Closed Bug 622596 Opened 13 years ago Closed 11 years ago

Firefox 3.5.16 Crash Report [@ nsTypedSelection::ContainsNode(nsIDOMNode*, int, int*) ]

Categories

(Core :: General, defect)

1.9.1 Branch
x86
All
defect
Not set
critical


RESOLVED WORKSFORME

People

(Reporter: cbook, Assigned: bc)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Running Mz's fuzzer on 3.5.16 caused a crash in @ nsTypedSelection::ContainsNode(nsIDOMNode*, int, int*)

http://crash-stats.mozilla.com/report/index/b7ad94d8-b87a-40e8-a680-4c1cd2110103

need to find the url for the testcase

Crashing Thread
Frame  Module   Signature                       Source
0      xul.dll  nsTypedSelection::ContainsNode  layout/generic/nsSelection.cpp:6064
1      xul.dll  nsCOMPtr_base::~nsCOMPtr_base   obj-firefox/xpcom/build/nsCOMPtr.cpp:81
2      xul.dll  XPCWrappedNative::CallMethod    js/src/xpconnect/src/xpcwrappednative.cpp:2456
null dereference, but does that stack make sense?
Keywords: testcase-wanted
Whiteboard: [sg:needinfo]
Let's put all the cross_fuzz bugs as blocking on bug 581539 for now.
Blocks: crossfuzz
No longer blocks: 622456
so far this looks like only 3.5.16 Windows NT 6.1.7600, and maybe all three reports are tomcat.

nsTypedSelection::ContainsNode(nsIDOMNode*, int, int*) 3.5.16 Windows NT 6.1.7600
http://lcamtuf.coredump.cx/cross_fuzz/targets/target.html CrashCat
http://crash-stats.mozilla.com/report/index/83f5a97c-2fb3-4df2-99cd-3f0732110103

nsTypedSelection::ContainsNode(nsIDOMNode*, int, int*) 3.5.16 Windows NT 6.1.7600
http://lcamtuf.coredump.cx/cross_fuzz/targets/target.html crashcat windows 7
http://crash-stats.mozilla.com/report/index/b7ad94d8-b87a-40e8-a680-4c1cd2110103

nsTypedSelection::ContainsNode(nsIDOMNode*, int, int*) 3.5.16 Windows NT 6.1.7600
wyciwyg://19/http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_randomized_20100729_seed.html CrashCat
http://crash-stats.mozilla.com/report/index/3431aead-bcab-4590-802b-1d3302110103
No longer blocks: crossfuzz
(In reply to comment #3)
> so far this looks like only 3.5.16 Windows NT 6.1.7600, and maybe all three
> reports are tomcat.
> 

Yeah, all 3 were from me - just look at "crashcat" in the user comments. I use "crashcat" there to identify my crashes.
I reproduced this on 32-bit Linux with seed -1992972524.
OS: Windows 7 → All
Attached file testcase
t2 = window.open();
t2.document.documentElement.childNodes.item(undefined).contentEditable = true;
t2.getSelection().containsNode([], false);

I reduced this on mac, fwiw.
Crash Signature: [@ nsTypedSelection::ContainsNode(nsIDOMNode*, int, int*) ]
I think this is fixed but haven't narrowed down when.
WFM in recent Nightly builds on Linux64, OSX and Win7. Also in local ASan debug build on Linux64. I don't see any reports matching "nsTypedSelection::ContainsNode" in the past 4 weeks on crash-stats, in any version.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → WORKSFORME
Landed a crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b8efd7688256
Group: core-security
Flags: in-testsuite? → in-testsuite+
Whiteboard: [sg:needinfo]