Closed
Bug 1441619
Opened 6 years ago
Closed 5 years ago
Crash near null [@ get]
Categories
(Core :: DOM: Editor, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla66
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | affected |
| firefox-esr60 | --- | unaffected |
| firefox59 | --- | unaffected |
| firefox60 | --- | unaffected |
| firefox64 | --- | unaffected |
| firefox65 | --- | unaffected |
| firefox66 | --- | unaffected |
People
(Reporter: jkratzer, Assigned: m_kato)
References
(Blocks 1 open bug)
Details
(Keywords: crash, Whiteboard: [fuzzblocker])
Attachments
(2 files)
Found while fuzzing esr52 rev fe9968b35619. Currently reducing the testcase and will update shortly.
=================================================================
==24583==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f2526449418 bp 0x7fff83f5f670 sp 0x7fff83f5f670 T0)
#0 0x7f2526449417 in get /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:283:27
#1 0x7f2526449417 in operator-> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:320
#2 0x7f2526449417 in NodeType /home/worker/workspace/build/src/dom/base/nsINode.h:566
#3 0x7f2526449417 in mozilla::EditorBase::IsTextNode(nsINode*) /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:3654
#4 0x7f25264be9e9 in mozilla::HTMLEditRules::GetNodesForOperation(nsTArray<RefPtr<nsRange> >&, nsTArray<mozilla::OwningNonNull<nsINode> >&, EditAction, mozilla::HTMLEditRules::TouchContent) /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:5620:12
#5 0x7f25264b24b9 in GetNodesFromSelection /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:6112:17
#6 0x7f25264b24b9 in mozilla::HTMLEditRules::WillAlign(mozilla::dom::Selection&, nsAString_internal const&, bool*, bool*) /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:4526
#7 0x7f252649bc4b in mozilla::HTMLEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::RulesInfo*, bool*, bool*) /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:632:14
#8 0x7f2526530eca in mozilla::HTMLEditor::Align(nsAString_internal const&) /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:2266:17
#9 0x7f2526610814 in nsAlignCommand::SetState(nsIEditor*, nsString&) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:962:10
#10 0x7f252660ab90 in nsMultiStateCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:595:12
#11 0x7f2527a840c3 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) /home/worker/workspace/build/src/embedding/components/commandhandler/nsControllerCommandTable.cpp:162:10
#12 0x7f2527a7aeee in DoCommandWithParams /home/worker/workspace/build/src/embedding/components/commandhandler/nsBaseCommandController.cpp:152:10
#13 0x7f2527a7aeee in non-virtual thunk to nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) /home/worker/workspace/build/src/embedding/components/commandhandler/nsBaseCommandController.cpp:140
#14 0x7f2527a811ba in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /home/worker/workspace/build/src/embedding/components/commandhandler/nsCommandManager.cpp:212:10
#15 0x7f2524e1dbc5 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3257:10
#16 0x7f252429adf4 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:829:15
#17 0x7f25246376a9 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2904:13
#18 0x7f252a9c7085 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#19 0x7f252a9c7085 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#20 0x7f252a9a748f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#21 0x7f252a9a748f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#22 0x7f252a98c64d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#23 0x7f252a9c9572 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:686:15
#24 0x7f2529c194d2 in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/builtin/Eval.cpp:327:12
#25 0x7f2529c1792c in js::IndirectEval(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/builtin/Eval.cpp:420:12
#26 0x7f24daf4c699 (<unknown module>)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:283:27 in get
==24583==ABORTING
|
Reporter | |
Comment 1•6 years ago
|
||
|
|
Reporter | |
Updated•6 years ago
|
Flags: in-testsuite?
|
Assignee | |
Updated•6 years ago
|
status-firefox59:
--- → unaffected
status-firefox60:
--- → unaffected
status-firefox-esr52:
--- → affected
Version: 59 Branch → 52 Branch
|
|
Assignee | |
Updated•6 years ago
|
Priority: -- → P3
|
|
Assignee | |
Updated•6 years ago
|
Priority: P3 → P2
|
||
Comment 2•5 years ago
|
||
This issue still occurs in v52.9.0esr using the trigger.html attached file, but it does not occur on either of the newer versions (Latest ESR v60.3.0esr, Firefox Release v63.0.3, Firefox Beta v64.0 or Nightly v66.0a1). Does this issue still need to be addressed, considering that the official ESR is now v60.3.0esr?
status-firefox64:
--- → unaffected
status-firefox65:
--- → unaffected
status-firefox66:
--- → unaffected
status-firefox-esr60:
--- → unaffected
Flags: needinfo?(jkratzer)
Keywords: testcase-wanted
OS: Unspecified → All
Hardware: Unspecified → Desktop
|
|
Reporter | |
Updated•5 years ago
|
Flags: needinfo?(jkratzer) → needinfo?(m_kato)
|
|
Assignee | |
Comment 3•5 years ago
|
||
(In reply to Bodea Daniel [:danibodea] from comment #2) > This issue still occurs in v52.9.0esr using the trigger.html attached file, > but it does not occur on either of the newer versions (Latest ESR > v60.3.0esr, Firefox Release v63.0.3, Firefox Beta v64.0 or Nightly v66.0a1). > > Does this issue still need to be addressed, considering that the official > ESR is now v60.3.0esr? We added a lot of fix for GetNodesForOperation, so think that this issue is already fixed. But we should add crash test to our tree.
Flags: needinfo?(m_kato)
|
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → m_kato
|
|
Assignee | |
Comment 4•5 years ago
|
||
The latest version of Gecko doesn't crash by this HTML, but I would like to add this for feature.
Pushed by m_kato@ga2.so-net.ne.jp: https://hg.mozilla.org/integration/mozilla-inbound/rev/87079a2e372b Add crashtest. r=masayuki
|
||
Comment 6•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/87079a2e372b
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
You need to log in
before you can comment on or make changes to this bug.
Description
•