Closed Bug 1268482 Opened 10 years ago Closed 4 years ago

AVR:NULL c09.1cb @ firefox.exe!xul.dll!nsEditor::DeleteSelectionAndPrepareToCreateNode

Categories

(Core :: DOM: Editor, defect)

45 Branch
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox46 --- affected
firefox47 --- affected
firefox48 --- affected
firefox49 --- affected
firefox-esr38 --- affected
firefox-esr45 --- affected

People

(Reporter: abbGZcvu_bugzilla.mozilla.org, Unassigned)

Details

(Keywords: crash, reproducible, testcase)

Crash Data

Attachments

(1 file)

Attached file Repro
Repro:
<body onload=d=document;d.execCommand("insertHTML",d.addEventListener("DOMSubtreeModified",d.normalize.bind(d)),d.designMode='on')> a

Result: NULL pointer crash in xul!nsEditor::DeleteSelectionAndPrepareToCreateNode

Disassembly around crash:
xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0x151 [c:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\editor\libeditor\nseditor.cpp @ 4132]:
61f8e229 8b17            mov     edx,dword ptr [edi]    ⇐ instruction pointer
61f8e22b ff928c000000    call    dword ptr [edx+8Ch]
61f8e231 50              push    eax
61f8e232 57              push    edi
61f8e233 8bce            mov     ecx,esi
61f8e235 e80a0804ff      call    xul!mozilla::dom::Selection::Collapse (60fcea44)

Relevant stack:
xul.dll!nsEditor::DeleteSelectionAndPrepareToCreateNode + 0x151 (c09 in id) [c:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\editor\libeditor\nseditor.cpp @ 4132]
xul.dll!nsHTMLEditor::DoInsertHTMLWithContext + 0x39D (1cb in id) [c:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\editor\libeditor\nshtmldatatransfer.cpp @ 342]
xul.dll!nsHTMLEditor::InsertHTMLWithContext + 0x2D [c:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\editor\libeditor\nshtmldatatransfer.cpp @ 192]
xul.dll!nsHTMLEditor::InsertHTML + 0x1C [c:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\editor\libeditor\nshtmldatatransfer.cpp @ 176]
xul.dll!nsInsertHTMLCommand::DoCommandParams + 0x6C [c:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\editor\composer\nscomposercommands.cpp @ 1341]

Reported as crashing in https://mxr.mozilla.org/mozilla-central/source/editor/libeditor/nsEditor.cpp#4132

4091 nsresult
4092 nsEditor::DeleteSelectionAndPrepareToCreateNode()
4093 {
...
4108   // If the selection is a chardata node, split it if necessary and compute
4109   // where to put the new node
4110   nsCOMPtr<nsINode> node = selection->GetAnchorNode();
4111   MOZ_ASSERT(node, "Selection has no ranges in it");
4112
4113   if (node && node->IsNodeOfType(nsINode::eDATA_NODE)) {
4114     NS_ASSERTION(node->GetParentNode(),
4115                  "It's impossible to insert into chardata with no parent -- "
4116                  "fix the caller");
4117     NS_ENSURE_STATE(node->GetParentNode());
...
4131     } else {
4132**     nsCOMPtr<nsIDOMNode> tmp;
4133       res = SplitNode(node->AsDOMNode(), offset, getter_AddRefs(tmp));
4134       NS_ENSURE_SUCCESS(res, res);
4135       res = selection->Collapse(node->GetParentNode(),
4136                                 node->GetParentNode()->IndexOf(node));
4137       MOZ_ASSERT(NS_SUCCEEDED(res));
4138       NS_ENSURE_SUCCESS(res, res);
4139     }
4140   }
4141   return NS_OK;
4142 }

I believe the source mapping may be off by a few and the crash actually happens on line 4136 in "node->GetParentNode()->IndexOf(node)" because node->GetParentNode() returns null, but I am speculating based on comparing the disassembly and source - I have not tested this in a local build.
Crash Signature: [@ nsEditor::DeleteSelectionAndPrepareToCreateNode ]
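
The failure mode hypothesised in the report (a mutation listener removes the node, so its parent is null by the time line 4136 dereferences it), as an added example that is not Gecko code and not part of the report. `Node`, `SplitWithListener`, `DetachingListener` and `CollapseAfterSplit` are hypothetical stand-ins, and the guard is one possible defensive pattern, not a fix Mozilla is known to have applied.

```cpp
#include <algorithm>
#include <functional>
#include <vector>

// Hypothetical stand-in for a DOM node; this is not Gecko's nsINode.
struct Node {
  Node* parent = nullptr;
  std::vector<Node*> children;
  int IndexOf(const Node* child) const {
    auto it = std::find(children.begin(), children.end(), child);
    return it == children.end() ? -1 : static_cast<int>(it - children.begin());
  }
  void Remove(Node* child) {
    children.erase(std::remove(children.begin(), children.end(), child),
                   children.end());
    child->parent = nullptr;
  }
};

using MutationListener = std::function<void(Node*)>;
enum class Result { Ok, NodeDetached };
// Models a DOM mutation that synchronously runs a script-visible listener,
// as DOMSubtreeModified does in the report.
void SplitWithListener(Node* node, const MutationListener& listener) {
  if (listener) listener(node);
}
// Models a listener whose side effect (normalize() in the repro) removes the node.
void DetachingListener(Node* node) {
  if (node->parent) node->parent->Remove(node);
}

// Guarded form of node->parent->IndexOf(node): re-read the parent after the mutation.
Result CollapseAfterSplit(Node* node, const MutationListener& listener,
                          int* outIndex) {
  SplitWithListener(node, listener);
  Node* parent = node->parent;
  if (!parent) return Result::NodeDetached;  // node was removed re-entrantly
  *outIndex = parent->IndexOf(node);
  return Result::Ok;
}

int main() {  // constructed input: one text node under a root
  Node root, text;
  root.children = {&text};
  text.parent = &root;
  int index = -1;
  Result r = CollapseAfterSplit(&text, DetachingListener, &index);
  return r == Result::NodeDetached ? 0 : 1;
}
```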

It seems this crash no longer occurs since I can't find any reports on it. I will close it as WFM, and then if it starts to reoccur we can reopen the issue.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME