Bug 1375131 (Closed) - Crash [@nsAutoOwningThread::AssertCurrentThreadOwnsMe]
Opened 7 years ago, closed 7 years ago
Categories: Core :: DOM: Editor, defect, P1
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla56
Release | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox54 | --- | unaffected
firefox55 | --- | wontfix
firefox56 | --- | fixed
People: Reporter jkratzer, Assignee m_kato
References: Blocks 1 open bug
Details: Keywords crash, csectype-nullptr, testcase
Attachments: 4 files
Description

Testcase found while fuzzing mozilla-central rev 20170621-2b07ef4f3381.

    ASAN:DEADLYSIGNAL
    =================================================================
    ==10490==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7ff77ee0645a bp 0x7ffe4e05b2c0 sp 0x7ffe4e05b2b0 T0)
    ==10490==The signal is caused by a READ memory access.
    ==10490==Hint: address points to the zero page.
        #0 0x7ff77ee06459 in nsAutoOwningThread::AssertCurrentThreadOwnsMe(char const*) const /home/worker/workspace/build/src/xpcom/base/nsISupportsImpl.cpp:41:7
        #1 0x7ff781b5f85c in AssertOwnership<24> /home/worker/workspace/build/src/obj-firefox/dist/include/nsISupportsImpl.h:69:5
        #2 0x7ff781b5f85c in nsRange::AddRef() /home/worker/workspace/build/src/dom/base/nsRange.cpp:315
        #3 0x7ff7853c96fd in AddRef /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:37:11
        #4 0x7ff7853c96fd in AddRef /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:392
        #5 0x7ff7853c96fd in assign_with_AddRef /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:54
        #6 0x7ff7853c96fd in operator= /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:191
        #7 0x7ff7853c96fd in init<nsRange *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/OwningNonNull.h:147
        #8 0x7ff7853c96fd in OwningNonNull /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/OwningNonNull.h:25
        #9 0x7ff7853c96fd in mozilla::HTMLEditRules::WillDeleteSelection(mozilla::dom::Selection*, short, short, bool*, bool*) /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2457
        #10 0x7ff7853c10d9 in mozilla::HTMLEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::RulesInfo*, bool*, bool*) /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:650:14
        #11 0x7ff7854d8598 in mozilla::TextEditor::DeleteSelection(short, short) /home/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:638:24
        #12 0x7ff785385b81 in mozilla::DeleteCommand::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/editor/libeditor/EditorCommands.cpp:697:18
        #13 0x7ff7836f4f85 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:147:26
        #14 0x7ff7836ebdcd in nsBaseCommandController::DoCommand(char const*) /home/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:136:25
        #15 0x7ff7836f2464 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /home/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:212:22
        #16 0x7ff783c1218b in nsHTMLDocument::ExecCommand(nsAString const&, bool, nsAString const&, nsIPrincipal&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3345:18
        #17 0x7ff7831305dc in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:835:21
        #18 0x7ff783443dbe in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2960:13
        #19 0x7ff7899174a3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
        #20 0x7ff7899174a3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
Flags: in-testsuite?
Updated • 7 years ago
Crash Signature: [@ nsRange::GetCommonAncestor ]
Priority: -- → P1
Updated • 7 years ago
Assignee: nobody → m_kato
Comment 4 • 7 years ago (mozreview-review)
Comment on attachment 8880727 [details] Bug 1375131 - Part 1. Store ranges before using on loop. https://reviewboard.mozilla.org/r/152094/#review157082
Attachment #8880727 - Flags: review?(masayuki) → review+
Comment 5 • 7 years ago (mozreview-review)
Comment on attachment 8880728 [details] Bug 1375131 - Part 2. Add crash test. https://reviewboard.mozilla.org/r/152096/#review157088
Attachment #8880728 - Flags: review?(masayuki) → review+
Comment 6 • 7 years ago (mozreview-review)
Comment on attachment 8880729 [details] Bug 1375131 - Part 3. Use stack class to save ranges before using on loop. https://reviewboard.mozilla.org/r/152098/#review157090
Attachment #8880729 - Flags: review?(masayuki) → review+
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/094e8f3937e8 Part 1. Store ranges before using on loop. r=masayuki
https://hg.mozilla.org/integration/autoland/rev/0c0db23bd493 Part 2. Add crash test. r=masayuki
https://hg.mozilla.org/integration/autoland/rev/52f06c62dfe4 Part 3. Use stack class to save ranges before using on loop. r=masayuki
Comment 8 • 7 years ago
sorry had to back out for bustage in https://treeherder.mozilla.org/logviewer.html#?job_id=109514919&repo=autoland
Flags: needinfo?(m_kato)
Backout by cbook@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8adde8e79c55 Backed out changeset 52f06c62dfe4
https://hg.mozilla.org/integration/autoland/rev/6adb1c9cd7ee Backed out changeset 0c0db23bd493
https://hg.mozilla.org/integration/autoland/rev/a966daa11b06 Backed out changeset 094e8f3937e8 for bustage
Comment 10 • 7 years ago
(In reply to Carsten Book [:Tomcat] from comment #8)
> sorry had to back out for bustage in
> https://treeherder.mozilla.org/logviewer.html#?job_id=109514919&repo=autoland

Ah, I forgot the explicit keyword. I will reland this tomorrow.
Flags: needinfo?(m_kato)
Comment 11 • 7 years ago
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a46cfc0a8203 Part 1. Store ranges before using on loop. r=masayuki
https://hg.mozilla.org/integration/mozilla-inbound/rev/69bd67418866 Part 2. Add crash test. r=masayuki
https://hg.mozilla.org/integration/mozilla-inbound/rev/5baa008248ff Part 3. Use stack class to save ranges before using on loop. r=masayuki
Comment 12 • 7 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/a46cfc0a8203
https://hg.mozilla.org/mozilla-central/rev/69bd67418866
https://hg.mozilla.org/mozilla-central/rev/5baa008248ff
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox56: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
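The three landed parts ("Store ranges before using on loop" and "Use stack class to save ranges before using on loop") describe the fix pattern for the trace in the description: frames #7 to #9 show WillDeleteSelection constructing an OwningNonNull from an nsRange* while the faulting address sits in the zero page, i.e. the range pointer read from the live selection was null. The following is an added illustration of that defect class and its remedy; it is not Gecko code. Range, Selection, GetRangeAt, CollapseToFirstRange and the demo functions are hypothetical stand-ins, and the "collapse on edit" side effect is a constructed stand-in for whatever DOM mutation the real editing performs.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Hypothetical stand-in for nsRange: a start/end offset pair.
struct Range {
    int start;
    int end;
};

// Hypothetical stand-in for a live Selection whose range list can change
// underneath a caller that is still iterating it by index.
class Selection {
public:
    void AddRange(int start, int end) {
        mRanges.push_back(std::make_shared<Range>(Range{start, end}));
    }
    std::size_t RangeCount() const { return mRanges.size(); }

    // Out-of-bounds lookups yield null, like a range that is no longer there.
    std::shared_ptr<Range> GetRangeAt(std::size_t index) const {
        return index < mRanges.size() ? mRanges[index] : nullptr;
    }

    // Constructed stand-in for the side effect of editing: the mutation
    // collapses the selection, dropping every range but the first.
    void CollapseToFirstRange() {
        if (mRanges.size() > 1) {
            mRanges.resize(1);
        }
    }

private:
    std::vector<std::shared_ptr<Range>> mRanges;
};

// Per-range "work": number of offsets the range spans.
static int RangeLength(const Range& r) { return r.end - r.start; }

// Before the fix: the count is captured up front, but every iteration re-reads
// the live selection. Once the first iteration's edit collapses it,
// GetRangeAt(1) returns null; a non-null holder would dereference that.
// Returns -1 at the point where the real code faulted.
int DeleteRangesLive(Selection& selection) {
    const std::size_t count = selection.RangeCount();
    int deleted = 0;
    for (std::size_t i = 0; i < count; ++i) {
        std::shared_ptr<Range> range = selection.GetRangeAt(i);
        if (!range) {
            return -1;  // null range pointer handed to a non-null holder
        }
        deleted += RangeLength(*range);
        selection.CollapseToFirstRange();  // editing mutates the live selection
    }
    return deleted;
}

// After the fix: snapshot every range into a local owning array before any
// editing happens (the role of the stack class in Part 3). The snapshot holds
// a strong reference, so each range stays alive and non-null for the whole
// loop even after the selection drops it.
int DeleteRangesSnapshot(Selection& selection) {
    std::vector<std::shared_ptr<Range>> ranges;
    for (std::size_t i = 0; i < selection.RangeCount(); ++i) {
        ranges.push_back(selection.GetRangeAt(i));
    }
    int deleted = 0;
    for (const std::shared_ptr<Range>& range : ranges) {
        deleted += RangeLength(*range);
        selection.CollapseToFirstRange();  // same mutation, no longer observed by the loop
    }
    return deleted;
}

// Constructed sample input: a three-range selection.
Selection MakeSampleSelection() {
    Selection s;
    s.AddRange(0, 2);
    s.AddRange(5, 8);
    s.AddRange(10, 11);
    return s;
}

// Runs the "before" loop on the sample; -1 marks the null range.
int RunLiveDemo() {
    Selection s = MakeSampleSelection();
    return DeleteRangesLive(s);
}

// Runs the "after" loop on the sample; all three ranges are processed (2+3+1).
int RunSnapshotDemo() {
    Selection s = MakeSampleSelection();
    return DeleteRangesSnapshot(s);
}
```

The snapshot does two things at once: it fixes the iteration count to the set of ranges that existed when the operation started, and, because the local array owns a reference to each range, it keeps those objects alive until the loop is done. That is also why Part 3 moves the storage to a stack class rather than leaving a raw count plus index: the owning array goes away with the function frame, so no reference outlives the operation.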
Comment 13 • 7 years ago
How far back does this issue go? Should we consider it for backport or is it good riding the 56 train?
Flags: needinfo?(m_kato)
Flags: in-testsuite?
Flags: in-testsuite+
Comment 14 • 7 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #13)
> How far back does this issue go? Should we consider it for backport or is it
> good riding the 56 train?

Since the crash rate is too low, I don't think that this should be fixed on 56.
Flags: needinfo?(m_kato)
Updated • 7 years ago
status-firefox54: --- → unaffected
status-firefox55: --- → wontfix
status-firefox-esr52: --- → unaffected