Closed Bug 1461497 Opened 2 years ago Closed 2 years ago

crash near null in [@ mozilla::SplitNodeResult mozilla::EditorBase::SplitNodeDeepWithTransaction]

Categories

(Core :: DOM: Editor, defect, P1)

defect

Tracking


RESOLVED DUPLICATE of bug 1423767
Tracking Status
firefox62 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html

==126114==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f7d3039bf69 bp 0x7ffecca12a90 sp 0x7ffecca12a90 T0)
==126114==The signal is caused by a READ memory access.
==126114==Hint: address points to the zero page.
    #0 0x7f7d3039bf68 in nsINode::GetBoolFlag(nsINode::BooleanFlag) const src/dom/base/nsINode.h:1644:12
    #1 0x7f7d308a5572 in nsINode::GetParent() const src/dom/base/nsINode.h:999:12
    #2 0x7f7d34d2348d in mozilla::SplitNodeResult mozilla::EditorBase::SplitNodeDeepWithTransaction<nsINode*, nsIContent*>(nsIContent&, mozilla::EditorDOMPointBase<nsINode*, nsIContent*> const&, mozilla::SplitAtEdges) src/editor/libeditor/EditorBase.cpp:4022:9
    #3 0x7f7d34d7ca76 in mozilla::HTMLEditRules::BustUpInlinesAtRangeEndpoints(mozilla::RangeItem&) src/editor/libeditor/HTMLEditRules.cpp:6816:19
    #4 0x7f7d34d518db in mozilla::HTMLEditRules::GetNodesForOperation(nsTArray<RefPtr<nsRange> >&, nsTArray<mozilla::OwningNonNull<nsINode> >&, mozilla::EditAction, mozilla::HTMLEditRules::TouchContent) src/editor/libeditor/HTMLEditRules.cpp:6475:12
    #5 0x7f7d34d53396 in mozilla::HTMLEditRules::GetNodesFromSelection(mozilla::dom::Selection&, mozilla::EditAction, nsTArray<mozilla::OwningNonNull<nsINode> >&, mozilla::HTMLEditRules::TouchContent) src/editor/libeditor/HTMLEditRules.cpp:6991:17
    #6 0x7f7d34d59a05 in mozilla::HTMLEditRules::MakeBasicBlock(mozilla::dom::Selection&, nsAtom&) src/editor/libeditor/HTMLEditRules.cpp:4053:8
    #7 0x7f7d34d4c35b in mozilla::HTMLEditRules::WillMakeBasicBlock(mozilla::dom::Selection&, nsTSubstring<char16_t> const&, bool*, bool*) src/editor/libeditor/HTMLEditRules.cpp:4035:17
    #8 0x7f7d34d3c5f8 in mozilla::HTMLEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::RulesInfo*, bool*, bool*) src/editor/libeditor/HTMLEditRules.cpp:654:14
    #9 0x7f7d34d94474 in mozilla::HTMLEditor::InsertBasicBlockWithTransaction(nsAtom&) src/editor/libeditor/HTMLEditor.cpp:2191:24
    #10 0x7f7d34d93ad4 in mozilla::HTMLEditor::SetParagraphFormat(nsTSubstring<char16_t> const&) src/editor/libeditor/HTMLEditor.cpp:1768:10
    #11 0x7f7d34e54436 in nsMultiStateCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) src/editor/composer/nsComposerCommands.cpp:636:10
    #12 0x7f7d3349978f in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) src/dom/commandhandler/nsControllerCommandTable.cpp:162:26
    #13 0x7f7d3349206b in nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) src/dom/commandhandler/nsBaseCommandController.cpp:152:25
    #14 0x7f7d33496d27 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) src/dom/commandhandler/nsCommandManager.cpp:210:29
    #15 0x7f7d3382e342 in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) src/dom/html/nsHTMLDocument.cpp:2967:18
    #16 0x7f7d32c3c90d in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:577:21
    #17 0x7f7d32f281c3 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3260:13
    #18 0x7f7d37f1dbff in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/JSContext-inl.h:280:15
    #19 0x7f7d37f1d591 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467:16
    #20 0x7f7d37f1e98c in InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:516:12
    #21 0x7f7d37f14a50 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3086:18
    #22 0x7f7d37efe61b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
    #23 0x7f7d37f1d758 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
    #24 0x7f7d37f1e98c in InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:516:12
    #25 0x7f7d37f1eb95 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
    #26 0x7f7d3884f6ad in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2989:12
    #27 0x7f7d329f90d7 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
    #28 0x7f7d3356ae1e in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #29 0x7f7d3356974e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
    #30 0x7f7d335432c1 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1121:52
    #31 0x7f7d3354486e in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1288:20
    #32 0x7f7d335365fb in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:348:17
    #33 0x7f7d33535c03 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:528:16
    #34 0x7f7d33537b30 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:961:9
    #35 0x7f7d350aec9f in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1064:7
    #36 0x7f7d37532667 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7171:21
    #37 0x7f7d3752fbeb in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6964:7
    #38 0x7f7d3753406f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
    #39 0x7f7d30768a39 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1315:3
    #40 0x7f7d30767f89 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:858:14
    #41 0x7f7d307657f7 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:747:9
    #42 0x7f7d307670c5 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:632:5
    #43 0x7f7d30767adc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #44 0x7f7d2f138eb5 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:629:28
    #45 0x7f7d312dd64d in imgRequestProxy::RemoveFromLoadGroup() src/image/imgRequestProxy.cpp:446:15
    #46 0x7f7d312e3419 in imgRequestProxy::OnLoadComplete(bool) src/image/imgRequestProxy.cpp:1131:7
    #47 0x7f7d312cef5b in void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::{lambda(mozilla::image::IProgressObserver*)#7}>(void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::{lambda(mozilla::image::IProgressObserver*)#7}) src/image/ProgressTracker.cpp:295:9
    #48 0x7f7d312cdc90 in void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) src/image/ProgressTracker.cpp:369:5
    #49 0x7f7d312cd913 in mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::$_1::operator()(mozilla::image::ObserverTable const*) const src/image/ProgressTracker.cpp:390:5
    #50 0x7f7d312696f4 in _ZNK7mozilla5image11CopyOnWriteINS0_13ObserverTableEE4ReadIZNS0_15ProgressTracker18SyncNotifyProgressEjRKNS_3gfx12IntRectTypedINS6_12UnknownUnitsEEEE3$_1EEDTclfp_scPKS2_LDnEEET_ src/image/CopyOnWrite.h:154:12
    #51 0x7f7d31263afa in mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) src/image/ProgressTracker.cpp:389:14
    #52 0x7f7d3126d72a in mozilla::image::RasterImage::NotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) src/image/RasterImage.cpp:1709:28
    #53 0x7f7d31275179 in mozilla::image::RasterImage::NotifyForLoadEvent(unsigned int) src/image/RasterImage.cpp:979:3
    #54 0x7f7d31278f70 in mozilla::image::RasterImage::NotifyDecodeComplete(mozilla::image::DecoderFinalStatus const&, mozilla::image::ImageMetadata const&, mozilla::image::DecoderTelemetry const&, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) src/image/RasterImage.cpp:1796:7
    #55 0x7f7d3125dd4d in mozilla::image::IDecodingTask::NotifyDecodeComplete(mozilla::NotNull<mozilla::image::RasterImage*>, mozilla::NotNull<mozilla::image::Decoder*>)::$_2::operator()() const src/image/IDecodingTask.cpp:130:12
    #56 0x7f7d3125d5ec in mozilla::detail::RunnableFunction<mozilla::image::IDecodingTask::NotifyDecodeComplete(mozilla::NotNull<mozilla::image::RasterImage*>, mozilla::NotNull<mozilla::image::Decoder*>)::$_2>::Run() src/xpcom/threads/nsThreadUtils.h:552:5
    #57 0x7f7d2ef4651d in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #58 0x7f7d2ef649d3 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
    #59 0x7f7d2ef87968 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #60 0x7f7d2fbe3113 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #61 0x7f7d2fb25288 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:326:10
    #62 0x7f7d2fb2510c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299:3
    #63 0x7f7d34bf62fa in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #64 0x7f7d37cc2a60 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #65 0x7f7d2fbe3d35 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:269:9
    #66 0x7f7d2fb25288 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:326:10
    #67 0x7f7d2fb2510c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299:3
    #68 0x7f7d37cc21ae in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #69 0x4f3616 in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #70 0x4f389e in main src/browser/app/nsBrowserApp.cpp:282:18
    #71 0x7f7d4ec0782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #72 0x423444 in _start (firefox+0x423444)
Flags: in-testsuite?
Crash Signature: [@ mozilla::EditorBase::SplitNodeDeepWithTransaction<T> ]
Priority: -- → P1
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1423767