Bug 1272490: Crash in nsHTMLEditRules::ReapplyCachedStyles
Status: RESOLVED FIXED (Opened 9 years ago, Closed 9 years ago)
Categories: Core :: DOM: Editor, defect
Target Milestone: mozilla49
| | Tracking | Status |
|---|---|---|
| firefox49 | --- | fixed |
People: (Reporter: vulnerable.zappa, Assigned: masayuki)
Details: (4 keywords)
Attachments: (2 files, 1 obsolete file)
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160502172042
Steps to reproduce:
Run  repro 
Actual results:
Registers:
    eax = 0x0038CBCC (RW-)
    ebx = 0x1BECA000 (RW-)
    ecx = 0x0038CBCC (RW-)
    edx = 0x00000000      
    esi = 0x00000000      
    edi = 0x00000000      
    ebp = 0x1BECA000 (RW-)
    esp = 0x0038CBB8 (RW-)
    eip = 0x6F80D9DB (R-X) - xul!nsHTMLEditRules::ReapplyCachedStyles
Code:
    0x6F80D9DB - mov ecx, [esi+1ch]
    0x6F80D9DE - cmp dword ptr [ecx], 0
    0x6F80D9E1 - jnz 6f80d9eah
    0x6F80D9E3 - xor edi, edi
    0x6F80D9E5 - jmp 6f80daf3h
    0x6F80D9EA - push 0
    0x6F80D9EC - mov ecx, esi
    0x6F80D9EE - call xul!mozilla::dom::Selection::GetRangeAt
Call Stack:
    0x6F80D9DB - xul!nsHTMLEditRules::ReapplyCachedStyles
    0x6F7EEC46 - xul!nsHTMLEditRules::AfterEditInner
    0x6F7EE892 - xul!nsHTMLEditRules::AfterEdit
    0x6E4820FE - xul!nsPlaintextEditor::EndOperation
    0x6E8EBD32 - xul!nsAutoRules::~nsAutoRules
    0x6F80A1AC - xul!nsHTMLEditor::MakeOrChangeList
    0x6F836934 - xul!nsListCommand::ToggleState
    0x6F83178C - xul!nsBaseStateUpdatingCommand::DoCommand
    0x6FA3A2CD - xul!nsControllerCommandTable::DoCommand
    0x6FA3A205 - xul!nsBaseCommandController::DoCommand
    0x6FA3A27D - xul!nsCommandManager::DoCommand
    0x6F56CFEE - xul!nsHTMLDocument::ExecCommand
    0x6F42ED47 - xul!mozilla::dom::HTMLDocumentBinding::execCommand
    0x6E361713 - xul!js::Invoke
    0x6E361F79 - xul!js::DirectProxyHandler::call
    0x6E359034 - xul!js::CrossCompartmentWrapper::call
    0x6E36151D - xul!js::Invoke
    0x6E365433 - xul!Interpret
    0x6E9CCE66 - xul!js::RunScript
    0x6E3613DC - xul!js::Invoke
    0x6E36304B - xul!js::Invoke
    0x6E4A77D2 - xul!mozilla::dom::EventHandlerNonNull::Call
    0x6E4A7605 - xul!mozilla::dom::EventHandlerNonNull::Call<nsISupports *>
    0x6E4A740B - xul!mozilla::JSEventHandler::HandleEvent
    0x6E65E6BA - xul!mozilla::EventListenerManager::HandleEventInternal
    0x6E65ECE8 - xul!mozilla::EventTargetChainItem::HandleEventTargetChain
    0x6E4A4545 - xul!mozilla::EventDispatcher::Dispatch
    0x6E481684 - xul!nsDocumentViewer::LoadComplete
    0x6E542D52 - xul!nsDocShell::EndPageLoad
    0x6E542AFE - xul!nsDocShell::OnStateChange
    0x6E4A14DE - xul!nsCOMPtr_base::assign_from_qi
    0x700E862C - xul!nsDocShell::`vftable'
    0x18C2C680 - 
    0x700E8640 - xul!nsDocShell::`vftable'
Attachment #8751903 - Attachment description: B5DEBA9D.86A5E353.html → Crash testcase
CR FF46:
https://crash-stats.mozilla.com/report/index/3d9ee17e-2ed1-41b4-a2f2-1f02f2160512
It crashes old versions back to FF17.
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ nsHTMLEditRules::ReapplyCachedStyles ]
Component: Untriaged → Editor
Ever confirmed: true
Product: Firefox → Core
Summary: xul!nsHTMLEditRules::ReapplyCachedStyles → Crash in nsHTMLEditRules::ReapplyCachedStyles
Regression range:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d0ebcaa7efb5&tochange=dd6ec482a85d
It's bug 757371.
Ehsan, could you NI? someone at Mozilla who is in charge of this component, please.
Updated • 9 years ago (Assignee)
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
Comment 4 • 9 years ago (Assignee)
Comment 5 • 9 years ago (Assignee)
Attachment #8751903 - Attachment is obsolete: true
Comment 6 • 9 years ago (Assignee)
nsHTMLEditRules::ReapplyCachedStyles() may be called after the document is removed from the DOM tree. For example, the document can be removed from the tree even while handling an edit operation if the web content uses DOMMutationEvent. In such a case, nsIEditor::GetSelection() returns nullptr and it should do nothing.
Review commit: https://reviewboard.mozilla.org/r/53150/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/53150/
        Attachment #8753261 -
        Flags: review?(ehsan)
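The failure mode described in comment 6, modelled as an added example (not Gecko source and not the landed patch). Editor, Selection, onMutation, DetachDocument and RunEdit are simplified stand-ins assumed for illustration; the point is that a listener running mid-operation can detach the document, so the post-edit hook must treat a null selection as "nothing to do".

```cpp
// Added illustration: simplified stand-ins, not Gecko code.
#include <functional>
#include <memory>
#include <vector>

struct Selection {                      // stand-in for dom::Selection
  std::vector<int> ranges{1};           // one constructed range
};

struct Editor {                         // stand-in for the HTML editor + its rules
  std::unique_ptr<Selection> selection = std::make_unique<Selection>();
  std::function<void()> onMutation;     // stand-in for a content mutation listener
  int stylesReapplied = 0;

  // As described in comment 6: null once the document has left the tree.
  Selection* GetSelection() { return selection.get(); }
  void DetachDocument() { selection.reset(); }

  // Post-edit hook. Returns false when it bailed out for lack of a selection.
  bool ReapplyCachedStyles() {
    Selection* sel = GetSelection();
    if (!sel) {
      // The guard. Without it, sel->ranges below reads through a null
      // pointer, matching the faulting load in the report (esi = 0).
      return false;
    }
    if (sel->ranges.empty()) return true;
    ++stylesReapplied;
    return true;
  }

  // An edit operation: the DOM change notifies content, then the hook runs.
  bool MakeList() {
    if (onMutation) onMutation();       // content script runs mid-operation
    return ReapplyCachedStyles();       // editor state may have changed by now
  }
};

// Run one edit, optionally with a listener that detaches the document.
bool RunEdit(bool listenerDetaches) {
  Editor ed;
  if (listenerDetaches) ed.onMutation = [&ed] { ed.DetachDocument(); };
  return ed.MakeList();
}

int main() { return (RunEdit(false) && !RunEdit(true)) ? 0 : 1; }
```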
Updated • 9 years ago
Attachment #8753261 - Flags: review?(ehsan) → review+
Comment 7 • 9 years ago
Comment on attachment 8753261 [details]
MozReview Request: Bug 1272490 nsHTMLEditRules::ReapplyCachedStyles() should do nothing if nsIEditor::GetSelection() returns nullptr r?ehsan
https://reviewboard.mozilla.org/r/53150/#review50772
Comment 9 • 9 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox49: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Updated • 8 years ago
Version: 46 Branch → 15 Branch