Crash [@nsCOMPtr_base /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h]

RESOLVED FIXED in Firefox 55

Status

Product: Core
Component: Editor
Priority: P2
Severity: critical
Status: RESOLVED FIXED
Reported: a year ago
Modified: 8 months ago

People

(Reporter: jkratzer, Assigned: m_kato)

Tracking

Blocks: 1 bug
Keywords: crash, csectype-nullptr, testcase
Version: unspecified
Target Milestone: mozilla55
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

firefox-esr52: wontfix, firefox54: wontfix, firefox55: fixed

Attachments

(2 attachments)

(Reporter)

Description

a year ago
Created attachment 8842916 [details]
Testcase

Testcase found by fuzzing mozilla-central rev 20170301-34c6c2f302e7.

ASAN:DEADLYSIGNAL
=================================================================
==14259==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x7f878e92206a bp 0x7ffc0deaedd0 sp 0x7ffc0deaecc0 T0)
    #0 0x7f878e922069 in nsCOMPtr_base /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:288:60
    #1 0x7f878e922069 in nsCOMPtr /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:460
    #2 0x7f878e922069 in mozilla::HTMLEditor::PromoteInlineRange(nsRange&) /home/worker/workspace/build/src/editor/libeditor/HTMLStyleEditor.cpp:889
    #3 0x7f878e8df593 in mozilla::HTMLEditor::SetInlineProperty(nsIAtom*, nsAString_internal const&, nsAString_internal const&) /home/worker/workspace/build/src/editor/libeditor/HTMLStyleEditor.cpp:145:12
    #4 0x7f878e9a7e3c in SetTextProperty /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:1524:10
    #5 0x7f878e9a7e3c in nsStyleUpdatingCommand::ToggleState(nsIEditor*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:250
    #6 0x7f878e9a5b69 in nsBaseStateUpdatingCommand::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:92:10
    #7 0x7f878cb567c6 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:147:10
    #8 0x7f878cb4d18a in nsBaseCommandController::DoCommand(char const*) /home/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:136:10
    #9 0x7f878cb53ad6 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /home/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:214:10
    #10 0x7f878d10c468 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, nsIPrincipal&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3239:10
    #11 0x7f878c5b9f6d in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:835:15
    #12 0x7f878c866787 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13
    #13 0x7f879236443f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #14 0x7f879236443f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
    #15 0x7f879234ad60 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
Flags: in-testsuite?
(Reporter)

Updated

a year ago
Severity: normal → critical
(Assignee)

Updated

a year ago
Crash Signature: [@ mozilla::HTMLEditor::PromoteInlineRange ]
Priority: -- → P2
(Assignee)

Updated

8 months ago
status-firefox54: --- → affected
status-firefox56: --- → unaffected
(Assignee)

Comment 1

8 months ago
This seems to be fixed by bug 1369140, but we should add this test case to crashtest.

Comment 3

8 months ago
mozreview-review
Comment on attachment 8879417 [details]
Bug 1343918 - Add crash test for document.execCommand('italic').

https://reviewboard.mozilla.org/r/150742/#review155440

::: editor/libeditor/crashtests/1343918.html:8
(Diff revision 1)
> +  <head>
> +    <script type="application/javascript">
> +      let form = document.createElement('form');
> +      let input1 = document.createElement('input');
> +      let input2 = document.createElement('input');
> +      document.documentElement.appendChild(form); 

nit: trailing whitespace.

::: editor/libeditor/crashtests/1343918.html:12
(Diff revision 1)
> +      let input2 = document.createElement('input');
> +      document.documentElement.appendChild(form); 
> +      document.documentElement.appendChild(input1);
> +      form.appendChild(input2);
> +      form.contentEditable = true
> +      input1.focus(); 
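Review bot: `form.contentEditable = true` is the only statement in this block without a terminating semicolon; add one for consistency with the surrounding lines (`form.contentEditable = true;`).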

nit: trailing whitespace.

::: editor/libeditor/crashtests/1343918.html:15
(Diff revision 1)
> +      range.selectNode(input2); 
> +      window.getSelection().addRange(range); 
> +      document.execCommand("italic", false, null); 

nit: trailing whitespaces.
Attachment #8879417 - Flags: review?(masayuki) → review+

Comment 5

8 months ago
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/c658542cbb44
Add crash test for document.execCommand('italic'). r=masayuki
(Assignee)

Updated

8 months ago
Assignee: nobody → m_kato

Comment 6

8 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/c658542cbb44
Status: NEW → RESOLVED
Last Resolved: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
status-firefox54: affected → wontfix
status-firefox55: --- → fixed
status-firefox56: unaffected → ---
status-firefox-esr52: --- → wontfix
Flags: in-testsuite? → in-testsuite+
Target Milestone: mozilla56 → mozilla55