771749 - Crash [@ nsEditor::RemoveContainer]

Status: RESOLVED FIXED

(Core :: DOM: Editor, defect)

Description

[Jesse Ruderman]

Attachment: testcase (requires focus)

Probably a regression in 4b1249ae1906:6d7fae9764b3

Comment 1

[Jesse Ruderman]

Attachment: stack trace (gdb)

Comment 2

[Aryeh Gregor (:ayg) (no longer with Mozilla)]

This is a regression from bug 756750:

-  nsCOMPtr<nsIDOMNode> child;
-  while (bHasMoreChildren)
-  {
-    inNode->GetLastChild(getter_AddRefs(child));
-    res = DeleteNode(child);
-    NS_ENSURE_SUCCESS(res, res);
-    res = InsertNode(child, parent, offset);
+  while (aNode->HasChildren()) {
+    nsIContent* child = aNode->GetLastChild();
+    nsresult rv = DeleteNode(child->AsDOMNode());
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = InsertNode(child->AsDOMNode(), parent->AsDOMNode(), offset);

If you assign a node to nsIContent* and then remove it from its parent, it is not wise to try to dereference the pointer afterwards.

Comment 3

[Aryeh Gregor (:ayg) (no longer with Mozilla)]

Attachment: Patch

Try: https://tbpl.mozilla.org/?tree=Try&rev=46387258d3c6

Comment 4

[Aryeh Gregor (:ayg) (no longer with Mozilla)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/519bc7e30a7b

Comment 5

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/519bc7e30a7b

Comment 6

[Paul Silaghi, QA [:pauly]]

(In reply to Jesse Ruderman from comment #0)
> Created attachment 639918 [details]
> testcase (requires focus)
> 
> Probably a regression in 4b1249ae1906:6d7fae9764b3

Not able to reproduce on nightly 2012-07-06. Any ideas ?

Comment 7

[Jesse Ruderman]

Try a debug or ASan build?  It's a pointer lifetime bug (causing a use-after-free) so it's not guaranteed to crash, especially in nightly builds.

Comment 8

[Paul Silaghi, QA [:pauly]]

Already tried the debug build and no success. I can't find older ASan builds, could you please point me to them?