Closed Bug 1879441 Opened 1 year ago Closed 1 year ago

Crash in [@ nsTArray_base<T>::Length | mozilla::dom::Selection::StyledRanges::Length]

Categories

(Core :: DOM: Selection, defect)

x86
Windows 10
defect

Tracking

RESOLVED FIXED
125 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox123 --- unaffected
firefox124 --- fixed
firefox125 --- fixed

People

(Reporter: mccr8, Assigned: jjaschke)

Details

(Keywords: crash)

Crash Data

Attachments

(2 files)

Crash report: https://crash-stats.mozilla.org/report/index/50404a86-f211-495d-868b-7e51e0240128

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::Length const  xpcom/ds/nsTArray.h:409
0  xul.dll  mozilla::dom::Selection::StyledRanges::Length const  dom/base/Selection.cpp:2062
0  xul.dll  mozilla::dom::Selection::RangeCount const  dom/base/Selection.h:372
0  xul.dll  nsINode::IsSelected const  dom/base/nsINode.cpp:374
1  xul.dll  nsTextFrame::IsFrameSelected const  layout/generic/nsTextFrame.cpp:7447
2  xul.dll  nsIFrame::IsSelected const  xpcom/ds/nsMathUtils.h:68
2  xul.dll  nsTextFrame::UnionAdditionalOverflow  layout/generic/nsTextFrame.cpp:5384
2  xul.dll  nsTextFrame::ReflowText  layout/generic/nsTextFrame.cpp:9775
3  xul.dll  nsLineLayout::ReflowFrame  layout/generic/nsLineLayout.cpp:894
4  xul.dll  nsInlineFrame::ReflowInlineFrame  layout/generic/nsInlineFrame.cpp:667

It looks like there's a possible regression on this signature in 124, as null derefs started showing up. I'm not sure if that's a problem in the DOM selection code or something higher up.

jjaschke, can you guess a regressor?

Flags: needinfo?(jjaschke)

Selections are stored here as WeakPtr to save refcount overhead, which means that a selection can be null.

Assignee: nobody → jjaschke
Status: NEW → ASSIGNED

It looks like this crash is caused by nsINode::IsSelected() not checking the ancestorSelections (which are stored as WeakPtr) for being null. Accessing a null Selection would lead to this crash signature.

Flags: needinfo?(jjaschke)
Severity: -- → S3
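The failure mode described above, as an added C++ example that is not code from the bug or from the Gecko tree: a node keeps a list of non-owning handles to the Selections covering its ancestors, one of those Selections is destroyed, and a lookup that assumes every handle is live reads through null. WeakSelection here is a small analogue of mozilla::WeakPtr written for this example (a handle that reads as null once its target is gone), and the Selection, Node, IsSelected and PruneDeadSelections names and shapes are assumptions, not the real nsINode or Selection API; the real patch's exact check is not reproduced.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

struct Selection;

// Minimal stand-in for mozilla::WeakPtr<Selection>: a non-owning handle that
// reads as null once its target has been destroyed. Written for this example
// (assumption); it is not Mozilla's WeakPtr.
struct WeakSelection {
    std::shared_ptr<Selection*> mSlot;  // shared cell, cleared by ~Selection
    Selection* get() const { return mSlot ? *mSlot : nullptr; }
    explicit operator bool() const { return get() != nullptr; }
    Selection* operator->() const { return get(); }
};

// Stand-in for mozilla::dom::Selection with only the part on the crash path:
// RangeCount() is the size of the range array (StyledRanges::Length()).
struct Selection {
    std::vector<uint32_t> mRanges;  // range ids; constructed inline for the demo
    std::shared_ptr<Selection*> mSelf = std::make_shared<Selection*>(this);

    Selection() = default;
    Selection(const Selection&) = delete;
    Selection& operator=(const Selection&) = delete;
    ~Selection() { *mSelf = nullptr; }  // every WeakSelection now reads null

    WeakSelection AsWeak() const { return WeakSelection{mSelf}; }
    uint32_t RangeCount() const { return static_cast<uint32_t>(mRanges.size()); }
};

// Stand-in for the per-node list of Selections whose ranges cover an ancestor
// of this node, held weakly to avoid refcount traffic as the bug describes.
struct Node {
    std::vector<WeakSelection> mAncestorSelections;
};

// The crashing pattern: every entry is assumed live, so a handle that has gone
// null is dereferenced (RangeCount() through nullptr). Kept only to document
// the defect; this example never calls it with a dead entry present.
bool IsSelectedUnchecked(const Node& node) {
    for (const WeakSelection& selection : node.mAncestorSelections) {
        if (selection->RangeCount() > 0) {  // null read if the Selection died
            return true;
        }
    }
    return false;
}

// The fixed pattern: a handle that has gone null is skipped, not dereferenced.
bool IsSelected(const Node& node) {
    for (const WeakSelection& selection : node.mAncestorSelections) {
        if (!selection) {
            continue;  // the null check the patch adds
        }
        if (selection->RangeCount() > 0) {
            return true;
        }
    }
    return false;
}

// Housekeeping a practitioner would add alongside the check: drop handles
// whose Selection is gone so the list does not accumulate dead entries.
// Returns how many entries were removed.
size_t PruneDeadSelections(Node& node) {
    auto& list = node.mAncestorSelections;
    size_t before = list.size();
    list.erase(std::remove_if(list.begin(), list.end(),
                              [](const WeakSelection& s) { return !s; }),
               list.end());
    return before - list.size();
}

// Walkthrough of the reported crash: the node is selected, then its Selection
// is destroyed while the node still holds the weak handle.
struct DemoResult {
    bool liveSelected;  // IsSelected() while the Selection exists
    bool deadSelected;  // IsSelected() after it was destroyed
    size_t pruned;      // dead handles removed afterwards
};

DemoResult RunScenario() {
    Node node;
    DemoResult r{};
    {
        Selection sel;
        sel.mRanges = {1};  // one styled range (constructed sample input)
        node.mAncestorSelections.push_back(sel.AsWeak());
        r.liveSelected = IsSelected(node);
    }  // ~Selection clears the shared slot; the node's handle now reads null
    r.deadSelected = IsSelected(node);  // returns false instead of crashing
    r.pruned = PruneDeadSelections(node);
    return r;
}
```

The point of the scenario is the second IsSelected() call: with the unchecked loop it would be exactly the EXCEPTION_ACCESS_VIOLATION_READ in the report (Length() read through a null object), and with the null check it simply reports "not selected". Pruning dead handles is an extra step this example adds for illustration; it is not part of the bug's patch.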
Pushed by jjaschke@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b2e3ebe0ebad
Added null check for selections in nsINode::IsSelected(). r=smaug

Selections are stored here as WeakPtr to save refcount overhead, which means that a selection can be null.

Original Revision: https://phabricator.services.mozilla.com/D202143

Attachment #9380823 - Flags: approval-mozilla-beta?

Uplift Approval Request

  • Explanation of risk level: This is just a nullptr check.
  • Risk associated with taking this patch: None.
  • User impact if declined: Occasional (few) crashes
  • String changes made/needed: -
  • Steps to reproduce for manual QE testing: -
  • Fix verified in Nightly: no
  • Is Android affected?: yes
  • Needs manual QE test: no
  • Code covered by automated testing: no
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch
Attachment #9380823 - Flags: approval-mozilla-beta? → approval-mozilla-beta+