RangeBinding.cpp:1186:39
#2 0x7f50d89275fd in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3238:13
#3 0x7f50db9afec0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:435:13
#4 0x7f50db9af62c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:520:12
#5 0x7f50db9b0e29 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
#6 0x7f50db9a597f in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:584:10
#7 0x7f50db9a597f in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3244:16
#8 0x7f50db99ce41 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:13
#9 0x7f50db9af649 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:552:13
#10 0x7f50db9b0e29 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
#11 0x7f50db9b104f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:8
#12 0x7f50dbf266fb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2856:10
#13 0x7f50d7b1ce03 in mozilla::dom::MutationCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Sequence<mozilla::OwningNonNull<nsDOMMutationRecord> > const&, nsDOMMutationObserver&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/MutationObserverBinding.cpp:618:8
#14 0x7f50d7711e81 in void mozilla::dom::MutationCallback::Call<nsDOMMutationObserver*>(nsDOMMutationObserver* const&, mozilla::dom::Sequence<mozilla::OwningNonNull<nsDOMMutationRecord> > const&, nsDOMMutationObserver&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/MutationObserverBinding.h:195:12
#15 0x7f50d76b4b07 in Call<nsDOMMutationObserver *> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/MutationObserverBinding.h:217:12
#16 0x7f50d76b4b07 in nsDOMMutationObserver::HandleMutation() /builds/worker/checkouts/gecko/dom/base/nsDOMMutationObserver.cpp:853:13
#17 0x7f50d76b3027 in nsDOMMutationObserver::HandleMutationsInternal(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/dom/base/nsDOMMutationObserver.cpp:882:26
#18 0x7f50d584e4a7 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:647:17
#19 0x7f50d893b131 in LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:233:7
#20 0x7f50d893b131 in mozilla::dom::CallbackObject::CallSetup::~CallSetup() /builds/worker/checkouts/gecko/dom/bindings/CallbackObject.cpp:393:11
#21 0x7f50d74ddb91 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:783:3
#22 0x7f50d75cf459 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:795:12
#23 0x7f50d75cf459 in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) /builds/worker/checkouts/gecko/dom/base/IdleRequest.cpp:61:13
#24 0x7f50d744fa23 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:745:12
#25 0x7f50d744edf5 in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:773:3
#26 0x7f50d744ec24 in IdleRequestExecutor::Run() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:614:13
#27 0x7f50d594e4ff in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:472:16
#28 0x7f50d594ca80 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:760:26
#29 0x7f50d594ba96 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:634:15
#30 0x7f50d594bb97 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:395:36
#31 0x7f50d5952096 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:133:37
#32 0x7f50d5952096 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#33 0x7f50d5963567 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
#34 0x7f50d5969ada in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#35 0x7f50d6295d86 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#36 0x7f50d6200be3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#37 0x7f50d6200afd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#38 0x7f50d6200afd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#39 0x7f50da019a38 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#40 0x7f50db87abb3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:901:20
#41 0x7f50d6296c6c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#42 0x7f50d6200be3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#43 0x7f50d6200afd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#44 0x7f50d6200afd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#45 0x7f50db87a788 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
#46 0x563157e40fb6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#47 0x563157e40fb6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
#48 0x7f50eaa720b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#49 0x563157e1ed5c in _start (/home/worker/builds/m-c-20210320213106-fuzzing-debug/firefox-bin+0x14d5c)

A Pernosco session is available here: https://pernos.co/debug/RlN5_lVmYIurLojWfKUZ5w/index.html

Bugmon Analysis:
Unable to reproduce bug using the following builds:

mozilla-central 20210322174641-7bff3dc37b07
mozilla-central 20210320085643-f56d2bf535d6
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Hi Mirko, I saw you worked on nsRange::ComparePoint issues[1], perhaps you can take a look. Thank you.

[1] https://searchfox.org/mozilla-central/rev/0e3d2eb698a51006943f3b4fb74c035da80aa2ff/dom/base/nsRange.cpp#782

I'll take a closer look at it soon. Presumably next week.

:jkratzer: could you help providing a regression range for this? Is this something your team usually does? If it's not a regression, that'd be helpful to know too.

(I) mRoot represents the <select> element.
mStart represents a text node. Presumably the child of mRoot.
(II) The text node's parent is nullptr.

aContainer represents the same <select> element as above.

nsRange::IsPointComparableToRange checks that aContainer is an inclusive descendant of mRoot, which is the case.

So why (II) if (I)? Needs further analysis.

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210407094544-8f7e11867d56.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 6663d3dc883b6ad0d0dfa9346f9ceabf2b2c7967 (20200408033650)
End: f56d2bf535d67b0ae8e4a11d4aa2f3e755943ae6 (20210320085643)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False)

(In reply to Mirko Brodesser (:mbrodesser) from comment #5)

:jkratzer: could you help providing a regression range for this? Is this something your team usually does? If it's not a regression, that'd be helpful to know too.

Mirko, the testcase bisects back further than a year which is the furthest back that bugmon can bisect.

(In reply to Jason Kratzer [:jkratzer] from comment #11)

(In reply to Mirko Brodesser (:mbrodesser) from comment #5)

:jkratzer: could you help providing a regression range for this? Is this something your team usually does? If it's not a regression, that'd be helpful to know too.

Mirko, the testcase bisects back further than a year which is the furthest back that bugmon can bisect.

Thanks for figuring that out.

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210522035320-574a43c224bd) but not with tip (mozilla-central 20220520153703-1d31a0098979.)
Unable to bisect testcase (End build crashes!):

Start: 574a43c224bda1a8a4b0ce73d6a64e11bbd7dea7 (20210522035320)
End: 1d31a009897964e94d43db5961ff68538d5e8ddb (20220520153703)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

(In reply to Bugmon [:jkratzer for issues] from comment #13)

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210522035320-574a43c224bd) but not with tip (mozilla-central 20220520153703-1d31a0098979.)
Unable to bisect testcase (End build crashes!):

Start: 574a43c224bda1a8a4b0ce73d6a64e11bbd7dea7 (20210522035320)
End: 1d31a009897964e94d43db5961ff68538d5e8ddb (20220520153703)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

So this seems fixed.

I've got a working test case.

Let me know if you'd like an updated Pernosco session.

Oops sorry Miko :)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220601154702-ead7dd146ec4.
Unable to bisect testcase (failed to find build near f56d2bf535d6)

The new testcase crashes the tab in Nightly (release build) and release. On Ubuntu 20.04.

(In reply to Mirko Brodesser (:mbrodesser) -- away for an unknown duration from comment #19)

The new testcase crashes the tab in Nightly (release build) and release. On Ubuntu 20.04.

It crashes on Windows, too.

Masayuki, mind taking a look at this and suggest the severity and/or next steps? Thank you.

This is not so serious crash unless used by attackers for DOS.

I guess that checking nsINode::IsInclusingDescandantOf is wrong here.
https://searchfox.org/mozilla-central/rev/d28f7751c47d75699c6ab1afd4852ad84ebb7399/dom/base/nsRange.cpp#740

If the node is being removed, the node still store the (ex-)parent node but the parent has already removed the node from the list of children. This can be checked with nsINode::IsBeingRemoved and we need a clone of nsINode::IsInclusiveDescendantOf because nsINode::Contains needs to return true in the case but uses IsInclusiveDescendantOf.

Therefore, I think that this may be one of good first bugs for Jan, but I'd like to check second opinion of Olli.

But the stack trace is such that the node has been already removed.

Anyhow, this looks like a good first bug. Need to investigate why order in
https://searchfox.org/mozilla-central/rev/8d3488927e96cae9af0b581a40448655506f9bca/dom/base/nsRange.cpp#784
is Nothing()

ok, this is starting to look like not so good "first bug". The issue is that user-select: none; in the CSS leads to selection select so called "native anonymous node" (which is not visible to the web page) inside <select>.

Filed bug 1784106 to deal with the non-crashing part of this.

This bug solves the crash that resulted from calling nsRange::ComparePoint() with both NAC and non-NAC nodes.
This bug does not solve the root issue, being a range with both NAC and non-NAC content
in context of a <select> element being created in the first place.
See also Bug 1784106.

https://hg.mozilla.org/mozilla-central/rev/e65ed6790ab3

Since nightly and release are affected, beta will likely be affected too.
For more information, please visit auto_nag documentation.

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220812093714-9ce1bc0acf15.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

The patch landed in nightly and beta is affected.
:jjaschke, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.Also, don't forget to request an uplift for the patches in the regression caused by this fix.
• If no, please set status-firefox104 to wontfix.

For more information, please visit auto_nag documentation.