Bug 1383755 - Crash [@hdr] in /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:525:32

Status: Closed, RESOLVED FIXED (opened 7 years ago, closed 7 years ago)
Categories: Core :: DOM: Editor, defect, P1
Target Milestone: mozilla56

Branch | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox54 | --- | unaffected
firefox55 | --- | unaffected
firefox56 | --- | fixed

People: Reporter: jkratzer, Assigned: m_kato
References: Blocks 1 open bug
Keywords: crash, csectype-nullptr, testcase
Attachments: 3 files

Description
Testcase found while fuzzing mozilla-central rev 20170722-c22502562670.

==20317==Hint: address points to the zero page.
    #0 0x7f6b73cca395 in Hdr /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:525:32
    #1 0x7f6b73cca395 in Elements /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1038
    #2 0x7f6b73cca395 in IndexOf<nsIContent *, nsDefaultComparator<mozilla::dom::Element *, nsIContent *> > /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1173
    #3 0x7f6b73cca395 in RemoveElement<nsIContent *, nsDefaultComparator<mozilla::dom::Element *, nsIContent *> > /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1756
    #4 0x7f6b73cca395 in RemoveElement<nsIContent *> /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1770
    #5 0x7f6b73cca395 in mozilla::HTMLEditor::DeleteRefToAnonymousNode(nsIContent*, nsIPresShell*) /home/worker/workspace/build/src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:325
    #6 0x7f6b73ccc99b in RemoveListenerAndDeleteRef /home/worker/workspace/build/src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:272:3
    #7 0x7f6b73ccc99b in mozilla::HTMLEditor::HideResizers() /home/worker/workspace/build/src/editor/libeditor/HTMLEditorObjectResizer.cpp:388
    #8 0x7f6b73d55a8b in HideAnonymousEditingUIs /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:188:5
    #9 0x7f6b73d55a8b in mozilla::HTMLEditor::PreDestroy(bool) /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:341
    #10 0x7f6b77302a87 in SetEditor /home/worker/workspace/build/src/docshell/base/nsDocShellEditorData.cpp:116:16
    #11 0x7f6b77302a87 in nsDocShell::SetEditor(nsIEditor*) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:13127
    #12 0x7f6b73e540f0 in nsEditingSession::TearDownEditorOnWindow(mozIDOMWindowProxy*) /home/worker/workspace/build/src/editor/composer/nsEditingSession.cpp:568:13
    #13 0x7f6b7247f2e2 in nsHTMLDocument::TurnEditingOff() /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2694:21
    #14 0x7f6b7247f6f1 in nsHTMLDocument::EditingStateChanged() /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2741:12
    #15 0x7f6b72492ab4 in nsHTMLDocument::MaybeEditingStateChanged() /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2506:7
    #16 0x7f6b724bb182 in applyImpl<nsHTMLDocument, void (nsHTMLDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1158:12
    #17 0x7f6b724bb182 in apply<nsHTMLDocument, void (nsHTMLDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1164
    #18 0x7f6b724bb182 in mozilla::detail::RunnableMethodImpl<nsHTMLDocument*, void (nsHTMLDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1207
    #19 0x7f6b6fe0a26f in nsContentUtils::RemoveScriptBlocker() /home/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5637:15
    #20 0x7f6b70180a39 in ~nsAutoScriptBlocker /home/worker/workspace/build/src/obj-firefox/dist/include/nsContentUtils.h:3357:5
Flags: in-testsuite?

Updated (7 years ago):
Crash Signature: [@ mozilla::HTMLEditor::DeleteRefToAnonymousNode ]
Priority: -- → P1

Comment 3 (7 years ago, mozreview-review)
Comment on attachment 8890775 [details]
Bug 1383755 - Part 2. Add crash test for object resizer.
https://reviewboard.mozilla.org/r/161962/#review167276

::: editor/libeditor/crashtests/1383755.html:4
(Diff revision 1)
> + let table = document.createElement('table');
> + document.documentElement.appendChild(table);
> + let tr = document.createElement('tr');
> + table.appendChild(tr);
> + let input = document.createElement('input');
> + document.documentElement.appendChild(input);
> +
> + let img = document.createElement('img');
> + input.appendChild(img);
> + img.contentEditable = 'true'
> + tr.appendChild(img);
> + img.offsetParent;
> +
> + window.getSelection().selectAllChildren(tr);

Could you insert a comment line before the line that causes creating anonymous content? Like:

// This causes the editor to create anonymous elements.

::: editor/libeditor/crashtests/1383755.html:18
(Diff revision 1)
> + img.contentEditable = 'true'
> + tr.appendChild(img);
> + img.offsetParent;
> +
> + window.getSelection().selectAllChildren(tr);
> + document.implementation.createDocument('', '').adoptNode(table);

And could you insert a comment before this line to explain that it will remove the anonymous nodes, e.g.:

// Document.adoptNode() will remove anonymous elements and it shouldn't cause crash.

Then it becomes clearer what is being tested by this file.
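Review bot: In the hunk at 1383755.html:4, `img.contentEditable = 'true'` is the only statement without a trailing semicolon; add one for consistency with the surrounding lines. In the same region, the bare expression `img.offsetParent;` reads as a no-op unless a comment says why it is there (reading offsetParent forces a layout flush, so the editor's anonymous content exists before `selectAllChildren(tr)` runs); a one-line comment at that point, alongside the two requested above, would make the test's sequence of trigger, flush, select and adopt self-explanatory.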
Attachment #8890775 - Flags: review?(masayuki) → review+
Comment 4 (7 years ago, mozreview-review)
Comment on attachment 8890774 [details]
Bug 1383755 - Part 1. NAC property might be removed by nsIDocument::AdoptNode.
https://reviewboard.mozilla.org/r/161960/#review167278

::: editor/libeditor/HTMLAnonymousNodeEditor.cpp:331
(Diff revision 1)
>
> // Remove reference from the parent element.
> auto nac = static_cast<mozilla::ManualNAC*>(
> parentContent->GetProperty(nsGkAtoms::manualNACProperty));
> - MOZ_ASSERT(nac);
> + // nsIDocument::AdoptNode might remove all properties before destroying
> + // editor. So we have to consider that NAC is already removed.

s/is already/could be already
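Review bot: The hunk at HTMLAnonymousNodeEditor.cpp:331 drops `MOZ_ASSERT(nac)` and replaces it with a comment, but the visible lines contain no null check on `nac` before it is used; the reported crash is a null dereference in `RemoveElement` called from `DeleteRefToAnonymousNode` (frame #5, HTMLAnonymousNodeEditor.cpp:325), so the guard is the actual fix and should be visible in the hunk's context (an early `return` or an `if (nac)` around the RemoveElement call). Removing the assertion also removes the debug-build signal that the property went missing; since the comment says this is only expected after `nsIDocument::AdoptNode`, state that condition in the comment so a null `nac` reached by any other path is still recognised as a bug.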
Attachment #8890774 - Flags: review?(masayuki) → review+
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/1b4c1019f2ab
Part 1. NAC property might be removed by nsIDocument::AdoptNode. r=masayuki
https://hg.mozilla.org/integration/autoland/rev/9aa80b8b5650
Part 2. Add crash test for object resizer. r=masayuki
Updated (7 years ago):
Assignee: nobody → m_kato
status-firefox55: --- → unaffected
status-firefox56: --- → affected
Comment 8 (7 years ago, bugherder)
https://hg.mozilla.org/mozilla-central/rev/1b4c1019f2ab
https://hg.mozilla.org/mozilla-central/rev/9aa80b8b5650
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Updated (7 years ago):
status-firefox54: --- → unaffected
status-firefox-esr52: --- → unaffected
Flags: in-testsuite? → in-testsuite+