macOS Crash in [@ nsTextFragment::CharAt]
Categories
(Core :: DOM: Editor, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox107 | --- | unaffected |
| firefox108 | --- | wontfix |
| firefox109 | --- | fixed |
| firefox110 | --- | fixed |
People
(Reporter: aryx, Assigned: jjaschke)
References
(Regression)
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
13 crashes on macOS since development of Firefox v108 began, all with Nightly or Developer Edition but no reports for Beta. The have been a few crashes with this signature for earlier versions on Windows.
Crash report: https://crash-stats.mozilla.org/report/index/bf2dab70-6fa0-4e0f-8730-20fe60221130
Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Top 10 frames of crashing thread:
0 XUL nsTextFragment::CharAt const dom/base/nsTextFragment.h:221
0 XUL mozilla::EditorDOMPointBase<nsINode*, nsIContent*>::Char const editor/libeditor/EditorDOMPoint.h:390
0 XUL mozilla::EditorDOMPointBase<nsINode*, nsIContent*>::IsCharASCIISpaceOrNBSP const editor/libeditor/EditorDOMPoint.h:397
1 XUL mozilla::DeleteRangeTransaction::MaybeExtendDeletingRangeWithSurroundingWhitespace const editor/libeditor/DeleteRangeTransaction.cpp:75
1 XUL mozilla::DeleteRangeTransaction::DoTransaction editor/libeditor/DeleteRangeTransaction.cpp:124
2 XUL mozilla::EditAggregateTransaction::DoTransaction editor/libeditor/EditAggregateTransaction.cpp:38
3 XUL mozilla::TransactionItem::DoTransaction editor/txmgr/TransactionItem.cpp:83
3 XUL mozilla::TransactionManager::BeginTransaction editor/txmgr/TransactionManager.cpp:422
4 XUL mozilla::TransactionManager::DoTransaction editor/txmgr/TransactionManager.cpp:74
5 XUL mozilla::EditorBase::DoTransactionInternal editor/libeditor/EditorBase.cpp:908
Jan, could you take a look? This is a regression of bug 1783641.
|
Assignee | |
Comment 2•1 year ago
|
||
Yep, that would be me. On it!
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 3•1 year ago
|
||
|
||
Updated•1 year ago
|
|
|
||
Comment 4•1 year ago
|
||
Set release status flags based on info from the regressing bug 1783641
|
||
Updated•1 year ago
|
Pushed by jjaschke@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/59b89f27d204 Simplified check if a range to delete is start/end of a text node. r=masayuki
|
||
Comment 6•1 year ago
|
||
| bugherder | ||
|
|
||
Comment 7•1 year ago
|
||
The patch landed in nightly and beta is affected.
:jjaschke, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox109towontfix.
For more information, please visit auto_nag documentation.
Comment on attachment 9307590 [details]
Bug 1803336: Simplified check if a range to delete is start/end of a text node. r=masayuki
Beta/Release Uplift Approval Request
- User impact if declined: This is a crash bug while user edits something in
contenteditable. - Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: none
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Unfortunately, we've not found how to reproduce this crash though. The patch makes the code check the boundary (
!IsEndOfContainer()for end boundary,!IsStartOfContainer()for start boundary to access there or previous character in a text node). - String changes made/needed: none
- Is Android affected?: No
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Comment 9•1 year ago
|
||
Comment on attachment 9307590 [details]
Bug 1803336: Simplified check if a range to delete is start/end of a text node. r=masayuki
Approved for 109.0b4.
|
|
||
Comment 10•1 year ago
|
||
| bugherder uplift | ||
Description
•