Closed Bug 1343918 Opened 7 years ago Closed 7 years ago

Crash [@nsCOMPtr_base /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h]

Categories

(Core :: DOM: Editor, defect, P2)

Tracking

RESOLVED FIXED
mozilla55
Tracking Status
firefox-esr52 --- wontfix
firefox54 --- wontfix
firefox55 --- fixed

People

(Reporter: jkratzer, Assigned: m_kato)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase)

Attachments

(2 files)

Attached file Testcase
Testcase found by fuzzing mozilla-central rev 20170301-34c6c2f302e7.

ASAN:DEADLYSIGNAL
=================================================================
==14259==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x7f878e92206a bp 0x7ffc0deaedd0 sp 0x7ffc0deaecc0 T0)
    #0 0x7f878e922069 in nsCOMPtr_base /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:288:60
    #1 0x7f878e922069 in nsCOMPtr /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:460
    #2 0x7f878e922069 in mozilla::HTMLEditor::PromoteInlineRange(nsRange&) /home/worker/workspace/build/src/editor/libeditor/HTMLStyleEditor.cpp:889
    #3 0x7f878e8df593 in mozilla::HTMLEditor::SetInlineProperty(nsIAtom*, nsAString_internal const&, nsAString_internal const&) /home/worker/workspace/build/src/editor/libeditor/HTMLStyleEditor.cpp:145:12
    #4 0x7f878e9a7e3c in SetTextProperty /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:1524:10
    #5 0x7f878e9a7e3c in nsStyleUpdatingCommand::ToggleState(nsIEditor*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:250
    #6 0x7f878e9a5b69 in nsBaseStateUpdatingCommand::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:92:10
    #7 0x7f878cb567c6 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:147:10
    #8 0x7f878cb4d18a in nsBaseCommandController::DoCommand(char const*) /home/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:136:10
    #9 0x7f878cb53ad6 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /home/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:214:10
    #10 0x7f878d10c468 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, nsIPrincipal&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3239:10
    #11 0x7f878c5b9f6d in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:835:15
    #12 0x7f878c866787 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13
    #13 0x7f879236443f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #14 0x7f879236443f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
    #15 0x7f879234ad60 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
Flags: in-testsuite?
Severity: normal → critical
Crash Signature: [@ mozilla::HTMLEditor::PromoteInlineRange ]
Priority: -- → P2
This seems to be fixed by bug 1369140, but we should add this test case to crashtest
Comment on attachment 8879417 [details]
Bug 1343918 - Add crash test for document.execCommand('italic').

https://reviewboard.mozilla.org/r/150742/#review155440

::: editor/libeditor/crashtests/1343918.html:8
(Diff revision 1)
> +  <head>
> +    <script type="application/javascript">
> +      let form = document.createElement('form');
> +      let input1 = document.createElement('input');
> +      let input2 = document.createElement('input');
> +      document.documentElement.appendChild(form); 
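
Review bot: a short comment above this block would help readers of the crashtest: `form` and `input1` are appended directly to `document.documentElement` (the script runs in `<head>`, so there is no `<body>` yet), which is an intentional fuzzer-derived structure; without a note, a later cleanup could move them under `document.body` and change what the test exercises.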

nit: trailing whitespace.

::: editor/libeditor/crashtests/1343918.html:12
(Diff revision 1)
> +      let input2 = document.createElement('input');
> +      document.documentElement.appendChild(form); 
> +      document.documentElement.appendChild(input1);
> +      form.appendChild(input2);
> +      form.contentEditable = true
> +      input1.focus(); 
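
Review bot: `form.contentEditable = true` is missing its trailing semicolon, unlike every other statement in the block; since `contentEditable` is a string attribute and the boolean is coerced to `"true"`, the clearer form is `form.contentEditable = 'true';`.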

nit: trailing whitespace.

::: editor/libeditor/crashtests/1343918.html:15
(Diff revision 1)
> +      range.selectNode(input2); 
> +      window.getSelection().addRange(range); 
> +      document.execCommand("italic", false, null); 
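
Review bot: the value argument is ignored by the `italic` command, so passing `null` (which is coerced to a string for the `DOMString` parameter) adds nothing; `document.execCommand("italic", false, "")` or simply `document.execCommand("italic")` reads cleaner and avoids the question of what `null` means here.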

nit: trailing whitespaces.
Attachment #8879417 - Flags: review?(masayuki) → review+
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/c658542cbb44
Add crash test for document.execCommand('italic'). r=masayuki
Assignee: nobody → m_kato
https://hg.mozilla.org/mozilla-central/rev/c658542cbb44
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Flags: in-testsuite? → in-testsuite+
Target Milestone: mozilla56 → mozilla55