Closed Bug 1900506 Opened 8 months ago Closed 6 months ago

Crash in [@ mozilla::dom::CrossShadowBoundaryRange::ContentRemoved]

Categories

(Core :: DOM: Selection, defect)

Other
All
defect

Tracking

RESOLVED DUPLICATE of bug 1908306
Tracking Status
firefox-esr115 --- unaffected
firefox126 --- unaffected
firefox127 --- unaffected
firefox128 --- disabled
firefox129 --- disabled

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/d4ce9c01-178e-4707-af7d-8d6600240601

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(mOwner)

Top 10 frames of crashing thread:

0  xul.dll  mozilla::dom::CrossShadowBoundaryRange::ContentRemoved  dom/base/CrossShadowBoundaryRange.cpp:145
1  xul.dll  mozilla::dom::MutationObservers::NotifyContentRemoved::<lambda_8>::operator const  dom/base/MutationObservers.cpp:188
1  xul.dll  ForEachAncestorObserver  dom/base/MutationObservers.cpp:60
1  xul.dll  Notify  dom/base/MutationObservers.cpp:94
1  xul.dll  mozilla::dom::MutationObservers::NotifyContentRemoved  dom/base/MutationObservers.cpp:187
1  xul.dll  nsINode::RemoveChildNode  dom/base/nsINode.cpp:2299
2  xul.dll  nsContentUtils::SetNodeTextContent  dom/base/nsContentUtils.cpp:5891
3  xul.dll  mozilla::dom::HTMLTextAreaElement::SetDefaultValue  dom/html/HTMLTextAreaElement.cpp:331
4  xul.dll  mozilla::dom::HTMLTextAreaElement_Binding::set_defaultValue  dom/bindings/HTMLTextAreaElementBinding.cpp:1107
5  xul.dll  js::jit::CallDOMSetter  js/src/jit/VMFunctions.cpp:1610

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2024-06-01
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 1 out of 2 crashes happened on null or near null memory address

By analyzing the backtrace, the regression may have been introduced by a patch [1] to fix Bug 1890899.

[1] https://hg.mozilla.org/mozilla-central/rev?node=9efed96f1bf9

:sefeng, since you are the author of the potential regressor, could you please take a look?

Flags: needinfo?(sefeng)

Note: this is a MOZ_DIAGNOSTIC_ASSERT, but that diagnostic is a null-check for a pointer that we then go on to potentially dereference, so it'll potentially result in a null-deref in release builds.

Thanks Daniel, though CrossShadowBoundaryRange only exists in Nightly builds, it's behind the dom.shadowdom.selection_across_boundary.enabled pref.

I expect the patch I landed in bug 1908306 also fixes this, so I am closing this bug to indicate that.

Please re-open and let me know if this occurs again.

Status: NEW → RESOLVED
Closed: 6 months ago
Duplicate of bug: 1908306
Flags: needinfo?(sefeng)
Resolution: --- → DUPLICATE
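
The failure mode raised in the comment about MOZ_DIAGNOSTIC_ASSERT, shown as an added example that is not Firefox source or code from this bug: an assertion that is compiled out of release builds is the only null check before a pointer is used. ToyOwner, ToyRange, Reset, DIAG_ASSERT and DIAGNOSTIC_BUILD are hypothetical names; only the member name mOwner comes from the crash reason above.

```cpp
#include <cstdio>
#include <cstdlib>

// Hypothetical diagnostic-only assertion: aborts when DIAGNOSTIC_BUILD is
// defined, expands to nothing otherwise (as in a release configuration).
#ifdef DIAGNOSTIC_BUILD
#define DIAG_ASSERT(cond) \
  do { if (!(cond)) { std::fputs("assert: " #cond "\n", stderr); std::abort(); } } while (0)
#else
#define DIAG_ASSERT(cond) do { (void)sizeof(cond); } while (0)
#endif

// Hypothetical owner object that a range reports removals to.
struct ToyOwner {
  int notifications = 0;
  void RangeContentRemoved() { ++notifications; }
};

class ToyRange {
 public:
  explicit ToyRange(ToyOwner* aOwner) : mOwner(aOwner) {}
  // Assumption: the owner can be detached while the range still gets notified.
  void Reset() { mOwner = nullptr; }

  // Assert-only form: without DIAGNOSTIC_BUILD nothing stops a null mOwner
  // from reaching the member call below.
  void ContentRemovedAssertOnly() {
    DIAG_ASSERT(mOwner);
    mOwner->RangeContentRemoved();
  }

  // Guarded form: the assertion still flags the broken invariant in
  // diagnostic builds, and the runtime check covers every other build.
  bool ContentRemovedGuarded() {
    DIAG_ASSERT(mOwner);
    if (!mOwner) return false;
    mOwner->RangeContentRemoved();
    return true;
  }

 private:
  ToyOwner* mOwner;
};

int main() {
  ToyOwner owner;
  ToyRange range(&owner);
  range.ContentRemovedAssertOnly();  // safe only while mOwner is set
  range.Reset();
  std::printf("handled after reset: %d\n", range.ContentRemovedGuarded());
  return 0;
}
```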