NULL pointer crash [@ nsTypedSelection::RemoveRange(nsIRange*) ] when detaching and removing a range from a selection

RESOLVED FIXED in mozilla2.0b7

Core
Selection
P1
critical
RESOLVED FIXED

People

(Reporter: SkyLined, Assigned: bz)

Tracking

Trunk
mozilla2.0b7
x86
Windows 7
crash, testcase
Bug Flags:
in-testsuite +

Attachments

(2 attachments)

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.55 Safari/534.3
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b5) Gecko/20100101 Firefox/4.0b5

Repro:
<script>
  oSelection = window.getSelection();
  oRange = document.createRange();
  oSelection.addRange(oRange);
  oRange.detach();
  oSelection.removeRange(oRange);
</script>
The code above both detaches a range from the selection and removes it, which causes a NULL ptr crash. The code is probably missing a check somewhere.

Reproducible: Always

Steps to Reproduce:
1. Load the repro in Firefox 3/4
2. Crash FTW!
Actual Results:  
NULL pointer crash 

Expected Results:  
Nothing or JavaScript error thrown

Appears to work in Firefox 3.6 and 4.0. I will upload a crash report for both.
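Added example, not part of the bug report and not Gecko code: a guard around Selection.removeRange() for page scripts that manipulate selections, so the engine is never handed a range it no longer tracks. The repro above detaches a range and then asks the selection to remove it; the guard below refuses the call when the range is detached (pre-spec engines made every accessor on a detached range throw INVALID_STATE_ERR; the living DOM spec makes detach() a no-op) or when the range is not among the selection's current ranges. FakeRange and FakeSelection are constructed stand-ins that model only the API surface the guard touches, so the block runs outside a browser; in a page you would pass window.getSelection() and a real Range instead.

```javascript
// Guard for Selection.removeRange(): returns a string describing what happened
// instead of letting an untracked range reach the engine.

function isDetachedRange(range) {
  // Pre-spec Gecko/WebKit: reading any property of a detached range throws
  // a DOMException; with a spec-conformant (no-op) detach() this is always false.
  try {
    void range.startContainer;
    return false;
  } catch (e) {
    return true;
  }
}

function selectionHoldsRange(selection, range) {
  // Membership test by identity over the selection's live range list.
  for (let i = 0; i < selection.rangeCount; i++) {
    if (selection.getRangeAt(i) === range) return true;
  }
  return false;
}

function safeRemoveRange(selection, range) {
  if (isDetachedRange(range)) return "detached";
  if (!selectionHoldsRange(selection, range)) return "not-in-selection";
  selection.removeRange(range);
  return "removed";
}

// Constructed stand-ins (assumptions, not browser objects) with the old
// detach() semantics: accessors throw once the range has been detached.
class FakeRange {
  constructor() { this._detached = false; this._start = {}; }
  get startContainer() {
    if (this._detached) throw new Error("InvalidStateError");
    return this._start;
  }
  detach() { this._detached = true; }
}

class FakeSelection {
  constructor() { this._ranges = []; }
  get rangeCount() { return this._ranges.length; }
  getRangeAt(i) {
    if (i < 0 || i >= this._ranges.length) throw new Error("IndexSizeError");
    return this._ranges[i];
  }
  addRange(r) { this._ranges.push(r); }
  // Where the engine dereferenced NULL, the stand-in throws, so that calling
  // it with an untracked range is visible rather than silent.
  removeRange(r) {
    const i = this._ranges.indexOf(r);
    if (i === -1) throw new Error("NotFoundError");
    this._ranges.splice(i, 1);
  }
}

// Replays the bug's sequence (add, detach, remove) through the guard and
// reports the outcome of each step.
function replayRepro() {
  const sel = new FakeSelection();
  const range = new FakeRange();
  sel.addRange(range);
  const notAdded = safeRemoveRange(sel, new FakeRange()); // never added
  range.detach();
  const afterDetach = safeRemoveRange(sel, range);        // the bug's step
  return { notAdded, afterDetach, rangeCount: sel.rangeCount };
}
```

With the guard in place the detached range stays in the selection untouched and the caller gets "detached" back; the unguarded sequence is exactly the one that reaches nsTypedSelection::RemoveRange in the crash reports below.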
(Reporter)

Comment 1

7 years ago
Created attachment 473590 [details]
Repro
(Reporter)

Comment 2

7 years ago
Crash report uploaded. I put the URL of this bug in the details field (https://bugzilla.mozilla.org/show_bug.cgi?id=594808).
On Trunk:
Signature	nsTypedSelection::RemoveRange(nsIRange*)
UUID	632280c2-21c3-4e82-b6d9-d7ef72100909
Time 	2010-09-09 13:46:43.294648
Uptime	310
Last Crash	15371 seconds (4.3 hours) before submission
Install Age	13868 seconds (3.9 hours) since version was first installed.
Product	Firefox
Version	4.0b6pre
Build ID	20100909041137
Branch	2.0
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 15 model 2 stepping 9
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x0
User Comments	Bug 594808
App Notes 	AdapterVendorID: 1002, AdapterDeviceID: 7280
Processor Notes 	
EMCheckCompatibility	False

Frame  	Module  	Signature  	Source
0 	xul.dll 	nsTypedSelection::RemoveRange(nsIRange*) 	layout/generic/nsSelection.cpp:4808
1 	xul.dll 	nsTypedSelection::RemoveRange(nsIDOMRange*) 	layout/generic/nsSelection.cpp:4791
2 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
3 	xul.dll 	js::InvokeCommon<int (__cdecl*)(JSContext*,JSObject*,unsigned int,js::Value*,js::Value*)> 	js/src/jsinterp.cpp:566
4 	xul.dll 	js::Invoke(JSContext*,js::CallArgs const&,unsigned int) 	js/src/jsinterp.cpp:696
5 	xul.dll 	js::Interpret(JSContext*) 	js/src/jsinterp.cpp:4707
6 	xul.dll 	js::Execute(JSContext*,JSObject*,JSScript*,JSStackFrame*,unsigned int,js::Value*) 	js/src/jsinterp.cpp:881
7 	xul.dll 	JS_EvaluateUCScriptForPrincipals 	js/src/jsapi.cpp:4801
8 	xul.dll 	nsJSContext::EvaluateString(nsAString_internal const&,void*,nsIPrincipal*,char const*,unsigned int,unsigned int,nsAString_internal*,int*) 	dom/base/nsJSEnvironment.cpp:1737
9 	xul.dll 	nsScriptLoader::EvaluateScript(nsScriptLoadRequest*,nsString const&) 	content/base/src/nsScriptLoader.cpp:767
10 	xul.dll 	nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) 	content/base/src/nsScriptLoader.cpp:677
11 	xul.dll 	nsScriptLoader::ProcessScriptElement(nsIScriptElement*) 	content/base/src/nsScriptLoader.cpp:617
12 	xul.dll 	nsScriptElement::MaybeProcessScript() 	content/base/src/nsScriptElement.cpp:197
13 	xul.dll 	nsHTMLScriptElement::MaybeProcessScript() 	content/html/content/src/nsHTMLScriptElement.cpp:551
14 	xul.dll 	nsHTMLScriptElement::DoneAddingChildren(int) 	content/html/content/src/nsHTMLScriptElement.cpp:479
15 	xul.dll 	nsHtml5TreeOpExecutor::RunScript(nsIContent*) 	parser/html/nsHtml5TreeOpExecutor.cpp:730

On 1.9.2 Branch:
Signature	nsTypedSelection::RemoveRange(nsIRange*)
UUID	f2072bc6-3d9e-484c-96a9-3ce052100909
Time 	2010-09-09 13:50:06.614378
Uptime	15
Last Crash	204 seconds (3.4 minutes) before submission
Install Age	1208073 seconds (2.0 weeks) since version was first installed.
Product	Firefox
Version	3.6.9
Build ID	20100824153629
Branch	1.9
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 15 model 2 stepping 9
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x0
User Comments	Bug 594808
Processor Notes 	
EMCheckCompatibility	False

Frame  	Module  	Signature  	Source
0 	xul.dll 	nsTypedSelection::RemoveRange(nsIRange*) 	layout/generic/nsSelection.cpp:5202
1 	xul.dll 	nsTypedSelection::RemoveRange(nsIDOMRange*) 	layout/generic/nsSelection.cpp:5185
2 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
3 	xul.dll 	XPCWrappedNative::CallMethod(XPCCallContext&,XPCWrappedNative::CallMode) 	js/src/xpconnect/src/xpcwrappednative.cpp:2722
4 	xul.dll 	XPC_WN_CallMethod(JSContext*,JSObject*,unsigned int,int*,int*) 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1740
5 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1360
6 	js3250.dll 	js_Interpret 	js/src/jsops.cpp:2240
7 	js3250.dll 	js_Execute 	js/src/jsinterp.cpp:1601
8 	js3250.dll 	JS_EvaluateUCScriptForPrincipals 	js/src/jsapi.cpp:5072
9 	xul.dll 	nsJSContext::EvaluateString(nsAString_internal const&,void*,nsIPrincipal*,char const*,unsigned int,unsigned int,nsAString_internal*,int*) 	dom/base/nsJSEnvironment.cpp:1756
10 	xul.dll 	nsScriptLoader::EvaluateScript(nsScriptLoadRequest*,nsString const&) 	content/base/src/nsScriptLoader.cpp:711
11 	xul.dll 	nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) 	content/base/src/nsScriptLoader.cpp:625
12 	xul.dll 	nsScriptLoader::ProcessScriptElement(nsIScriptElement*) 	content/base/src/nsScriptLoader.cpp:577
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: General → Selection
Ever confirmed: true
Keywords: crash, testcase
Product: Firefox → Core
QA Contact: general → selection
Summary: NULL pointer crash when detaching and removing a range from a selection → NULL pointer crash [@ nsTypedSelection::RemoveRange(nsIRange*) ] when detaching and removing a range from a selection
Version: unspecified → Trunk
Created attachment 473923 [details] [diff] [review]
Fix
Attachment #473923 - Flags: review?(jonas)
Assignee: nobody → bzbarsky
Priority: -- → P1
Whiteboard: [need review]
Comment on attachment 473923 [details] [diff] [review]
Fix

Though please add a newline at the end of the test.
Attachment #473923 - Flags: review?(jonas) → review+
Whiteboard: [need review] → [need approval]
Attachment #473923 - Flags: approval2.0?
Jonas, want to approve this too?
Comment on attachment 473923 [details] [diff] [review]
Fix

Just noticed the missing endline at the end of the testcase. Please fix before checking in.
Attachment #473923 - Flags: approval2.0? → approval2.0+
Yes, you noticed that during review too. And then I fixed it locally. ;)
Whiteboard: [need approval] → [need landing]
Hey, at least I'm consistent :)
Pushed http://hg.mozilla.org/mozilla-central/rev/cb077620dd05
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [need landing]
Target Milestone: --- → mozilla2.0b8
Target Milestone: mozilla2.0b8 → mozilla2.0b7

Comment 11

7 years ago
Hey, I'm still getting this crash on FF 3.6.13.

Comment 12

7 years ago
(In reply to comment #11)
> Hey, I'm still getting this crash on FF 3.6.13.

The fix has not been backported to 3.6.
Crash Signature: [@ nsTypedSelection::RemoveRange(nsIRange*) ]