
Crash [@ nsEditor::RemoveContainer]

RESOLVED FIXED in Firefox 16

Status


Core
Editor
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: Jesse Ruderman, Assigned: ayg)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

16 Branch
mozilla16
crash, regression, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox15 unaffected, firefox16+ fixed)


Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Created attachment 639918 [details]
testcase (requires focus)

Probably a regression in 4b1249ae1906:6d7fae9764b3
(Reporter)

Comment 1

5 years ago
Created attachment 639919 [details]
stack trace (gdb)

Updated

5 years ago
Crash Signature: [@ nsEditor::RemoveContainer]
This is a regression from bug 756750:

-  nsCOMPtr<nsIDOMNode> child;
-  while (bHasMoreChildren)
-  {
-    inNode->GetLastChild(getter_AddRefs(child));
-    res = DeleteNode(child);
-    NS_ENSURE_SUCCESS(res, res);
-    res = InsertNode(child, parent, offset);
+  while (aNode->HasChildren()) {
+    nsIContent* child = aNode->GetLastChild();
+    nsresult rv = DeleteNode(child->AsDOMNode());
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = InsertNode(child->AsDOMNode(), parent->AsDOMNode(), offset);
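Review bot: on the `+` side `child` is a raw `nsIContent*`, and `DeleteNode(child->AsDOMNode())` detaches it from `aNode`, which can drop the last strong reference before the following `InsertNode(child->AsDOMNode(), parent->AsDOMNode(), offset)` dereferences it; the `-` side avoided this because `nsCOMPtr<nsIDOMNode> child` kept the node alive across both calls. Hold a strong reference for the whole loop body, e.g. `nsCOMPtr<nsIContent> child = aNode->GetLastChild();`, so the node outlives its removal from the container.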

If you assign a node to nsIContent* and then remove it from its parent, it is not wise to try to dereference the pointer afterwards.
Assignee: nobody → ayg
Blocks: 756750
Status: NEW → ASSIGNED
Keywords: regression
OS: Mac OS X → All
Hardware: x86_64 → All
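To make that lifetime hazard concrete, here is an added example (not code from this bug or from Mozilla) with a constructed refcounted `Node` standing in for `nsIContent` and a minimal `RefPtr` standing in for `nsCOMPtr`: `MoveChildrenRaw` repeats the regressed loop's raw-pointer pattern and, rather than dereferencing a freed child, records how many it would have touched (the kind of access an ASan build flags, as comment 7 notes), while `MoveChildrenStrong` holds a strong reference across the removal as the old code did.

```cpp
#include <cstdint>
#include <set>
#include <vector>
// Constructed model of an intrusively refcounted DOM node (stands in for
// nsIContent): a parent's child list holds one strong reference per child.
static std::set<std::uintptr_t> g_destroyed;  // addresses of nodes freed so far
struct Node {
  int refcnt = 0, id = -1;
  std::vector<Node*> children;
  ~Node() { g_destroyed.insert(reinterpret_cast<std::uintptr_t>(this)); for (Node* c : children) c->Release(); }
  void AddRef() { ++refcnt; }
  void Release() { if (--refcnt == 0) delete this; }
  Node* GetLastChild() { return children.empty() ? nullptr : children.back(); }
  void InsertChild(int off, Node* c) { c->AddRef(); children.insert(children.begin() + off, c); }
  void RemoveLastChild() { Node* c = children.back(); children.pop_back(); c->Release(); }
};
// Minimal strong reference, like nsCOMPtr (constructed here; never copied below).
struct RefPtr {
  Node* p;
  explicit RefPtr(Node* n) : p(n) { if (p) p->AddRef(); }
  ~RefPtr() { if (p) p->Release(); }
};
// Build root -> [container -> [leaf 0 .. leaf n-1]]; the caller must hold root.
Node* BuildTree(int n) {
  Node *root = new Node, *box = new Node;
  root->InsertChild(0, box);
  for (int i = 0; i < n; ++i) { Node* leaf = new Node; leaf->id = i; box->InsertChild(i, leaf); }
  return root;
}
// Regressed pattern: the raw pointer outlives the only strong reference; count freed children instead of dereferencing them.
int MoveChildrenRaw(Node* container, Node* parent, int offset) {
  int useAfterFree = 0;
  while (Node* child = container->GetLastChild()) {
    std::uintptr_t addr = reinterpret_cast<std::uintptr_t>(child);
    container->RemoveLastChild();               // drops the only ref: *child is freed
    if (g_destroyed.count(addr)) { ++useAfterFree; continue; }
    parent->InsertChild(offset, child);
  }
  return useAfterFree;
}
// Fixed pattern: a strong reference spans the removal (as the old nsCOMPtr code did); returns parent's child count.
int MoveChildrenStrong(Node* container, Node* parent, int offset) {
  while (Node* raw = container->GetLastChild()) {
    RefPtr child(raw);                          // refcnt 2 while we hold it
    container->RemoveLastChild();               // back to 1: the node stays alive
    parent->InsertChild(offset, child.p);
  }
  return static_cast<int>(parent->children.size());
}
```

To drive it, wrap `BuildTree(3)` in a `RefPtr` and pass `root.p->GetLastChild()` as the container and `root.p` as the parent with offset 0: the raw variant reports 3 freed children, the strong variant returns 4 and keeps the leaves in their original order ahead of the now-empty container.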
Created attachment 640047 [details] [diff] [review]
Patch

Try: https://tbpl.mozilla.org/?tree=Try&rev=46387258d3c6
Attachment #640047 - Flags: review?(ehsan)

Updated

5 years ago
status-firefox15: --- → unaffected
status-firefox16: --- → affected
Version: Trunk → 16 Branch

Updated

5 years ago
Attachment #640047 - Flags: review?(ehsan) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/519bc7e30a7b
Flags: in-testsuite+
Target Milestone: --- → mozilla16
https://hg.mozilla.org/mozilla-central/rev/519bc7e30a7b
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Updated

5 years ago
status-firefox16: affected → ---

Updated

5 years ago
status-firefox16: --- → fixed
tracking-firefox16: --- → +
(In reply to Jesse Ruderman from comment #0)
> Created attachment 639918 [details]
> testcase (requires focus)
> 
> Probably a regression in 4b1249ae1906:6d7fae9764b3

Not able to reproduce on nightly 2012-07-06. Any ideas?
(Reporter)

Comment 7

5 years ago
Try a debug or ASan build? It's a pointer lifetime bug (causing a use-after-free) so it's not guaranteed to crash, especially in nightly builds.
Already tried the debug build and no success. I can't find older ASan builds, could you please point me to them?