Open Bug 1489764 Opened 2 years ago Updated 4 months ago

crash near null [@ InsertChildToChildList]

Categories

(Core :: DOM: Editor, defect, P3, critical)

Tracking


Tracking Status
firefox-esr68 --- affected
firefox63 --- wontfix
firefox64 --- wontfix
firefox71 --- wontfix
firefox72 --- affected
firefox73 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase)

Attachments

(1 file, 1 obsolete file)

Attached file testcase.html (obsolete)
==8202==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x7fec53c6dcde bp 0x7fffdb879170 sp 0x7fffdb879160 T0)
==8202==The signal is caused by a READ memory access.
==8202==Hint: address points to the zero page.
    #0 0x7fec53c6dcdd in assign_assuming_AddRef src/xpcom/base/nsCOMPtr.h:350:27
    #1 0x7fec53c6dcdd in nsCOMPtr_base::assign_with_AddRef(nsISupports*) src/xpcom/base/nsCOMPtr.cpp:44
    #2 0x7fec57087774 in operator= src/obj-firefox/dist/include/nsCOMPtr.h:631:5
    #3 0x7fec57087774 in InsertChildToChildList src/dom/base/nsINode.cpp:1497
    #4 0x7fec57087774 in nsINode::InsertChildBefore(nsIContent*, nsIContent*, bool) src/dom/base/nsINode.cpp:1406
    #5 0x7fec5716951e in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:2503:14
    #6 0x7fec5bc9ab9e in InsertBefore src/dom/base/nsINode.h:1794:12
    #7 0x7fec5bc9ab9e in mozilla::EditorBase::DoSplitNode(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, nsIContent&, mozilla::ErrorResult&) src/editor/libeditor/EditorBase.cpp:3118
    #8 0x7fec5be6a6b3 in mozilla::SplitNodeTransaction::DoTransaction() src/editor/libeditor/SplitNodeTransaction.cpp:97:16
    #9 0x7fec5beefef5 in DoTransaction src/editor/txmgr/TransactionItem.cpp:162:26
    #10 0x7fec5beefef5 in mozilla::TransactionManager::BeginTransaction(nsITransaction*, nsISupports*) src/editor/txmgr/TransactionManager.cpp:700
    #11 0x7fec5beef88c in mozilla::TransactionManager::DoTransaction(nsITransaction*) src/editor/txmgr/TransactionManager.cpp:71:8
    #12 0x7fec5bc81003 in mozilla::EditorBase::DoTransaction(mozilla::dom::Selection*, nsITransaction*) src/editor/libeditor/EditorBase.cpp:799:32
    #13 0x7fec5bcd0fa3 in already_AddRefed<nsIContent> mozilla::EditorBase::SplitNodeWithTransaction<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::ErrorResult&) src/editor/libeditor/EditorBase.cpp:1543:12
    #14 0x7fec5bcd32b3 in mozilla::SplitNodeResult mozilla::EditorBase::SplitNodeDeepWithTransaction<nsINode*, nsIContent*>(nsIContent&, mozilla::EditorDOMPointBase<nsINode*, nsIContent*> const&, mozilla::SplitAtEdges) src/editor/libeditor/EditorBase.cpp:4049:9
    #15 0x7fec5bd8bdac in mozilla::HTMLEditRules::BustUpInlinesAtRangeEndpoints(mozilla::RangeItem&) src/editor/libeditor/HTMLEditRules.cpp:7728:23
    #16 0x7fec5bd18ca7 in mozilla::HTMLEditRules::GetNodesForOperation(nsTArray<RefPtr<nsRange> >&, nsTArray<mozilla::OwningNonNull<nsINode> >&, mozilla::EditSubAction, mozilla::HTMLEditRules::TouchContent) src/editor/libeditor/HTMLEditRules.cpp:7393:21
    #17 0x7fec5bd61946 in mozilla::HTMLEditRules::GetNodesFromSelection(mozilla::EditSubAction, nsTArray<mozilla::OwningNonNull<nsINode> >&, mozilla::HTMLEditRules::TouchContent) src/editor/libeditor/HTMLEditRules.cpp:7906:17
    #18 0x7fec5bd7d734 in mozilla::HTMLEditRules::AlignContentsAtSelection(nsTSubstring<char16_t> const&) src/editor/libeditor/HTMLEditRules.cpp:6090:5
    #19 0x7fec5bcf901e in WillAlign src/editor/libeditor/HTMLEditRules.cpp:6068:8
    #20 0x7fec5bcf901e in mozilla::HTMLEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::EditSubActionInfo&, bool*, bool*) src/editor/libeditor/HTMLEditRules.cpp:720
    #21 0x7fec5bdcb84e in mozilla::HTMLEditor::Align(nsTSubstring<char16_t> const&) src/editor/libeditor/HTMLEditor.cpp:2558:11
    #22 0x7fec5bde33ba in mozilla::MultiStateCommandBase::DoCommandParams(char const*, nsICommandParams*, nsISupports*) src/editor/libeditor/HTMLEditorCommands.cpp:660:10
    #23 0x7fec59cf8e40 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) src/dom/commandhandler/nsControllerCommandTable.cpp:162:26
    #24 0x7fec59cee6d8 in DoCommandWithParams src/dom/commandhandler/nsBaseCommandController.cpp:152:25
    #25 0x7fec59cee6d8 in non-virtual thunk to nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) src/dom/commandhandler/nsBaseCommandController.cpp
    #26 0x7fec59cf4b3d in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) src/dom/commandhandler/nsCommandManager.cpp:210:29
    #27 0x7fec5a2096c2 in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) src/dom/html/nsHTMLDocument.cpp:3026:18
    #28 0x7fec5920858c in mozilla::dom::HTMLDocument_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:577:21
    #29 0x7fec596c0e95 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3296:13
    #30 0x7fec5faae02b in CallJSNative src/js/src/vm/Interpreter.cpp:449:15
    #31 0x7fec5faae02b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:537
    #32 0x7fec5fa97973 in CallFromStack src/js/src/vm/Interpreter.cpp:594:12
    #33 0x7fec5fa97973 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3266
    #34 0x7fec5fa7d4fe in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:429:12
    #35 0x7fec5faaeb3e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:561:15
    #36 0x7fec5fab08d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:607:10
    #37 0x7fec6051ebfd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2917:12
    #38 0x7fec58e729ac in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
    #39 0x7fec59e49fdd in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #40 0x7fec59e478d6 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
    #41 0x7fec59e0d82c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1111:52
    #42 0x7fec59e0f402 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1342:20
    #43 0x7fec59df8d18 in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #44 0x7fec59df8d18 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:420
    #45 0x7fec59df750c in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:637:16
    #46 0x7fec59dfca99 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1112:9
    #47 0x7fec5c200a11 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1169:7
    #48 0x7fec5ed2840f in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7056:21
    #49 0x7fec5ed248a4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6849:7
    #50 0x7fec5ed2c10f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
    #51 0x7fec55c93fb7 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1313:3
    #52 0x7fec55c93057 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:856:14
    #53 0x7fec55c8fc58 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:745:9
    #54 0x7fec55c91c2a in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:631:5
    #55 0x7fec55c92c2c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #56 0x7fec54018945 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:629:28
    #57 0x7fec570b6c7a in DoUnblockOnload src/dom/base/nsDocument.cpp:8299:18
    #58 0x7fec570b6c7a in nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:8221
    #59 0x7fec570968bd in nsIDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5093:3
    #60 0x7fec571b67d4 in applyImpl<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1168:12
    #61 0x7fec571b67d4 in apply<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1174
    #62 0x7fec571b67d4 in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1219
    #63 0x7fec53decf9e in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #64 0x7fec53e1ae0f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1167:14
    #65 0x7fec53e21fa8 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #66 0x7fec54d5cf3a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #67 0x7fec54cb0b2c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #68 0x7fec54cb0b2c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #69 0x7fec54cb0b2c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #70 0x7fec5bb4beca in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #71 0x7fec5f7dbe1f in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:944:22
    #72 0x7fec54cb0b2c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #73 0x7fec54cb0b2c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #74 0x7fec54cb0b2c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #75 0x7fec5f7db6e9 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:770:34
    #76 0x4f2304 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #77 0x4f2304 in main src/browser/app/nsBrowserApp.cpp:287
    #78 0x7fec732f782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #79 0x421728 in _start (firefox+0x421728)
Flags: in-testsuite?
AddressSanitizer only? No assertion even in a debug build. (InsertChildToChildList has a null check in debug builds.)
Priority: -- → P3
Severity: normal → critical
Attached file testcase.html

Updated test case. This will trigger the issue on both debug and opt builds.

Attachment #9007444 - Attachment is obsolete: true