Closed
Bug 1450694
Opened 6 years ago
Closed 3 years ago
Crash [@ get] near mozilla::EditorBase::IsTextNode
Categories
(Core :: DOM: Editor, defect, P3)
Tracking
RESOLVED WORKSFORME
Branch | Tracking | Status
---|---|---
firefox-esr52 | --- | affected
firefox60 | --- | unaffected
firefox61 | --- | unaffected
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [bugmon:confirmed])
Attachments
(1 file)
testcase: 689 bytes, text/html
Testcase found while fuzzing esr52 rev d61516b059c1.

==5756==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f27ba534308 bp 0x7ffc639552b0 sp 0x7ffc639552b0 T0)
#0 0x7f27ba534307 in get /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:283:27
#1 0x7f27ba534307 in operator-> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:320
#2 0x7f27ba534307 in NodeType /home/worker/workspace/build/src/dom/base/nsINode.h:566
#3 0x7f27ba534307 in mozilla::EditorBase::IsTextNode(nsINode*) /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:3647
#4 0x7f27ba5a98d9 in mozilla::HTMLEditRules::GetNodesForOperation(nsTArray<RefPtr<nsRange> >&, nsTArray<mozilla::OwningNonNull<nsINode> >&, EditAction, mozilla::HTMLEditRules::TouchContent) /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:5620:12
#5 0x7f27ba59d3a9 in GetNodesFromSelection /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:6112:17
#6 0x7f27ba59d3a9 in mozilla::HTMLEditRules::WillAlign(mozilla::dom::Selection&, nsAString_internal const&, bool*, bool*) /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:4526
#7 0x7f27ba586b3b in mozilla::HTMLEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::RulesInfo*, bool*, bool*) /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:632:14
#8 0x7f27ba61bdba in mozilla::HTMLEditor::Align(nsAString_internal const&) /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:2266:17
#9 0x7f27ba6fb704 in nsAlignCommand::SetState(nsIEditor*, nsString&) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:962:10
#10 0x7f27ba6f5a80 in nsMultiStateCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:595:12
#11 0x7f27bbb6e513 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) /home/worker/workspace/build/src/embedding/components/commandhandler/nsControllerCommandTable.cpp:162:10
#12 0x7f27bbb6533e in DoCommandWithParams /home/worker/workspace/build/src/embedding/components/commandhandler/nsBaseCommandController.cpp:152:10
#13 0x7f27bbb6533e in non-virtual thunk to nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) /home/worker/workspace/build/src/embedding/components/commandhandler/nsBaseCommandController.cpp:140
#14 0x7f27bbb6b60a in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /home/worker/workspace/build/src/embedding/components/commandhandler/nsCommandManager.cpp:212:10
#15 0x7f27b8f05fe5 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3257:10
#16 0x7f27b8383734 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:829:15
#17 0x7f27b871ffe9 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2904:13
#18 0x7f27beaaee65 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#19 0x7f27beaaee65 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#20 0x7f27bea8f26f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#21 0x7f27bea8f26f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#22 0x7f27bea7442d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#23 0x7f27beab1352 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:686:15
#24 0x7f27beab1beb in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:718:12
#25 0x7f27be5931c4 in Evaluate(JSContext*, js::ScopeKind, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:4439:19
#26 0x7f27be593f1b in Evaluate /home/worker/workspace/build/src/js/src/jsapi.cpp:4466:12
#27 0x7f27be593f1b in JS::Evaluate(JSContext*, JS::AutoObjectVector&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:4524
#28 0x7f27b6d11580 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /home/worker/workspace/build/src/dom/base/nsJSUtils.cpp:207:12
#29 0x7f27b6d12699 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /home/worker/workspace/build/src/dom/base/nsJSUtils.cpp:274:10
#30 0x7f27b6da91d1 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*) /home/worker/workspace/build/src/dom/base/nsScriptLoader.cpp:2193:14
#31 0x7f27b6da60de in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) /home/worker/workspace/build/src/dom/base/nsScriptLoader.cpp:1979:10
#32 0x7f27b6d8d435 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /home/worker/workspace/build/src/dom/base/nsScriptLoader.cpp:1712:10
#33 0x7f27b6d89da1 in nsScriptElement::MaybeProcessScript() /home/worker/workspace/build/src/dom/base/nsScriptElement.cpp:149:10
#34 0x7f27b5dfa7d3 in AttemptToExecute /home/worker/workspace/build/src/dom/base/nsIScriptElement.h:222:18
#35 0x7f27b5dfa7d3 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /home/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:666
#36 0x7f27b5df8f55 in nsHtml5TreeOpExecutor::RunFlushLoop() /home/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:489:7
#37 0x7f27b5dfdbcb in nsHtml5ExecutorFlusher::Run() /home/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:128:9
#38 0x7f27b3f8dcab in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
#39 0x7f27b400fdec in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
#40 0x7f27b4dc8d5f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#41 0x7f27b4d3a8b8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
#42 0x7f27b4d3a8b8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
#43 0x7f27b4d3a8b8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
#44 0x7f27ba3db75f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
#45 0x7f27bc5f8b77 in XRE_RunAppShell /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:866:12
#46 0x7f27b4d3a8b8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
#47 0x7f27b4d3a8b8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
#48 0x7f27b4d3a8b8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
#49 0x7f27bc5f8182 in XRE_InitChildProcess /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:698:7
#50 0x4dfbab in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:197:19
#51 0x4dfbab in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:392
#52 0x7f27d014a82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
Flags: in-testsuite?
Updated•6 years ago
status-firefox61: --- → unaffected
Priority: -- → P3
Updated•6 years ago
status-firefox60: --- → unaffected
Version: 59 Branch → 52 Branch
Updated•6 years ago
status-firefox-esr52: --- → affected
Updated•3 years ago
Attachment #8964290 - Attachment description: trigger.html → testcase
Comment 1•3 years ago
Bugmon Analysis:
Unable to reproduce bug using the following builds:
mozilla-central 20210224162107-27f574662450
mozilla-central 20200226092757-7f41334e1044
Whiteboard: [bugmon:confirmed]
Comment 2•3 years ago
This seems to have been fixed somewhere more than a year ago.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME