Closed Bug 1361052 Opened 3 years ago Closed 2 years ago

Near-Null Crash @ [mozilla::EditorBase::DeleteSelectionAndPrepareToCreateNode]

Categories

(Core :: DOM: Editor, defect, P3, critical)


Tracking


RESOLVED FIXED
mozilla61
Tracking Status
firefox-esr52 --- unaffected
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- fixed

People

(Reporter: jkratzer, Assigned: m_kato)

References

(Blocks 1 open bug)

Details

(5 keywords)

Crash Data

Attachments

(2 files)

Attached file Testcase
Testcase found while fuzzing mozilla-central rev 20170430-5278e2a35fc8.

ASAN:DEADLYSIGNAL
=================================================================
==24395==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000068 (pc 0x7f5b1647074b bp 0x7fffc3773530 sp 0x7fffc3773440 T0)
==24395==The signal is caused by a READ memory access.
==24395==Hint: address points to the zero page.
    #0 0x7f5b1647074a in Collapsed /home/worker/workspace/build/src/dom/base/nsRange.h:183:12
    #1 0x7f5b1647074a in mozilla::EditorBase::DeleteSelectionAndPrepareToCreateNode() /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:4126
    #2 0x7f5b1653b35a in mozilla::HTMLEditor::InsertElementAtSelection(nsIDOMElement*, bool) /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:1556:21
    #3 0x7f5b16613447 in nsInsertTagCommand::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:1387:18
    #4 0x7f5b148ac375 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:147:26
    #5 0x7f5b148a36cd in nsBaseCommandController::DoCommand(char const*) /home/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:136:25
    #6 0x7f5b148a99f4 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /home/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:214:22
    #7 0x7f5b14de65ab in nsHTMLDocument::ExecCommand(nsAString const&, bool, nsAString const&, nsIPrincipal&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3322:18
    #8 0x7f5b1432a94c in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:835:21
    #9 0x7f5b145f34ce in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2954:13
    #10 0x7f5b19dea633 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #11 0x7f5b19dea633 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #12 0x7f5b19dd31df in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #13 0x7f5b19dd31df in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3025
    #14 0x7f5b19db9138 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
    #15 0x7f5b19decb47 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:699:15
Flags: in-testsuite?
Crash Signature: [@ nsRange::Collapsed ]
Priority: -- → P1
Duplicate of this bug: 1275134
Priority: P1 → P3
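A small triage helper for reports like the AddressSanitizer output in the first comment, added here as an example and not part of this bug, of the fuzzing harness, or of Firefox's own tooling. It parses the `ERROR:` line, the READ/WRITE hint and the symbolised frames, flags the fault address as near-null when it lies below one page (the `0x1000` threshold is this example's assumption, matching ASAN's "zero page" hint), and locates the first frame inside a given source subtree so a queue can attribute the crash to the editor rather than to the inlined `Collapsed` accessor. The sample input is the report quoted above, trimmed to its first four frames.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the ASAN report from comment 0 of this bug, trimmed to its
# first four frames (copied from the report, not synthesised).
SAMPLE_REPORT = """\
ASAN:DEADLYSIGNAL
=================================================================
==24395==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000068 (pc 0x7f5b1647074b bp 0x7fffc3773530 sp 0x7fffc3773440 T0)
==24395==The signal is caused by a READ memory access.
==24395==Hint: address points to the zero page.
    #0 0x7f5b1647074a in Collapsed /home/worker/workspace/build/src/dom/base/nsRange.h:183:12
    #1 0x7f5b1647074a in mozilla::EditorBase::DeleteSelectionAndPrepareToCreateNode() /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:4126
    #2 0x7f5b1653b35a in mozilla::HTMLEditor::InsertElementAtSelection(nsIDOMElement*, bool) /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:1556:21
    #3 0x7f5b16613447 in nsInsertTagCommand::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:1387:18
"""

ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on unknown address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"signal is caused by a (READ|WRITE) memory access")
# "#N 0xADDR in <function, may contain spaces> <file:line[:col]>"
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*)\s+(\S+)$")

# Assumed threshold: a fault below the first page is a field read through a
# null pointer, and the address itself is the field's offset in the object.
NEAR_NULL_LIMIT = 0x1000


@dataclass
class Frame:
    index: int
    function: str
    location: str  # file:line[:col]


@dataclass
class AsanCrash:
    pid: int
    kind: str               # e.g. "SEGV"
    address: int            # faulting address
    access: Optional[str]   # "READ" / "WRITE" when ASAN reports it
    frames: List[Frame]

    @property
    def near_null(self) -> bool:
        return self.address < NEAR_NULL_LIMIT

    def first_frame_in(self, path_fragment: str) -> Optional[Frame]:
        """First frame whose source location contains path_fragment,
        e.g. 'editor/' to find where editor code reached the fault."""
        for frame in self.frames:
            if path_fragment in frame.location:
                return frame
        return None

    def triage(self) -> str:
        """One-line classification for a crash queue (defensive view only)."""
        if self.kind != "SEGV":
            return f"{self.kind}: not a signal crash, review the report body"
        if self.near_null and self.access == "READ":
            return (f"near-null READ at 0x{self.address:x}: null dereference of a "
                    f"field at offset 0x{self.address:x}, crash/DoS class")
        if self.near_null:
            return f"near-null {self.access or 'access'} at 0x{self.address:x}: null dereference on a store path"
        return f"SEGV at 0x{self.address:x}: not near-null, review for memory-safety impact"


def parse_asan_report(text: str) -> AsanCrash:
    pid = kind = address = None
    access = None
    frames: List[Frame] = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            pid, kind, address = int(m.group(1)), m.group(2), int(m.group(3), 16)
            continue
        m = ACCESS_RE.search(line)
        if m:
            access = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if kind is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return AsanCrash(pid, kind, address, access, frames)


if __name__ == "__main__":
    crash = parse_asan_report(SAMPLE_REPORT)
    print(crash.triage())
    entry = crash.first_frame_in("editor/")
    if entry:
        print(f"editor entry frame #{entry.index}: {entry.function} at {entry.location}")
```

On the report above this classifies the fault as a near-null read of a field at offset 0x68 (the `Collapsed` accessor reading through a null range) and attributes it to frame #1 in `editor/libeditor/EditorBase.cpp`, which is the frame the later crash signature on this bug also names.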
This testcase still consistently asserts in debug builds (the same one it hit when this bug was first filed). It also still crashes intermittently, though it sometimes takes a reload or two.
Assertion failure: selection->GetAnchorFocusRange(), at z:/build/build/src/editor/libeditor/EditorBase.cpp:4211

Regression range for the assertion:
INFO: Last good revision: 28e269b5ab120e15b7cf22f082befb1ed00cd5d5
INFO: First bad revision: 32f776e0c7b56e905d929efa1aa13e46849b6223
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=28e269b5ab120e15b7cf22f082befb1ed00cd5d5&tochange=32f776e0c7b56e905d929efa1aa13e46849b6223
Crash Signature: [@ nsRange::Collapsed ] → [@ nsRange::Collapsed ] [@ mozilla::EditorBase::DeleteSelectionAndPrepareToCreateNode ]
Has Regression Range: --- → yes
Keywords: assertion
See Also: → 1354025
Assignee: nobody → m_kato
Comment on attachment 8968099 [details]
Bug 1361052 - DeleteSelectionAndPrepareToCreateNode should be more safety.

https://reviewboard.mozilla.org/r/236398/#review242504
Attachment #8968099 - Flags: review?(masayuki) → review+
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/ceb3db3b31a0
DeleteSelectionAndPrepareToCreateNode should be more safety. r=masayuki
https://hg.mozilla.org/mozilla-central/rev/ceb3db3b31a0
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Flags: in-testsuite? → in-testsuite+