Open Bug 1490469 Opened 2 years ago Updated 7 months ago

crash near null in [@ mozilla::HTMLEditor::DoInsertHTMLWithContext]

Categories: Core :: DOM: Editor, defect, P2

Tracking Status:
firefox-esr68 --- affected
firefox63 --- wontfix
firefox64 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- affected

People: Reporter: tsmith, Unassigned

References: Blocks 1 open bug

Details: Keywords: crash, testcase

Attachments: 1 file, 1 obsolete file

Attached file testcase.html (obsolete)
==25376==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f96e1886cb1 bp 0x7ffd310a1220 sp 0x7ffd310a0180 T0)
==25376==The signal is caused by a READ memory access.
==25376==Hint: address points to the zero page.
    #0 0x7f96e1886cb0 in GetBoolFlag src/dom/base/nsINode.h:1596:12
    #1 0x7f96e1886cb0 in IsElement src/dom/base/nsINode.h:486
    #2 0x7f96e1886cb0 in IsHTMLElement src/dom/base/nsINode.h:731
    #3 0x7f96e1886cb0 in IsAnyOfHTMLElements<nsStaticAtom *, nsStaticAtom *, nsStaticAtom *> src/dom/base/nsINode.h:742
    #4 0x7f96e1886cb0 in IsList src/editor/libeditor/HTMLEditUtils.cpp:188
    #5 0x7f96e1886cb0 in mozilla::HTMLEditor::DoInsertHTMLWithContext(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIDocument*, nsINode*, int, bool, bool, bool) src/editor/libeditor/HTMLEditorDataTransfer.cpp:480
    #6 0x7f96e187e134 in InsertHTML src/editor/libeditor/HTMLEditorDataTransfer.cpp:180:10
    #7 0x7f96e187e134 in mozilla::InsertHTMLCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) src/editor/libeditor/HTMLEditorCommands.cpp:1482
    #8 0x7f96defcfc00 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) src/dom/commandhandler/nsControllerCommandTable.cpp:162:26
    #9 0x7f96defc5498 in DoCommandWithParams src/dom/commandhandler/nsBaseCommandController.cpp:152:25
    #10 0x7f96defc5498 in non-virtual thunk to nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) src/dom/commandhandler/nsBaseCommandController.cpp
    #11 0x7f96defcb8fd in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) src/dom/commandhandler/nsCommandManager.cpp:210:29
    #12 0x7f96df64ca77 in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) src/dom/html/nsHTMLDocument.cpp:3026:18
    #13 0x7f96de307820 in mozilla::dom::HTMLDocument_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:577:21
    #14 0x7f96de8b1529 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3296:13
    #15 0x7f96e772bf6b in CallJSNative src/js/src/vm/Interpreter.cpp:448:15
    #16 0x7f96e772bf6b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:536
    #17 0x7f96e77158b3 in CallFromStack src/js/src/vm/Interpreter.cpp:593:12
    #18 0x7f96e77158b3 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3266
    #19 0x7f96e76fb43e in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:428:12
    #20 0x7f96e772ca7e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560:15
    #21 0x7f96e772e812 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:606:10
    #22 0x7f96e67cf27d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2866:12
    #23 0x7f96ddeb1eca in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
    #24 0x7f96df17688a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #25 0x7f96df173c97 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
    #26 0x7f96df1275b5 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1111:52
    #27 0x7f96df1296b7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1342:20
    #28 0x7f96df10d159 in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #29 0x7f96df10d159 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:420
    #30 0x7f96df10b413 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:637:16
    #31 0x7f96df111bfe in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1112:9
    #32 0x7f96df114fa6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
    #33 0x7f96dba14c74 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1141:5
    #34 0x7f96df13cd79 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) src/dom/events/EventTarget.cpp:205:13
    #35 0x7f96df08a8a8 in mozilla::AsyncEventDispatcher::Run() src/dom/events/AsyncEventDispatcher.cpp:72:12
    #36 0x7f96d7817465 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #37 0x7f96d78551a0 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #38 0x7f96d7852d96 in NS_ProcessNextEvent src/xpcom/threads/nsThreadUtils.cpp:519:10
    #39 0x7f96d7852d96 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at src/xpcom/threads/nsThread.cpp:871:22)> src/obj-firefox/dist/include/nsThreadUtils.h:334
    #40 0x7f96d7852d96 in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:871
    #41 0x7f96d78648f8 in nsThreadPool::Shutdown() src/xpcom/threads/nsThreadPool.cpp:347:17
    #42 0x7f96d7829ecb in applyImpl<nsIThreadPool, nsresult (nsIThreadPool::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1178:12
    #43 0x7f96d7829ecb in apply<nsIThreadPool, nsresult (nsIThreadPool::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1184
    #44 0x7f96d7829ecb in mozilla::detail::RunnableMethodImpl<nsCOMPtr<nsIThreadPool>, nsresult (nsIThreadPool::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1229
    #45 0x7f96d78551a0 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #46 0x7f96d7852d96 in NS_ProcessNextEvent src/xpcom/threads/nsThreadUtils.cpp:519:10
    #47 0x7f96d7852d96 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at src/xpcom/threads/nsThread.cpp:871:22)> src/obj-firefox/dist/include/nsThreadUtils.h:334
    #48 0x7f96d7852d96 in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:871
    #49 0x7f96d78648f8 in nsThreadPool::Shutdown() src/xpcom/threads/nsThreadPool.cpp:347:17
    #50 0x7f96d7829ecb in applyImpl<nsIThreadPool, nsresult (nsIThreadPool::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1178:12
    #51 0x7f96d7829ecb in apply<nsIThreadPool, nsresult (nsIThreadPool::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1184
    #52 0x7f96d7829ecb in mozilla::detail::RunnableMethodImpl<nsCOMPtr<nsIThreadPool>, nsresult (nsIThreadPool::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1229
    #53 0x7f96d78551a0 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #54 0x7f96d785df45 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #55 0x7f96d8a6f9de in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #56 0x7f96d897072c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #57 0x7f96d897072c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #58 0x7f96d897072c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #59 0x7f96e1528006 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #60 0x7f96e59bc5ce in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:944:22
    #61 0x7f96d897072c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #62 0x7f96d897072c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #63 0x7f96d897072c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #64 0x7f96e59bb685 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:770:34
    #65 0x563c93174ba1 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #66 0x563c93174ba1 in main src/browser/app/nsBrowserApp.cpp:287
    #67 0x7f96f9b0a82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #68 0x563c930a3f4c in _start (firefox+0x2cf4c)
Flags: in-testsuite?
Priority: -- → P2

I can get this to reliably crash in Gmail on the latest nightly.

STR:

  1. Open Google Docs and create a formatted bulleted paragraph
    https://docs.google.com/document/d/1YZGu7aU9bAL-jxuG5H-CtgXZYK6oo59JT6lnxiSw62Y/edit?usp=sharing

  2. Create a new email in Gmail

  3. Add a bullet

  4. Copy and paste content from the Google Doc into the bullet in Gmail.

The tab crashes.

I tried this in Chrome and it pastes as expected.

Attached file testcase.html
Attachment #9008190 - Attachment is obsolete: true