Closed
Bug 937512
Opened 11 years ago
Closed 2 years ago
xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0x170
Categories
(Core :: DOM: Editor, defect)
People
(Reporter: 41.w4r10r, Unassigned)
Details
(Keywords: crash, testcase)
Attachments
(1 file)
1.29 KB,
text/html
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Steps to reproduce:
Load Attached File
Actual results:
Crashes Firefox 25.0 & ESR 17.0.10:
Stack Trace From ESR 17.0.10
(cc4.870): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=08c61700 ebx=0531a600 ecx=0029b478 edx=0531a600 esi=00000000 edi=80000000
eip=676ae173 esp=0029b49c ebp=0029b4c4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** WARNING: Unable to verify checksum for C:\Program Files\Mozilla Firefox\xul.dll
xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0x170:
676ae173 8b06 mov eax,dword ptr [esi] ds:0023:00000000=????????
0:000> ub
xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0x156 [e:\builds\moz2_slave\yyy\build\editor\libeditor\base\nseditor.cpp @ 4440]:
676ae159 740a je xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0x162 (676ae165)
676ae15b 8d4df8 lea ecx,[ebp-8]
676ae15e e8ef1f98ff call xul!nsCOMPtr<nsISHEntry>::~nsCOMPtr<nsISHEntry> (67030152)
676ae163 eb88 jmp xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0xea (676ae0ed)
676ae165 8d4508 lea eax,[ebp+8]
676ae168 e8f0907aff call xul!nsCOMPtr<nsIBaseWindow>::operator-> (66e5725d)
676ae16d 8b7010 mov esi,dword ptr [eax+10h]
676ae170 ff7508 push dword ptr [ebp+8]
0:000> u
xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0x170 [e:\builds\moz2_slave\yyy\build\editor\libeditor\base\nseditor.cpp @ 4442]:
676ae173 8b06 mov eax,dword ptr [esi]
676ae175 8bce mov ecx,esi
676ae177 ff5064 call dword ptr [eax+64h]
676ae17a 8b4dfc mov ecx,dword ptr [ebp-4]
676ae17d 50 push eax
676ae17e 56 push esi
676ae17f e89c8085ff call xul!mozilla::Selection::Collapse (66f06220)
676ae184 8bf0 mov esi,eax
0:000> kb
ChildEBP RetAddr Args to Child
0029b4c4 676b3358 08c61700 0531a6c4 00000000 xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0x170 [e:\builds\moz2_slave\yyy\build\editor\libeditor\base\nseditor.cpp @ 4442]
0029b544 674169e7 0531a6c4 06472780 00000001 xul!nsHTMLEditor::InsertElementAtSelection+0x183 [e:\builds\moz2_slave\yyy\build\editor\libeditor\html\nshtmleditor.cpp @ 1529]
0029b570 6776abb3 06472780 0029b680 0531a6c4 xul!nsInsertTagCommand::DoCommand+0x65 [e:\builds\moz2_slave\yyy\build\editor\composer\src\nscomposercommands.cpp @ 1395]
0029b58c 6738aa3e 0609e240 0029b680 0531a600 xul!nsControllerCommandTable::DoCommand+0x42 [e:\builds\moz2_slave\yyy\build\embedding\components\commandhandler\src\nscontrollercommandtable.cpp @ 158]
0029b5b0 6771d6b4 0531a600 0029b680 80000000 xul!nsBaseCommandController::DoCommand+0x5b [e:\builds\moz2_slave\yyy\build\embedding\components\commandhandler\src\nsbasecommandcontroller.cpp @ 137]
0029b5cc 677355a3 085ba200 0029b680 00000000 xul!nsCommandManager::DoCommand+0x6e [e:\builds\moz2_slave\yyy\build\embedding\components\commandhandler\src\nscommandmanager.cpp @ 237]
0029b6c4 67133860 08ad1f64 0029b9b8 0029b900 xul!nsHTMLDocument::ExecCommand+0x191 [e:\builds\moz2_slave\yyy\build\content\html\document\src\nshtmldocument.cpp @ 3216]
0029b6f0 66f6f238 08ad1f64 0000007d 00000004 xul!NS_InvokeByIndex_P+0x27 [e:\builds\moz2_slave\yyy\build\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp @ 71]
0029b92c 66f7129b 00000000 0029ba34 66f711c0 xul!XPCWrappedNative::CallMethod+0x338 [e:\builds\moz2_slave\yyy\build\js\xpconnect\src\xpcwrappednative.cpp @ 2374]
*** WARNING: Unable to verify checksum for C:\Program Files\Mozilla Firefox\mozjs.dll
0029b9f4 69e96a49 0804f040 00000003 03ca0118 xul!XPC_WN_CallMethod+0xdb [e:\builds\moz2_slave\yyy\build\js\xpconnect\src\xpcwrappednativejsops.cpp @ 1478]
0029ba68 69e98579 0804f040 00000000 03ca0128 mozjs!js::InvokeKernel+0x59 [e:\builds\moz2_slave\yyy\build\js\src\jsinterp.cpp @ 352]
0029c374 69e96ffa 0804f040 03ca0028 00000000 mozjs!js::Interpret+0x959 [e:\builds\moz2_slave\yyy\build\js\src\jsinterp.cpp @ 2414]
0029c3e8 69ea66a9 0804f040 00000000 03ca0020 mozjs!js::InvokeKernel+0x60a [e:\builds\moz2_slave\yyy\build\js\src\jsinterp.cpp @ 363]
0029c438 69eb4551 0804f040 0029c460 0029c47c mozjs!js::Invoke+0x209 [e:\builds\moz2_slave\yyy\build\js\src\jsinterp.cpp @ 396]
0029c46c 66f22daa 0804f040 09c32040 09c403e0 mozjs!JS_CallFunctionValue+0x41 [e:\builds\moz2_slave\yyy\build\js\src\jsapi.cpp @ 5853]
0029c5c0 66ee05df 0708b300 09c32040 09c403e0 xul!nsJSContext::CallEventHandler+0x44a [e:\builds\moz2_slave\yyy\build\dom\base\nsjsenvironment.cpp @ 1931]
0029c6b0 66f67c3a 08b1a980 09d69580 0029c798 xul!nsJSEventListener::HandleEvent+0x10f [e:\builds\moz2_slave\yyy\build\dom\src\events\nsjseventlistener.cpp @ 188]
0029c6fc 66f75392 08ae59c0 08ad2c00 0029c7a0 xul!nsEventListenerManager::HandleEventInternal+0x18a [e:\builds\moz2_slave\yyy\build\content\events\src\nseventlistenermanager.cpp @ 886]
0029c744 66f6ac3b 01257204 00000006 00000000 xul!nsEventTargetChainItem::HandleEventTargetChain+0x6b2 [e:\builds\moz2_slave\yyy\build\content\events\src\nseventdispatcher.cpp @ 317]
0029c7dc 66ed9256 0708b0e0 08ad2c00 0029c820 xul!nsEventDispatcher::Dispatch+0x23b [e:\builds\moz2_slave\yyy\build\content\events\src\nseventdispatcher.cpp @ 644]
Expected results:
Run File Perfectly
Updated•11 years ago
status-firefox25:
--- → affected
status-firefox26:
--- → ?
status-firefox27:
--- → ?
status-firefox-esr17:
--- → affected
status-firefox-esr24:
--- → affected
Updated•11 years ago
Component: Untriaged → Editor
Product: Firefox → Core
Comment 1•11 years ago
Why is this marked as security sensitive?
Comment 2•11 years ago
bp-40f5e70d-2603-478e-8224-415882131120
The crashes I get appear to be null derefs (in nightly). What were you seeing that looked exploitable?
Definitely a stability issue though.
Updated•11 years ago
|
Group: core-security
Updated•11 years ago
|
Severity: normal → critical
Comment 3•11 years ago
These are the crashes from the last 6 months.
bp-3ba54e4e-09b9-4602-bfce-c9bab2140710
bp-940b1ec9-6376-495e-be1e-deb542140222
bp-3cd1fcef-28ab-4d19-9a0e-4aae72140224
Flags: needinfo?(41.w4r10r)
Updated•9 years ago
|
Crash Signature: [@ mozilla::plugins::PPluginInstanceChild::DeallocSubtree() ] → [@ mozilla::plugins::PPluginInstanceChild::DeallocSubtree() ]
[@ mozilla::plugins::PPluginInstanceChild::DeallocSubtree ]
Comment 4•6 years ago
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Comment 5•6 years ago
> Closing because no crash reported since 12 weeks.
Reopening because crash bugs **with testcases** should not be resolved **as WONTFIX** based on queries of crash-stats. Other resolutions may be appropriate for other reasons.
(Crash signatures are not the same as bug identity; they're merely a search aid to find and group similar crashes. The bug may still be present, but the signature may have changed slightly, or the bug may even still be present with the same signature but there are simply no recent reports of crashes in that function.)
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Comment 7•6 years ago
Original case's crash is nsEditor::DeleteSelectionAndPrepareToCreateNode (mozilla::EditorBase::DeleteSelectionAndPrepareToCreateNode). But crash signature of this issue is [@ mozilla::plugins::PPluginInstanceChild::DeallocSubtree ] by comment #2. Why?
Updated•2 years ago
|
Severity: critical → S2
Comment 8•2 years ago
Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.
For more information, please visit auto_nag documentation.
Severity: S2 → S3
Comment 9•2 years ago
This is never reproducible because a recursive Document.execCommand call is not allowed (bug 1611374).
Status: REOPENED → RESOLVED
Crash Signature: [@ mozilla::plugins::PPluginInstanceChild::DeallocSubtree() ]
[@ mozilla::plugins::PPluginInstanceChild::DeallocSubtree ]
Closed: 6 years ago → 2 years ago
Depends on: 1611374
Resolution: --- → WORKSFORME