stack-overflow in [@ mozilla::HTMLEditor::AutoDeleteRangesHandler::Run]
Categories: Core :: DOM: Editor, defect, P3
People: Reporter: tsmith, Assigned: masayuki
References: Blocks 1 open bug
Details: Keywords: crash, testcase
Attachments: 2 files
Description
The attached testcase is fairly reliable but may take a few tries.
==13119==ERROR: AddressSanitizer: stack-overflow on address 0x7fffbf5eaea8 (pc 0x5583df83ef8b bp 0x7fffbf5eb6f0 sp 0x7fffbf5eaeb0 T0)
#0 0x5583df83ef8b in __asan_memset /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3
#1 0x7f11cecc8e72 in RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:88:9
#2 0x7f11cecc8e72 in TopLevelEditSubActionData /gecko/editor/libeditor/EditorBase.h:778:5
#3 0x7f11cecc8e72 in mozilla::EditorBase::AutoEditActionDataSetter::AutoEditActionDataSetter(mozilla::EditorBase const&, mozilla::EditAction, nsIPrincipal*) /gecko/editor/libeditor/EditorBase.cpp:5116:39
#4 0x7f11cecf4897 in mozilla::HTMLEditor::GetActiveEditingHost() const /gecko/editor/libeditor/HTMLEditor.cpp:6005:28
#5 0x7f11ced4287d in mozilla::dom::HTMLBRElement* mozilla::WSRunScanner::GetPrecedingBRElementUnlessVisibleContentFound<mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > >(mozilla::HTMLEditor const&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&) /gecko/editor/libeditor/WSRunObject.h:437:51
#6 0x7f11ced2fcc0 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::AutoInclusiveAncestorBlockElementsJoiner::Prepare(mozilla::HTMLEditor const&) /gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:6817:9
#7 0x7f11ced31049 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteAtOtherBlockBoundary(mozilla::HTMLEditor&, short, short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::AutoRangeArray&) /gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:4694:47
#8 0x7f11ced2a48f in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, short, short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::AutoRangeArray&) /gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:2770:37
#9 0x7f11ced252f7 in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteAroundCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::WSRunScanner const&, mozilla::WSScanResult const&) /gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:3974:16
#10 0x7f11ced20b6b in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&) /gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:3764:33
#11 0x7f11ced316ef in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteAtOtherBlockBoundary(mozilla::HTMLEditor&, short, short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::AutoRangeArray&) /gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:4763:31
#12 0x7f11ced2a48f in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, short, short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::AutoRangeArray&) /gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:2770:37
#13 0x7f11ced252f7 in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteAroundCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::WSRunScanner const&, mozilla::WSScanResult const&) /gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:3974:16
#14 0x7f11ced20b6b in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&) /gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:3764:33
#15 0x7f11ced316ef in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteAtOtherBlockBoundary(mozilla::HTMLEditor&, short, short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::AutoRangeArray&) /gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:4763:31
#16 0x7f11ced2a48f in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, short, short, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::AutoRangeArray&) /gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:2770:37
#17 0x7f11ced252f7 in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteAroundCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&, mozilla::WSRunScanner const&, mozilla::WSScanResult const&) /gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:3974:16
#18 0x7f11ced20b6b in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoRangeArray&) /gecko/editor/libeditor/HTMLEditSubActionHandler.cpp:3764:33
...
Comment 1•4 years ago

Comment 2•4 years ago
I did not bisect, but could the patches of bug 1658536 be related here?
Assignee
Comment 3•4 years ago
It's also reproduced with 81.0 and ESR 78.3.0. The crash reports are:
- https://crash-stats.mozilla.org/report/index/a56e376c-1368-454d-9c24-5be400200924
- https://crash-stats.mozilla.org/report/index/d9fe8846-84f4-472f-a7b1-8751f0200924
So, this is not a new regression. As soon as possible, we should stop doing this kind of recursive handling; fortunately, the newer design makes that possible.
Assignee
Comment 4•4 years ago
HTMLEditor ignores input events when a text control element in an editing host has focus.
https://searchfox.org/mozilla-central/rev/d866b96d74ec2a63f09ee418f048d23f4fd379a2/editor/libeditor/HTMLEditor.cpp#6322
However, the focus event does not check this and modifies the ancestor limiter of Selection for the document. And even in this case, public methods for handling some edit actions are open to execCommand requests. Then, edit action handlers may set the selection outside the elements, but a new focus event to update the selection ancestor limiter will be handled later. Therefore, until the next focus event arrives, HTMLEditor does not work as expected since the Selection::*InLimiter() APIs refuse to change the selection.
Ideally, we should make nsFocusManager notify the editor of focus changes synchronously, but I cannot fix it quickly because it needs to touch a security sensitive area. Therefore, this patch makes HTMLEditor not set the ancestor limiter when a text control in any editing host gets focus.
Additionally, this patch makes HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteAtOtherBlockBoundary stop handling leaf node deletion if it cannot change the caret position.
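The mutual recursion in the ASan trace (Run → HandleDeleteAroundCollapsedRanges → AutoBlockElementsJoiner::Run → HandleDeleteAtOtherBlockBoundary → Run …) only terminates if each pass changes the caret position; when the stale ancestor limiter makes Selection refuse the move, the handler re-runs on identical state until the stack is gone. The model below is a constructed illustration added here, not Gecko code and not the patch from this bug: a flat list of nodes stands in for the DOM, a `blockBoundary` flag for a block element the handler must step over, and `limiterRefuses` for the Selection::*InLimiter() rejection described in comment 4. `kMaxDepth`, `Doc`, `TryMoveCaretBackward` and the two `DeleteBackward*` variants are all invented for the demonstration; the depth cap only exists so the unchecked variant can be exercised without actually exhausting the stack.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Constructed model, not Gecko code: a backward-delete handler that, on a
// block boundary, moves the caret past it and re-runs itself.  The caret is
// the number of nodes before it, so nodes[caret - 1] is the node to delete.

enum class Result { Deleted, NoProgress, RecursionLimit };

struct Node {
  bool blockBoundary;  // true: cannot be deleted directly; caret must move past it
};

struct Doc {
  std::vector<Node> nodes;
  std::size_t caret;    // number of nodes before the caret
  bool limiterRefuses;  // models Selection::*InLimiter() rejecting the move
};

// Try to move the caret one node backward.  With a stale selection limiter
// (the situation comment 4 describes) the move is silently rejected and the
// caret stays where it is.
static std::size_t TryMoveCaretBackward(const Doc& doc) {
  if (doc.limiterRefuses || doc.caret == 0) {
    return doc.caret;
  }
  return doc.caret - 1;
}

// Stand-in for stack exhaustion so the unchecked variant can be run safely.
static const int kMaxDepth = 2000;

static void EraseBeforeCaret(Doc& doc) {
  doc.nodes.erase(doc.nodes.begin() + static_cast<std::ptrdiff_t>(doc.caret - 1));
  --doc.caret;
}

// Unchecked shape: on a block boundary, move the caret and recurse without
// confirming that the caret actually moved.  A stuck caret recurses forever.
static Result DeleteBackwardUnchecked(Doc& doc, int depth = 0) {
  if (depth >= kMaxDepth) return Result::RecursionLimit;
  if (doc.caret == 0) return Result::NoProgress;
  if (doc.nodes[doc.caret - 1].blockBoundary) {
    doc.caret = TryMoveCaretBackward(doc);
    return DeleteBackwardUnchecked(doc, depth + 1);  // identical state if refused
  }
  EraseBeforeCaret(doc);
  return Result::Deleted;
}

// Checked shape, following the principle in the commit message: give up when
// the caret position could not be changed instead of re-running on the same state.
static Result DeleteBackwardChecked(Doc& doc, int depth = 0) {
  if (depth >= kMaxDepth) return Result::RecursionLimit;
  if (doc.caret == 0) return Result::NoProgress;
  if (doc.nodes[doc.caret - 1].blockBoundary) {
    const std::size_t before = doc.caret;
    doc.caret = TryMoveCaretBackward(doc);
    if (doc.caret == before) return Result::NoProgress;  // the guard
    return DeleteBackwardChecked(doc, depth + 1);
  }
  EraseBeforeCaret(doc);
  return Result::Deleted;
}

// Constructed sample document: text, block boundary, text; caret after the boundary.
static Doc SampleDoc(bool limiterRefuses) {
  return Doc{{{false}, {true}, {false}}, 2, limiterRefuses};
}

int main() {
  Doc stuck = SampleDoc(true);
  std::printf("unchecked, stuck caret: %s\n",
              DeleteBackwardUnchecked(stuck) == Result::RecursionLimit ? "hit depth limit" : "returned");
  Doc guarded = SampleDoc(true);
  std::printf("checked, stuck caret:   %s\n",
              DeleteBackwardChecked(guarded) == Result::NoProgress ? "bailed out" : "returned");
  return 0;
}
```

The guard is the whole fix in this model: comparing the caret before and after the attempted move is what turns an unbounded re-entry into a single early return, which is the behaviour the commit message attributes to HandleDeleteAtOtherBlockBoundary after the patch.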
Comment 6•4 years ago
bugherder
Comment 7•4 years ago
The patch landed in nightly and beta is affected.
:masayuki, is this bug important enough to require an uplift?
If not, please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Assignee
Comment 8•4 years ago
I think that this is a long-standing bug, so riding on the train must be enough.