Closed Bug 1343918 Opened 8 years ago Closed 8 years ago

Crash [@nsCOMPtr_base /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h]

Categories

(Core :: DOM: Editor, defect, P2)

Product:
Core
Component:
DOM: Editor
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox54 --- wontfix
firefox55 --- fixed

People

(Reporter: jkratzer, Assigned: m_kato)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase)

Crash Data

Attachments

(2 files)

Testcase
644 bytes, text/html
Details
Bug 1343918 - Add crash test for document.execCommand('italic').
59 bytes, text/x-review-board-request
masayuki
: review+
Details
Attached file Testcase
Testcase found by fuzzing mozilla-central rev 20170301-34c6c2f302e7. ASAN:DEADLYSIGNAL ================================================================= ==14259==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x7f878e92206a bp 0x7ffc0deaedd0 sp 0x7ffc0deaecc0 T0) #0 0x7f878e922069 in nsCOMPtr_base /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:288:60 #1 0x7f878e922069 in nsCOMPtr /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:460 #2 0x7f878e922069 in mozilla::HTMLEditor::PromoteInlineRange(nsRange&) /home/worker/workspace/build/src/editor/libeditor/HTMLStyleEditor.cpp:889 #3 0x7f878e8df593 in mozilla::HTMLEditor::SetInlineProperty(nsIAtom*, nsAString_internal const&, nsAString_internal const&) /home/worker/workspace/build/src/editor/libeditor/HTMLStyleEditor.cpp:145:12 #4 0x7f878e9a7e3c in SetTextProperty /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:1524:10 #5 0x7f878e9a7e3c in nsStyleUpdatingCommand::ToggleState(nsIEditor*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:250 #6 0x7f878e9a5b69 in nsBaseStateUpdatingCommand::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:92:10 #7 0x7f878cb567c6 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:147:10 #8 0x7f878cb4d18a in nsBaseCommandController::DoCommand(char const*) /home/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:136:10 #9 0x7f878cb53ad6 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /home/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:214:10 #10 0x7f878d10c468 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, nsIPrincipal&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3239:10 #11 0x7f878c5b9f6d in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:835:15 #12 0x7f878c866787 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13 #13 0x7f879236443f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15 #14 0x7f879236443f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448 #15 0x7f879234ad60 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
Flags: in-testsuite?
Severity: normal → critical
Crash Signature: [@ mozilla::HTMLEditor::PromoteInlineRange ]
Priority: -- → P2
This seems to be fixed by bug 1369140, but we should add this test case to crashtest
Comment on attachment 8879417 [details] Bug 1343918 - Add crash test for document.execCommand('italic'). https://reviewboard.mozilla.org/r/150742/#review155440 ::: editor/libeditor/crashtests/1343918.html:8 (Diff revision 1) > + <head> > + <script type="application/javascript"> > + let form = document.createElement('form'); > + let input1 = document.createElement('input'); > + let input2 = document.createElement('input'); > + document.documentElement.appendChild(form); nit: trailing whitespace. ::: editor/libeditor/crashtests/1343918.html:12 (Diff revision 1) > + let input2 = document.createElement('input'); > + document.documentElement.appendChild(form); > + document.documentElement.appendChild(input1); > + form.appendChild(input2); > + form.contentEditable = true > + input1.focus(); nit: trailing whitespace. ::: editor/libeditor/crashtests/1343918.html:15 (Diff revision 1) > + range.selectNode(input2); > + window.getSelection().addRange(range); > + document.execCommand("italic", false, null); nit: trailing whitespaces.
Attachment #8879417 - Flags: review?(masayuki) → review+
Pushed by m_kato@ga2.so-net.ne.jp: https://hg.mozilla.org/integration/autoland/rev/c658542cbb44 Add crash test for document.execCommand('italic'). r=masayuki
Assignee: nobody → m_kato
https://hg.mozilla.org/mozilla-central/rev/c658542cbb44
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
status-firefox54: affectedwontfix
status-firefox55: --- → fixed
status-firefox56: unaffected → ---
status-firefox-esr52: --- → wontfix
Flags: in-testsuite? → in-testsuite+
Target Milestone: mozilla56 → mozilla55
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: