Closed Bug 1965664 Opened 22 days ago Closed 19 days ago

crash near null at [@ mozilla::ContentSubtreeIterator::Next]

Categories

(Core :: DOM: Selection, defect)

Tracking

VERIFIED FIXED
140 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox138 --- unaffected
firefox139 --- unaffected
firefox140 blocking verified

People

(Reporter: tsmith, Assigned: sefeng)

References

(Blocks 2 open bugs, Regression)

Details

(4 keywords, Whiteboard: [fuzzblocker][bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing 20250510-72ee50ceade7 (--enable-address-sanitizer --enable-fuzzing)

This is being reported by fuzzers at a very high rate; marking as fuzzblocker.

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
==9579==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x792b44a79631 bp 0x7fff5f209b10 sp 0x7fff5f209aa0 T0)
==9579==The signal is caused by a READ memory access.
==9579==Hint: address points to the zero page.
    #0 0x792b44a79631 in get /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:751:48
    #1 0x792b44a79631 in operator nsIContent * /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:759:33
    #2 0x792b44a79631 in GetFirstChild /builds/worker/checkouts/gecko/dom/base/nsINode.h:1780:46
    #3 0x792b44a79631 in mozilla::ContentSubtreeIterator::Next() /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1256:24
    #4 0x792b44e7affe in mozilla::dom::Selection::SelectFrames(nsPresContext*, mozilla::dom::AbstractRange&, bool) const /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2007:45
    #5 0x792b44e88d23 in mozilla::dom::Selection::AddRangeAndSelectFramesAndNotifyListenersInternal(nsRange&, mozilla::dom::Document*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2592:3
    #6 0x792b44e89285 in mozilla::dom::Selection::AddRangeAndSelectFramesAndNotifyListeners(nsRange&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2522:10
    #7 0x792b4b742bca in mozilla::AutoClonedSelectionRangeArray::ApplyTo(mozilla::dom::Selection&) /builds/worker/checkouts/gecko/editor/libeditor/AutoClonedRangeArray.h:519:18
    #8 0x792b4b889ad3 in nsresult mozilla::HTMLEditor::SetInlinePropertiesAsSubAction<1ul>(AutoTArray<mozilla::EditorInlineStyleAndValue, 1ul> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLStyleEditor.cpp:317:24
    #9 0x792b4b88479e in mozilla::HTMLEditor::SetInlinePropertyAsAction(nsStaticAtom&, nsStaticAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLStyleEditor.cpp:198:8
    #10 0x792b4b7cad3e in mozilla::StyleUpdatingCommand::ToggleState(nsStaticAtom&, mozilla::HTMLEditor&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:210:29
    #11 0x792b44bff96b in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5727:37
    #12 0x792b465af3ef in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4181:36
    #13 0x792b46a2bb7f in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3302:13
    #14 0x792b4d5e5cf7 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:494:13
    #15 0x792b4d5e5cf7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:590:12
    #16 0x792b4e6b0429 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1705:10
    #17 0x792aab012963  ([anon:js-executable-memory]+0x2963)
Flags: in-testsuite?
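As an added triage helper (not part of the bug report or of Mozilla's tooling), the following parses the ASan report quoted above, collapses the inlined frames that share the top pc into the function that actually executed, and classifies the fault as a null dereference from the zero-page address. The sample input is a constructed excerpt of the quoted report.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the ASan report from the bug: frames #0-#3 share one pc,
# i.e. nsCOMPtr::get / GetFirstChild are inlined into ContentSubtreeIterator::Next.
SAMPLE_REPORT = """\
==9579==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x792b44a79631 bp 0x7fff5f209b10 sp 0x7fff5f209aa0 T0)
==9579==The signal is caused by a READ memory access.
==9579==Hint: address points to the zero page.
    #0 0x792b44a79631 in get /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:751:48
    #1 0x792b44a79631 in operator nsIContent * /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:759:33
    #2 0x792b44a79631 in GetFirstChild /builds/worker/checkouts/gecko/dom/base/nsINode.h:1780:46
    #3 0x792b44a79631 in mozilla::ContentSubtreeIterator::Next() /builds/worker/checkouts/gecko/dom/base/ContentIterator.cpp:1256:24
    #4 0x792b44e7affe in mozilla::dom::Selection::SelectFrames(nsPresContext*, mozilla::dom::AbstractRange&, bool) const /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2007:45
"""

# Function names may contain spaces ("operator nsIContent *", "... const"), so the
# name is matched lazily up to the absolute source path that ends every frame.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x([0-9a-f]+) in (.+?) (/\S+?):(\d+):(\d+)$")
HEADER_RE = re.compile(r"AddressSanitizer: (\w+) on unknown address 0x([0-9a-f]+)")


@dataclass
class Frame:
    index: int
    pc: int
    func: str
    file: str
    line: int


def parse_frames(report: str) -> list:
    """Return the symbolized frames; unsymbolized JIT frames are skipped."""
    frames = []
    for text in report.splitlines():
        m = FRAME_RE.match(text)
        if m:
            frames.append(Frame(int(m[1]), int(m[2], 16), m[3], m[4], int(m[5])))
    return frames


def fault_address(report: str):
    m = HEADER_RE.search(report)
    return int(m[2], 16) if m else None


def is_null_deref(report: str, page_size: int = 4096) -> bool:
    """ASan's 'zero page' hint: the faulting address is a small field offset from 0."""
    addr = fault_address(report)
    return addr is not None and addr < page_size


def innermost_call(report: str):
    """Frames sharing frame #0's pc are inlined; the outermost of them is the real callee."""
    frames = parse_frames(report)
    if not frames:
        return None
    group = [f for f in frames if f.pc == frames[0].pc]
    return group[-1].func.split("(")[0]
```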

This issue is also being reported by live site testing.

Crash Signature: [@ mozilla::ContentSubtreeIterator::Next] → [@ mozilla::ContentSubtreeIterator::Next] [@ nsINode::GetFirstChild ]

Bisection:
Bug 1932150 - Add new test cases for selection in flat tree r=smaug
Differential Revision: https://phabricator.services.mozilla.com/D231591

Flags: needinfo?(sefeng)
Keywords: regression
Regressed by: 1932150

Set release status flags based on info from the regressing bug 1932150

Crash Signature: [@ mozilla::ContentSubtreeIterator::Next] [@ nsINode::GetFirstChild ] → [@ mozilla::ContentSubtreeIterator::Next] [@ mozilla::Maybe<T>::value | IsItemInRangeComparator::operator()] [@ nsINode::GetFirstChild ]

Regressor landed in 140

Verified bug as reproducible on mozilla-central 20250511205430-e473aa82ffe1.
The bug appears to have been introduced in the following build range:

Start: 101e4f854d1a33e0221db74e2b5fd02d103d1096 (20250509181936)
End: cd52078d7a2a64f813974712b9f3565a18714483 (20250509195321)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=101e4f854d1a33e0221db74e2b5fd02d103d1096&tochange=cd52078d7a2a64f813974712b9f3565a18714483

Whiteboard: [fuzzblocker] → [fuzzblocker][bugmon:bisected,confirmed]

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 desktop browser crashes on nightly

For more information, please visit BugBot documentation.

Keywords: topcrash

The bug is marked as tracked for firefox140 (nightly). We have limited time to fix this, the soft freeze is in 10 days. However, the bug still isn't assigned.

:hsinyi, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply backout the regressor. If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Flags: needinfo?(htsai)

Sean, please take this.

Assignee: nobody → sefeng
Severity: -- → S2
Flags: needinfo?(htsai)

by skipping the shadow hosts that ShadowDOM selection doesn't
support at the moment.

Pushed by sefeng@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3aa74b745aa5 Fix some crashes in ContentSubtreeIterator r=jjaschke,dom-core
Status: NEW → RESOLVED
Closed: 19 days ago
Resolution: --- → FIXED
Target Milestone: --- → 140 Branch
Regressions: 1966135

Verified bug as fixed on rev mozilla-central 20250513092634-bff55607678c.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
See Also: → 1966269

Looking at the crash volumes,

[@ mozilla::ContentSubtreeIterator::Next ]
[@ nsINode::GetFirstChild ]

are now fixed

[@ mozilla::Maybe<T>::value | IsItemInRangeComparator::operator() ] should be fixed by bug 1966485

Flags: needinfo?(sefeng)