Last Comment Bug 385715 - ReadAV from formatblock with memory corruption evidence
: ReadAV from formatblock with memory corruption evidence
[sg:critical?] fixed by bug 382778
: assertion, fixed1.8.1.5, verified1.8.0.13
Product: Core
Classification: Components
Component: Editor (show other bugs)
: Trunk
: x86 Windows XP
-- critical (vote)
: ---
Assigned To: Peter Van der Beken [:peterv]
: Makoto Kato [:m_kato]
Depends on: 382778
  Show dependency treegraph
Reported: 2007-06-25 00:08 PDT by Paul Nickerson
Modified: 2007-12-01 14:15 PST (History)
6 users (show)
dbaron: blocking1.9+
dveditz: blocking1.8.1.5+
dveditz: wanted1.8.1.x+
dveditz: blocking1.8.0.13+
dveditz: wanted1.8.0.x+
jwalden+bmo: in‑testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

basic.css - needed by unreduced testcase (10.40 KB, text/css)
2007-06-25 00:20 PDT, Paul Nickerson
no flags Details
imported.css - needed by unreduced testcase (1.32 KB, text/css)
2007-06-25 00:20 PDT, Paul Nickerson
no flags Details

Description User image Paul Nickerson 2007-06-25 00:08:37 PDT
Created attachment 269636 [details]
reduced testcase

0079E2A7  mov         eax,dword ptr [ecx+0Ch] 
0079E2AA  test        eax,eax 
0079E2AC  mov         dword ptr [edx],eax 
0079E2AE  je          0079E2B6 
0079E2B0  mov         ecx,dword ptr [eax] 
0079E2B2  push        eax  
0079E2B3  call        dword ptr [ecx+4]    <---- crashes here

 	00000236()   <---- this seems to be random before reduction
>	firefox.exe!0079e2b6() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for firefox.exe]	

Sorry I couldn't provide more information. This doesn't seem crash on my Linux box, which is what I use for debugging Firefox.
Comment 1 User image Paul Nickerson 2007-06-25 00:19:55 PDT
Created attachment 269639 [details]
unreduced testcase

attached to show the unpredictability of the bug. notice how eip becomes essentially random.
Comment 2 User image Paul Nickerson 2007-06-25 00:20:35 PDT
Created attachment 269640 [details]
basic.css - needed by unreduced testcase
Comment 3 User image Paul Nickerson 2007-06-25 00:20:57 PDT
Created attachment 269642 [details]
imported.css - needed by unreduced testcase
Comment 4 User image Paul Nickerson 2007-06-25 00:21:21 PDT
Created attachment 269643 [details]
fuss.js - needed by unreduced testcase
Comment 5 User image Paul Nickerson 2007-06-25 00:21:48 PDT
Created attachment 269644 [details]
fuzzer-combined-dm.js - needed by unreduced testcase
Comment 6 User image Paul Nickerson 2007-06-25 00:25:23 PDT
Created attachment 269645 [details]
unreduced testcase

reattached as zip since bugzilla doesnt preserve attachment filenames
Comment 7 User image Jeff Walden [:Waldo] (remove +bmo to email) 2007-06-25 01:37:46 PDT
Note for the future: if you put all the files for a testcase in a zip and use only relative hyperlinks, as though the files weren't inside a zip but rather were inside a single directory, you can just upload the zip and point to a single URL within the zip, using a jar: URL (not cross-browser, but works in Moz-based stuff).  For example, using the zip you posted:


Here's most of a Mac stacktrace.  It's crashing on the NS_IF_RELEASE in nsEditor::InsertNode:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x5590c3d1

Thread 0 Crashed:
0   libgklayout.dylib        	0x1815c1ed nsEditor::InsertNode(nsIDOMNode*, nsIDOMNode*, int) + 247 (nsEditor.cpp:1435)
1   libgklayout.dylib        	0x18163c68 nsEditor::ReplaceContainer(nsIDOMNode*, nsCOMPtr<nsIDOMNode>*, nsAString_internal const&, nsAString_internal const*, nsAString_internal const*, int) + 1022 (nsEditor.cpp:1613)
2   libgklayout.dylib        	0x182e1e8a nsHTMLEditRules::ApplyBlockStyle(nsCOMArray<nsIDOMNode>&, nsAString_internal const*) + 640 (nsHTMLEditRules.cpp:6867)
3   libgklayout.dylib        	0x182e7a38 nsHTMLEditRules::WillMakeBasicBlock(nsISelection*, nsAString_internal const*, int*, int*) + 2600 (nsHTMLEditRules.cpp:3400)
4   libgklayout.dylib        	0x182f250a nsHTMLEditRules::WillDoAction(nsISelection*, nsRulesInfo*, int*, int*) + 932 (nsHTMLEditRules.cpp:619)
5   libgklayout.dylib        	0x182b676a nsHTMLEditor::InsertBasicBlock(nsAString_internal const&) + 334 (nsHTMLEditor.cpp:2711)
6   libgklayout.dylib        	0x182b6eb6 nsHTMLEditor::SetParagraphFormat(nsAString_internal const&) + 190 (nsHTMLEditor.cpp:2178)
7   libcomposer.dylib        	0x3d48baa9 nsParagraphStateCommand::SetState(nsIEditor*, nsString&) + 161 (nsComposerCommands.cpp:725)
8   libcomposer.dylib        	0x3d48a55c nsMultiStateCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) + 324 (nsComposerCommands.cpp:666)
9   libembedcomponents.dylib 	0x16cd9270 nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) + 222 (nsControllerCommandTable.cpp:208)
10  libembedcomponents.dylib 	0x16cd4774 nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) + 324 (nsBaseCommandController.cpp:185)
11  libembedcomponents.dylib 	0x16cd74e2 nsCommandManager::DoCommand(char const*, nsICommandParams*, nsIDOMWindow*) + 242 (nsCommandManager.cpp:270)
12  libgklayout.dylib        	0x18018c01 nsHTMLDocument::ExecCommand(nsAString_internal const&, int, nsAString_internal const&, int*) + 1293 (nsHTMLDocument.cpp:4129)
13  libxpcom_core.dylib      	0x0136c762 NS_InvokeByIndex_P + 98 (xptcinvoke_unixish_x86.cpp:179)
14  libxpconnect.dylib       	0x12a43d3c XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) + 4832 (xpcwrappednative.cpp:2229)
15  libxpconnect.dylib       	0x12a4b7d4 XPC_WN_CallMethod(JSContext*, JSObject*, unsigned, long*, long*) + 398 (xpcwrappednativejsops.cpp:1467)
16  libmozjs.dylib           	0x0105eb4b js_Invoke + 2768 (jsinterp.c:1306)
17  libmozjs.dylib           	0x0106ff81 js_Interpret + 64306 (jsinterp.c:3992)
18  libmozjs.dylib           	0x0105ebd6 js_Invoke + 2907 (jsinterp.c:1325)
19  libmozjs.dylib           	0x0105ef6c js_InternalInvoke + 309 (jsinterp.c:1400)
20  libmozjs.dylib           	0x0101e048 JS_CallFunctionValue + 60 (jsapi.c:4855)
21  libgklayout.dylib        	0x180e6bd6 nsJSContext::CallEventHandler(nsISupports*, void*, void*, nsIArray*, nsIVariant**) + 1228 (nsJSEnvironment.cpp:1825)
22  libgklayout.dylib        	0x1810a2fc nsGlobalWindow::RunTimeout(nsTimeout*) + 1778 (nsGlobalWindow.cpp:6857)
Comment 8 User image Jeff Walden [:Waldo] (remove +bmo to email) 2007-06-25 01:54:01 PDT
This triggers the following assertion twice:

###!!! ASSERTION: bad action nesting!: 'mActionNesting>0', file /Users/jwalden/moz/trunk/mozilla/editor/libeditor/html/nsHTMLEditRules.cpp, line 385

...followed by a few screenfuls of the following warning, and then the crash:

WARNING: NS_ENSURE_TRUE(newRoot) failed: file /Users/jwalden/moz/trunk/mozilla/content/base/src/nsRange.cpp, line 738
Comment 9 User image Olli Pettay [:smaug] (pto-ish for couple of days) 2007-06-25 02:02:08 PDT
Patch in bug 382778 should fix this one too.
Comment 10 User image Daniel Veditz [:dveditz] 2007-06-25 10:35:57 PDT
I don't crash on the branch with bug 382778, but the branch crashes on this one. In a debug build I appear to have gotten an uninitialized (0xcccccccc) address for txn in nsEditor::InsertNode

However, if bug 382778 is a potential fix I'll assign this to the same assignee (peterv)
Comment 11 User image Daniel Veditz [:dveditz] 2007-06-28 11:05:44 PDT
Putting on blocking list unless we learn this is not a branch problem
Comment 12 User image Daniel Veditz [:dveditz] 2007-07-09 15:56:13 PDT
Do we need a separate 1.8 branch patch for this one, or will back-porting bug 382778 do the trick?
Comment 13 User image Daniel Veditz [:dveditz] 2007-07-11 17:33:33 PDT
bug 382778 is fixed on trunk and landed on 1.8 branches
Comment 14 User image Al Billings [:abillings] 2007-08-21 17:43:23 PDT
Verification of this for is difficult. The reduced case cannot be accessed via Thunder Browse (the only vehicle is Thunderbird) and the unreduced case is huge and doesn't seem to do anything. Because the reduced test case was attached as an html file, it is nearly impossible to save it off and preserve it.
Comment 15 User image Carsten Book [:Tomcat] 2007-08-23 08:09:44 PDT
verified fixed using the testcase in this bug - no crash on Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: Gecko/20070822 Firefox/

Adding verified keyword

Note You need to log in before you can comment on or make changes to this bug.