Closed Bug 1464251 Opened 7 years ago Closed 6 years ago

crash near null in [@ mozilla::HTMLEditor::SplitStyleAbovePoint]

Categories

(Core :: DOM: Editor, defect, P1)

defect

Tracking


RESOLVED FIXED
mozilla63
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox63 --- fixed

People

(Reporter: tsmith, Assigned: m_kato)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

Attached file testcase.html
Reproduced with m-c: BuildID=20180523220103 SourceStamp=47e81ea1ef10189ef210867934bf36e14cf223dc

==37483==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f818736cb6b bp 0x7ffe48e3ece0 sp 0x7ffe48e3e920 T0)
==37483==The signal is caused by a READ memory access.
==37483==Hint: address points to the zero page.
    #0 0x7f818736cb6a in GetBoolFlag src/obj-firefox/dist/include/nsINode.h:1651:12
    #1 0x7f818736cb6a in GetParent src/obj-firefox/dist/include/nsINode.h:1006
    #2 0x7f818736cb6a in mozilla::HTMLEditor::SplitStyleAbovePoint(nsCOMPtr<nsINode>*, int*, nsAtom*, nsAtom*, nsIContent**, nsIContent**) src/editor/libeditor/HTMLStyleEditor.cpp:553
    #3 0x7f818739a229 in mozilla::HTMLEditor::ClearStyle(nsCOMPtr<nsINode>*, int*, nsAtom*, nsAtom*) src/editor/libeditor/HTMLStyleEditor.cpp:604:17
    #4 0x7f818733ff6c in mozilla::HTMLEditRules::CreateStyleForInsertText(nsIDocument&) src/editor/libeditor/HTMLEditRules.cpp:6041:25
    #5 0x7f818731766e in mozilla::HTMLEditRules::WillInsertText(mozilla::EditAction, bool*, bool*, nsTSubstring<char16_t> const*, nsTSubstring<char16_t>*, int) src/editor/libeditor/HTMLEditRules.cpp:1489:8
    #6 0x7f81873165ad in mozilla::HTMLEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::RulesInfo*, bool*, bool*) src/editor/libeditor/HTMLEditRules.cpp:697:14
    #7 0x7f8187481f62 in mozilla::TextEditor::InsertTextAsAction(nsTSubstring<char16_t> const&) src/editor/libeditor/TextEditor.cpp:968:24
    #8 0x7f81872cfc97 in mozilla::InsertPlaintextCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) src/editor/libeditor/EditorCommands.cpp:1130:20
    #9 0x7f818540133c in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) src/dom/commandhandler/nsControllerCommandTable.cpp:162:26
    #10 0x7f81853f7493 in DoCommandWithParams src/dom/commandhandler/nsBaseCommandController.cpp:152:25
    #11 0x7f81853f7493 in non-virtual thunk to nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) src/dom/commandhandler/nsBaseCommandController.cpp
    #12 0x7f81853fdb1a in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) src/dom/commandhandler/nsCommandManager.cpp:210:29
    #13 0x7f81858fcfc4 in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) src/dom/html/nsHTMLDocument.cpp:2952:18
    #14 0x7f818490e676 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:577:21
    #15 0x7f8184de8911 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3280:13
    #16 0x1eafb497e33f (<unknown module>)
Flags: in-testsuite?
Priority: -- → P1
Crash Signature: [@ mozilla::HTMLEditor::SplitStyleAbovePoint ]
SplitStyleAbovePoint calls SplitNodeDeepWithTransaction repeatedly. If SplitNodeDeepWithTransaction creates an orphan node, as in this test case, this crash occurs. So we should check whether the node becomes an orphan node.
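The failure mode described in that comment, as an added illustration that is not Gecko's code and not part of this bug: a minimal tree in which a hypothetical deep-split step may detach the node currently being processed, and an ancestor walk that re-checks for an orphan (null parent) after every step instead of reading through the parent pointer. Node, Arena, SplitSimulator, ClearStyleAbovePoint, Detach and RunCase are all made-up stand-ins; the sample tree is constructed inline.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Minimal DOM-like node (hypothetical). Ownership lives in Arena; tree edges
// are raw pointers so a node can be detached without being destroyed.
struct Node {
    std::string tag;
    bool isStyleElement = false;  // stands in for <b>, <i>, <span style=...>
    Node* parent = nullptr;
    std::vector<Node*> children;
};

struct Arena {
    std::vector<std::unique_ptr<Node>> nodes;
    Node* Make(const std::string& tag, bool style = false) {
        nodes.push_back(std::unique_ptr<Node>(new Node()));
        Node* n = nodes.back().get();
        n->tag = tag;
        n->isStyleElement = style;
        return n;
    }
};

void AppendChild(Node* parent, Node* child) {
    child->parent = parent;
    parent->children.push_back(child);
}

// Remove `node` from its parent, leaving it an orphan (parent == nullptr).
void Detach(Node* node) {
    Node* p = node->parent;
    if (!p) return;
    for (size_t i = 0; i < p->children.size(); ++i) {
        if (p->children[i] == node) {
            p->children.erase(p->children.begin() + i);
            break;
        }
    }
    node->parent = nullptr;
}

// Hypothetical stand-in for the deep-split step. It models only the property
// the bug hinges on: on the N-th call it orphans the node it was handed.
struct SplitSimulator {
    int orphanAtCall;  // -1 means never orphan
    int calls = 0;
    explicit SplitSimulator(int n) : orphanAtCall(n) {}
    void SplitNodeDeep(Node* node) {
        ++calls;
        if (calls == orphanAtCall) Detach(node);
    }
};

enum class WalkResult { ReachedTop, StoppedAtOrphan };

// Walk upward from `start` while the parent is a style element, splitting at
// each level. The orphan check after each split is the guard the comment asks
// for: without it, the loop condition would read node->parent->isStyleElement
// through a null parent, which is the null-page read in the ASan report.
WalkResult ClearStyleAbovePoint(Node* start, SplitSimulator& splitter, int* levels) {
    *levels = 0;
    Node* node = start;
    while (node->parent && node->parent->isStyleElement) {
        splitter.SplitNodeDeep(node);
        ++*levels;
        if (!node->parent) {
            return WalkResult::StoppedAtOrphan;  // node was detached: stop here
        }
        node = node->parent;
    }
    return WalkResult::ReachedTop;
}

// Constructed sample tree: <div><b><i>#text</i></b></div>; returns the text node.
Node* BuildSample(Arena& a) {
    Node* div = a.Make("div");
    Node* b = a.Make("b", true);
    Node* i = a.Make("i", true);
    Node* text = a.Make("#text");
    AppendChild(div, b);
    AppendChild(b, i);
    AppendChild(i, text);
    return text;
}

struct Outcome { WalkResult result; int levels; };

// Run the walk with the split step orphaning the node on call `orphanAtCall`.
Outcome RunCase(int orphanAtCall) {
    Arena arena;
    Node* text = BuildSample(arena);
    SplitSimulator splitter(orphanAtCall);
    Outcome out{};
    out.result = ClearStyleAbovePoint(text, splitter, &out.levels);
    return out;
}

int main() {
    for (int n : {-1, 1, 2}) {
        Outcome o = RunCase(n);
        std::cout << "orphanAtCall=" << n << " levels=" << o.levels
                  << (o.result == WalkResult::StoppedAtOrphan ? " stopped at orphan\n" : " reached top\n");
    }
    return 0;
}
```

With no orphaning the walk clears both style ancestors (two levels) and reaches the <div>; when the split detaches the node on the first or second call, the walk reports StoppedAtOrphan after that level rather than following a null parent.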
Makoto-san: After I commented in Phabricator, you have not updated anything. Did you receive any notifications about the comment?
Assignee: nobody → m_kato
Flags: needinfo?(m_kato)
Comment on attachment 8990173 [details]
Bug 1464251 - SplitNodeDeepWithTransaction might create orphan node. r?masayuki

Masayuki Nakano [:masayuki] (JST, +0900) has approved the revision.
Attachment #8990173 - Flags: review+
Pushed by m_kato@ga2.so-net.ne.jp: https://hg.mozilla.org/integration/autoland/rev/147cb3ed71f8 SplitNodeDeepWithTransaction might create orphan node. r=masayuki
Flags: needinfo?(m_kato)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Flags: in-testsuite? → in-testsuite+