Closed
Bug 1361052
Opened 8 years ago
Closed 7 years ago
Near-Null Crash @ [mozilla::EditorBase::DeleteSelectionAndPrepareToCreateNode]
Categories: Core :: DOM: Editor, defect, P3
Tracking: RESOLVED FIXED, mozilla61
People: Reporter: jkratzer, Assigned: m_kato
References: Blocks 1 open bug
Details: 5 keywords
Crash Data
Attachments: 2 files
Testcase found while fuzzing mozilla-central rev 20170430-5278e2a35fc8.
ASAN:DEADLYSIGNAL
=================================================================
==24395==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000068 (pc 0x7f5b1647074b bp 0x7fffc3773530 sp 0x7fffc3773440 T0)
==24395==The signal is caused by a READ memory access.
==24395==Hint: address points to the zero page.
#0 0x7f5b1647074a in Collapsed /home/worker/workspace/build/src/dom/base/nsRange.h:183:12
#1 0x7f5b1647074a in mozilla::EditorBase::DeleteSelectionAndPrepareToCreateNode() /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:4126
#2 0x7f5b1653b35a in mozilla::HTMLEditor::InsertElementAtSelection(nsIDOMElement*, bool) /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:1556:21
#3 0x7f5b16613447 in nsInsertTagCommand::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:1387:18
#4 0x7f5b148ac375 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:147:26
#5 0x7f5b148a36cd in nsBaseCommandController::DoCommand(char const*) /home/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:136:25
#6 0x7f5b148a99f4 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /home/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:214:22
#7 0x7f5b14de65ab in nsHTMLDocument::ExecCommand(nsAString const&, bool, nsAString const&, nsIPrincipal&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3322:18
#8 0x7f5b1432a94c in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:835:21
#9 0x7f5b145f34ce in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2954:13
#10 0x7f5b19dea633 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#11 0x7f5b19dea633 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#12 0x7f5b19dd31df in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#13 0x7f5b19dd31df in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3025
#14 0x7f5b19db9138 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
#15 0x7f5b19decb47 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:699:15
Flags: in-testsuite?
Updated•8 years ago
Crash Signature: [@ nsRange::Collapsed ]
Updated•8 years ago
Priority: -- → P1
Updated•8 years ago
status-firefox56: --- → unaffected
Priority: P1 → P3
Comment 2•7 years ago
This testcase still consistently asserts in debug builds (the same one it hit when this bug was first filed). It also still crashes intermittently, though it sometimes takes a reload or two.
Assertion failure: selection->GetAnchorFocusRange(), at z:/build/build/src/editor/libeditor/EditorBase.cpp:4211
Regression range for the assertion:
INFO: Last good revision: 28e269b5ab120e15b7cf22f082befb1ed00cd5d5
INFO: First bad revision: 32f776e0c7b56e905d929efa1aa13e46849b6223
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=28e269b5ab120e15b7cf22f082befb1ed00cd5d5&tochange=32f776e0c7b56e905d929efa1aa13e46849b6223
Blocks: CVE-2016-9898
Crash Signature: [@ nsRange::Collapsed ] → [@ nsRange::Collapsed ] [@ mozilla::EditorBase::DeleteSelectionAndPrepareToCreateNode ]
Has Regression Range: --- → yes
status-firefox55: --- → wontfix
status-firefox57: --- → fix-optional
status-firefox58: --- → fix-optional
status-firefox-esr52: --- → unaffected
Keywords: assertion
Updated•7 years ago
Assignee: nobody → m_kato
Comment 3•7 years ago
status-firefox59: --- → ?
Comment hidden (mozreview-request)
Comment 5•7 years ago (mozreview-review)
Comment on attachment 8968099 [details]
Bug 1361052 - DeleteSelectionAndPrepareToCreateNode should be more safety.
https://reviewboard.mozilla.org/r/236398/#review242504
Attachment #8968099 - Flags: review?(masayuki) → review+
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/ceb3db3b31a0
DeleteSelectionAndPrepareToCreateNode should be more safety. r=masayuki
Comment 7•7 years ago (bugherder)
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox61: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Updated•7 years ago
status-firefox60: --- → wontfix
Flags: in-testsuite? → in-testsuite+
Updated•7 years ago
Keywords: regression