Closed Bug 1581246 Opened 5 years ago Closed 4 years ago

stack-overflow in [@ mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteAtOtherBlockBoundary]

Categories

(Core :: DOM: Editor, defect, P2)

Product:
Core
Component:
DOM: Editor
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
84 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox68 --- wontfix
firefox70 --- wontfix
firefox71 --- wontfix
firefox81 --- wontfix
firefox82 --- wontfix
firefox83 --- wontfix
firefox84 --- fixed

People

(Reporter: tsmith, Assigned: masayuki)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files)

testcase.html
258 bytes, text/html
Details
Bug 1581246 - Add reported testcase as a crashtest (the crash was fixed by bug 1666556) r=m_kato!
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Reduced with m-c:
BuildID=20190913214459
SourceStamp=598d441e4ebaa93ab098d266035a396057c82129

==29219==ERROR: AddressSanitizer: stack-overflow on address 0x7ffee610beb8 (pc 0x5591b56dde0c bp 0x7ffee610c720 sp 0x7ffee610bec0 T0)
    ...
    #253 0x7f589bb6dacd in mozilla::HTMLEditor::HandleDeleteAroundCollapsedSelection(short, short) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2527:9
    #254 0x7f589bb66860 in mozilla::HTMLEditor::HandleDeleteSelectionInternal(short, short) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2442:33
    #255 0x7f589bb781b7 in mozilla::HTMLEditor::HandleDeleteCollapsedSelectionAtOtherBlockBoundary(short, short, mozilla::dom::Element&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::WSRunObject&) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2985:9
    #256 0x7f589bb6dacd in mozilla::HTMLEditor::HandleDeleteAroundCollapsedSelection(short, short) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2527:9
    #257 0x7f589bb66860 in mozilla::HTMLEditor::HandleDeleteSelectionInternal(short, short) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2442:33
    #258 0x7f589bb781b7 in mozilla::HTMLEditor::HandleDeleteCollapsedSelectionAtOtherBlockBoundary(short, short, mozilla::dom::Element&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::WSRunObject&) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2985:9
    #259 0x7f589bb6dacd in mozilla::HTMLEditor::HandleDeleteAroundCollapsedSelection(short, short) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2527:9
Flags: in-testsuite?
Priority: -- → P1

https://crash-stats.mozilla.org/report/index/11c3fa74-951d-4023-9a32-d8aa80190917
This is also reproducible with Firefox 68 (The old method name of them is HTMLEditRules::WillDeleteSelection().)

status-firefox68: --- → affected
Priority: P1 → P2
Crash Signature: [@ mozilla::HTMLEditor::GetActiveEditingHost ] [@ mozilla::HTMLEditor::HandleDeleteAroundCollapsedSelection]
Crash Signature: [@ mozilla::HTMLEditor::GetActiveEditingHost ] [@ mozilla::HTMLEditor::HandleDeleteAroundCollapsedSelection] → [@ mozilla::HTMLEditor::GetActiveEditingHost ] [@ mozilla::HTMLEditor::HandleDeleteAroundCollapsedSelection] [@ mozilla::SelectionState::Clear ]
Severity: normal → S2

S1 or S2 bugs needs an assignee - could you find someone for this bug?

Flags: needinfo?(htsai)
Severity: S2 → --
Flags: needinfo?(htsai)
Severity: -- → S3

Here is stack trace with the new deletion classes.
https://crash-stats.mozilla.org/report/index/003b40d2-9686-4fea-81b5-4c8e60201030

Crash Signature: [@ mozilla::HTMLEditor::GetActiveEditingHost ] [@ mozilla::HTMLEditor::HandleDeleteAroundCollapsedSelection] [@ mozilla::SelectionState::Clear ] → [@ mozilla::HTMLEditor::GetActiveEditingHost ] [@ mozilla::HTMLEditor::HandleDeleteAroundCollapsedSelection] [@ mozilla::SelectionState::Clear ] [@ mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteAtOtherBlockBoundary ]
Summary: stack-overflow in [@ mozilla::HTMLEditor::HandleDeleteAroundCollapsedSelection] → stack-overflow in [@ mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteAtOtherBlockBoundary]

Okay, the crash point and reason is same as bug 1666556. I'll add the reported tests in this bug.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED
status-firefox68: affectedwontfix
status-firefox70: affectedwontfix
status-firefox71: affectedwontfix
status-firefox81: --- → wontfix
status-firefox82: --- → wontfix
status-firefox83: --- → wontfix
status-firefox84: --- → affected
Depends on: 1666556

This does not require recursive call of execCommand so that this does not
set the pref.

Depends on D95268

Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/5929c86e628c Add reported testcase as a crashtest (the crash was fixed by bug 1666556) r=m_kato

https://hg.mozilla.org/mozilla-central/rev/5929c86e628c

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox84: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
status-firefox-esr78: --- → wontfix
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: