Near-Null Crash @ [mozilla::EditorBase::DeleteSelectionAndPrepareToCreateNode]

RESOLVED FIXED in Firefox 61

Status

Product: Core
Component: Editor
Priority: P3
Severity: critical
Status: RESOLVED FIXED
Reported: a year ago
Modified: 2 months ago

People

(Reporter: jkratzer, Assigned: m_kato)

Tracking

(Blocks: 1 bug, 5 keywords)

unspecified
mozilla61
assertion, crash, csectype-nullptr, regression, testcase
Bug Flags: in-testsuite+

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox55 wontfix, firefox56 wontfix, firefox57 wontfix, firefox58 wontfix, firefox59 wontfix, firefox60 wontfix, firefox61 fixed)


Attachments

(2 attachments)

Description (Reporter), a year ago

Created attachment 8863361 [details]
Testcase

Testcase found while fuzzing mozilla-central rev 20170430-5278e2a35fc8.

ASAN:DEADLYSIGNAL
=================================================================
==24395==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000068 (pc 0x7f5b1647074b bp 0x7fffc3773530 sp 0x7fffc3773440 T0)
==24395==The signal is caused by a READ memory access.
==24395==Hint: address points to the zero page.
    #0 0x7f5b1647074a in Collapsed /home/worker/workspace/build/src/dom/base/nsRange.h:183:12
    #1 0x7f5b1647074a in mozilla::EditorBase::DeleteSelectionAndPrepareToCreateNode() /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:4126
    #2 0x7f5b1653b35a in mozilla::HTMLEditor::InsertElementAtSelection(nsIDOMElement*, bool) /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:1556:21
    #3 0x7f5b16613447 in nsInsertTagCommand::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:1387:18
    #4 0x7f5b148ac375 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:147:26
    #5 0x7f5b148a36cd in nsBaseCommandController::DoCommand(char const*) /home/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:136:25
    #6 0x7f5b148a99f4 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /home/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:214:22
    #7 0x7f5b14de65ab in nsHTMLDocument::ExecCommand(nsAString const&, bool, nsAString const&, nsIPrincipal&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3322:18
    #8 0x7f5b1432a94c in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:835:21
    #9 0x7f5b145f34ce in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2954:13
    #10 0x7f5b19dea633 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #11 0x7f5b19dea633 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #12 0x7f5b19dd31df in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #13 0x7f5b19dd31df in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3025
    #14 0x7f5b19db9138 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
    #15 0x7f5b19decb47 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:699:15
Flags: in-testsuite?
(Assignee) Updated, a year ago
Crash Signature: [@ nsRange::Collapsed ]

(Assignee) Updated, a year ago
Priority: -- → P1

(Assignee) Updated, a year ago
Duplicate of this bug: 1275134

(Assignee) Updated, a year ago
status-firefox56: --- → unaffected
Priority: P1 → P3

This testcase still consistently asserts in debug builds (the same one it hit when this bug was first filed). It also still crashes intermittently, though it sometimes takes a reload or two.
Assertion failure: selection->GetAnchorFocusRange(), at z:/build/build/src/editor/libeditor/EditorBase.cpp:4211

Regression range for the assertion:
INFO: Last good revision: 28e269b5ab120e15b7cf22f082befb1ed00cd5d5
INFO: First bad revision: 32f776e0c7b56e905d929efa1aa13e46849b6223
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=28e269b5ab120e15b7cf22f082befb1ed00cd5d5&tochange=32f776e0c7b56e905d929efa1aa13e46849b6223
Blocks: 1314442
Crash Signature: [@ nsRange::Collapsed ] → [@ nsRange::Collapsed ] [@ mozilla::EditorBase::DeleteSelectionAndPrepareToCreateNode ]
Has Regression Range: --- → yes
status-firefox55: --- → wontfix
status-firefox56: unaffected → wontfix
status-firefox57: --- → fix-optional
status-firefox58: --- → fix-optional
status-firefox-esr52: --- → unaffected
Keywords: assertion

Updated, 10 months ago
See Also: → bug 1354025

(Assignee) Updated, 10 months ago
Assignee: nobody → m_kato

Comment 5, 3 months ago (mozreview-review)
Comment on attachment 8968099 [details]
Bug 1361052 - DeleteSelectionAndPrepareToCreateNode should be more safety.

https://reviewboard.mozilla.org/r/236398/#review242504
Attachment #8968099 - Flags: review?(masayuki) → review+

Comment 6, 3 months ago
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/ceb3db3b31a0
DeleteSelectionAndPrepareToCreateNode should be more safety. r=masayuki

Comment 7, 3 months ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/ceb3db3b31a0
Status: NEW → RESOLVED
Last Resolved: 3 months ago
status-firefox61: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
status-firefox57: fix-optional → wontfix
status-firefox59: ? → wontfix
status-firefox60: --- → wontfix
Flags: in-testsuite? → in-testsuite+
Keywords: regression