Closed Bug 1763292 Opened 3 years ago Closed 3 years ago

crash near null in [@ mozilla::EditorUtils::IsWhiteSpacePreformatted]

Categories

(Core :: DOM: Editor, defect, P2)

defect

Tracking


RESOLVED FIXED
101 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox99 --- wontfix
firefox100 --- wontfix
firefox101 --- fixed

People

(Reporter: tsmith, Assigned: masayuki)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files)

Attached file testcase.html (deleted) —

Found while fuzzing m-c 20220403-2d8724cbbddd (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
==24205==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7fab849c6cfa bp 0x7ffdd1730150 sp 0x7ffdd1730140 T0)
==24205==The signal is caused by a READ memory access.
==24205==Hint: address points to the zero page.
    #0 0x7fab849c6cfa in GetBoolFlag src/dom/base/nsINode.h:1809:12
    #1 0x7fab849c6cfa in IsElement src/dom/base/nsINode.h:512:35
    #2 0x7fab849c6cfa in nsINode::GetAsElementOrParentElement() const /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:2130:10
    #3 0x7fab8a2abd6a in mozilla::EditorUtils::IsWhiteSpacePreformatted(nsIContent const&) src/editor/libeditor/EditorUtils.cpp:540:31
    #4 0x7fab8a435af3 in nsresult mozilla::WhiteSpaceVisibilityKeeper::NormalizeVisibleWhiteSpacesAt<mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > >(mozilla::HTMLEditor&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&) src/editor/libeditor/WSRunObject.cpp:3111:11
    #5 0x7fab8a2c5088 in mozilla::HTMLEditor::OnEndHandlingTopLevelEditSubActionInternal() src/editor/libeditor/HTMLEditSubActionHandler.cpp:540:15
    #6 0x7fab8a2c4428 in mozilla::HTMLEditor::OnEndHandlingTopLevelEditSubAction() src/editor/libeditor/HTMLEditSubActionHandler.cpp:328:10
    #7 0x7fab8a27f657 in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) src/editor/libeditor/EditorBase.cpp:4274:1
    #8 0x7fab8a277e43 in mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*) src/editor/libeditor/EditorBase.cpp:4194:8
    #9 0x7fab84cdca93 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) src/dom/base/Document.cpp:5432:37
    #10 0x7fab8677bbac in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:4057:36
    #11 0x7fab86c2c1dd in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3303:13
    #12 0x7fab8f1a95f4 in CallJSNative src/js/src/vm/Interpreter.cpp:420:13
    #13 0x7fab8f1a95f4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:12
    #14 0x7fab8f195d5c in CallFromStack src/js/src/vm/Interpreter.cpp:571:10
    #15 0x7fab8f195d5c in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3303:16
    #16 0x7fab8f17ada1 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:389:13
    #17 0x7fab8f1a972f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:539:13
    #18 0x7fab8f1ab87b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:584:8
    #19 0x7fab8f366ddd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10
    #20 0x7fab86847129 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
    #21 0x7fab875f8a04 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #22 0x7fab875f84c0 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1310:43
    #23 0x7fab875f9b6c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1507:17
    #24 0x7fab875e755e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:348:17
    #25 0x7fab875e5fe2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:586:14
    #26 0x7fab875ea05d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1119:11
    #27 0x7fab875efe29 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
    #28 0x7fab850983f4 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1354:17
    #29 0x7fab876077b3 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) src/dom/events/EventTarget.cpp:180:13
    #30 0x7fab87573ef0 in mozilla::AsyncEventDispatcher::Run() src/dom/events/AsyncEventDispatcher.cpp:69:12
    #31 0x7fab849ce914 in nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) src/dom/base/nsContentUtils.cpp:5777:13
    #32 0x7fab8757466e in mozilla::AsyncEventDispatcher::RunDOMEventWhenSafe() src/dom/events/AsyncEventDispatcher.cpp:99:3
    #33 0x7fab84d24b60 in mozilla::dom::Document::MutationEventDispatched(nsINode*) src/dom/base/Document.cpp:11850:13
    #34 0x7fab849cab92 in mozilla::dom::mozAutoSubtreeModified::UpdateTarget(mozilla::dom::Document*, nsINode*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Document.h:5333:22
    #35 0x7fab849c4ae0 in mozilla::dom::mozAutoSubtreeModified::~mozAutoSubtreeModified() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Document.h:5329:31
    #36 0x7fab849c400e in nsContentUtils::MaybeFireNodeRemoved(nsINode*, nsINode*) src/dom/base/nsContentUtils.cpp:4780:3
    #37 0x7fab850a052c in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:2480:7
    #38 0x7fab85825a93 in InsertBefore src/dom/base/nsINode.h:2042:12
    #39 0x7fab85825a93 in AppendChild src/dom/base/nsINode.h:2049:12
    #40 0x7fab85825a93 in mozilla::dom::Node_Binding::appendChild(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/NodeBinding.cpp:996:60
    #41 0x7fab86c2c1dd in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3303:13
    #42 0x7fab8f1a95f4 in CallJSNative src/js/src/vm/Interpreter.cpp:420:13
    #43 0x7fab8f1a95f4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:12
    #44 0x7fab8f195d5c in CallFromStack src/js/src/vm/Interpreter.cpp:571:10
    #45 0x7fab8f195d5c in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3303:16
    #46 0x7fab8f17ada1 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:389:13
    #47 0x7fab8f1a972f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:539:13
    #48 0x7fab8f1ab87b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:584:8
    #49 0x7fab8f366ddd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10
    #50 0x7fab86201c41 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:852:8
    #51 0x7fab84c0eac8 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:695:12
    #52 0x7fab84e2b58e in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:708:12
    #53 0x7fab84e2b58e in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) src/dom/base/IdleRequest.cpp:61:13
    #54 0x7fab84a7a7af in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) src/dom/base/nsGlobalWindowInner.cpp:739:12
    #55 0x7fab84a79032 in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) src/dom/base/nsGlobalWindowInner.cpp:767:3
    #56 0x7fab84a78d74 in IdleRequestExecutor::Run() src/dom/base/nsGlobalWindowInner.cpp:608:13
    #57 0x7fab81cc8642 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:467:16
    #58 0x7fab81c8e9bd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:778:26
    #59 0x7fab81c8c1f5 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:654:15
    #60 0x7fab81c8c5e9 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:390:36
    #61 0x7fab81cd4fd1 in operator() src/xpcom/threads/TaskController.cpp:124:37
    #62 0x7fab81cd4fd1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #63 0x7fab81caeec7 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1187:16
    #64 0x7fab81cb8fcc in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
    #65 0x7fab833bcabf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
    #66 0x7fab832385d1 in RunInternal src/ipc/chromium/src/base/message_loop.cc:380:10
    #67 0x7fab832385d1 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
    #68 0x7fab832385d1 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
    #69 0x7fab8a087747 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #70 0x7fab8eec03ff in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:870:20
    #71 0x7fab832385d1 in RunInternal src/ipc/chromium/src/base/message_loop.cc:380:10
    #72 0x7fab832385d1 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
    #73 0x7fab832385d1 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
    #74 0x7fab8eebf623 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:729:34
    #75 0x562b912c247d in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #76 0x562b912c28b0 in main src/browser/app/nsBrowserApp.cpp:327:18
    #77 0x7fabad710c86 in __libc_start_main /build/glibc-uZu3wS/glibc-2.27/csu/../csu/libc-start.c:310
    #78 0x562b91211569 in _start (/home/twsmith/workspace/browsers/m-c-20220403215202-fuzzing-asan-opt/firefox+0x5e569)
Flags: in-testsuite?

Sigh, a bug related to the legacy DOM mutation events...

Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Priority: -- → P2

I cannot reproduce this crash with a normal debug build because too many recursive calls stop the script (perhaps) before the situation is reached.

Although I couldn't reproduce it on tryserver either while rewriting a crashtest for WPT, the stack in comment 0 clearly points to the buggy spot in WhiteSpaceVisibilityKeeper::NormalizeVisibleWhiteSpacesAt, so the patch must fix the crash.

Bugmon Analysis
Unable to reproduce bug 1763292 using build mozilla-central 20220403215202-2d8724cbbddd. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

I cannot test the WPT crashtest in Chrome on either Windows 11 or Ubuntu... So I cannot land it until one of them is fixed.

Depends on: 1764473, 1764475
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/1b1728ab0a2f Make `WhiteSpaceVisibilityKeeper::NormalizeVisibleWhiteSpacesAt` check the DOM tree after inserting a `<br>` element r=m_kato
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/33649 for changes under testing/web-platform/tests
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch
Upstream PR merged by moz-wptsync-bot
No longer depends on: 1764473
Crash Signature: [@ mozilla::EditorUtils::IsWhiteSpacePreformatted]
Flags: in-testsuite? → in-testsuite+
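The fix title above (re-check the DOM after inserting a `<br>`) reflects a general rule visible in the stack in comment 0: a DOM insertion can dispatch a legacy mutation event, the listener can run script (here execCommand("delete")) that rearranges the tree, and any node pointer taken before that call must be re-validated afterwards. The following is an added C++ model written for this page, not Gecko code; `Node`, `Document`, `InsertBrUnchecked` and `InsertBrChecked` are hypothetical names and the listener that detaches the node is constructed for the demonstration.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <vector>
// Constructed toy DOM (hypothetical names, not Gecko's). Insert() fires a
// legacy-style mutation listener that may run script and mutate the tree
// again: the same window in which the crash in comment 0 was hit.
struct Node { Node* parent = nullptr; std::vector<Node*> children; };
struct Document {
  std::vector<std::unique_ptr<Node>> nodes;          // owns every node
  std::function<void(Document&, Node*)> onInserted;  // mutation listener
  Node* Create() { nodes.push_back(std::make_unique<Node>()); return nodes.back().get(); }
  void Insert(Node* parent, Node* child) {
    child->parent = parent;
    parent->children.push_back(child);
    if (onInserted) onInserted(*this, child);        // "script" runs here
  }
  void Remove(Node* child) {
    Node* p = child->parent;
    if (!p) return;
    p->children.erase(std::find(p->children.begin(), p->children.end(), child));
    child->parent = nullptr;
  }
};
// Unchecked: assumes the <br> is still attached after Insert(). If a listener
// detached it, br->parent is null and the dereference is a null-page read.
std::size_t InsertBrUnchecked(Document& doc, Node* container) {
  Node* br = doc.Create();
  doc.Insert(container, br);
  return br->parent->children.size();
}
// Hardened: re-validate the DOM after the script-running call and bail out
// instead of touching nodes that are no longer where we put them.
bool InsertBrChecked(Document& doc, Node* container) {
  Node* br = doc.Create();
  doc.Insert(container, br);
  return br->parent == container;   // false: tree changed under us, bail out
}
// Scenario helpers so both behaviours can be checked without crashing.
bool DemoQuietListener() {
  Document doc; Node* body = doc.Create();
  return InsertBrUnchecked(doc, body) == 1 && InsertBrChecked(doc, body) &&
         body->children.size() == 2;
}
bool DemoHostileListener() {
  Document doc; Node* body = doc.Create();
  doc.onInserted = [](Document& d, Node* n) { d.Remove(n); };  // detaches the <br>
  return !InsertBrChecked(doc, body) && body->children.empty();
}
```

`DemoHostileListener` deliberately calls only the checked variant, because the unchecked one would dereference a null parent under that listener, which is the failure the ASan report shows.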

:masayuki, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(masayuki)

Sorry, wrong needinfo because of a bug in the bot.

Flags: needinfo?(masayuki)