==117581==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7fc10fbf49b9 bp 0x7fff1bed15b0 sp 0x7fff1bed1590 T0) ==117581==The signal is caused by a READ memory access. ==117581==Hint: address points to the zero page. #0 0x7fc10fbf49b8 in get /src/obj-firefox/dist/include/mozilla/RefPtr.h:287:27 #1 0x7fc10fbf49b8 in operator-> /src/obj-firefox/dist/include/mozilla/RefPtr.h:319 #2 0x7fc10fbf49b8 in OwnerDoc /src/dom/base/nsINode.h:535 #3 0x7fc10fbf49b8 in nsRange::nsRange(nsINode*) /src/dom/base/nsRange.cpp:273 #4 0x7fc113e766c4 in mozilla::RangeItem::GetRange() /src/editor/libeditor/SelectionState.cpp:670:31 #5 0x7fc113d658b9 in mozilla::HTMLEditRules::GetNodesForOperation(nsTArray<RefPtr<nsRange> >&, nsTArray<mozilla::OwningNonNull<nsINode> >&, EditAction, mozilla::HTMLEditRules::TouchContent) /src/editor/libeditor/HTMLEditRules.cpp:6147:37 #6 0x7fc113d6092c in GetNodesFromSelection /src/editor/libeditor/HTMLEditRules.cpp:6653:17 #7 0x7fc113d6092c in mozilla::HTMLEditRules::GetListActionNodes(nsTArray<mozilla::OwningNonNull<nsINode> >&, mozilla::HTMLEditRules::EntireList, mozilla::HTMLEditRules::TouchContent) /src/editor/libeditor/HTMLEditRules.cpp:6297 #8 0x7fc113d4ad57 in mozilla::HTMLEditRules::WillMakeList(mozilla::dom::Selection*, nsTSubstring<char16_t> const*, bool, nsTSubstring<char16_t> const*, bool*, bool*, nsTSubstring<char16_t> const*) /src/editor/libeditor/HTMLEditRules.cpp:3471:8 #9 0x7fc113d3531a in mozilla::HTMLEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::RulesInfo*, bool*, bool*) /src/editor/libeditor/HTMLEditRules.cpp:656:14 #10 0x7fc113df1809 in mozilla::HTMLEditor::MakeOrChangeList(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&) /src/editor/libeditor/HTMLEditor.cpp:1950:24 #11 0x7fc113ed9f3b in nsListCommand::ToggleState(mozilla::HTMLEditor*) /src/editor/composer/nsComposerCommands.cpp:332:23 #12 0x7fc113ed7097 in nsBaseStateUpdatingCommand::DoCommand(char const*, nsISupports*) /src/editor/composer/nsComposerCommands.cpp:105:10 #13 0x7fc111df9a50 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /src/dom/commandhandler/nsControllerCommandTable.cpp:147:26 #14 0x7fc111def926 in nsBaseCommandController::DoCommand(char const*) /src/dom/commandhandler/nsBaseCommandController.cpp:136:25 #15 0x7fc111df64a4 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /src/dom/commandhandler/nsCommandManager.cpp:212:22 #16 0x7fc11232abdb in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /src/dom/html/nsHTMLDocument.cpp:3276:18 #17 0x7fc1117128e1 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:854:21 #18 0x7fc111ab4ad7 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3042:13 #19 0x1fb530e3ae85 (<unknown module>)

Comment on attachment 8982985 [details] Bug 1423776 - Return error when splitted node might be orphan. https://reviewboard.mozilla.org/r/248828/#review254970 ::: editor/libeditor/HTMLEditRules.cpp:7828 (Diff revision 1) > if (NS_WARN_IF(splitEndInlineResult.Failed())) { > return splitEndInlineResult.Rv(); > } > EditorRawDOMPoint splitPointAtEnd(splitEndInlineResult.SplitPoint()); > + if (NS_WARN_IF(!splitPointAtEnd.IsSet())) { > + return NS_ERROR_FAILURE; Perhaps, we need another error such as NS_ERROR_DOM_TREE_CHANGED_UNEXPECTEDLY or something, but it's out of scope of this bug.

Pushed by m_kato@ga2.so-net.ne.jp: https://hg.mozilla.org/integration/autoland/rev/988847e0ed2e Return error when splitted node might be orphan. r=masayuki

Not seeing any obvious indication in crash-stats that this is hitting us in the wild, so let's let it ride the trains.