Closed
Bug 998532
Opened 10 years ago
Closed 10 years ago
crash in nsEditor::DetermineCurrentDirection()
Categories
(Core :: DOM: Editor, defect)
Tracking
()
VERIFIED
FIXED
mozilla33
People
(Reporter: martijn.martijn, Assigned: ehsan.akhgari)
Details
(Keywords: crash)
Crash Data
Attachments
(2 files)
|
810 bytes,
patch
|
roc
:
review+
martijn.martijn
:
feedback+
|
Details | Diff | Splinter Review |
|
4.24 KB,
patch
|
Details | Diff | Splinter Review |
I'm seeing this crash in current trunk build. I don't have a testcase, atm. This bug was filed from the Socorro interface and is report bp-38f42156-dea1-4efc-bfff-743922140418. ============================================================= 0 XUL nsEditor::DetermineCurrentDirection() obj-firefox/x86_64/dist/include/nsINode.h 1 XUL nsEditor::SwitchTextDirection() editor/libeditor/base/nsEditor.cpp 2 XUL NS_InvokeByIndex xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp 3 XUL XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) js/xpconnect/src/XPCWrappedNative.cpp 4 XUL XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) js/xpconnect/src/XPCWrappedNativeJSOps.cpp 5 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jscntxtinlines.h 6 XUL Interpret js/src/vm/Interpreter.cpp 7 XUL js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp
|
Reporter | |
Comment 1•10 years ago
|
||
Let me know if you need a testcase, I have a case where it's crashing reproducibly, but getting a testcase from it, might be quite some work. I could test a patch for it, though, to see if it would fix the crash.
Flags: needinfo?(ehsan)
|
Assignee | |
Comment 2•10 years ago
|
||
Can you please attach the test case even if it's not minimal? I think this is a simple missing null check, I can attach a patch in a sec.
Flags: needinfo?(ehsan) → needinfo?(martijn.martijn)
|
|
Assignee | |
Comment 3•10 years ago
|
||
Attachment #8409483 -
Flags: feedback?(martijn.martijn)
|
|
Reporter | |
Comment 4•10 years ago
|
||
Sorry for the delay! The testcase is not even not minimal, it's part of a fuzzing framework and it would take quite some time to get it even a little bit isolated. But I'll try out the patch and see if it fixes this crash, ok?
Flags: needinfo?(martijn.martijn)
|
|
Reporter | |
Comment 5•10 years ago
|
||
Comment on attachment 8409483 [details] [diff] [review] Patch (v1) Review of attachment 8409483 [details] [diff] [review]: ----------------------------------------------------------------- Yes, this patch seems to fix the crash. I tested without and with the patch in a debug build on MacOS X.
Attachment #8409483 -
Flags: feedback?(martijn.martijn) → feedback+
|
|
Reporter | |
Updated•10 years ago
|
Assignee: nobody → ehsan
Flags: needinfo?(ehsan)
|
|
Assignee | |
Comment 6•10 years ago
|
||
Comment on attachment 8409483 [details] [diff] [review] Patch (v1) Thanks Martijn.
Attachment #8409483 -
Flags: review?(roc)
Flags: needinfo?(ehsan)
Comment on attachment 8409483 [details] [diff] [review] Patch (v1) Review of attachment 8409483 [details] [diff] [review]: ----------------------------------------------------------------- Seems like it should be fairly easy to come up with a testcase. Just remove the root element from the document and do some editing stuff that hits this code path.
Attachment #8409483 -
Flags: review?(roc) → review+
|
|
Assignee | |
Comment 8•10 years ago
|
||
I tried to write a test and failed. Will attach my patch so far for future reference...
|
|
Assignee | |
Comment 9•10 years ago
|
||
|
|
Assignee | |
Comment 10•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/0857ad15c4d7
https://hg.mozilla.org/mozilla-central/rev/0857ad15c4d7
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
|
|
Reporter | |
Comment 12•10 years ago
|
||
It doesn't crash anymore in today's trunk build on the unminimized testcase.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•