Closed
Bug 1464251
Opened 3 years ago
Closed 3 years ago
crash near null in [@ mozilla::HTMLEditor::SplitStyleAbovePoint]
Categories: Core :: DOM: Editor, defect, P1
Tracking: RESOLVED FIXED, mozilla63
People: Reporter: tsmith, Assigned: m_kato
References: Blocks 1 open bug
Details: Keywords: crash, testcase
Attachments: 2 files
Reproduced with m-c:
BuildID=20180523220103
SourceStamp=47e81ea1ef10189ef210867934bf36e14cf223dc

==37483==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f818736cb6b bp 0x7ffe48e3ece0 sp 0x7ffe48e3e920 T0)
==37483==The signal is caused by a READ memory access.
==37483==Hint: address points to the zero page.
    #0 0x7f818736cb6a in GetBoolFlag src/obj-firefox/dist/include/nsINode.h:1651:12
    #1 0x7f818736cb6a in GetParent src/obj-firefox/dist/include/nsINode.h:1006
    #2 0x7f818736cb6a in mozilla::HTMLEditor::SplitStyleAbovePoint(nsCOMPtr<nsINode>*, int*, nsAtom*, nsAtom*, nsIContent**, nsIContent**) src/editor/libeditor/HTMLStyleEditor.cpp:553
    #3 0x7f818739a229 in mozilla::HTMLEditor::ClearStyle(nsCOMPtr<nsINode>*, int*, nsAtom*, nsAtom*) src/editor/libeditor/HTMLStyleEditor.cpp:604:17
    #4 0x7f818733ff6c in mozilla::HTMLEditRules::CreateStyleForInsertText(nsIDocument&) src/editor/libeditor/HTMLEditRules.cpp:6041:25
    #5 0x7f818731766e in mozilla::HTMLEditRules::WillInsertText(mozilla::EditAction, bool*, bool*, nsTSubstring<char16_t> const*, nsTSubstring<char16_t>*, int) src/editor/libeditor/HTMLEditRules.cpp:1489:8
    #6 0x7f81873165ad in mozilla::HTMLEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::RulesInfo*, bool*, bool*) src/editor/libeditor/HTMLEditRules.cpp:697:14
    #7 0x7f8187481f62 in mozilla::TextEditor::InsertTextAsAction(nsTSubstring<char16_t> const&) src/editor/libeditor/TextEditor.cpp:968:24
    #8 0x7f81872cfc97 in mozilla::InsertPlaintextCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) src/editor/libeditor/EditorCommands.cpp:1130:20
    #9 0x7f818540133c in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) src/dom/commandhandler/nsControllerCommandTable.cpp:162:26
    #10 0x7f81853f7493 in DoCommandWithParams src/dom/commandhandler/nsBaseCommandController.cpp:152:25
    #11 0x7f81853f7493 in non-virtual thunk to nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) src/dom/commandhandler/nsBaseCommandController.cpp
    #12 0x7f81853fdb1a in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) src/dom/commandhandler/nsCommandManager.cpp:210:29
    #13 0x7f81858fcfc4 in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) src/dom/html/nsHTMLDocument.cpp:2952:18
    #14 0x7f818490e676 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:577:21
    #15 0x7f8184de8911 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3280:13
    #16 0x1eafb497e33f (<unknown module>)
Flags: in-testsuite?
Assignee
Updated•3 years ago
Priority: -- → P1
Assignee
Updated•3 years ago
Crash Signature: [@ mozilla::HTMLEditor::SplitStyleAbovePoint ]
Assignee
Comment 1•3 years ago
SplitStyleAbovePoint calls SplitNodeDeepWithTransaction repeatedly. If SplitNodeDeepWithTransaction creates an orphan node, as in this test case, this crash occurs. So we should check whether the node becomes an orphan node.
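
A minimal model of the failure mode described in comment 1, added here as an illustration: it is not Mozilla's patch or Gecko code, and `Node`, `SplitFn`, `SplitStyleAbove` and `RunSample` are hypothetical names. It assumes the ancestor walk stops at a block container and that a split can detach the node as a side effect.

```cpp
#include <functional>

// Simplified stand-in for a DOM node (hypothetical, not Gecko's nsINode).
struct Node {
    Node* parent = nullptr;
    bool isBlock = false;        // e.g. <div>: the walk stops here
    bool isInlineStyle = false;  // e.g. <b>, <i>: must be split
};

// Hypothetical split step. Like an editor transaction, it may run side
// effects (mutation listeners, script) that detach the node it was given.
using SplitFn = std::function<void(Node&)>;

enum class Walk { ReachedBlock, Orphaned };

// Splits every inline-style ancestor of `start` up to the enclosing block.
// An unguarded `while (!node->isBlock)` would dereference null as soon as
// a split left `node` without a parent; this version re-validates instead.
Walk SplitStyleAbove(Node* start, const SplitFn& split) {
    for (Node* node = start; node; node = node->parent) {
        if (node->isBlock) return Walk::ReachedBlock;
        if (node->isInlineStyle) {
            split(*node);
            // The tree may have changed under us: stop if the node is orphaned.
            if (!node->parent) return Walk::Orphaned;
        }
    }
    return Walk::Orphaned;  // ran out of ancestors before reaching a block
}

// Constructed sample tree: <div><b><i>text</i></b></div>, walked from the text.
// `detachOnSplit` simulates a side effect that removes <i> from the tree.
Walk RunSample(bool detachOnSplit, int* splits) {
    Node div, b, i, text;
    div.isBlock = true;
    b.parent = &div;  b.isInlineStyle = true;
    i.parent = &b;    i.isInlineStyle = true;
    text.parent = &i;
    *splits = 0;
    return SplitStyleAbove(&text, [&](Node& n) {
        ++*splits;
        if (detachOnSplit && &n == &i) n.parent = nullptr;
    });
}

int main() {
    int splits = 0;
    return RunSample(true, &splits) == Walk::Orphaned ? 0 : 1;
}
```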
Comment 2•3 years ago
Makoto-san: After I commented in Phabricator, you have not updated anything. Did you receive some notifications about the comment?
Assignee: nobody → m_kato
Flags: needinfo?(m_kato)
Comment 3•3 years ago
Comment on attachment 8990173
Bug 1464251 - SplitNodeDeepWithTransaction might create orphan node. r?masayuki

Masayuki Nakano [:masayuki] (JST, +0900) has approved the revision.
Attachment #8990173 - Flags: review+
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/147cb3ed71f8
SplitNodeDeepWithTransaction might create orphan node. r=masayuki
Assignee
Updated•3 years ago
Flags: needinfo?(m_kato)
Comment 5•3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/147cb3ed71f8
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox63: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Updated•3 years ago
status-firefox61: --- → wontfix
status-firefox-esr52: --- → wontfix
status-firefox-esr60: --- → wontfix
Flags: in-testsuite? → in-testsuite+