Closed
Bug 1383747
Opened 8 years ago
Closed 8 years ago
Crash [@ get] in /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:284:27
Categories
(Core :: DOM: Selection, defect, P2)
Tracking
RESOLVED
FIXED
mozilla57
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox56 | --- | fixed |
| firefox57 | --- | fixed |
People
(Reporter: jkratzer, Assigned: jchen)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase)
Attachments
(1 file)
680 bytes, text/html
Testcase found while fuzzing mozilla-central rev 20170722-c22502562670.
ASAN:DEADLYSIGNAL
=================================================================
==14861==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7fcbd872c5c1 bp 0x7ffea2a5ead0 sp 0x7ffea2a5ea40 T0)
==14861==The signal is caused by a READ memory access.
==14861==Hint: address points to the zero page.
#0 0x7fcbd872c5c0 in get /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:284:27
#1 0x7fcbd872c5c0 in operator-> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:316
#2 0x7fcbd872c5c0 in NodePrincipal /home/worker/workspace/build/src/dom/base/nsINode.h:901
#3 0x7fcbd872c5c0 in nsContentUtils::CanCallerAccess(nsINode*) /home/worker/workspace/build/src/dom/base/nsContentUtils.cpp:2306
#4 0x7fcbd8c9e30c in nsRange::SetStartBefore(nsINode&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsRange.cpp:1327:8
#5 0x7fcbd8cb3868 in nsRange::ExcludeNonSelectableNodes(nsTArray<RefPtr<nsRange> >*) /home/worker/workspace/build/src/dom/base/nsRange.cpp:3506:18
#6 0x7fcbd89d59bb in mozilla::dom::Selection::UserSelectRangesToAdd(nsRange*, nsTArray<RefPtr<nsRange> >&) /home/worker/workspace/build/src/dom/base/Selection.cpp:1103:10
#7 0x7fcbd89d09ca in mozilla::dom::Selection::AddItem(nsRange*, int*, bool) /home/worker/workspace/build/src/dom/base/Selection.cpp:1144:7
#8 0x7fcbd89e4045 in mozilla::dom::Selection::SetAnchorFocusToRange(nsRange*) /home/worker/workspace/build/src/dom/base/Selection.cpp:2770:9
#9 0x7fcbd89e559d in mozilla::dom::Selection::Extend(nsINode&, unsigned int, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/Selection.cpp:2967:11
#10 0x7fcbd89e4b05 in mozilla::dom::Selection::Extend(nsINode*, int) /home/worker/workspace/build/src/dom/base/Selection.cpp:2874:3
#11 0x7fcbdced82b3 in nsFrameSelection::TakeFocus(nsIContent*, unsigned int, unsigned int, mozilla::CaretAssociationHint, bool, bool) /home/worker/workspace/build/src/layout/generic/nsFrameSelection.cpp:1507:34
#12 0x7fcbdced6608 in nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle) /home/worker/workspace/build/src/layout/generic/nsFrameSelection.cpp:951:14
#13 0x7fcbd89ec348 in mozilla::dom::Selection::Modify(nsAString const&, nsAString const&, nsAString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/Selection.cpp:3948:24
#14 0x7fcbd983704c in mozilla::dom::SelectionBinding::modify(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Selection*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/SelectionBinding.cpp:886:9
#15 0x7fcbda5e7340 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3060:13
#16 0x7fcbe0c2e594 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
#17 0x7fcbe0c2e594 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#18 0x7fcbe0c1730b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#19 0x7fcbe0c1730b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3066
#20 0x7fcbe0bfde08 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
Flags: in-testsuite?
Updated•8 years ago
Priority: -- → P2
Comment 1•8 years ago
Regression range:
INFO: Last good revision: 17e2e2aa8f56546d6749d41266af06b7390df7db
INFO: First bad revision: 9fc3f64f258358a93d2b6ea11e931725a8e3e677
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=17e2e2aa8f56546d6749d41266af06b7390df7db&tochange=9fc3f64f258358a93d2b6ea11e931725a8e3e677
Fix range:
INFO: First good revision: f9b9ffb6fea52259bbcf00eca45285a930f0ca59
INFO: Last bad revision: 274953221bdfcec279aa53c02d1aa96d441a4359
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=274953221bdfcec279aa53c02d1aa96d441a4359&tochange=f9b9ffb6fea52259bbcf00eca45285a930f0ca59
Regressed by bug 1351170 and fixed by bug 1382342. NI myself to land this testcase as a crashtest.
Assignee: nobody → nchen
Blocks: 1351170
Status: NEW → RESOLVED
Has Regression Range: --- → yes
Closed: 8 years ago
status-firefox56:
--- → fixed
status-firefox57:
--- → fixed
status-firefox-esr52:
--- → unaffected
Depends on: 1383242
Flags: needinfo?(ryanvm)
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Version: unspecified → 55 Branch
Comment 2•8 years ago
"fixed by 1382342"
"Depends on: 1383242"
----------------^^
transposed digits?
Comment 3•8 years ago
Yup, should have been 1383242. Oh well, I'm over it.
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e233eda69717
Add crashtest. r=me
Updated•8 years ago
Flags: needinfo?(ryanvm)
Flags: in-testsuite?
Flags: in-testsuite+
Comment 5•8 years ago
bugherder