Closed Bug 1605741 Opened 1 year ago Closed 6 months ago

crash near null in [@ mozilla::HTMLEditor::NodeIsBlockStatic]

Categories

(Core :: DOM: Editor, defect, P3)

defect

Tracking

RESOLVED FIXED
84 Branch
Tracking Status
firefox73 --- wontfix
firefox74 --- wontfix
firefox75 --- wontfix
firefox76 --- wontfix
firefox77 --- wontfix
firefox82 --- wontfix
firefox83 --- wontfix
firefox84 --- fixed

People

(Reporter: tsmith, Assigned: masayuki)

References

(Depends on 1 open bug, Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [tbird crash])

Crash Data

Attachments

(2 files)

Attached file testcase.html

Reduced with m-c 20191220-1759c1b2fa6b

editor/libeditor/HTMLEditSubActionHandler.cpp:3432:38: runtime error: reference binding to null pointer of type 'const nsINode'
    #0 0x7f51ecc5be0b in mozilla::HTMLEditor::InsertBRElementIfHardLineIsEmptyAndEndsWithBlockBoundary(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&) editor/libeditor/HTMLEditSubActionHandler.cpp:3432:8
    #1 0x7f51ecc723ff in mozilla::HTMLEditor::HandleDeleteCollapsedSelectionAtTextNode(short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&) editor/libeditor/HTMLEditSubActionHandler.cpp:2643:8
    #2 0x7f51ecc6fc2b in mozilla::HTMLEditor::HandleDeleteAroundCollapsedSelection(short, short) editor/libeditor/HTMLEditSubActionHandler.cpp:2478:31
    #3 0x7f51ecc6cfc8 in mozilla::HTMLEditor::HandleDeleteSelectionInternal(short, short) editor/libeditor/HTMLEditSubActionHandler.cpp:2419:33
    #4 0x7f51ecc6c6db in mozilla::HTMLEditor::HandleDeleteSelection(short, short) editor/libeditor/HTMLEditSubActionHandler.cpp:2288:7
    #5 0x7f51ecd18d21 in mozilla::TextEditor::DeleteSelectionAsSubAction(short, short) editor/libeditor/TextEditor.cpp:664:7
    #6 0x7f51ecd1de93 in mozilla::TextEditor::DeleteSelectionAsAction(short, short, nsIPrincipal*) editor/libeditor/TextEditor.cpp:636:17
    #7 0x7f51e880ef3d in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) dom/base/Document.cpp:4807:26
    #8 0x7f51e9e20ebd in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) objdir-ff-ubsan/dom/bindings/DocumentBinding.cpp:3429:36
    #9 0x7f51ea2c9b11 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp:3151:13
    #10 0x7f51f0ecf922 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:452:13
    #11 0x7f51f0ecf922 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) js/src/vm/Interpreter.cpp:544:12
    #12 0x7f51f0ed095a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) js/src/vm/Interpreter.cpp:608:10
    #13 0x7f51f0eba583 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:3042:16
    #14 0x7f51f0e9dce5 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:424:10
    #15 0x7f51f0ecf7ad in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) js/src/vm/Interpreter.cpp:580:13
    #16 0x7f51f0ed095a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) js/src/vm/Interpreter.cpp:608:10
    #17 0x7f51f0ed0b4d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) js/src/vm/Interpreter.cpp:625:8
    #18 0x7f51f113f4eb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp:2753:10
    #19 0x7f51e9dfb607 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) objdir-ff-ubsan/dom/bindings/EventHandlerBinding.cpp:267:37
    #20 0x7f51ea9efccf in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) objdir-ff-ubsan/dist/include/mozilla/dom/EventHandlerBinding.h:364:12
    #21 0x7f51ea9d41cd in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) dom/events/JSEventHandler.cpp:201:12
    #22 0x7f51ea9adf24 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) dom/events/EventListenerManager.cpp:1071:22
    #23 0x7f51ea9af11d in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) dom/events/EventListenerManager.cpp:1263:17
    #24 0x7f51ea9e23b7 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) dom/events/EventDispatcher.cpp:356:17
    #25 0x7f51ea9a1c22 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) dom/events/EventDispatcher.cpp:558:16
    #26 0x7f51ea9a4868 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) dom/events/EventDispatcher.cpp:1056:11
    #27 0x7f51ecfdf691 in nsDocumentViewer::LoadComplete(nsresult) layout/base/nsDocumentViewer.cpp:1142:7
    #28 0x7f51f019bdcb in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) docshell/base/nsDocShell.cpp:6116:20
    #29 0x7f51f019b1e2 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) docshell/base/nsDocShell.cpp:5899:7
    #30 0x7f51f019d99f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) docshell/base/nsDocShell.cpp
    #31 0x7f51e7134e6d in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) uriloader/base/nsDocLoader.cpp:1347:3
    #32 0x7f51e71341b2 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) uriloader/base/nsDocLoader.cpp:906:14
    #33 0x7f51e7131757 in nsDocLoader::DocLoaderIsEmpty(bool) uriloader/base/nsDocLoader.cpp:726:9
    #34 0x7f51e713344d in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) uriloader/base/nsDocLoader.cpp:614:5
    #35 0x7f51e7133f9c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) uriloader/base/nsDocLoader.cpp
    #36 0x7f51e459f4a7 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) netwerk/base/nsLoadGroup.cpp:594:22
    #37 0x7f51e45a1766 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) netwerk/base/nsLoadGroup.cpp:501:10
    #38 0x7f51e88364dd in mozilla::dom::Document::DoUnblockOnload() dom/base/Document.cpp:10663:18
    #39 0x7f51e880a2d2 in mozilla::dom::Document::UnblockOnload(bool) dom/base/Document.cpp:10595:9
    #40 0x7f51e881ed7a in mozilla::dom::Document::DispatchContentLoadedEvents() dom/base/Document.cpp:7272:3
    #41 0x7f51e88fbcba in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() objdir-ff-ubsan/dist/include/nsThreadUtils.h:1217:13
    #42 0x7f51e42ea80c in mozilla::SchedulerGroup::Runnable::Run() xpcom/threads/SchedulerGroup.cpp:282:20
    #43 0x7f51e431cf44 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1241:14
    #44 0x7f51e4323a6e in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:486:10
    #45 0x7f51e572144e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:87:21
    #46 0x7f51e5563d14 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:290:3
    #47 0x7f51ecad261a in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:137:27
    #48 0x7f51f0bcb939 in XRE_RunAppShell() toolkit/xre/nsEmbedFunctions.cpp:946:20
    #49 0x7f51e5722a61 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:237:9
    #50 0x7f51e5563d14 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:290:3
    #51 0x7f51f0bcad87 in XRE_InitChildProcess(int, char**, XREChildData const*) toolkit/xre/nsEmbedFunctions.cpp:781:34
    #52 0x55e7d8bfd1c5 in content_process_main(mozilla::Bootstrap*, int, char**) browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #53 0x55e7d8bfd3ef in main browser/app/nsBrowserApp.cpp:303:18
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/iVUynKCPyKWUuTgfVUqtnQ/index.html

Also I'm not sure if this is a dupe of bug 1578916.

Perhaps whoever looks at bug 1578916 could take a look at this too.

Flags: needinfo?(m_kato)
Priority: -- → P3
Assignee: nobody → m_kato
Flags: needinfo?(m_kato)

I believe this is a regression. First buildids
20190925095053 bp-9ca50758-db67-40b4-82ff-731260191008
20191009103354 bp-ceeff784-9d64-4107-8333-f2acb0191027

Flags: needinfo?(m_kato)
Whiteboard: [tbird crash]

(In reply to Wayne Mery (:wsmwk) from comment #3)

I believe this is a regression. First buildids
20190925095053 bp-9ca50758-db67-40b4-82ff-731260191008
20191009103354 bp-ceeff784-9d64-4107-8333-f2acb019102

Thanks. I will handle this this week.

Tested in Windows 10 x64:

2020-04-08T15:49:07: INFO : Narrowed integration regression window from [df07b412, 21a5dd1e] (3 builds) to [f92faadb, 21a5dd1e] (2 builds) (~1 steps left)
2020-04-08T15:49:07: DEBUG : Starting merge handling...
2020-04-08T15:49:07: DEBUG : Using url: https://hg.mozilla.org/integration/autoland/json-pushes?changeset=21a5dd1e0ad3416b3fd98ed8abe46835c0aad935&full=1
2020-04-08T15:49:08: DEBUG : Found commit message:
Bug 1574852 - part 41: Move `HTMLEditRules::InsertBRIfNeeded(nsINode&)` to `HTMLEditor` r=m_kato
Differential Revision: https://phabricator.services.mozilla.com/D44178
2020-04-08T15:49:08: DEBUG : Did not find a branch, checking all integration branches
2020-04-08T15:49:08: INFO : The bisection is done.
2020-04-08T15:49:08: INFO : Stopped.

Thank you.

Has Regression Range: --- → yes
Has STR: --- → yes
Regressed by: 1574852

Must be same as bug 1578916. So, I'll just add the testcase into crashtests.

Assignee: m_kato → masayuki
Status: NEW → ASSIGNED
Depends on: 1627175
Flags: needinfo?(m_kato)
See Also: → 1578916

Oh, but this hits an assertion now.

[Child 29204, Main Thread] WARNING: '!aSelection.RangeCount()', file m:/src/editor/libeditor/EditorBase.cpp:3108
Assertion failure: aPointToInsert.IsSet(), at m:/src/editor/libeditor/HTMLEditSubActionHandler.cpp:2246
#01: mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteAroundCollapsedRanges (m:\src\editor\libeditor\HTMLEditorDeleteHandler.cpp:1752)
#02: mozilla::HTMLEditor::AutoDeleteRangesHandler::Run (m:\src\editor\libeditor\HTMLEditorDeleteHandler.cpp:1597)
#03: mozilla::HTMLEditor::HandleDeleteSelection (m:\src\editor\libeditor\HTMLEditorDeleteHandler.cpp:1086)
#04: mozilla::EditorBase::DeleteSelectionAsSubAction (m:\src\editor\libeditor\EditorBase.cpp:3773)
#05: mozilla::EditorBase::DeleteSelectionAsAction (m:\src\editor\libeditor\EditorBase.cpp:3736)
#06: mozilla::DeleteCommand::DoCommand (m:\src\editor\libeditor\EditorCommands.cpp:619)
#07: mozilla::dom::Document::ExecCommand (m:\src\dom\base\Document.cpp:5052)
#08: mozilla::dom::Document_Binding::execCommand (m:\fx64-dbg\dom\bindings\DocumentBinding

It's caused by a disappearing selection range.

InsertBRElementIfHardLineIsEmptyAndEndsWithBlockBoundary() checks whether
a line containing aPointToInsert requires an invisible <br> element.
Therefore, aPointToInsert must be set and valid. However, all selection
ranges may be removed by somebody when modifying the DOM tree before that.

Therefore, this patch makes all callers of it check whether they succeeded
in retrieving the caret position or not.
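The following is an added illustration of the failure pattern in the description above, not Gecko code and not the patch itself: a script listener runs while the editor mutates the DOM and clears every selection range, so the caret point fetched afterwards is unset and must be checked before it is dereferenced. All names here (Node, DomPoint, Editor, RunScenario) are assumptions modelled on the report.

```cpp
// Added illustration (not Gecko code): models the bug in the commit message.
// A listener may clear all selection ranges while the editor modifies the DOM,
// so a later caret lookup yields an unset point. Names are hypothetical.
#include <functional>
#include <string>
#include <vector>

struct Node { std::string text; };

// Stand-in for EditorDOMPoint: container node plus offset; IsSet() is false
// when there is no caret to describe (the condition the assertion checks).
struct DomPoint {
  Node* container = nullptr;
  size_t offset = 0;
  bool IsSet() const { return container != nullptr; }
};

enum class Result { Ok, NoCaret };

struct Editor {
  std::vector<DomPoint> ranges;              // collapsed selection ranges
  std::function<void(Editor&)> onMutation;   // page script reacting to edits

  // Deleting a character modifies the DOM; script runs here and may remove
  // every selection range (the "somebody" in the patch description).
  void DeleteTextBefore(const DomPoint& p) {
    if (p.offset > 0 && p.offset <= p.container->text.size())
      p.container->text.erase(p.offset - 1, 1);
    if (onMutation) onMutation(*this);
  }

  DomPoint CaretPoint() const { return ranges.empty() ? DomPoint{} : ranges.front(); }

  // The callee requires a valid point: it dereferences the container.
  bool HardLineIsEmpty(const DomPoint& p) const { return p.container->text.empty(); }

  // Fixed caller: re-fetch the caret after the mutation and bail out if gone.
  Result DeleteAndMaybeInsertBR(const DomPoint& start) {
    DeleteTextBefore(start);
    DomPoint caret = CaretPoint();
    if (!caret.IsSet()) return Result::NoCaret;   // the check the patch adds
    (void)HardLineIsEmpty(caret);                 // safe: caret is set
    return Result::Ok;
  }
};

// Drives one deletion; listenerClears models a script that empties the
// selection from inside the mutation callback. Constructed sample input.
Result RunScenario(bool listenerClears) {
  Node text{"a"};
  Editor ed;
  ed.ranges.push_back(DomPoint{&text, 1});
  if (listenerClears) ed.onMutation = [](Editor& e) { e.ranges.clear(); };
  return ed.DeleteAndMaybeInsertBR(ed.CaretPoint());
}
```

Without the IsSet() check, the listenerClears case would reach HardLineIsEmpty() with a null container, which is the null reference binding in the original report.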

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/45c91eee83ca
Make all callers of `HTMLEditor::InsertBRElementIfHardLineIsEmptyAndEndsWithBlockBoundary()` check whether there is a caret or not r=m_kato
Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
Flags: in-testsuite? → in-testsuite+