Closed
Bug 1446043
Opened 7 years ago
Closed 6 years ago
Crash [@ GetNextSibling]
Categories
(Core :: Spelling checker, defect, P2)
RESOLVED
DUPLICATE
of bug 1497480
People
(Reporter: jkratzer, Assigned: edgar)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-nullptr, testcase)
Attachments
(1 file)
918 bytes,
text/html
Testcase found while fuzzing mozilla-central rev fcb11e93adf5.
==7845==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f2ac7e8ba70 bp 0x7ffdf8d77ab0 sp 0x7ffdf8d77a80 T0)
==7845==The signal is caused by a READ memory access.
==7845==Hint: address points to the zero page.
#0 0x7f2ac7e8ba6f in GetNextSibling /builds/worker/workspace/build/src/obj-firefox/dist/include/nsINode.h:1490:47
#1 0x7f2ac7e8ba6f in GetNextNodeImpl /builds/worker/workspace/build/src/obj-firefox/dist/include/nsINode.h:1554
#2 0x7f2ac7e8ba6f in GetNextNonChildNode /builds/worker/workspace/build/src/obj-firefox/dist/include/nsINode.h:1514
#3 0x7f2ac7e8ba6f in FindNextTextNode /builds/worker/workspace/build/src/extensions/spellcheck/src/mozInlineSpellWordUtil.cpp:143
#4 0x7f2ac7e8ba6f in mozInlineSpellWordUtil::SetEnd(nsINode*, int) /builds/worker/workspace/build/src/extensions/spellcheck/src/mozInlineSpellWordUtil.cpp:180
#5 0x7f2ac7e8a1ab in mozInlineSpellChecker::DoSpellCheck(mozInlineSpellWordUtil&, mozilla::dom::Selection*, mozilla::UniquePtr<mozInlineSpellStatus, mozilla::DefaultDelete<mozInlineSpellStatus> > const&, bool*) /builds/worker/workspace/build/src/extensions/spellcheck/src/mozInlineSpellChecker.cpp:1408:15
#6 0x7f2ac7e8db56 in mozInlineSpellChecker::ResumeCheck(mozilla::UniquePtr<mozInlineSpellStatus, mozilla::DefaultDelete<mozInlineSpellStatus> >&&) /builds/worker/workspace/build/src/extensions/spellcheck/src/mozInlineSpellChecker.cpp:1610:10
#7 0x7f2ac7ea0cf5 in mozInlineSpellResume::Run() /builds/worker/workspace/build/src/extensions/spellcheck/src/mozInlineSpellChecker.cpp:492:31
#8 0x7f2abc46671a in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:343:22
#9 0x7f2abc443268 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
#10 0x7f2abc45f5d0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
#11 0x7f2abd31e5aa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#12 0x7f2abd26cc39 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#13 0x7f2abd26cc39 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#14 0x7f2abd26cc39 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#15 0x7f2ac3ff68fa in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#16 0x7f2ac850a56b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#17 0x7f2abd26cc39 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#18 0x7f2abd26cc39 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#19 0x7f2abd26cc39 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#20 0x7f2ac8509f4a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#21 0x4f6f2c in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#22 0x4f6f2c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#23 0x7f2adc03b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
Flags: in-testsuite?
Updated•7 years ago
Keywords: csectype-nullptr
Priority: -- → P2
Updated•6 years ago
Crash Signature: [@ FindNextTextNode]
status-firefox61:
--- → wontfix
status-firefox62:
--- → affected
status-firefox63:
--- → affected
status-firefox-esr60:
--- → affected
Comment 1•6 years ago
Closing because no crash reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Comment 2•6 years ago
> Closing because no crash reported for 12 weeks.
Reopening because crash bugs **with testcases** should not be resolved **as WONTFIX** based on queries of crash-stats. Other resolutions may be appropriate for other reasons.
(Crash signatures are not the same as bug identity; they're merely a search aid to find and group similar crashes. The bug may still be present, but the signature may have changed slightly, or the bug may even still be present with the same signature but there are simply no recent reports of crashes in that function.)
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
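Added example (not part of the bug thread and not Mozilla's crash-stats code): a sketch of why the title signature [@ GetNextSibling] and the later Crash Signature field [@ FindNextTextNode] can both name this one crash. The three frame-selection rules below are assumptions chosen for illustration.

```python
import re

# Top frames of the ASan report above (constructed sample: build paths and
# the DoSpellCheck argument list are shortened).
ASAN_TRACE = """\
#0 0x7f2ac7e8ba6f in GetNextSibling nsINode.h:1490:47
#1 0x7f2ac7e8ba6f in GetNextNodeImpl nsINode.h:1554
#2 0x7f2ac7e8ba6f in GetNextNonChildNode nsINode.h:1514
#3 0x7f2ac7e8ba6f in FindNextTextNode mozInlineSpellWordUtil.cpp:143
#4 0x7f2ac7e8ba6f in mozInlineSpellWordUtil::SetEnd(nsINode*, int) mozInlineSpellWordUtil.cpp:180
#5 0x7f2ac7e8a1ab in mozInlineSpellChecker::DoSpellCheck(...) mozInlineSpellChecker.cpp:1408:15
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+(0x[0-9a-f]+)\s+in\s+(.+?)\s+(\S+)$")

def parse_frames(trace):
    """Return (pc, function, source_file) for each symbolized frame line."""
    frames = []
    for line in trace.splitlines():
        m = FRAME_RE.match(line)
        if m:
            func = re.sub(r"\(.*$", "", m.group(3))   # drop the argument list
            src = m.group(4).split(":")[0]            # drop line:column
            frames.append((int(m.group(2), 16), func, src))
    return frames

def crash_site(frames):
    """Frames sharing frame #0's pc are one machine function plus its inlines."""
    top_pc = frames[0][0]
    site = []
    for pc, func, src in frames:
        if pc != top_pc:
            break
        site.append((func, src))
    return site

def candidate_signatures(frames):
    """Three defensible 'top frame' choices for the same crash (assumed rules)."""
    site = crash_site(frames)
    non_header = [f for f, src in site if not src.endswith(".h")]
    return {
        "innermost": site[0][0],            # deepest inlined helper
        "first_non_header": non_header[0],  # skip helpers defined in headers
        "physical": site[-1][0],            # function that owns the pc
    }

def same_crash_site(signature, frames):
    """True if a reported signature names any function at the crash site."""
    return signature in {func for func, _ in crash_site(frames)}
```

A triage query keyed on only one of these names would miss reports filed under the others, which is why a quiet signature alone does not show the bug is gone.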
Comment 4•6 years ago
Looks like this testcase needs custom elements to reproduce. Is this something you'd be interested in looking at, Emilio? Still insta-crashes for me on current Nightly.
status-firefox64:
--- → fix-optional
Flags: needinfo?(emilio)
Comment 5•6 years ago
Pretty sure it's the same bug as bug 1497480, which is being worked on.
Flags: needinfo?(emilio)
Updated•6 years ago
status-firefox65:
--- → affected
Assignee
Comment 6•6 years ago
I couldn't reproduce this crash after bug 1497480, so mark as duplicated.
Status: REOPENED → RESOLVED
Closed: 6 years ago → 6 years ago
No longer depends on: 1497480
Resolution: --- → DUPLICATE
Assignee
Updated•6 years ago
Assignee: nobody → echen
Updated•6 years ago
Flags: in-testsuite? → in-testsuite+