crash in [@ nsRange::UnregisterCommonAncestor]
Categories: Core :: DOM: Selection, defect, P3
Tracking: firefox66 affected
People: Reporter: tsmith, Unassigned
References: Blocks 3 open bugs
Keywords: crash, regression, testcase
Attachments: 1 file (595 bytes, text/html)
Not sure if this is actually a dup of bug 1394516 or not. In any case I have a test case for this one :)

==54901==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7fdaae6e4d31 bp 0x7ffeefb89b90 sp 0x7ffeefb89b70 T0)
==54901==The signal is caused by a READ memory access.
==54901==Hint: address points to the zero page.
    #0 0x7fdaae6e4d30 in HasSlots src/dom/base/nsINode.h:1797:34
    #1 0x7fdaae6e4d30 in GetExistingCommonAncestorRanges src/dom/base/nsINode.h:1777
    #2 0x7fdaae6e4d30 in nsRange::UnregisterCommonAncestor(nsINode*, bool) src/dom/base/nsRange.cpp:425
    #3 0x7fdaae6f076b in nsRange::SetSelection(mozilla::dom::Selection*) src/dom/base/nsRange.cpp:1023:5
    #4 0x7fdaae387829 in mozilla::dom::Selection::Clear(nsPresContext*) src/dom/base/Selection.cpp:1165:24
    #5 0x7fdaae37f758 in mozilla::dom::Selection::RemoveAllRanges(mozilla::ErrorResult&) src/dom/base/Selection.cpp:1917:21
    #6 0x7fdaae37f465 in mozilla::dom::Selection::cycleCollection::Unlink(void*) src/dom/base/Selection.cpp:703:8
    #7 0x7fdaa9f14254 in nsCycleCollector::CollectWhite() src/xpcom/base/nsCycleCollector.cpp:3084:26
    #8 0x7fdaa9f187e4 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3430:24
    #9 0x7fdaa9f1db1f in nsCycleCollector_collectSlice(js::SliceBudget&, bool) src/xpcom/base/nsCycleCollector.cpp:3955:21
    #10 0x7fdaae65647a in nsJSContext::RunCycleCollectorSlice(mozilla::TimeStamp) src/dom/base/nsJSEnvironment.cpp:1468:3
    #11 0x7fdaae65c1cc in CCRunnerFired(mozilla::TimeStamp) src/dom/base/nsJSEnvironment.cpp:1851:7
    #12 0x7fdaaa0af819 in operator() src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2440:14
    #13 0x7fdaaa0af819 in mozilla::IdleTaskRunner::Run() src/xpcom/threads/IdleTaskRunner.cpp:58
    #14 0x7fdaaa110298 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1157:14
    #15 0x7fdaaa11904d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:468:10
    #16 0x7fdaab3a265f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #17 0x7fdaab294c2e in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
    #18 0x7fdaab294c2e in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
    #19 0x7fdaab294c2e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
    #20 0x7fdab449dd63 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #21 0x7fdab8f1af1e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:915:20
    #22 0x7fdaab294c2e in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
    #23 0x7fdaab294c2e in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
    #24 0x7fdaab294c2e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
    #25 0x7fdab8f19f6e in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:753:34
    #26 0x55f9ca3f7864 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
    #27 0x55f9ca3f7864 in main src/browser/app/nsBrowserApp.cpp:265
    #28 0x7fdace1f582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #29 0x55f9ca31ceec in _start (firefox+0x2deec)
Comment 1 (Reporter)•5 years ago
The attached test case also triggers: Assertion failure: aNode (bad arg), at src/dom/base/nsRange.cpp:422
Comment 2•5 years ago
Could you take a look, or could you suggest someone who could?
Comment 3•5 years ago
I think there is a good chance this is a regression from bug 1513547.
I couldn't reproduce the crash with current Nightly on Ubuntu 18.04.
tsmith: which OS were you using? Moreover, it would be interesting if you could reproduce the crash with current Nightly.
Comment 5 (Reporter)•5 years ago
(In reply to Mirko Brodesser (:mbrodesser) from comment #4)
> which OS were you using?
It would have been found on Linux.
> Moreover it would be interesting if you can reproduce the crash with current Nightly.
No, I cannot reproduce this on an up-to-date build. FWIW the fuzzers last reported this issue on March 29 after reporting it frequently (multiple times a day) for months.
Comment 6•5 years ago
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Comment 7•5 years ago
https://wiki.mozilla.org/BMO/UserGuide/BugStatuses#Resolutions
> INVALID
> The problem described is not a bug.
WORKSFORME seems like a more appropriate resolution for reports like this.
Probably worth landing the testcase as a crashtest so we can detect if the problem comes back.
Mats: thanks for the correction.
Comment 9 (Reporter)•4 years ago
This was last seen by fuzzers in March 2019 with m-c build 20190324-5dc0652cd024