Closed
Bug 1663725
Opened 4 years ago
Closed 4 years ago
crash near null in [@ mozilla::AutoRangeArray::ShrinkRangesIfStartFromOrEndAfterAtomicContent]
Categories
(Core :: DOM: Editor, defect, P3)
Core
DOM: Editor
Tracking
()
RESOLVED
FIXED
84 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | unaffected |
| firefox80 | --- | unaffected |
| firefox81 | --- | unaffected |
| firefox82 | --- | wontfix |
| firefox83 | --- | wontfix |
| firefox84 | --- | fixed |
People
(Reporter: tsmith, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:confirmed])
Attachments
(2 files)
==8862==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x7f5214830fff bp 0x7fff6d5498f0 sp 0x7fff6d5498e0 T0)
==8862==The signal is caused by a READ memory access.
==8862==Hint: address points to the zero page.
#0 0x7f5214830fff in get /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:852:48
#1 0x7f5214830fff in operator nsIContent * /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:860:33
#2 0x7f5214830fff in GetNextSibling /gecko/dom/base/nsINode.h:1529:47
#3 0x7f5214830fff in mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >::GetNextSiblingOfChildAtOffset() const /builds/worker/workspace/obj-build/dist/include/mozilla/RangeBoundary.h:127:9
#4 0x7f5214830ddc in mozilla::AutoRangeArray::ShrinkRangesIfStartFromOrEndAfterAtomicContent(mozilla::HTMLEditor const&, short, mozilla::AutoRangeArray::IfSelectingOnlyOneAtomicContent, mozilla::dom::Element const*) /gecko/editor/libeditor/EditorUtils.cpp:308:39
#5 0x7f5214876a42 in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&) /gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:3403:25
#6 0x7f5214874a31 in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:3105:43
#7 0x7f5214816616 in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /gecko/editor/libeditor/EditorBase.cpp:3768:7
#8 0x7f52147ffcec in mozilla::EditorBase::DeleteSelectionAsAction(short, short, nsIPrincipal*) /gecko/editor/libeditor/EditorBase.cpp:3737:8
#9 0x7f52100f58ac in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /gecko/dom/base/Document.cpp:4912:26
#10 0x7f52119e12cb in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3470:36
#11 0x7f5211ec01f8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3227:13
#12 0x7f5218594278 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:507:13
#13 0x7f5218594278 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:599:12
#14 0x7f521859659b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
#15 0x7f521857d311 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:668:10
#16 0x7f521857d311 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3336:16
#17 0x7f521855dee0 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:468:13
#18 0x7f5218594409 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:636:13
#19 0x7f521859659b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
#20 0x7f5218596920 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:681:8
#21 0x7f5218725c12 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2831:10
#22 0x7f5211c170a7 in mozilla::dom::BlobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Blob*, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/HTMLCanvasElementBinding.cpp:92:8
#23 0x7f521209c7d2 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/HTMLCanvasElementBinding.h:180:12
#24 0x7f521209c7d2 in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::BlobCallback&, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, bool, mozilla::ErrorResult&)::EncodeCallback::ReceiveBlobImpl(already_AddRefed<mozilla::dom::BlobImpl>) /gecko/dom/canvas/CanvasRenderingContextHelper.cpp:51:17
#25 0x7f521023254c in mozilla::dom::EncodingCompleteEvent::Run() /gecko/dom/base/ImageEncoder.cpp:106:22
#26 0x7f520c6dceb9 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:242:16
#27 0x7f520c6d93c7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:512:26
#28 0x7f520c6d7267 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:371:15
#29 0x7f520c6d76bd in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:168:36
#30 0x7f520c6e8cc1 in operator() /gecko/xpcom/threads/TaskController.cpp:83:37
#31 0x7f520c6e8cc1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#32 0x7f520c70cd14 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1234:14
#33 0x7f520c71749c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#34 0x7f520d9eaa0f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
#35 0x7f520d8ef401 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
#36 0x7f520d8ef401 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
#37 0x7f520d8ef401 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
#38 0x7f5214659727 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#39 0x7f521832936f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#40 0x7f520d8ef401 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
#41 0x7f520d8ef401 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
#42 0x7f520d8ef401 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
#43 0x7f521832890c in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#44 0x55fab41248dd in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#45 0x55fab4124d17 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
#46 0x7f5228c160b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
#47 0x55fab4078279 in _start (/home/worker/builds/m-c-20200908095243-fuzzing-asan-opt/firefox+0x5c279)
Flags: in-testsuite?
|
Reporter | |
Comment 1•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/5PFKc2D3ghatMOGwoaWOxA/index.html
|
||
Comment 2•4 years ago
|
||
Bugmon Analysis:
Unable to reproduce bug using the following builds:
> mozilla-central 20200908215255-dc90a7a18c07
> mozilla-central 20200908030802-80ac8d8c74d5
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
Assignee | |
Comment 3•4 years ago
|
||
The crash is dup of bug 1663601. But this bug has a tricky testcase. So, I'll be back here after fixing bug 1663601.
|
||
Updated•4 years ago
|
Keywords: regression
|
||
Updated•4 years ago
|
status-firefox80:
--- → unaffected
status-firefox-esr68:
--- → unaffected
status-firefox-esr78:
--- → unaffected
|
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 4•4 years ago
|
||
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/2876425c75f7
Add reported test as a crashtest (the crash bug itself was fixed by bug 1663601) r=m_kato
|
||
Comment 6•4 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox84:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
|
|
||
Comment 7•4 years ago
|
||
Since the status are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.
status-firefox83:
--- → ?
|
||
Updated•4 years ago
|
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•