Closed Bug 1512691 Opened 2 years ago Closed 2 years ago

Crash in nsWebBrowserFind::SetSelectionAndScroll

Categories

(Core :: Find Backend, defect)

Unspecified
Linux
defect
Not set
critical


RESOLVED DUPLICATE of bug 1510485

People

(Reporter: mccr8, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is
report bp-fabd448b-3aa5-422d-867c-bf2870181207.
=============================================================

Top 10 frames of crashing thread:

0 libxul.so nsWebBrowserFind::SetSelectionAndScroll dom/base/nsINode.h:1482
1 libxul.so nsWebBrowserFind::SearchInFrame toolkit/components/find/nsWebBrowserFind.cpp:696
2 libxul.so nsWebBrowserFind::FindNext toolkit/components/find/nsWebBrowserFind.cpp:108
3 libxul.so nsGlobalWindowOuter::FindOuter dom/base/nsGlobalWindowOuter.cpp:6084
4 libxul.so mozilla::dom::Window_Binding::find dom/bindings/WindowBinding.cpp:6148
5 libxul.so bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3063
6 libxul.so js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:443
7 libxul.so Interpret js/src/vm/Interpreter.cpp:590
8 libxul.so js::RunScript js/src/vm/Interpreter.cpp:423
9 libxul.so js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:563

=============================================================

This is a null deref. 23 crashes in the last week on Nightly.

I can't tell from the crash report where in nsWebBrowserFind::SetSelectionAndScroll we're actually hitting the null deref. The top frame is GetBoolFlag().

Maybe this QI could fail:
  nsCOMPtr<nsIContent> content(do_QueryInterface(node));
  nsIFrame* frame = content->GetPrimaryFrame();

That feels like something that could possibly have broken from Boris's de-COM stuff, though that's older than Nightly-only.

I also see no null check for selCon (and no check for the success of the function that returns it), but that isn't a node, so I would think we wouldn't be calling GetBoolFlag() on it.
First crash showed up on Nightly in the 11-25 build, which would make this the regression window:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=204cda7581188cfc8c8ef11dce4680dadf2b43bb&tochange=5c66354bff282452a6f1a3c911fa8756b6e752af
Looks like there's a test case in bug 1510485.
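The failure mode discussed in the description, reduced to a stand-alone C++ example (added here; this is not Gecko code, and Node, Content and Frame are simplified stand-ins for nsINode, nsIContent and nsIFrame): a QueryInterface-style cast that can legitimately return null, used unchecked as in the quoted snippet, next to a checked version that degrades to "no frame" instead of dereferencing null.

```cpp
#include <string>

// Simplified stand-ins for Gecko types (assumption: toy mocks, not Gecko).
struct Frame { std::string name; };
struct Content;

struct Node {
    virtual ~Node() = default;
    // Plays the role of do_QueryInterface(node) for nsIContent: returns
    // nullptr when the node is not a content node (e.g. a document node).
    virtual Content* AsContent() { return nullptr; }
};

struct Content : Node {
    Frame* primaryFrame;
    explicit Content(Frame* f) : primaryFrame(f) {}
    Content* AsContent() override { return this; }
    // Like nsIContent::GetPrimaryFrame(): may itself be null for content
    // that has no layout frame.
    Frame* GetPrimaryFrame() { return primaryFrame; }
};

struct DocumentNode : Node {};  // a node that does not QI to Content

// Mirrors the snippet quoted in the bug: the QI result is used without a
// check. Called with a DocumentNode this dereferences nullptr, so the
// example never calls it with one.
Frame* FrameForNodeUnchecked(Node* node) {
    Content* content = node->AsContent();
    return content->GetPrimaryFrame();
}

// Hardened form: validate the node, the QI result and the frame before use.
// Returns nullptr for "no frame available" rather than crashing.
Frame* FrameForNodeChecked(Node* node) {
    if (!node) return nullptr;
    Content* content = node->AsContent();
    if (!content) return nullptr;        // QI failed: not a content node
    Frame* frame = content->GetPrimaryFrame();
    if (!frame) return nullptr;          // content without a primary frame
    return frame;
}

int main() {
    Frame textFrame{"text"};
    Content text(&textFrame);
    DocumentNode doc;
    // Checked lookup succeeds for content and yields nullptr for a document
    // node instead of crashing.
    bool ok = FrameForNodeChecked(&text) == &textFrame &&
              FrameForNodeChecked(&doc) == nullptr &&
              FrameForNodeUnchecked(&text) == &textFrame;
    return ok ? 0 : 1;
}
```

The point of the checked version is that a caller such as SetSelectionAndScroll can treat "no content" and "no frame" as an early return rather than a crash; which of the two conditions the real report hits is exactly what the description says cannot be read off the stack.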
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1510485