Closed Bug 1464251 Opened 3 years ago Closed 3 years ago

crash near null in [@ mozilla::HTMLEditor::SplitStyleAbovePoint]

Categories

(Core :: DOM: Editor, defect, P1)

Product:
Core
Component:
DOM: Editor
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla63
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox63 --- fixed

People

(Reporter: tsmith, Assigned: m_kato)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files)

testcase.html
331 bytes, text/html
Details
Bug 1464251 - SplitNodeDeepWithTransaction might create orphan node. r?masayuki
46 bytes, text/x-phabricator-request
masayuki
: review+
Details | Review
Attached file testcase.html 
Reproduced with m-c:
BuildID=20180523220103
SourceStamp=47e81ea1ef10189ef210867934bf36e14cf223dc

==37483==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f818736cb6b bp 0x7ffe48e3ece0 sp 0x7ffe48e3e920 T0)
==37483==The signal is caused by a READ memory access.
==37483==Hint: address points to the zero page.
    #0 0x7f818736cb6a in GetBoolFlag src/obj-firefox/dist/include/nsINode.h:1651:12
    #1 0x7f818736cb6a in GetParent src/obj-firefox/dist/include/nsINode.h:1006
    #2 0x7f818736cb6a in mozilla::HTMLEditor::SplitStyleAbovePoint(nsCOMPtr<nsINode>*, int*, nsAtom*, nsAtom*, nsIContent**, nsIContent**) src/editor/libeditor/HTMLStyleEditor.cpp:553
    #3 0x7f818739a229 in mozilla::HTMLEditor::ClearStyle(nsCOMPtr<nsINode>*, int*, nsAtom*, nsAtom*) src/editor/libeditor/HTMLStyleEditor.cpp:604:17
    #4 0x7f818733ff6c in mozilla::HTMLEditRules::CreateStyleForInsertText(nsIDocument&) src/editor/libeditor/HTMLEditRules.cpp:6041:25
    #5 0x7f818731766e in mozilla::HTMLEditRules::WillInsertText(mozilla::EditAction, bool*, bool*, nsTSubstring<char16_t> const*, nsTSubstring<char16_t>*, int) src/editor/libeditor/HTMLEditRules.cpp:1489:8
    #6 0x7f81873165ad in mozilla::HTMLEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::RulesInfo*, bool*, bool*) src/editor/libeditor/HTMLEditRules.cpp:697:14
    #7 0x7f8187481f62 in mozilla::TextEditor::InsertTextAsAction(nsTSubstring<char16_t> const&) src/editor/libeditor/TextEditor.cpp:968:24
    #8 0x7f81872cfc97 in mozilla::InsertPlaintextCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) src/editor/libeditor/EditorCommands.cpp:1130:20
    #9 0x7f818540133c in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) src/dom/commandhandler/nsControllerCommandTable.cpp:162:26
    #10 0x7f81853f7493 in DoCommandWithParams src/dom/commandhandler/nsBaseCommandController.cpp:152:25
    #11 0x7f81853f7493 in non-virtual thunk to nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) src/dom/commandhandler/nsBaseCommandController.cpp
    #12 0x7f81853fdb1a in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) src/dom/commandhandler/nsCommandManager.cpp:210:29
    #13 0x7f81858fcfc4 in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) src/dom/html/nsHTMLDocument.cpp:2952:18
    #14 0x7f818490e676 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:577:21
    #15 0x7f8184de8911 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3280:13
    #16 0x1eafb497e33f  (<unknown module>)
Flags: in-testsuite?
Priority: -- → P1
Crash Signature: [@ mozilla::HTMLEditor::SplitStyleAbovePoint ]
SplitStyleAbovePoint calls SplitNodeDeepWithTransaction repeatedly. If
SplitNodeDeepWithTransaction creates orphan node like this test case,
this crash occurs.  So we should check whether node becomes orphan node.
Makoto-san:

After I commented in Fabricator, you have not updated anything. Did you receive some notifications about the comment?
Assignee: nobody → m_kato
Flags: needinfo?(m_kato)
Comment on attachment 8990173 [details]
Bug 1464251 - SplitNodeDeepWithTransaction might create orphan node. r?masayuki

Masayuki Nakano [:masayuki] (JST, +0900) has approved the revision.
Attachment #8990173 - Flags: review+
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/147cb3ed71f8
SplitNodeDeepWithTransaction might create orphan node. r=masayuki
Flags: needinfo?(m_kato)
https://hg.mozilla.org/mozilla-central/rev/147cb3ed71f8
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox63: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
status-firefox61: --- → wontfix
status-firefox62: affectedwontfix
status-firefox-esr52: --- → wontfix
status-firefox-esr60: --- → wontfix
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.