Crash [@nsCOMPtr] | mozilla::CSSEditUtils::CreateCSSPropertyTxn

Status: RESOLVED WORKSFORME
Product: Core
Component: Editor
Priority: P3
Severity: critical
Reported: a year ago
Modified: 4 months ago
Reporter: jkratzer
Assignee: Unassigned
Blocks: 1 bug
Keywords: crash, csectype-nullptr, testcase
Version: unspecified
Points: ---
Bug Flags: in-testsuite +
Firefox Tracking Flags: Not tracked
Attachments: 1 attachment

(Reporter)

Description

a year ago
Created attachment 8843163 [details]
testcase

Testcase generated by fuzzing mozilla-central rev 20170302-d29f84406483.  Testcase requires the fuzzPriv extension:

https://www.squarefree.com/extensions/domFuzzLite3.xpi

==13843==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbe4d5281af bp 0x7ffdf2fb47d0 sp 0x7ffdf2fb4770 T0)
    #0 0x7fbe4d5281ae in nsCOMPtr /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:464:7
    #1 0x7fbe4d5281ae in ChangeStyleTransaction /home/worker/workspace/build/src/editor/libeditor/ChangeStyleTransaction.cpp:127
    #2 0x7fbe4d5281ae in mozilla::CSSEditUtils::CreateCSSPropertyTxn(mozilla::dom::Element&, nsIAtom&, nsAString_internal const&, mozilla::ChangeStyleTransaction::EChangeType) /home/worker/workspace/build/src/editor/libeditor/CSSEditUtils.cpp:503
    #3 0x7fbe4d52a2d0 in SetCSSProperty /home/worker/workspace/build/src/editor/libeditor/CSSEditUtils.cpp:458:5
    #4 0x7fbe4d52a2d0 in mozilla::CSSEditUtils::SetCSSPropertyPixels(mozilla::dom::Element&, nsIAtom&, int) /home/worker/workspace/build/src/editor/libeditor/CSSEditUtils.cpp:473
    #5 0x7fbe4d68864c in SetAnonymousElementPosition /home/worker/workspace/build/src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:547:3
    #6 0x7fbe4d68864c in mozilla::HTMLEditor::SetShadowPosition(mozilla::dom::Element*, mozilla::dom::Element*, int, int) /home/worker/workspace/build/src/editor/libeditor/HTMLEditorObjectResizer.cpp:721
    #7 0x7fbe4d685b7e in mozilla::DocumentResizeEventListener::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/editor/libeditor/HTMLEditorObjectResizer.cpp:68:12
    #8 0x7fbe4ba284d9 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1123:16
    #9 0x7fbe4ba2a480 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1297:20
    #10 0x7fbe4ba14c83 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:465:5
    #11 0x7fbe4ba18514 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:822:9
    #12 0x7fbe4db94e99 in mozilla::PresShell::FireResizeEvent() /home/worker/workspace/build/src/layout/base/PresShell.cpp:2045:5
    #13 0x7fbe4dbaad7a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4139:7
    #14 0x7fbe49c50e3e in FlushPendingNotifications /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:599:5
    #15 0x7fbe49c50e3e in nsDocument::FlushPendingNotifications(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:7984
Flags: in-testsuite?
Priority: -- → P3
I haven't been able to reproduce this, even with builds from around the time it was filed. Does this still reproduce for you, Jason?
Flags: needinfo?(jkratzer)
(Reporter)

Comment 2

4 months ago
I cannot reproduce this with the latest nightly.
Flags: needinfo?(jkratzer)
Thanks for checking. NI myself to look into landing a crashtest still at least.
Status: NEW → RESOLVED
Last Resolved: 4 months ago
Flags: needinfo?(ryanvm)
Resolution: --- → WORKSFORME
Flags: needinfo?(ryanvm)
Flags: in-testsuite?
Flags: in-testsuite+