Closed Bug 1452704 Opened 6 years ago Closed 6 years ago

crash near null in [@ HandleValueChanged]

Categories

(Core :: DOM: Editor, defect, P1)

Product:
Core
Component:
DOM: Editor
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1454126
Tracking Flags:
Tracking Status
firefox60 --- affected
firefox61 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase)

Crash Data

Attachments

(2 files)

testcase.html
405 bytes, text/html
Details
beta opt linux crash on test case
2.45 KB, text/plain
Details
Attached file testcase.html 
Found with m-c 20180407-aacc170ff3f6

==9385==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000003c (pc 0x7f64c0b10c63 bp 0x7fff6ac11380 sp 0x7fff6ac10ea0 T0)
==9385==The signal is caused by a READ memory access.
==9385==Hint: address points to the zero page.
    #0 0x7f64c0b10c62 in HandleValueChanged dom/html/nsTextEditorState.cpp:1021:7
    #1 0x7f64c0b10c62 in nsTextEditorState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, unsigned int) dom/html/nsTextEditorState.cpp:2449
    #2 0x7f64c0a7301d in SetValue dom/html/nsTextEditorState.h:190:12
    #3 0x7f64c0a7301d in SetValueInternal dom/html/HTMLTextAreaElement.cpp:342
    #4 0x7f64c0a7301d in SetValueFromSetRangeText dom/html/HTMLTextAreaElement.cpp:780
    #5 0x7f64c0a7301d in non-virtual thunk to mozilla::dom::HTMLTextAreaElement::SetValueFromSetRangeText(nsTSubstring<char16_t> const&) dom/html/HTMLTextAreaElement.cpp
    #6 0x7f64c0b0ed36 in nsTextEditorState::SetRangeText(nsTSubstring<char16_t> const&, unsigned int, unsigned int, mozilla::dom::SelectionMode, mozilla::ErrorResult&, mozilla::Maybe<unsigned int> const&, mozilla::Maybe<unsigned int> const&) dom/html/nsTextEditorState.cpp:1933:35
    #7 0x7f64c0b0e6f0 in nsTextEditorState::SetRangeText(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) dom/html/nsTextEditorState.cpp:1890:3
    #8 0x7f64bfde6dd7 in mozilla::dom::HTMLTextAreaElementBinding::setRangeText(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLTextAreaElement*, JSJitMethodCallArgs const&) obj-firefox/dom/bindings/HTMLTextAreaElementBinding.cpp:1656:13
    #9 0x7f64bffd5621 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp:3191:13
    #10 0x7f64c68eba67 in CallJSNative js/src/vm/JSContext-inl.h:290:15
    #11 0x7f64c68eba67 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:467
    #12 0x7f64c68d6521 in CallFromStack js/src/vm/Interpreter.cpp:522:12
    #13 0x7f64c68d6521 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:3084
    #14 0x7f64c68bc96a in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:417:12
    #15 0x7f64c68eb7e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:489:15
    #16 0x7f64c68eca62 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:535:10
    #17 0x7f64c74166ed in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp:3003:12
    #18 0x7f64bf719c1e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
    #19 0x7f64c0742a09 in Call<nsISupports *> obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #20 0x7f64c0742a09 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) dom/events/JSEventHandler.cpp:215
    #21 0x7f64c070a42c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) dom/events/EventListenerManager.cpp:1107:51
    #22 0x7f64c070bca5 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) dom/events/EventListenerManager.cpp:1276:20
    #23 0x7f64c06f6037 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) dom/events/EventDispatcher.cpp:527:16
    #24 0x7f64c06f9dd7 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) dom/events/EventDispatcher.cpp:914:9
    #25 0x7f64c06fc0ec in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) dom/events/EventDispatcher.cpp:993:12
    #26 0x7f64bdabeab8 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) dom/base/nsINode.cpp:1084:5
    #27 0x7f64bd606984 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool, bool*, bool) dom/base/nsContentUtils.cpp:4480:28
    #28 0x7f64bd606744 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool*) dom/base/nsContentUtils.cpp:4448:10
    #29 0x7f64c09eee0f in mozilla::dom::HTMLMediaElement::DispatchEvent(nsTSubstring<char16_t> const&) dom/html/HTMLMediaElement.cpp:6168:10
    #30 0x7f64ba7e3198 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1096:14
    #31 0x7f64ba7ff5d0 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:519:10
    #32 0x7f64bb6d283a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:97:21
    #33 0x7f64bb622609 in RunInternal ipc/chromium/src/base/message_loop.cc:326:10
    #34 0x7f64bb622609 in RunHandler ipc/chromium/src/base/message_loop.cc:319
    #35 0x7f64bb622609 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:299
    #36 0x7f64c2343eaa in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:157:27
    #37 0x7f64c63f186b in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:290:30
    #38 0x7f64c65fd8ec in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4834:22
    #39 0x7f64c6600a2d in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4979:8
    #40 0x7f64c6601ef4 in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:5071:21
    #41 0x4f4ef5 in do_main browser/app/nsBrowserApp.cpp:231:22
    #42 0x4f4ef5 in main browser/app/nsBrowserApp.cpp:304
    #43 0x7f64da2aa82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #44 0x42476c in _start (firefox+0x42476c)
Flags: in-testsuite?
Crash Signature: [@ mozilla::TextInputListener::HandleValueChanged ]
Priority: -- → P1
Bughunter reproduces this crash on beta/60, nightly/61 on Linux, Windows on this test case.

Also

Assertion failure: (last == doc) == wasInComposedDoc || (IsRemoveNotification::Yes == IsRemoveNotification::Yes && !strcmp("ContentRemoved", "NativeAnonymousChildListChange"))

@ nsNodeUtils::ContentRemoved nsINode::doRemoveChildAt mozilla::dom::FragmentOrElement::RemoveChildAt_Deprecated nsINode::RemoveChild mozilla::DeleteNodeTransaction::DoTransaction
status-firefox60: --- → affected
Crash Signature: [@ mozilla::TextInputListener::HandleValueChanged ] → [@ mozilla::TextInputListener::HandleValueChanged ] [@ nsTextEditorState::SetValue ]
fixed by bug 1454126
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: