Closed Bug 1515442 Opened 5 years ago Closed 4 years ago

crash in [@ nsRange::UnregisterCommonAncestor]

Categories

(Core :: DOM: Selection, defect, P3)


RESOLVED WORKSFORME
Tracking Status
firefox66 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 3 open bugs)

Details

(Keywords: crash, regression, testcase)

Attachments

(1 file)

Attached file testcase.html
Not sure if this is actually a dup of bug 1394516 or not. In any case I have a test case for this one :)

==54901==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7fdaae6e4d31 bp 0x7ffeefb89b90 sp 0x7ffeefb89b70 T0)
==54901==The signal is caused by a READ memory access.
==54901==Hint: address points to the zero page.
    #0 0x7fdaae6e4d30 in HasSlots src/dom/base/nsINode.h:1797:34
    #1 0x7fdaae6e4d30 in GetExistingCommonAncestorRanges src/dom/base/nsINode.h:1777
    #2 0x7fdaae6e4d30 in nsRange::UnregisterCommonAncestor(nsINode*, bool) src/dom/base/nsRange.cpp:425
    #3 0x7fdaae6f076b in nsRange::SetSelection(mozilla::dom::Selection*) src/dom/base/nsRange.cpp:1023:5
    #4 0x7fdaae387829 in mozilla::dom::Selection::Clear(nsPresContext*) src/dom/base/Selection.cpp:1165:24
    #5 0x7fdaae37f758 in mozilla::dom::Selection::RemoveAllRanges(mozilla::ErrorResult&) src/dom/base/Selection.cpp:1917:21
    #6 0x7fdaae37f465 in mozilla::dom::Selection::cycleCollection::Unlink(void*) src/dom/base/Selection.cpp:703:8
    #7 0x7fdaa9f14254 in nsCycleCollector::CollectWhite() src/xpcom/base/nsCycleCollector.cpp:3084:26
    #8 0x7fdaa9f187e4 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3430:24
    #9 0x7fdaa9f1db1f in nsCycleCollector_collectSlice(js::SliceBudget&, bool) src/xpcom/base/nsCycleCollector.cpp:3955:21
    #10 0x7fdaae65647a in nsJSContext::RunCycleCollectorSlice(mozilla::TimeStamp) src/dom/base/nsJSEnvironment.cpp:1468:3
    #11 0x7fdaae65c1cc in CCRunnerFired(mozilla::TimeStamp) src/dom/base/nsJSEnvironment.cpp:1851:7
    #12 0x7fdaaa0af819 in operator() src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2440:14
    #13 0x7fdaaa0af819 in mozilla::IdleTaskRunner::Run() src/xpcom/threads/IdleTaskRunner.cpp:58
    #14 0x7fdaaa110298 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1157:14
    #15 0x7fdaaa11904d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:468:10
    #16 0x7fdaab3a265f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #17 0x7fdaab294c2e in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
    #18 0x7fdaab294c2e in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
    #19 0x7fdaab294c2e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
    #20 0x7fdab449dd63 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #21 0x7fdab8f1af1e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:915:20
    #22 0x7fdaab294c2e in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
    #23 0x7fdaab294c2e in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
    #24 0x7fdaab294c2e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
    #25 0x7fdab8f19f6e in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:753:34
    #26 0x55f9ca3f7864 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
    #27 0x55f9ca3f7864 in main src/browser/app/nsBrowserApp.cpp:265
    #28 0x7fdace1f582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #29 0x55f9ca31ceec in _start (firefox+0x2deec)
Flags: in-testsuite?
The attached test case also triggers:
Assertion failure: aNode (bad arg), at src/dom/base/nsRange.cpp:422
Could you take a look, or could you suggest someone who could?
Flags: needinfo?(mats)
Priority: -- → P3
I think there is a good chance this is a regression from bug 1513547.

I couldn't reproduce the crash with current Nightly on Ubuntu 18.04.

tsmith: which OS were you using? Moreover it would be interesting if you can reproduce the crash with current Nightly.

Flags: needinfo?(twsmith)

(In reply to Mirko Brodesser (:mbrodesser) from comment #4)

> which OS were you using?

It would have been found on Linux.

> Moreover it would be interesting if you can reproduce the crash with current Nightly.

No, I cannot reproduce this on an up-to-date build. FWIW the fuzzers last reported this issue on March 29 after reporting it frequently (multiple times a day) for months.

Flags: needinfo?(twsmith)

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID

https://wiki.mozilla.org/BMO/UserGuide/BugStatuses#Resolutions

INVALID
The problem described is not a bug.

WORKSFORME seems like a more appropriate resolution for reports like this.

Probably worth landing the testcase as a crashtest so we can detect if the problem comes back.

Flags: needinfo?(mats)
Resolution: INVALID → WORKSFORME

Mats: thanks for the correction.

Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---

This was last seen by fuzzers in March 2019 with m-c build 20190324-5dc0652cd024

Status: REOPENED → RESOLVED
Closed: 5 years ago → 4 years ago
Resolution: --- → WORKSFORME