Closed
Bug 831287
Opened 12 years ago
Closed 12 years ago
Heap-use-after-free in mozilla::WalkAncestorsResetAutoDirection
Categories: Core :: Layout, defect
Status: RESOLVED FIXED
Target Milestone: mozilla21
 | Tracking | Status |
---|---|---|
firefox20 | - | fixed |
firefox21 | --- | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People: Reporter: inferno, Assigned: smontagu
Details: 5 keywords, Whiteboard: [asan][adv-main20-]
Attachments (3 files)
(deleted), text/html
(deleted), patch
(deleted), patch (ehsan.akhgari: review+, bajaj: approval-mozilla-aurora+)
Reproduces on trunk, has fixes for other dir=auto bugs.
>==2583== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f66817afcac at pc 0x7f66a5ded003 bp 0x7fff8c2f48b0 sp 0x7fff8c2f48a8
>READ of size 4 at 0x7f66817afcac thread T0
> #0 0x7f66a5ded002 in nsINode::GetBoolFlag(nsINode::BooleanFlag) const src/content/base/public/nsINode.h:1348
> #1 0x7f66a7ca7e8e in nsINode::HasTextNodeDirectionalityMap() const src/../../../dist/include/nsINode.h:1431
> #2 0x7f66a7ca69c7 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) src/content/base/src/DirectionalityUtils.cpp:506
> #3 0x7f66a7ca639a in mozilla::WalkAncestorsResetAutoDirection(mozilla::dom::Element*, bool) src/content/base/src/DirectionalityUtils.cpp:611
> #4 0x7f66a7cadcb3 in mozilla::SetDirOnBind(mozilla::dom::Element*, nsIContent*) src/content/base/src/DirectionalityUtils.cpp:902
> #5 0x7f66a82befe0 in mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/content/base/src/Element.cpp:1170
> #6 0x7f66a92582d9 in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/content/html/content/src/nsGenericHTMLElement.cpp:603
> #7 0x7f66a839af3a in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) src/content/base/src/nsINode.cpp:1325
> #8 0x7f66a878f247 in mozilla::dom::FragmentOrElement::InsertChildAt(nsIContent*, unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:884
> #9 0x7f66a83a3885 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/content/base/src/nsINode.cpp:1929
> #10 0x7f66a82eb1fd in nsINode::InsertBefore(nsINode&, nsINode*, mozilla::ErrorResult&) src/../../dist/include/nsINode.h:1538
> #11 0x7f66a82e7692 in nsINode::AppendChild(nsINode&, mozilla::ErrorResult&) src/../../dist/include/nsINode.h:1542
> #12 0x7f66b2f1eb83 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/NodeBinding.cpp:568
> #13 0x7f66b2ecad76 in mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/NodeBinding.cpp:1390
> #14 0x7f66bba6fa8a in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:378
> #15 0x7f66bba6fa8a in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
> #16 0x7f66bba2039e in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2385
> #17 0x7f66bb980e5b in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
> #18 0x7f66bba703de in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
> #19 0x7f66bb3013af in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
> #20 0x7f66bba75859 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
> #21 0x7f66bb1f5be2 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5831
> #22 0x7f66ae133cc5 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
> #23 0x7f66ae0d4950 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:581
> #24 0x7f66b40622df in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
> #25 0x7f66b405efc6 in SharedStub
> #26 0x7f66a8eb3a95 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:922
> #27 0x7f66a8eb52a7 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:989
> #28 0x7f66a90a627a in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.h:278
> #29 0x7f66a909542c in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:181
> #30 0x7f66a9093693 in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:310
> #31 0x7f66a909b3c7 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) src/content/events/src/nsEventDispatcher.cpp:678
> #32 0x7f66a909dc19 in nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) src/content/events/src/nsEventDispatcher.cpp:738
> #33 0x7f66a83963d5 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) src/content/base/src/nsINode.cpp:1101
> #34 0x7f66a7e7fe10 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool, bool*) src/content/base/src/nsContentUtils.cpp:3511
> #35 0x7f66a7e7f0e4 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool*) src/content/base/src/nsContentUtils.cpp:3481
> #36 0x7f66a809f7cf in nsDocument::DispatchContentLoadedEvents() src/content/base/src/nsDocument.cpp:4321
> #37 0x7f66a81a1f92 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:367
> #38 0x7f66b3f2d68f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #39 0x7f66b3ba2015 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #40 0x7f66b11ad57c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
> #41 0x7f66b4224742 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
> #42 0x7f66b4224579 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
> #43 0x7f66b422444e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
> #44 0x7f66b0567387 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
> #45 0x7f66af072ad5 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
> #46 0x7f66a42da984 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
> #47 0x7f66a42e056a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
> #48 0x7f66a42e3340 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
> #49 0x41d963 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
> #50 0x41ac69 in main src/browser/app/nsBrowserApp.cpp:388
> #51 0x7f66c74af76c in
>0x7f66817afcac is located 44 bytes inside of 120-byte region [0x7f66817afc80,0x7f66817afcf8)
>freed by thread T0 here:
> #0 0x40f992 in __interceptor_free
> #1 0x7f66c412f409 in moz_free src/memory/mozalloc/mozalloc.cpp:48
> #2 0x7f66a85ffab0 in operator delete(void*) src/../../../dist/include/mozilla/mozalloc.h:224
> #3 0x7f66a85ffab0 in nsTextNode::~nsTextNode() src/content/base/src/nsTextNode.cpp:117
> #4 0x7f66a84c5bf7 in nsNodeUtils::LastRelease(nsINode*) src/content/base/src/nsNodeUtils.cpp:258
> #5 0x7f66a833f9d0 in nsGenericDOMDataNode::Release() src/content/base/src/nsGenericDOMDataNode.cpp:117
> #6 0x7f66a85fffaa in nsTextNode::Release() src/content/base/src/nsTextNode.cpp:121
> #7 0x7f66a42a446f in nsCOMPtr_base::~nsCOMPtr_base() src/objdir-ff-asan-sym/media/webrtc/signaling/signaling_ecc/../../../../dist/include/nsCOMPtr.h:410
> #8 0x7f66a60a1fdc in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
> #9 0x7f66a60a1ca9 in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
> #10 0x7f66a878f65d in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:896
> #11 0x7f66a7e96ffe in nsContentUtils::SetNodeTextContent(nsIContent*, nsAString_internal const&, bool) src/content/base/src/nsContentUtils.cpp:4374
> #12 0x7f66a878fa82 in mozilla::dom::FragmentOrElement::SetTextContentInternal(nsAString_internal const&, mozilla::ErrorResult&) src/content/base/src/FragmentOrElement.cpp:908
> #13 0x7f66a7c9ff9a in nsINode::SetTextContent(nsAString_internal const&, mozilla::ErrorResult&) src/../../dist/include/nsINode.h:1087
> #14 0x7f66b2e9d3bf in mozilla::dom::NodeBinding::set_textContent(JSContext*, JS::Handle<JSObject*>, nsINode*, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/NodeBinding.cpp:417
> #15 0x7f66b2e98e18 in mozilla::dom::NodeBinding::genericSetter(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/NodeBinding.cpp:1458
> #16 0x7f66bba6fa8a in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:378
> #17 0x7f66bba6fa8a in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
> #18 0x7f66bb3013af in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
> #19 0x7f66bba75859 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
> #20 0x7f66bba7bcd5 in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:512
> #21 0x7f66bbd1e288 in js::Shape::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) src/js/src/jsscopeinlines.h:314
> #22 0x7f66bbd59204 in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>, int) src/js/src/jsobj.cpp:3841
> #23 0x7f66bbab0338 in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/jsinterpinlines.h:365
> #24 0x7f66bba1024d in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2278
> #25 0x7f66bb980e5b in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
> #26 0x7f66bba703de in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
> #27 0x7f66bb3013af in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
> #28 0x7f66bba75859 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
> #29 0x7f66bb1f5be2 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5831
> #30 0x7f66ae133cc5 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
> #31 0x7f66ae0d4950 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:581
>previously allocated by thread T0 here:
> #0 0x40fa72 in malloc
> #1 0x7f66c412f554 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
> #2 0x7f66a85ff2d0 in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
> #3 0x7f66a85ff2d0 in NS_NewTextNode(nsIContent**, nsNodeInfoManager*) src/content/base/src/nsTextNode.cpp:106
> #4 0x7f66abf28cae in nsHtml5TreeOperation::AppendText(unsigned short const*, unsigned int, nsIContent*, nsHtml5TreeOpExecutor*) src/parser/html/nsHtml5TreeOperation.cpp:164
> #5 0x7f66abf33f37 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) src/parser/html/nsHtml5TreeOperation.cpp:457
> #6 0x7f66abf52096 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:559
> #7 0x7f66abf900ad in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:127
> #8 0x7f66b3f2d68f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #9 0x7f66b3ba2015 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #10 0x7f66b3f2b5a3 in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:474
> #11 0x7f66b3f54472 in nsRunnableMethodImpl<tag_nsresult (nsIThread::*)(), true>::Run() src/../../dist/include/nsThreadUtils.h:367
> #12 0x7f66b3f2d68f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #13 0x7f66b3ba2015 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #14 0x7f66b11ad57c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
> #15 0x7f66b4224742 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
> #16 0x7f66b4224579 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
> #17 0x7f66b422444e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
> #18 0x7f66b0567387 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
> #19 0x7f66af072ad5 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
> #20 0x7f66a42da984 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
> #21 0x7f66a42e056a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
> #22 0x7f66a42e3340 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
> #23 0x41d963 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
> #24 0x41ac69 in main src/browser/app/nsBrowserApp.cpp:388
>Shadow bytes around the buggy address:
> 0x1fecd02f5f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1fecd02f5f50: 00 00 00 00 fb fb fb fb fb fb fb fb fb fb fb fb
> 0x1fecd02f5f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1fecd02f5f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x1fecd02f5f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>=>0x1fecd02f5f90: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
> 0x1fecd02f5fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1fecd02f5fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x1fecd02f5fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1fecd02f5fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x1fecd02f5fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap righ redzone: fb
> Freed Heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> ASan internal: fe
>Stats: 251M malloced (272M for red zones) by 406231 calls
>Stats: 47M realloced by 24222 calls
>Stats: 216M freed by 273892 calls
>Stats: 83M really freed by 193907 calls
>Stats: 472M (472M-0M) mmaped; 118 maps, 0 unmaps
> mmaps by size class: 8:294894; 9:32764; 10:8190; 11:14329; 12:2048; 13:1536; 14:1280; 15:384; 16:1216; 17:1312; 18:48; 19:40; 20:24;
> mallocs by size class: 8:339578; 9:32263; 10:8845; 11:16335; 12:2515; 13:1701; 14:1604; 15:407; 16:1489; 17:1362; 18:69; 19:40; 20:23;
> frees by size class: 8:225362; 9:22259; 10:5111; 11:14068; 12:1481; 13:1241; 14:1432; 15:281; 16:1198; 17:1344; 18:57; 19:38; 20:20;
> rfrees by size class: 8:171380; 9:7877; 10:2170; 11:9472; 12:612; 13:520; 14:456; 15:165; 16:1007; 17:217; 18:26; 19:4; 20:1;
>Stats: malloc large: 1494 small slow: 2384
>Stats: StackDepot: 0 ids; 0M mapped
>==2583== ABORTING
>
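For triage, the three stacks in the report above reduce to a use site, a free site and an allocation site. The following parser is an added example, not part of the original bug report or of Mozilla's tooling. The `ALLOCATOR` skip list and the function names `parse_asan`, `first_owner` and `triage` are assumptions made for illustration.

```python
import re

# Excerpt of the ASan report above: header, region line, first frames per stack.
REPORT = """\
>==2583== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f66817afcac at pc 0x7f66a5ded003 bp 0x7fff8c2f48b0 sp 0x7fff8c2f48a8
>READ of size 4 at 0x7f66817afcac thread T0
> #0 0x7f66a5ded002 in nsINode::GetBoolFlag(nsINode::BooleanFlag) const src/content/base/public/nsINode.h:1348
>0x7f66817afcac is located 44 bytes inside of 120-byte region [0x7f66817afc80,0x7f66817afcf8)
>freed by thread T0 here:
> #0 0x40f992 in __interceptor_free
> #1 0x7f66c412f409 in moz_free src/memory/mozalloc/mozalloc.cpp:48
> #2 0x7f66a85ffab0 in operator delete(void*) src/../../../dist/include/mozilla/mozalloc.h:224
> #3 0x7f66a85ffab0 in nsTextNode::~nsTextNode() src/content/base/src/nsTextNode.cpp:117
>previously allocated by thread T0 here:
> #0 0x40fa72 in malloc
> #1 0x7f66c412f554 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
> #2 0x7f66a85ff2d0 in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
> #3 0x7f66a85ff2d0 in NS_NewTextNode(nsIContent**, nsNodeInfoManager*) src/content/base/src/nsTextNode.cpp:106
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at ")
REGION = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+ in (.*?)(?: (\S+:\d+))?$")
# Assumed skip list: allocator plumbing that never names the owning code.
ALLOCATOR = ("__interceptor_", "malloc", "moz_free", "moz_xmalloc", "operator new", "operator delete")

def parse_asan(text):
    """Split a heap report into header fields and access/free/alloc stacks."""
    out, section = {"stacks": {"access": [], "free": [], "alloc": []}}, None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()  # drop Bugzilla quote markers
        if m := HEADER.search(line):
            out["kind"], out["address"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS.match(line):
            out["access"], out["size"], section = m.group(1), int(m.group(2)), "access"
        elif m := REGION.search(line):
            out["offset"], out["region_size"] = int(m.group(1)), int(m.group(2))
            out["region"] = (int(m.group(3), 16), int(m.group(4), 16))
        elif line.startswith("freed by thread"):
            section = "free"
        elif line.startswith("previously allocated by thread"):
            section = "alloc"
        elif section and (m := FRAME.match(line)):
            out["stacks"][section].append((m.group(1), m.group(2)))
    return out

def first_owner(frames):
    """First (function, location) frame that is not allocator plumbing."""
    return next((f for f in frames if not f[0].startswith(ALLOCATOR)), None)

def triage(text):
    r = parse_asan(text)
    start, end = r["region"]
    # A truncated or hand-edited report fails this address/size cross-check.
    consistent = r["address"] - start == r["offset"] and end - start == r["region_size"]
    return {"bug": r["kind"], "used_in": r["stacks"]["access"][0][0],
            "freed_by": first_owner(r["stacks"]["free"]),
            "allocated_by": first_owner(r["stacks"]["alloc"]), "consistent": consistent}
```

The free and allocation sites both resolve to `nsTextNode`, which identifies the object whose lifetime ended while the directionality code still referenced it.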
Updated•12 years ago
Keywords: csec-uaf, sec-critical
Whiteboard: [asan]
Updated•12 years ago
Blocks: 819623
Comment 1•12 years ago
Assigning to Simon Montagu because he fixed the blocking bug. Feel free to reassign as appropriate.
Assignee: nobody → smontagu
Comment 2•12 years ago
Kyle: by marking this blocking bug 819623 were you trying to say this is a regression from that fix? Or just that it's similar to it like the other DirAuto regressions?
status-firefox21: --- → affected
tracking-firefox21: --- → +
Flags: sec-bounty?
Flags: needinfo?(khuey)
I believe it is a regression, but I don't remember for sure.
Flags: needinfo?(khuey)
Comment 4•12 years ago (Assignee)
Comment 5•12 years ago (Assignee)
Need to clear the dir-auto flags when setting dir to an invalid value.
Attachment #706870 - Flags: review?(ehsan)
Updated•12 years ago
Attachment #706870 - Flags: review?(ehsan) → review+
Comment 6•12 years ago (Assignee)
Comment 7•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox21: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Updated•12 years ago
Keywords: regression
Updated•12 years ago
status-b2g18: --- → unaffected
status-firefox-esr17: --- → unaffected
Comment 8•12 years ago
We need this in Firefox 20 as well, right? It'll be easier to get approval to land while that's still on Aurora.
Comment 9•12 years ago (Assignee)
Comment on attachment 706870
Patch
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 548206 (or one of its followups)
User impact if declined: critical security vulnerability
Testing completed (on m-c, etc.): Baked on m-c since 2013-01-28
Risk to taking this patch (and alternatives if risky): Minimal
String or UUID changes made by this patch: None
Attachment #706870 - Flags: approval-mozilla-aurora?
Comment 10•12 years ago
Comment on attachment 706870
Patch
low risk fix for a sec-critical regression. Approving on aurora.
Attachment #706870 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 11•12 years ago (Assignee)
Updated•12 years ago
Attachment #709943 - Attachment description: Bug Bounty Awarded $3000 → Bug Bounty Awarded $3000 [paid]
Updated•12 years ago
Whiteboard: [asan] → [asan][adv-main20+]
Updated•12 years ago
Whiteboard: [asan][adv-main20+] → [asan][adv-main20-]
Updated•11 years ago
Group: core-security
Comment 12•11 years ago (Assignee)
Flags: in-testsuite? → in-testsuite+