Closed Bug 1579934 Opened 5 years ago Closed 3 years ago

crash near null in [@ mozilla::HTMLEditor::IsContainer]

Categories

(Core :: DOM: Editor, defect, P3)

Tracking

RESOLVED FIXED
84 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox71 --- wontfix
firefox82 --- wontfix
firefox83 --- wontfix
firefox84 --- fixed

People

(Reporter: tsmith, Assigned: masayuki)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files)

Attached file testcase.html

Reduced with m-c:
BuildID=20190909153652
SourceStamp=6f423e980a92fd8961aad1f85f80e80d72437b0e

==58046==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7fb83bdaa73e bp 0x7ffcbf9ce5b0 sp 0x7ffcbf9ce5a0 T0)
==58046==The signal is caused by a READ memory access.
==58046==Hint: address points to the zero page.
    #0 0x7fb83bdaa73d in get src/obj-firefox/dist/include/mozilla/RefPtr.h:278:27
    #1 0x7fb83bdaa73d in operator-> src/obj-firefox/dist/include/mozilla/RefPtr.h:308
    #2 0x7fb83bdaa73d in NodeType src/dom/base/nsINode.h:654
    #3 0x7fb83bdaa73d in IsText src/dom/base/nsINode.h:507
    #4 0x7fb83bdaa73d in mozilla::HTMLEditor::IsContainer(nsINode*) const src/editor/libeditor/HTMLEditor.cpp:3408
    #5 0x7fb83bf2a10d in mozilla::WSRunScanner::GetPreviousWSNode(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, nsINode*) const src/editor/libeditor/WSRunObject.cpp:1095:21
    #6 0x7fb83bf26d61 in mozilla::WSRunScanner::GetWSNodes() src/editor/libeditor/WSRunObject.cpp:710:38
    #7 0x7fb83bf30c5b in mozilla::WSRunScanner::WSRunScanner<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::HTMLEditor const*, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&) src/editor/libeditor/WSRunObject.cpp:92:3
    #8 0x7fb83bf30e91 in mozilla::WSRunObject::WSRunObject<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::HTMLEditor*, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&) src/editor/libeditor/WSRunObject.cpp:102:7
    #9 0x7fb83bd9fcbd in WSRunObject<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > src/editor/libeditor/WSRunObject.h:401:9
    #10 0x7fb83bd9fcbd in GetInvisibleBRElementAt<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > src/editor/libeditor/HTMLEditRules.cpp:6885
    #11 0x7fb83bd9fcbd in mozilla::HTMLEditor::TryToJoinBlocksWithTransaction(nsIContent&, nsIContent&) src/editor/libeditor/HTMLEditRules.cpp:3720
    #12 0x7fb83bd97fa3 in mozilla::HTMLEditor::HandleDeleteCollapsedSelectionAtCurrentBlockBoundary(short, mozilla::dom::Element&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&) src/editor/libeditor/HTMLEditRules.cpp:3022:9
    #13 0x7fb83bd8c66d in mozilla::HTMLEditor::HandleDeleteAroundCollapsedSelection(short, short) src/editor/libeditor/HTMLEditRules.cpp:2521:9
    #14 0x7fb83bd58cb0 in mozilla::HTMLEditor::HandleDeleteSelection(short, short) src/editor/libeditor/HTMLEditRules.cpp:2422:33
    #15 0x7fb83bd535fd in mozilla::HTMLEditRules::WillDoAction(mozilla::EditSubActionInfo&, bool*, bool*) src/editor/libeditor/HTMLEditRules.cpp:780:21
    #16 0x7fb83bee6e46 in mozilla::TextEditor::DeleteSelectionAsSubAction(short, short) src/editor/libeditor/TextEditor.cpp:663:24
    #17 0x7fb83beee580 in mozilla::TextEditor::DeleteSelectionAsAction(short, short, nsIPrincipal*) src/editor/libeditor/TextEditor.cpp:636:17
    #18 0x7fb83685fe91 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) src/dom/base/Document.cpp:4632:26
    #19 0x7fb8389daca7 in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Document*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/DocumentBinding.cpp:3579:36
    #20 0x7fb83912baad in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3168:13
    #21 0x7fb83fd1c057 in CallJSNative src/js/src/vm/Interpreter.cpp:447:13
    #22 0x7fb83fd1c057 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:539
    #23 0x7fb83fd042fc in CallFromStack src/js/src/vm/Interpreter.cpp:598:10
    #24 0x7fb83fd042fc in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3084
    #25 0x7fb83fce599f in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:424:10
    #26 0x7fb83fd1cb5f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:567:13
    #27 0x7fb83fd1ed82 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:610:8
    #28 0x7fb840885c68 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2723:10
    #29 0x7fb8389923f4 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
    #30 0x7fb839914d91 in Call<nsCOMPtr<mozilla::dom::EventTarget> > src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #31 0x7fb839914d91 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:205
    #32 0x7fb8398cd87c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1038:22
    #33 0x7fb8398cf2c0 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1230:17
    #34 0x7fb8398b609a in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #35 0x7fb8398b609a in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:349
    #36 0x7fb8398b48b2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:551:16
    #37 0x7fb8398ba27b in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1045:11
    #38 0x7fb83c25bcf4 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1170:7
    #39 0x7fb83eea2681 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6541:20
    #40 0x7fb83eea18fe in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6319:7
    #41 0x7fb83eea653f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
    #42 0x7fb8351983fc in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1333:3
    #43 0x7fb83519749c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:892:14
    #44 0x7fb8351930bb in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:726:9
    #45 0x7fb835195f16 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:614:5
    #46 0x7fb83519707c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #47 0x7fb83299d970 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:568:22
    #48 0x7fb8368516c8 in DoUnblockOnload src/dom/base/Document.cpp:10691:18
    #49 0x7fb8368516c8 in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:10623
    #50 0x7fb83687cec4 in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7184:3
    #51 0x7fb836962774 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #52 0x7fb836962774 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1130
    #53 0x7fb836962774 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1176
    #54 0x7fb8326ddb31 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:295:32
    #55 0x7fb83270f596 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
    #56 0x7fb832715498 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #57 0x7fb83393122f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #58 0x7fb83382def2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #59 0x7fb83382def2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #60 0x7fb83382def2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #61 0x7fb83bb6e749 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #62 0x7fb83fa6298f in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #63 0x7fb83382def2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #64 0x7fb83382def2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #65 0x7fb83382def2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #66 0x7fb83fa62236 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #67 0x5560e5a47d5a in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #68 0x5560e5a47d5a in main src/browser/app/nsBrowserApp.cpp:272
Flags: in-testsuite?

Recent change made in Bug 1533293. Related?

Priority: -- → P3
Severity: normal → S3
Assertion failure: mChild->GetParentNode() == mParent, at m:/fx64-dbg/dist/include\mozilla/EditorDOMPoint.h:417
#01: mozilla::WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoAncestorLeftBlockElement (m:\src\editor\libeditor\WSRunObject.cpp:275)
#02: mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::AutoInclusiveAncestorBlockElementsJoiner::Run (m:\src\editor\libeditor\HTMLEditorDeleteHandler.cpp:4362)
#03: mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteAtCurrentBlockBoundary (m:\src\editor\libeditor\HTMLEditorDeleteHandler.cpp:2724)
#04: mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run (m:\src\editor\libeditor\HTMLEditorDeleteHandler.cpp:504)
#05: mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteAroundCollapsedRanges (m:\src\editor\libeditor\HTMLEditorDeleteHandler.cpp:1825)
#06: mozilla::HTMLEditor::AutoDeleteRangesHandler::Run (m:\src\editor\libeditor\HTMLEditorDeleteHandler.cpp:1597)
#07: mozilla::HTMLEditor::HandleDeleteSelection (m:\src\editor\libeditor\HTMLEditorDeleteHandler.cpp:1086)
#08: mozilla::EditorBase::DeleteSelectionAsSubAction (m:\src\editor\libeditor\EditorBase.cpp:3773)
#09: mozilla::EditorBase::DeleteSelectionAsAction (m:\src\editor\libeditor\EditorBase.cpp:3736)
#10: mozilla::DeleteCommand::DoCommand (m:\src\editor\libeditor\EditorCommands.cpp:619)
#11: mozilla::dom::Document::ExecCommand (m:\src\dom\base\Document.cpp:5052)
#12: mozilla::dom::Document_Binding::execCommand (m:\fx64-dbg\dom\bindings\DocumentBinding.cpp:3473)
#13: mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> (m:\src\dom\bindings\BindingUtils.cpp:3231)
#14: CallJSNative (m:\src\js\src\vm\Interpreter.cpp:507)
#15: js::InternalCallOrConstruct (m:\src\js\src\vm\Interpreter.cpp:599)
#16: InternalCall (m:\src\js\src\vm\Interpreter.cpp:664)
#17: Interpret (m:\src\js\src\vm\Interpreter.cpp:3337)
#18: js::RunScript (m:\src\js\src\vm\Interpreter.cpp:477)
#19: js::InternalCallOrConstruct (m:\src\js\src\vm\Interpreter.cpp:636)
#20: InternalCall (m:\src\js\src\vm\Interpreter.cpp:664)
#21: js::Call (m:\src\js\src\vm\Interpreter.cpp:681)
#22: JS::Call (m:\src\js\src\jsapi.cpp:2830)
#23: mozilla::dom::EventHandlerNonNull::Call (m:\fx64-dbg\dom\bindings\EventHandlerBinding.cpp:278)
#24: mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> > (m:\fx64-dbg\dist\include\mozilla\dom\EventHandlerBinding.h:367)
#25: mozilla::JSEventHandler::HandleEvent (m:\src\dom\events\JSEventHandler.cpp:202)
#26: mozilla::EventListenerManager::HandleEventSubType (m:\src\dom\events\EventListenerManager.cpp:1078)
#27: mozilla::EventListenerManager::HandleEventInternal (m:\src\dom\events\EventListenerManager.cpp:1272)
#28: mozilla::EventTargetChainItem::HandleEvent (m:\src\dom\events\EventDispatcher.cpp:355)
#29: mozilla::EventTargetChainItem::HandleEventTargetChain (m:\src\dom\events\EventDispatcher.cpp:556)
#30: mozilla::EventDispatcher::Dispatch (m:\src\dom\events\EventDispatcher.cpp:1092)
#31: nsDocumentViewer::LoadComplete (m:\src\layout\base\nsDocumentViewer.cpp:1096)

The current stack is like this.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED

Ah, it never crashes with an opt build, but it hits the assertion.

They join the first line of a descendant block element into the line in the other
block that contains the descendant block. First of all, they call
DeleteInvisibleASCIIWhiteSpace() to clean up unnecessary whitespace in
the other block. At this time, the point which tells whether the descendant
element is contained in the other block may become invalid if script runs
and changes the DOM tree. Therefore, they should check that the
given point is still valid after calling DeleteInvisibleASCIIWhiteSpace(),
because AutoTrackDOMPoint requires a valid point.
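The hazard the commit message describes, as an added example that is not Gecko code: a toy DOM tree with a (parent, child) point whose validity check is the same condition as the failing assertion (`mChild->GetParentNode() == mParent`), a whitespace-cleanup step that runs a script hook which may mutate the tree, and a merge routine that re-validates the point afterwards and bails out instead of dereferencing a stale child. All names here (`Node`, `Tree`, `DOMPoint`, `DeleteInvisibleWhiteSpace`, `MergeFirstLineOfRightBlockIntoLeftBlock`, `RunScenario`) are assumptions of this example, not editor APIs.

```cpp
// Added example, not Gecko code: a toy DOM with a (parent, child) point,
// modelled on the EditorDOMPoint validity condition in the assertion above,
// and a merge routine that re-checks the point after a step which may run
// script. Every name below is an assumption of this example.
#include <algorithm>
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct Node {
  std::string name;   // e.g. "div" or "#text"
  std::string text;   // content for "#text" nodes
  Node* parent = nullptr;
  std::vector<Node*> children;
};

// Arena owning all nodes, so pointers stay dereferenceable after detachment;
// only staleness is modelled here, not use-after-free.
struct Tree {
  std::vector<std::unique_ptr<Node>> arena;
  Node* Make(const std::string& name, const std::string& text = "") {
    arena.push_back(std::make_unique<Node>());
    Node* n = arena.back().get();
    n->name = name;
    n->text = text;
    return n;
  }
  static void Append(Node* parent, Node* child) {
    child->parent = parent;
    parent->children.push_back(child);
  }
  static void Remove(Node* child) {
    Node* p = child->parent;
    if (!p) return;
    p->children.erase(std::remove(p->children.begin(), p->children.end(), child),
                      p->children.end());
    child->parent = nullptr;
  }
};

// Stand-in for EditorDOMPoint: the parent plus the child it points at.
struct DOMPoint {
  Node* parent = nullptr;
  Node* child = nullptr;
  // Same condition as the failing assertion: mChild->GetParentNode() == mParent.
  bool IsSetAndValid() const { return parent && child && child->parent == parent; }
};

static bool IsInvisibleWhiteSpace(const Node* n) {
  return n->name == "#text" && n->text.find_first_not_of(" \t\n") == std::string::npos;
}

// Stand-in for DeleteInvisibleASCIIWhiteSpace(): drops whitespace-only text
// children of `block`, then runs `script`, which models a listener reacting
// to the mutation and possibly changing the tree again.
static void DeleteInvisibleWhiteSpace(Node* block, const std::function<void()>& script) {
  std::vector<Node*> victims;
  for (Node* c : block->children)
    if (IsInvisibleWhiteSpace(c)) victims.push_back(c);
  for (Node* v : victims) Tree::Remove(v);
  if (!victims.empty() && script) script();
}

enum class MergeResult { Merged, AbortedPointInvalid };

// Moves the children of the descendant block (pointed at by `atRightBlock`)
// into `leftBlock`, but only if the point survived the whitespace cleanup.
static MergeResult MergeFirstLineOfRightBlockIntoLeftBlock(
    Node* leftBlock, DOMPoint atRightBlock, const std::function<void()>& script) {
  DeleteInvisibleWhiteSpace(leftBlock, script);
  // The fix: re-validate instead of trusting a point the script may have broken.
  if (!atRightBlock.IsSetAndValid()) return MergeResult::AbortedPointInvalid;
  Node* rightBlock = atRightBlock.child;
  std::vector<Node*> moved = rightBlock->children;  // copy: Remove() mutates the list
  for (Node* c : moved) { Tree::Remove(c); Tree::Append(leftBlock, c); }
  Tree::Remove(rightBlock);
  return MergeResult::Merged;
}

// Constructed tree: <div>"  "<div>"abc"</div></div>. When the flag is set, the
// script hook detaches the inner div while whitespace is being cleaned up.
static MergeResult RunScenario(bool scriptDetachesRightBlock) {
  Tree t;
  Node* left = t.Make("div");
  Node* ws = t.Make("#text", "  ");
  Node* right = t.Make("div");
  Node* content = t.Make("#text", "abc");
  Tree::Append(left, ws);
  Tree::Append(left, right);
  Tree::Append(right, content);
  DOMPoint atRight{left, right};
  std::function<void()> script;
  if (scriptDetachesRightBlock) script = [right] { Tree::Remove(right); };
  return MergeFirstLineOfRightBlockIntoLeftBlock(left, atRight, script);
}
```

Without the `IsSetAndValid()` check, the merge would walk the children of a block that script has already detached, which is the stale-point state behind the null read in the ASan report. The arena keeps every node alive, so only staleness is modelled; Gecko's `EditorDOMPointBase` holds strong `nsCOMPtr` references (visible in the first stack) for the lifetime part, and the parent-relationship check on top of that is what this fix adds.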

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/70b0340e8165
Make `WhiteSpaceVisibilityKeeper::MergeFirstLineOf*()` stop handling their job if calling `DeleteInvisibleASCIIWhiteSpace()` makes the descendant block position changed r=m_kato
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
Flags: in-testsuite? → in-testsuite+