Closed Bug 1423776 Opened 6 years ago Closed 6 years ago

crash near null in [@ nsRange::nsRange]

Categories

(Core :: DOM: Editor, defect, P1)

Product:
Core
Component:
DOM: Editor
Version:
59 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla62
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- fixed

People

(Reporter: tsmith, Assigned: m_kato)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files)

testcase.html
453 bytes, text/html
Details
Bug 1423776 - Return error when splitted node might be orphan.
59 bytes, text/x-review-board-request
masayuki
: review+
Details
Attached file testcase.html 
==117581==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7fc10fbf49b9 bp 0x7fff1bed15b0 sp 0x7fff1bed1590 T0)
==117581==The signal is caused by a READ memory access.
==117581==Hint: address points to the zero page.
    #0 0x7fc10fbf49b8 in get /src/obj-firefox/dist/include/mozilla/RefPtr.h:287:27
    #1 0x7fc10fbf49b8 in operator-> /src/obj-firefox/dist/include/mozilla/RefPtr.h:319
    #2 0x7fc10fbf49b8 in OwnerDoc /src/dom/base/nsINode.h:535
    #3 0x7fc10fbf49b8 in nsRange::nsRange(nsINode*) /src/dom/base/nsRange.cpp:273
    #4 0x7fc113e766c4 in mozilla::RangeItem::GetRange() /src/editor/libeditor/SelectionState.cpp:670:31
    #5 0x7fc113d658b9 in mozilla::HTMLEditRules::GetNodesForOperation(nsTArray<RefPtr<nsRange> >&, nsTArray<mozilla::OwningNonNull<nsINode> >&, EditAction, mozilla::HTMLEditRules::TouchContent) /src/editor/libeditor/HTMLEditRules.cpp:6147:37
    #6 0x7fc113d6092c in GetNodesFromSelection /src/editor/libeditor/HTMLEditRules.cpp:6653:17
    #7 0x7fc113d6092c in mozilla::HTMLEditRules::GetListActionNodes(nsTArray<mozilla::OwningNonNull<nsINode> >&, mozilla::HTMLEditRules::EntireList, mozilla::HTMLEditRules::TouchContent) /src/editor/libeditor/HTMLEditRules.cpp:6297
    #8 0x7fc113d4ad57 in mozilla::HTMLEditRules::WillMakeList(mozilla::dom::Selection*, nsTSubstring<char16_t> const*, bool, nsTSubstring<char16_t> const*, bool*, bool*, nsTSubstring<char16_t> const*) /src/editor/libeditor/HTMLEditRules.cpp:3471:8
    #9 0x7fc113d3531a in mozilla::HTMLEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::RulesInfo*, bool*, bool*) /src/editor/libeditor/HTMLEditRules.cpp:656:14
    #10 0x7fc113df1809 in mozilla::HTMLEditor::MakeOrChangeList(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&) /src/editor/libeditor/HTMLEditor.cpp:1950:24
    #11 0x7fc113ed9f3b in nsListCommand::ToggleState(mozilla::HTMLEditor*) /src/editor/composer/nsComposerCommands.cpp:332:23
    #12 0x7fc113ed7097 in nsBaseStateUpdatingCommand::DoCommand(char const*, nsISupports*) /src/editor/composer/nsComposerCommands.cpp:105:10
    #13 0x7fc111df9a50 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /src/dom/commandhandler/nsControllerCommandTable.cpp:147:26
    #14 0x7fc111def926 in nsBaseCommandController::DoCommand(char const*) /src/dom/commandhandler/nsBaseCommandController.cpp:136:25
    #15 0x7fc111df64a4 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /src/dom/commandhandler/nsCommandManager.cpp:212:22
    #16 0x7fc11232abdb in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /src/dom/html/nsHTMLDocument.cpp:3276:18
    #17 0x7fc1117128e1 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:854:21
    #18 0x7fc111ab4ad7 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3042:13
    #19 0x1fb530e3ae85  (<unknown module>)
Flags: in-testsuite?
Crash Signature: [@ nsRange::nsRange ]
Priority: -- → P1
Assignee: nobody → m_kato
Comment on attachment 8982985 [details]
Bug 1423776 - Return error when splitted node might be orphan.

https://reviewboard.mozilla.org/r/248828/#review254970

::: editor/libeditor/HTMLEditRules.cpp:7828
(Diff revision 1)
>      if (NS_WARN_IF(splitEndInlineResult.Failed())) {
>        return splitEndInlineResult.Rv();
>      }
>      EditorRawDOMPoint splitPointAtEnd(splitEndInlineResult.SplitPoint());
> +    if (NS_WARN_IF(!splitPointAtEnd.IsSet())) {
> +      return NS_ERROR_FAILURE;

Perhaps, we need another error such as NS_ERROR_DOM_TREE_CHANGED_UNEXPECTEDLY or something, but it's out of scope of this bug.
Attachment #8982985 - Flags: review?(masayuki) → review+
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/988847e0ed2e
Return error when splitted node might be orphan. r=masayuki
https://hg.mozilla.org/mozilla-central/rev/988847e0ed2e
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox62: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Not seeing any obvious indication in crash-stats that this is hitting us in the wild, so let's let it ride the trains.
status-firefox59: affectedwontfix
status-firefox60: --- → wontfix
status-firefox61: --- → wontfix
status-firefox-esr52: --- → wontfix
status-firefox-esr60: --- → wontfix
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: