Closed Bug 1470926 Opened 2 years ago Closed 11 months ago

crash near null in [@ nsTextControlFrame::ScrollSelectionIntoView]

Categories

(Core :: Layout, defect, P3)


Tracking


RESOLVED FIXED
mozilla67
Tracking Status
firefox-esr60 --- wontfix
firefox62 --- wontfix
firefox65 --- wontfix
firefox66 --- fixed
firefox67 --- fixed

People

(Reporter: tsmith, Assigned: emilio)

(Keywords: crash, testcase)

Attachments

(3 files)

No description provided.
Reduced with m-c:
BuildID=20180625094946
SourceStamp=4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a

Requires attached prefs.js and may need to be refreshed a couple times.

==77390==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f8053f682d5 bp 0x7ffe3140cbb0 sp 0x7ffe3140cb00 T0)
==77390==The signal is caused by a READ memory access.
==77390==Hint: address points to the zero page.
    #0 0x7f8053f682d4 in nsCOMPtr_base src/obj-firefox/dist/include/nsCOMPtr.h:307:60
    #1 0x7f8053f682d4 in nsCOMPtr src/obj-firefox/dist/include/nsCOMPtr.h:537
    #2 0x7f8053f682d4 in nsTextControlFrame::ScrollSelectionIntoView() src/layout/forms/nsTextControlFrame.cpp:914
    #3 0x7f8051b93f97 in nsTextEditorState::SetSelectionRange(unsigned int, unsigned int, nsITextControlFrame::SelectionDirection, mozilla::ErrorResult&) src/dom/html/nsTextEditorState.cpp:1711:23
    #4 0x7f8051b966f0 in SetSelectionRange src/dom/html/nsTextEditorState.cpp:1864:3
    #5 0x7f8051b966f0 in nsTextEditorState::SetRangeText(nsTSubstring<char16_t> const&, unsigned int, unsigned int, mozilla::dom::SelectionMode, mozilla::ErrorResult&, mozilla::Maybe<unsigned int> const&, mozilla::Maybe<unsigned int> const&) src/dom/html/nsTextEditorState.cpp:1965
    #6 0x7f8051b95f3a in nsTextEditorState::SetRangeText(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/html/nsTextEditorState.cpp:1877:3
    #7 0x7f8050e5bf7c in mozilla::dom::HTMLTextAreaElementBinding::setRangeText(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLTextAreaElement*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/HTMLTextAreaElementBinding.cpp:1649:13
    #8 0x7f8051056f75 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3285:13
    #9 0x7f805799f213 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/JSContext-inl.h:274:15
    #10 0x7f8057989f51 in CallFromStack src/js/src/vm/Interpreter.cpp:526:12
    #11 0x7f8057989f51 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3122
    #12 0x7f805797082a in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:421:12
    #13 0x7f805799fa02 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:493:15
    #14 0x7f80579a0802 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:539:10
    #15 0x7f80584c3b2a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2887:12
    #16 0x7f80507d90bc in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
    #17 0x7f80517c89dc in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #18 0x7f80517c62ca in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
    #19 0x7f805178c7ee in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1124:52
    #20 0x7f805178df0c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1298:20
    #21 0x7f805177693c in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:622:16
    #22 0x7f805177bedd in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1088:9
    #23 0x7f8053aca561 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1166:7
    #24 0x7f8056c4267f in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7072:21
    #25 0x7f8056c3ea64 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6865:7
    #26 0x7f8056c4624f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
    #27 0x7f804d7918b7 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1309:3
    #28 0x7f804d790957 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:852:14
    #29 0x7f804d78d558 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:741:9
    #30 0x7f804d78f52a in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:627:5
    #31 0x7f804d79052c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #32 0x7f804bbfb5a5 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:629:28
    #33 0x7f804eb5f74e in DoUnblockOnload src/dom/base/nsDocument.cpp:8298:18
    #34 0x7f804eb5f74e in nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:8220
    #35 0x7f8052e6506d in nsBindingManager::DoProcessAttachedQueue() src/dom/xbl/nsBindingManager.cpp:414:10
    #36 0x7f8052ec8424 in applyImpl<nsBindingManager, void (nsBindingManager::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1165:12
    #37 0x7f8052ec8424 in apply<nsBindingManager, void (nsBindingManager::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1171
    #38 0x7f8052ec8424 in mozilla::detail::RunnableMethodImpl<nsBindingManager*, void (nsBindingManager::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1216
    #39 0x7f804b9f433e in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #40 0x7f804ba20449 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1051:14
    #41 0x7f804ba27228 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #42 0x7f804c9173ca in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #43 0x7f804c86c0dc in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #44 0x7f804c86c0dc in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #45 0x7f804c86c0dc in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #46 0x7f805340007a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #47 0x7f80576d07ef in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:896:22
    #48 0x7f804c86c0dc in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #49 0x7f804c86c0dc in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #50 0x7f804c86c0dc in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #51 0x7f80576d01a6 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:722:34
    #52 0x4f1ca4 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #53 0x4f1ca4 in main src/browser/app/nsBrowserApp.cpp:287
    #54 0x7f806b41d82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #55 0x4210e8 in _start (firefox+0x4210e8)
Flags: in-testsuite?
Keywords: crash, testcase
Summary: nsTextControlFrame::ScrollSelectionIntoView → crash near null in [@ nsTextControlFrame::ScrollSelectionIntoView]
Attached file testcase.html
Attached file prefs.js
Crash Signature: [@ nsTextControlFrame::ScrollSelectionIntoView]
Priority: -- → P3

Requires layout.accessiblecaret.enabled=true

Assignee: nobody → emilio

This code was already handling the world going away, but did not handle the case
of just getting unbound, which can happen if some selection listener (e.g.,
AccessibleCaret) flushes layout.
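The re-entrancy pattern described in this comment, as a constructed C++ model added here (not Firefox code): EditorState and Frame stand in for nsTextEditorState and nsTextControlFrame, and the listener plays the role of a selection listener such as AccessibleCaret that flushes layout and unbinds the frame while SetSelectionRange is still on the stack; the "after" path re-checks mBoundFrame the way the landed patch does.

```cpp
// Constructed model, not Firefox code: EditorState/Frame stand in for
// nsTextEditorState/nsTextControlFrame; the listener plays AccessibleCaret.
#include <functional>
#include <vector>
struct Frame {
  bool scrolled = false;
  void ScrollSelectionIntoView() { scrolled = true; }
};

struct EditorState {
  Frame* mBoundFrame = nullptr;
  std::vector<std::function<void(EditorState&)>> mSelectionListeners;

  void UnbindFromFrame() { mBoundFrame = nullptr; }

  // Notifies selection listeners; any of them may flush layout and unbind us.
  void SetSelectionRange(unsigned /*start*/, unsigned /*end*/) {
    for (auto& listener : mSelectionListeners) listener(*this);
  }

  // Before the fix: assumes mBoundFrame survives the notification.
  bool SetRangeTextBefore() {
    if (!mBoundFrame) return false;
    SetSelectionRange(0, 0);
    mBoundFrame->ScrollSelectionIntoView();  // null deref if unbound meanwhile
    return true;
  }

  // After the fix: re-check mBoundFrame once control returns, as the patch does.
  bool SetRangeTextAfter() {
    if (!mBoundFrame) return false;
    SetSelectionRange(0, 0);
    if (!mBoundFrame) return false;  // frame went away during notification
    mBoundFrame->ScrollSelectionIntoView();
    return true;
  }
};

// A listener that unbinds the frame mid-call: the fixed path bails out
// without touching the frame (the "before" path would dereference null here).
bool FixedPathSurvivesUnbind() {
  Frame frame; EditorState state; state.mBoundFrame = &frame;
  state.mSelectionListeners.push_back([](EditorState& s) { s.UnbindFromFrame(); });
  return !state.SetRangeTextAfter() && !frame.scrolled;
}

bool FixedPathScrollsWhenBound() {
  Frame frame; EditorState state; state.mBoundFrame = &frame;
  return state.SetRangeTextAfter() && frame.scrolled;
}
```

SetRangeTextBefore is kept only to show the pre-fix shape; calling it with the unbinding listener installed reproduces the null dereference, so the checks exercise SetRangeTextAfter.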

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/65ed5c9d6bd8
Null-check mBoundFrame after calling SetSelectionRange on it. r=TYLin
Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Depends on: 1529616

Emilio, is this something you think would be safe to uplift to beta?

Flags: needinfo?(emilio)

Comment on attachment 9045210 [details]
Bug 1470926 - Null-check mBoundFrame after calling SetSelectionRange on it. r=masayuki,TYLin

I think so, yeah.

Beta/Release Uplift Approval Request

  • Feature/Bug causing the regression: N/A
  • User impact if declined: Null crashes in some edge-cases.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just adds a null-check.
  • String changes made/needed: none
Flags: needinfo?(emilio)
Attachment #9045210 - Flags: approval-mozilla-beta?
Flags: in-testsuite? → in-testsuite+

Comment on attachment 9045210 [details]
Bug 1470926 - Null-check mBoundFrame after calling SetSelectionRange on it. r=masayuki,TYLin

Fix for low volume crash, adds a null check.
OK for uplift for beta 12.

Attachment #9045210 - Flags: approval-mozilla-beta? → approval-mozilla-beta+