Assertion failure: !mMightHaveUnreportedJSException, at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ErrorResult.h:486

RESOLVED FIXED in Firefox 58

Status

defect
RESOLVED FIXED
2 years ago
3 months ago

People

(Reporter: jkratzer, Assigned: bzbarsky)

Tracking

(Blocks 1 bug, {assertion, testcase})

57 Branch
mozilla58
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox56 unaffected, firefox57 wontfix, firefox58 fixed)

Details

Attachments

(2 attachments)

Reporter

Description

2 years ago
Posted file trigger.html
Testcase found while fuzzing mozilla-central rev 083a9c84fbd0 (20171030).

Bisects back to bug 1393806.

==16149==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7febefd67772 bp 0x7ffcf948e7d0 sp 0x7ffcf948e7c0 T0)
==16149==The signal is caused by a WRITE memory access.
==16149==Hint: address points to the zero page.
    #0 0x7febefd67771 in mozilla::binding_danger::TErrorResult<mozilla::binding_danger::AssertAndSuppressCleanupPolicy>::AssertReportedOrSuppressed() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ErrorResult.h:485:5
    #1 0x7febefd51d55 in mozilla::binding_danger::TErrorResult<mozilla::binding_danger::AssertAndSuppressCleanupPolicy>::~TErrorResult() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ErrorResult.h:138:7
    #2 0x7febf45cc5fa in mozilla::InsertNodeTransaction::DoTransaction() /builds/worker/workspace/build/src/editor/libeditor/InsertNodeTransaction.cpp:81:1
    #3 0x7febf4617b75 in nsTransactionManager::BeginTransaction(nsITransaction*, nsISupports*) /builds/worker/workspace/build/src/editor/txmgr/nsTransactionManager.cpp:661:21
    #4 0x7febf461782c in nsTransactionManager::DoTransaction(nsITransaction*) /builds/worker/workspace/build/src/editor/txmgr/nsTransactionManager.cpp:74:8
    #5 0x7febf44d9ab7 in mozilla::EditorBase::DoTransaction(mozilla::dom::Selection*, nsITransaction*) /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:760:20
    #6 0x7febf44e051e in mozilla::EditorBase::InsertNode(nsIContent&, nsINode&, int) /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:1489:17
    #7 0x7febf44e3dde in mozilla::EditorBase::InsertContainerAbove(nsIContent*, nsAtom*, nsAtom*, nsTSubstring<char16_t> const*) /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:1781:10
    #8 0x7febf45b1d98 in mozilla::HTMLEditor::SetInlinePropertyOnNodeImpl(nsIContent&, nsAtom&, nsTSubstring<char16_t> const*, nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/editor/libeditor/HTMLStyleEditor.cpp:416:27
    #9 0x7febf4564b5d in mozilla::HTMLEditor::SetInlinePropertyOnNode(nsIContent&, nsAtom&, nsTSubstring<char16_t> const*, nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/editor/libeditor/HTMLStyleEditor.cpp:439:12
    #10 0x7febf4588ed3 in mozilla::HTMLEditor::SetInlineProperty(nsAtom*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/editor/libeditor/HTMLStyleEditor.cpp:160:14
    #11 0x7febf461e2d2 in SetTextProperty(mozilla::HTMLEditor*, nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:1633:23
    #12 0x7febf461d9d2 in nsStyleUpdatingCommand::ToggleState(mozilla::HTMLEditor*) /builds/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:275:12
    #13 0x7febf461c819 in nsBaseStateUpdatingCommand::DoCommand(char const*, nsISupports*) /builds/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:105:10
    #14 0x7febf2e060fe in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /builds/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:147:26
    #15 0x7febf2dfee9c in nsBaseCommandController::DoCommand(char const*) /builds/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:136:25
    #16 0x7febf2e0399f in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /builds/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:212:22
    #17 0x7febf31a63ca in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3349:18
    #18 0x7febf28f3b0b in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:891:21
    #19 0x7febf2b8530e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13
    #20 0x7febf7b5bea1 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #21 0x7febf7b5ba7a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:16
    #22 0x7febf7b5cb25 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #23 0x7febf7b510bf in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3066:18
    #24 0x7febf7b3c7e4 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
    #25 0x7febf7b5e7a2 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:705:15
Flags: in-testsuite?
Blocks: 1393806
Has Regression Range: --- → yes
See Also: → 1408444
Version: 58 Branch → 57 Branch
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #8925160 - Flags: review?(peterv) → review+

Comment 2

2 years ago
Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/fd793c9da072
Make sure to make it clear that we'd report a JS exception on the ErrorResult in InsertNodeTransaction::DoTransaction.  r=peterv

Comment 3

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/fd793c9da072
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Component: DOM → DOM: Core & HTML