Closed Bug 622596 Opened 15 years ago Closed 13 years ago

Firefox 3.5.16 Crash Report [@ nsTypedSelection::ContainsNode(nsIDOMNode*, int, int*) ]

Categories

Product/Component: Core :: General
Type: defect
Version: 1.9.1 Branch
Platform: x86, All
Priority: Not set
Severity: critical

RESOLVED WORKSFORME

People

(Reporter: cbook, Assigned: bc)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Running Mz's fuzzer on 3.5.16 caused a crash in @ nsTypedSelection::ContainsNode(nsIDOMNode*, int, int*)

http://crash-stats.mozilla.com/report/index/b7ad94d8-b87a-40e8-a680-4c1cd2110103

need to find the url for the testcase

Crashing Thread

Frame  Module   Signature                        Source
0      xul.dll  nsTypedSelection::ContainsNode   layout/generic/nsSelection.cpp:6064
1      xul.dll  nsCOMPtr_base::~nsCOMPtr_base    obj-firefox/xpcom/build/nsCOMPtr.cpp:81
2      xul.dll  XPCWrappedNative::CallMethod     js/src/xpconnect/src/xpcwrappednative.cpp:2456

null dereference, but does that stack make sense?
Keywords: testcase-wanted
Whiteboard: [sg:needinfo]
Let's put all the cross_fuzz bugs as blocking on bug 581539 for now.
Blocks: crossfuzz
No longer blocks: 622456
so far this looks like only 3.5.16 Windows NT 6.1.7600, and maybe all three reports are tomcat.

nsTypedSelection::ContainsNode(nsIDOMNode*, int, int*) 3.5.16 Windows NT 6.1.7600
http://lcamtuf.coredump.cx/cross_fuzz/targets/target.html
CrashCat
http://crash-stats.mozilla.com/report/index/83f5a97c-2fb3-4df2-99cd-3f0732110103

nsTypedSelection::ContainsNode(nsIDOMNode*, int, int*) 3.5.16 Windows NT 6.1.7600
http://lcamtuf.coredump.cx/cross_fuzz/targets/target.html
crashcat windows 7
http://crash-stats.mozilla.com/report/index/b7ad94d8-b87a-40e8-a680-4c1cd2110103

nsTypedSelection::ContainsNode(nsIDOMNode*, int, int*) 3.5.16 Windows NT 6.1.7600
wyciwyg://19/http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_randomized_20100729_seed.html
CrashCat
http://crash-stats.mozilla.com/report/index/3431aead-bcab-4590-802b-1d3302110103

No longer blocks: crossfuzz
(In reply to comment #3)
> so far this looks like only 3.5.16 Windows NT 6.1.7600, and maybe all three
> reports are tomcat.

yeah all 3 were from me - just look at crashcat at the user comments. i use "crashcat" there to identify my crashes
I reproduced this on 32bit linux with seed -1992972524
OS: Windows 7 → All
Attached file testcase
t2 = window.open();
t2.document.documentElement.childNodes.item(undefined).contentEditable = true;
t2.getSelection().containsNode([], false);

I reduced this on mac, fwiw.
Crash Signature: [@ nsTypedSelection::ContainsNode(nsIDOMNode*, int, int*) ]
I think this is fixed but haven't narrowed down when.
WFM in recent Nightly builds on Linux64, OSX and Win7. Also in local ASan debug build on Linux64. I don't see any reports matching "nsTypedSelection::ContainsNode" in the past 4 weeks on crash-stats, in any version.
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: in-testsuite?
Resolution: --- → WORKSFORME
Group: core-security
Flags: in-testsuite? → in-testsuite+
Whiteboard: [sg:needinfo]