Closed Bug 1383755 Opened 3 years ago Closed 3 years ago

Crash [@hdr] in /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:525:32

Categories

(Core :: DOM: Editor, defect, P1, critical)


Tracking


RESOLVED FIXED
mozilla56
Tracking Status
firefox-esr52 --- unaffected
firefox54 --- unaffected
firefox55 --- unaffected
firefox56 --- fixed

People

(Reporter: jkratzer, Assigned: m_kato)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase)

Attachments

(3 files)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 20170722-c22502562670.

==20317==Hint: address points to the zero page.
    #0 0x7f6b73cca395 in Hdr /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:525:32
    #1 0x7f6b73cca395 in Elements /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1038
    #2 0x7f6b73cca395 in IndexOf<nsIContent *, nsDefaultComparator<mozilla::dom::Element *, nsIContent *> > /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1173
    #3 0x7f6b73cca395 in RemoveElement<nsIContent *, nsDefaultComparator<mozilla::dom::Element *, nsIContent *> > /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1756
    #4 0x7f6b73cca395 in RemoveElement<nsIContent *> /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1770
    #5 0x7f6b73cca395 in mozilla::HTMLEditor::DeleteRefToAnonymousNode(nsIContent*, nsIPresShell*) /home/worker/workspace/build/src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:325
    #6 0x7f6b73ccc99b in RemoveListenerAndDeleteRef /home/worker/workspace/build/src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:272:3
    #7 0x7f6b73ccc99b in mozilla::HTMLEditor::HideResizers() /home/worker/workspace/build/src/editor/libeditor/HTMLEditorObjectResizer.cpp:388
    #8 0x7f6b73d55a8b in HideAnonymousEditingUIs /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:188:5
    #9 0x7f6b73d55a8b in mozilla::HTMLEditor::PreDestroy(bool) /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:341
    #10 0x7f6b77302a87 in SetEditor /home/worker/workspace/build/src/docshell/base/nsDocShellEditorData.cpp:116:16
    #11 0x7f6b77302a87 in nsDocShell::SetEditor(nsIEditor*) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:13127
    #12 0x7f6b73e540f0 in nsEditingSession::TearDownEditorOnWindow(mozIDOMWindowProxy*) /home/worker/workspace/build/src/editor/composer/nsEditingSession.cpp:568:13
    #13 0x7f6b7247f2e2 in nsHTMLDocument::TurnEditingOff() /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2694:21
    #14 0x7f6b7247f6f1 in nsHTMLDocument::EditingStateChanged() /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2741:12
    #15 0x7f6b72492ab4 in nsHTMLDocument::MaybeEditingStateChanged() /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2506:7
    #16 0x7f6b724bb182 in applyImpl<nsHTMLDocument, void (nsHTMLDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1158:12
    #17 0x7f6b724bb182 in apply<nsHTMLDocument, void (nsHTMLDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1164
    #18 0x7f6b724bb182 in mozilla::detail::RunnableMethodImpl<nsHTMLDocument*, void (nsHTMLDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1207
    #19 0x7f6b6fe0a26f in nsContentUtils::RemoveScriptBlocker() /home/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5637:15
    #20 0x7f6b70180a39 in ~nsAutoScriptBlocker /home/worker/workspace/build/src/obj-firefox/dist/include/nsContentUtils.h:3357:5
Flags: in-testsuite?
Crash Signature: [@ mozilla::HTMLEditor::DeleteRefToAnonymousNode ]
Priority: -- → P1
Comment on attachment 8890775 [details]
Bug 1383755 - Part 2. Add crash test for object resizer.

https://reviewboard.mozilla.org/r/161962/#review167276

::: editor/libeditor/crashtests/1383755.html:4
(Diff revision 1)
> +      let table = document.createElement('table');
> +      document.documentElement.appendChild(table);
> +      let tr = document.createElement('tr');
> +      table.appendChild(tr);
> +      let input = document.createElement('input');
> +      document.documentElement.appendChild(input);
> +
> +      let img = document.createElement('img');
> +      input.appendChild(img);
> +      img.contentEditable = 'true'
> +      tr.appendChild(img);
> +      img.offsetParent;
> +
> +      window.getSelection().selectAllChildren(tr);
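Review bot: `img.contentEditable = 'true'` is the only statement in the hunk without a trailing semicolon, and `img.offsetParent;` as a bare expression reads like a no-op to anyone who does not know the layout-flush idiom. Suggest `img.contentEditable = 'true';` plus a one-line comment on the next line such as `// Flush layout before selecting, so the editor's anonymous content exists.` so the intent of forcing a layout flush is recorded in the test itself.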

Could you insert a comment line before the code that causes creating anonymous content? Like:

// This causes creating an editor, which creates anonymous elements.

::: editor/libeditor/crashtests/1383755.html:18
(Diff revision 1)
> +      img.contentEditable = 'true'
> +      tr.appendChild(img);
> +      img.offsetParent;
> +
> +      window.getSelection().selectAllChildren(tr);
> +      document.implementation.createDocument('', '').adoptNode(table);
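Review bot: The document returned by `document.implementation.createDocument('', '')` on the last line is discarded immediately, so a reader cannot tell whether the test only needs the table adopted out of the editable document or also needs the new document kept alive; holding it in a variable, e.g. `let otherDoc = document.implementation.createDocument('', '');` followed by `otherDoc.adoptNode(table);`, makes the node move explicit and keeps the adopting document reachable for the rest of the test. The ordering matters here too: `adoptNode()` runs while the selection from `selectAllChildren(tr)` still covers the table's contents, and a short comment saying that is the point of the sequence would help.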

And could you insert a comment before this line to explain that it will remove the anonymous nodes, e.g.,

// Document.adoptNode() will remove anonymous elements and it shouldn't cause a crash.

Then it becomes clearer what is being tested by this file.
Attachment #8890775 - Flags: review?(masayuki) → review+
Comment on attachment 8890774 [details]
Bug 1383755 - Part 1. NAC property might be removed by nsIDocument::AdoptNode.

https://reviewboard.mozilla.org/r/161960/#review167278

::: editor/libeditor/HTMLAnonymousNodeEditor.cpp:331
(Diff revision 1)
>  
>    // Remove reference from the parent element.
>    auto nac = static_cast<mozilla::ManualNAC*>(
>        parentContent->GetProperty(nsGkAtoms::manualNACProperty));
> -  MOZ_ASSERT(nac);
> +  // nsIDocument::AdoptNode might remove all properties before destroying
> +  // editor.  So we have to consider that NAC is already removed.
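Review bot: Dropping `MOZ_ASSERT(nac)` without showing the check that replaces it leaves the `nac` pointer from `GetProperty(nsGkAtoms::manualNACProperty)` unguarded in the visible context; the hunk should include the `if (nac)` guard (or early return) that now handles the property-already-removed case, so the explanatory comment and the null check it justifies are reviewed together. The comment's second sentence also reads better as `So we have to consider that the NAC could already have been removed.`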

s/is already/could be already
Attachment #8890774 - Flags: review?(masayuki) → review+
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/1b4c1019f2ab
Part 1. NAC property might be removed by nsIDocument::AdoptNode. r=masayuki
https://hg.mozilla.org/integration/autoland/rev/9aa80b8b5650
Part 2. Add crash test for object resizer. r=masayuki
Assignee: nobody → m_kato
Flags: in-testsuite? → in-testsuite+