Closed Bug 1446043 Opened 2 years ago Closed 1 year ago

Crash [@ GetNextSibling]

Categories

(Core :: Spelling checker, defect, P2, critical)

59 Branch
defect

Tracking


RESOLVED DUPLICATE of bug 1497480
Tracking Status
firefox-esr60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox63 --- wontfix
firefox64 --- fix-optional
firefox65 --- fixed

People

(Reporter: jkratzer, Assigned: edgar)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase)

Crash Data

Attachments

(1 file)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev fcb11e93adf5.

==7845==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f2ac7e8ba70 bp 0x7ffdf8d77ab0 sp 0x7ffdf8d77a80 T0)
==7845==The signal is caused by a READ memory access.
==7845==Hint: address points to the zero page.
    #0 0x7f2ac7e8ba6f in GetNextSibling /builds/worker/workspace/build/src/obj-firefox/dist/include/nsINode.h:1490:47
    #1 0x7f2ac7e8ba6f in GetNextNodeImpl /builds/worker/workspace/build/src/obj-firefox/dist/include/nsINode.h:1554
    #2 0x7f2ac7e8ba6f in GetNextNonChildNode /builds/worker/workspace/build/src/obj-firefox/dist/include/nsINode.h:1514
    #3 0x7f2ac7e8ba6f in FindNextTextNode /builds/worker/workspace/build/src/extensions/spellcheck/src/mozInlineSpellWordUtil.cpp:143
    #4 0x7f2ac7e8ba6f in mozInlineSpellWordUtil::SetEnd(nsINode*, int) /builds/worker/workspace/build/src/extensions/spellcheck/src/mozInlineSpellWordUtil.cpp:180
    #5 0x7f2ac7e8a1ab in mozInlineSpellChecker::DoSpellCheck(mozInlineSpellWordUtil&, mozilla::dom::Selection*, mozilla::UniquePtr<mozInlineSpellStatus, mozilla::DefaultDelete<mozInlineSpellStatus> > const&, bool*) /builds/worker/workspace/build/src/extensions/spellcheck/src/mozInlineSpellChecker.cpp:1408:15
    #6 0x7f2ac7e8db56 in mozInlineSpellChecker::ResumeCheck(mozilla::UniquePtr<mozInlineSpellStatus, mozilla::DefaultDelete<mozInlineSpellStatus> >&&) /builds/worker/workspace/build/src/extensions/spellcheck/src/mozInlineSpellChecker.cpp:1610:10
    #7 0x7f2ac7ea0cf5 in mozInlineSpellResume::Run() /builds/worker/workspace/build/src/extensions/spellcheck/src/mozInlineSpellChecker.cpp:492:31
    #8 0x7f2abc46671a in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:343:22
    #9 0x7f2abc443268 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #10 0x7f2abc45f5d0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #11 0x7f2abd31e5aa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #12 0x7f2abd26cc39 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #13 0x7f2abd26cc39 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #14 0x7f2abd26cc39 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #15 0x7f2ac3ff68fa in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #16 0x7f2ac850a56b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #17 0x7f2abd26cc39 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #18 0x7f2abd26cc39 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #19 0x7f2abd26cc39 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #20 0x7f2ac8509f4a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #21 0x4f6f2c in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #22 0x4f6f2c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #23 0x7f2adc03b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
Flags: in-testsuite?
Priority: -- → P2
Crash Signature: [@ FindNextTextNode]
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
Reopening because crash bugs **with testcases** should not be resolved **as WONTFIX** based on queries of crash-stats.  Other resolutions may be appropriate for other reasons.

(Crash signatures are not the same as bug identity; they're merely a search aid to find and group similar crashes.  The bug may still be present, but the signature may have changed slightly, or the bug may even still be present with the same signature but there are simply no recent reports of crashes in that function.)
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Looks like this testcase needs custom elements to reproduce. Is this something you'd be interested in looking at, Emilio? Still insta-crashes for me on current Nightly.
Pretty sure it's the same bug as bug 1497480, which is being worked on.
Flags: needinfo?(emilio)
See Also: → 1497480
See Also: 1497480
I couldn't reproduce this crash after bug 1497480, so I'm marking it as a duplicate.
Status: REOPENED → RESOLVED
Closed: 2 years ago → 1 year ago
No longer depends on: 1497480
Resolution: --- → DUPLICATE
Duplicate of bug: 1497480
Assignee: nobody → echen
Flags: in-testsuite? → in-testsuite+