Bug 594808
NULL pointer crash [@ nsTypedSelection::RemoveRange(nsIRange*) ] when detaching and removing a range from a selection
Opened 14 years ago, closed 14 years ago
Status: RESOLVED FIXED
Target Milestone: mozilla2.0b7
Categories: Core :: DOM: Selection, defect, P1
People: Reporter: abbGZcvu_bugzilla.mozilla.org, Assigned: bzbarsky
Keywords: crash, testcase
Attachments (2 files)
- 175 bytes, text/html
- 1.56 KB, patch (sicking: review+, sicking: approval2.0+)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.55 Safari/534.3
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b5) Gecko/20100101 Firefox/4.0b5

Repro:

<script>
  oSelection = window.getSelection();
  oRange = document.createRange();
  oSelection.addRange(oRange);
  oRange.detach();
  oSelection.removeRange(oRange);
</script>

The code above both detaches a range from the selection as well as removes it, which causes a NULL ptr crash. The code is probably missing a check somewhere.

Reproducible: Always

Steps to Reproduce:
1. Load the repro in Firefox 3/4
2. Crash FTW!

Actual Results: NULL pointer crash

Expected Results: Nothing or JavaScript error thrown

Appears to work in Firefox 3.6 and 4.0. I will upload a crash report for both.
Crash report uploaded. I put the URL of this bug in the details field (https://bugzilla.mozilla.org/show_bug.cgi?id=594808).
Comment 3 • 14 years ago
On Trunk:

Signature: nsTypedSelection::RemoveRange(nsIRange*)
UUID: 632280c2-21c3-4e82-b6d9-d7ef72100909
Time: 2010-09-09 13:46:43.294648
Uptime: 310
Last Crash: 15371 seconds (4.3 hours) before submission
Install Age: 13868 seconds (3.9 hours) since version was first installed.
Product: Firefox
Version: 4.0b6pre
Build ID: 20100909041137
Branch: 2.0
OS: Windows NT
OS Version: 5.1.2600 Service Pack 3
CPU: x86
CPU Info: GenuineIntel family 15 model 2 stepping 9
Crash Reason: EXCEPTION_ACCESS_VIOLATION
Crash Address: 0x0
User Comments: Bug 594808
App Notes: AdapterVendorID: 1002, AdapterDeviceID: 7280
Processor Notes:
EMCheckCompatibility: False

Frame  Module  Signature  Source
0  xul.dll  nsTypedSelection::RemoveRange(nsIRange*)  layout/generic/nsSelection.cpp:4808
1  xul.dll  nsTypedSelection::RemoveRange(nsIDOMRange*)  layout/generic/nsSelection.cpp:4791
2  xul.dll  NS_InvokeByIndex_P  xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
3  xul.dll  js::InvokeCommon<int (__cdecl*)(JSContext*,JSObject*,unsigned int,js::Value*,js::Value*)>  js/src/jsinterp.cpp:566
4  xul.dll  js::Invoke(JSContext*,js::CallArgs const&,unsigned int)  js/src/jsinterp.cpp:696
5  xul.dll  js::Interpret(JSContext*)  js/src/jsinterp.cpp:4707
6  xul.dll  js::Execute(JSContext*,JSObject*,JSScript*,JSStackFrame*,unsigned int,js::Value*)  js/src/jsinterp.cpp:881
7  xul.dll  JS_EvaluateUCScriptForPrincipals  js/src/jsapi.cpp:4801
8  xul.dll  nsJSContext::EvaluateString(nsAString_internal const&,void*,nsIPrincipal*,char const*,unsigned int,unsigned int,nsAString_internal*,int*)  dom/base/nsJSEnvironment.cpp:1737
9  xul.dll  nsScriptLoader::EvaluateScript(nsScriptLoadRequest*,nsString const&)  content/base/src/nsScriptLoader.cpp:767
10  xul.dll  nsScriptLoader::ProcessRequest(nsScriptLoadRequest*)  content/base/src/nsScriptLoader.cpp:677
11  xul.dll  nsScriptLoader::ProcessScriptElement(nsIScriptElement*)  content/base/src/nsScriptLoader.cpp:617
12  xul.dll  nsScriptElement::MaybeProcessScript()  content/base/src/nsScriptElement.cpp:197
13  xul.dll  nsHTMLScriptElement::MaybeProcessScript()  content/html/content/src/nsHTMLScriptElement.cpp:551
14  xul.dll  nsHTMLScriptElement::DoneAddingChildren(int)  content/html/content/src/nsHTMLScriptElement.cpp:479
15  xul.dll  nsHtml5TreeOpExecutor::RunScript(nsIContent*)  parser/html/nsHtml5TreeOpExecutor.cpp:730

On 1.9.2 Branch:

Signature: nsTypedSelection::RemoveRange(nsIRange*)
UUID: f2072bc6-3d9e-484c-96a9-3ce052100909
Time: 2010-09-09 13:50:06.614378
Uptime: 15
Last Crash: 204 seconds (3.4 minutes) before submission
Install Age: 1208073 seconds (2.0 weeks) since version was first installed.
Product: Firefox
Version: 3.6.9
Build ID: 20100824153629
Branch: 1.9
OS: Windows NT
OS Version: 5.1.2600 Service Pack 3
CPU: x86
CPU Info: GenuineIntel family 15 model 2 stepping 9
Crash Reason: EXCEPTION_ACCESS_VIOLATION
Crash Address: 0x0
User Comments: Bug 594808
Processor Notes:
EMCheckCompatibility: False

Frame  Module  Signature  Source
0  xul.dll  nsTypedSelection::RemoveRange(nsIRange*)  layout/generic/nsSelection.cpp:5202
1  xul.dll  nsTypedSelection::RemoveRange(nsIDOMRange*)  layout/generic/nsSelection.cpp:5185
2  xul.dll  NS_InvokeByIndex_P  xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
3  xul.dll  XPCWrappedNative::CallMethod(XPCCallContext&,XPCWrappedNative::CallMode)  js/src/xpconnect/src/xpcwrappednative.cpp:2722
4  xul.dll  XPC_WN_CallMethod(JSContext*,JSObject*,unsigned int,int*,int*)  js/src/xpconnect/src/xpcwrappednativejsops.cpp:1740
5  js3250.dll  js_Invoke  js/src/jsinterp.cpp:1360
6  js3250.dll  js_Interpret  js/src/jsops.cpp:2240
7  js3250.dll  js_Execute  js/src/jsinterp.cpp:1601
8  js3250.dll  JS_EvaluateUCScriptForPrincipals  js/src/jsapi.cpp:5072
9  xul.dll  nsJSContext::EvaluateString(nsAString_internal const&,void*,nsIPrincipal*,char const*,unsigned int,unsigned int,nsAString_internal*,int*)  dom/base/nsJSEnvironment.cpp:1756
10  xul.dll  nsScriptLoader::EvaluateScript(nsScriptLoadRequest*,nsString const&)  content/base/src/nsScriptLoader.cpp:711
11  xul.dll  nsScriptLoader::ProcessRequest(nsScriptLoadRequest*)  content/base/src/nsScriptLoader.cpp:625
12  xul.dll  nsScriptLoader::ProcessScriptElement(nsIScriptElement*)  content/base/src/nsScriptLoader.cpp:577
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: General → Selection
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → selection
Summary: NULL pointer crash when detaching and removing a range from a selection → NULL pointer crash [@ nsTypedSelection::RemoveRange(nsIRange*) ] when detaching and removing a range from a selection
Version: unspecified → Trunk
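The repro's call order and the frame 0 fault from the crash reports, modelled as an added C++ example; it is not Gecko source and not the patch attached to this bug. It assumes `Detach()` clears the range's boundary nodes while the selection still lists the range, and every type and function name in it is hypothetical.

```cpp
// Simplified model of the crash pattern; hypothetical names, not Gecko source.
// Assumption: Detach() clears the boundary nodes but the selection keeps the range.
#include <algorithm>
#include <vector>

struct Node { int id; };
struct Range {
  Node* start;
  Node* end;
  void Detach() { start = end = nullptr; }
};
struct Selection {
  std::vector<Range*> ranges;
  std::vector<int> repainted;  // ids of nodes whose rendering was refreshed
  bool Erase(Range* r) {
    auto it = std::find(ranges.begin(), ranges.end(), r);
    if (it == ranges.end()) return false;
    ranges.erase(it);
    return true;
  }
  // Unchecked form: on a detached range r->start is null, so reading
  // r->start->id faults at address 0. Never called in this example.
  bool RemoveRangeUnchecked(Range* r) {
    if (!Erase(r)) return false;
    repainted.push_back(r->start->id);
    repainted.push_back(r->end->id);
    return true;
  }
  // Checked form: drops the range, repaints only if both boundaries exist.
  bool RemoveRange(Range* r) {
    if (!r || !Erase(r)) return false;
    if (r->start && r->end) {
      repainted.push_back(r->start->id);
      repainted.push_back(r->end->id);
    }
    return true;
  }
};

// Replays the repro's call order: add, detach, remove.
bool ReproIsHandled() {
  Node body{1};
  Range range{&body, &body};
  Selection sel;
  sel.ranges.push_back(&range);
  range.Detach();
  return sel.RemoveRange(&range) && sel.ranges.empty() && sel.repainted.empty();
}
```

Treating removal of a detached range as a silent no-op on repaint is one of the two outcomes the reporter listed as expected ("Nothing or JavaScript error thrown"); the model picks the first.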
Comment 4 • 14 years ago (Assignee)
Updated • 14 years ago (Assignee)
Attachment #473923 - Flags: review?(jonas)
Updated • 14 years ago (Assignee)
Assignee: nobody → bzbarsky
Priority: -- → P1
Updated • 14 years ago (Assignee)
Whiteboard: [need review]
Comment on attachment 473923 (Fix)
Though please add a newline at the end of the test.
Attachment #473923 - Flags: review?(jonas) → review+
Updated • 14 years ago (Assignee)
Whiteboard: [need review] → [need approval]
Updated • 14 years ago (Assignee)
Attachment #473923 - Flags: approval2.0?
Comment 6 • 14 years ago (Assignee)
Jonas, want to approve this too?
Comment on attachment 473923 (Fix)
Just noticed the missing endline at the end of the testcase. Please fix before checking in.
Attachment #473923 - Flags: approval2.0? → approval2.0+
Comment 8 • 14 years ago (Assignee)
Yes, you noticed that during review too. And then I fixed it locally. ;)
Whiteboard: [need approval] → [need landing]
Hey, at least I'm consistent :)
Comment 10 • 14 years ago (Assignee)
Pushed http://hg.mozilla.org/mozilla-central/rev/cb077620dd05
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [need landing]
Target Milestone: --- → mozilla2.0b8
Updated • 14 years ago (Assignee)
Target Milestone: mozilla2.0b8 → mozilla2.0b7
Comment 11 • 13 years ago
Hey, I'm still getting this crash on FF 3.6.13.
Comment 12 • 13 years ago
(In reply to comment #11)
> Hey, I'm still getting this crash on FF 3.6.13.

The fix has not been backported to 3.6.
Updated • 13 years ago
Crash Signature: [@ nsTypedSelection::RemoveRange(nsIRange*) ]