Open
Bug 1473616
Opened 7 years ago
Updated 2 years ago
Assertion failure: range->IsInSelection(), at /builds/worker/workspace/build/src/dom/base/Selection.cpp:2894
Categories
(Core :: DOM: Selection, defect, P3)
Tracking
()
NEW
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 2 open bugs)
Details
Attachments
(1 file)
|
971 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev cc3401e78e8b.
rax = 0x0000000000000000 rdx = 0x0000000000000000
rcx = 0x0000000000000b40 rbx = 0x00007fb1549c3f40
rsi = 0x00007fb1745b18b0 rdi = 0x00007fb1745b0680
rbp = 0x00007ffecb240310 rsp = 0x00007ffecb240260
r8 = 0x00007fb1745b18b0 r9 = 0x00007fb17572b740
r10 = 0x00000000ffffffc7 r11 = 0x0000000000000000
r12 = 0x00007ffecb2403d0 r13 = 0x0000000000000002
r14 = 0x00007fb1549c3f80 r15 = 0x00007fb1549f9a00
rip = 0x00007fb163c8e31b
OS|Linux|0.0.0 Linux 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|mozilla::dom::Selection::Extend(nsINode&, unsigned int, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Selection.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|2894|0x18
0|1|libxul.so|mozilla::dom::Selection::ExtendJS(nsINode&, unsigned int, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Selection.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|2617|0x5
0|2|libxul.so|mozilla::dom::Selection_Binding::extend|s3:gecko-generated-sources:7993e48c30769a0cab90926ab79dab2e7618b3823b7ce437505c2583d213cd1ec7f03dce937e948413a4480adfc2ade4a5a30635374f7b46aa98687493bceb3b/dom/bindings/SelectionBinding.cpp:|673|0x18
0|3|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|3319|0x9
0|4|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|443|0x3
0|5|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|531|0xf
0|6|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|582|0xd
0|7|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|588|0xf
0|8|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|423|0xb
0|9|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|555|0xf
0|10|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|582|0xd
0|11|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|601|0x5
0|12|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|2887|0x20
0|13|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:ccbadb8791154c00d5d9f3f34300a418cdfa4b3b0b60424e60394883162a95118b3edbfce81cbc7a5b48193d5a2618fc449143e250bd5c61dd1340709a3af189/dom/bindings/EventListenerBinding.cpp:|51|0x5
0|14|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:df09d9cc306a083595346f6d0dae2f0ce3f5fd435f6f7a4c0c4316b1859a44f5dd95d604614ce612b37891bd9d49c6084a65a1469d48132cf498398ec46b46ca/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|15|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|1121|0x26
0|16|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|1298|0x15
0|17|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.h:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|393|0xa
0|18|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|622|0x12
0|19|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|1089|0xb
0|20|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|1172|0x19
0|21|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|1089|0x5
0|22|libxul.so|nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|4480|0x28
0|23|libxul.so|nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|4445|0xc
0|24|libxul.so|nsIDocument::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|4970|0x5
0|25|libxul.so|mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|1166|0x13
0|26|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|337|0x15
0|27|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|1051|0x15
0|28|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|519|0x11
0|29|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|97|0xa
0|30|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|325|0x17
0|31|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|318|0x8
0|32|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|158|0xd
0|33|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|920|0x11
0|34|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|269|0x5
0|35|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|325|0x17
0|36|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|318|0x8
0|37|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|746|0x8
0|38|firefox|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|50|0x14
0|39|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|287|0x11
0|40|libc-2.27.so||||0x21b97
0|41|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:cc3401e78e8bbae22e6dbc854e525ceae4923bcf|164|0x5
|
||
Updated•6 years ago
|
Priority: -- → P3
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•