Closed
Bug 1443664
Opened 7 years ago
Closed 7 years ago
crash near null in [@ mozilla::HTMLEditor::FindSelectionRoot]
Categories: Core :: DOM: Editor (defect, P1)
Status: RESOLVED FIXED
Target Milestone: mozilla61
Tracking
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox58 | --- | unaffected |
firefox59 | --- | unaffected |
firefox60 | --- | fixed |
firefox61 | --- | fixed |
People: Reporter: tsmith, Assigned: m_kato
References: Blocks 1 open bug
Keywords: crash, testcase
Attachments (2 files):
    (deleted), text/html
    (deleted), patch; smaug: review+, jcristau: approval-mozilla-beta+
Found in m-c:
BuildID=20180306215445
SourceStamp=bccdc684210431c233622650a91454c09f6af9eb
==64476==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000019 (pc 0x7f445103a605 bp 0x7ffca0e758b0 sp 0x7ffca0e757e0 T0)
==64476==The signal is caused by a READ memory access.
==64476==Hint: address points to the zero page.
#0 0x7f445103a604 in HasFlag src/obj-firefox/dist/include/nsWrapperCache.h:264:15
#1 0x7f445103a604 in IsInShadowTree src/obj-firefox/dist/include/nsINode.h:1337
#2 0x7f445103a604 in GetComposedDoc src/obj-firefox/dist/include/nsINode.h:602
#3 0x7f445103a604 in mozilla::HTMLEditor::FindSelectionRoot(nsINode*) src/editor/libeditor/HTMLEditor.cpp:384
#4 0x7f4450f64892 in mozilla::EditorEventListener::Focus(mozilla::InternalFocusEvent*) src/editor/libeditor/EditorEventListener.cpp:1113:53
#5 0x7f4450f6155e in mozilla::EditorEventListener::HandleEvent(nsIDOMEvent*) src/editor/libeditor/EditorEventListener.cpp:472:14
#6 0x7f444f14e2cc in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1107:51
#7 0x7f444f14fc34 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1276:20
#8 0x7f444f13929f in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:481:12
#9 0x7f444f13d353 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:915:9
#10 0x7f444c2b5f52 in FocusBlurEvent::Run() src/dom/base/nsFocusManager.cpp:2082:12
#11 0x7f444bd869d5 in AddScriptRunner src/dom/base/nsContentUtils.cpp:5854:13
#12 0x7f444bd869d5 in nsContentUtils::AddScriptRunner(nsIRunnable*) src/dom/base/nsContentUtils.cpp:5861
#13 0x7f444c216c65 in nsFocusManager::FireFocusOrBlurEvent(mozilla::EventMessage, nsIPresShell*, nsISupports*, bool, bool, mozilla::dom::EventTarget*) src/dom/base/nsFocusManager.cpp:2255:5
#14 0x7f444c214ed6 in nsFocusManager::SendFocusOrBlurEvent(mozilla::EventMessage, nsIPresShell*, nsIDocument*, nsISupports*, unsigned int, bool, bool, mozilla::dom::EventTarget*) src/dom/base/nsFocusManager.cpp:2220:3
#15 0x7f444c20cbac in nsFocusManager::Focus(nsPIDOMWindowOuter*, nsIContent*, unsigned int, bool, bool, bool, bool, nsIContent*) src/dom/base/nsFocusManager.cpp:2001:7
#16 0x7f444c20f0a8 in nsFocusManager::WindowRaised(mozIDOMWindowProxy*) src/dom/base/nsFocusManager.cpp:779:3
#17 0x7f4454d9c544 in Activate src/toolkit/components/browser/nsWebBrowser.cpp:1833:16
#18 0x7f4454d9c544 in non-virtual thunk to nsWebBrowser::Activate() src/toolkit/components/browser/nsWebBrowser.cpp
#19 0x7f445063b6c0 in mozilla::dom::TabChild::RecvActivate() src/dom/ipc/TabChild.cpp:1488:12
#20 0x7f444a6ed7ca in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:7853:20
#21 0x7f4449f9821e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2133:25
#22 0x7f4449f951a1 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2063:17
#23 0x7f4449f9699c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1909:5
#24 0x7f4449f96ff8 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1942:15
#25 0x7f44490bd615 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1040:14
#26 0x7f44490d9b80 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:517:10
#27 0x7f4449fa0324 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:125:5
#28 0x7f4449ef0639 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
#29 0x7f4449ef0639 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
#30 0x7f4449ef0639 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
#31 0x7f4450def7aa in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
#32 0x7f44552d9b9b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:892:22
#33 0x7f4449ef0639 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
#34 0x7f4449ef0639 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
#35 0x7f4449ef0639 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
#36 0x7f44552d957a in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:718:34
#37 0x4f1875 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#38 0x4f1875 in main src/browser/app/nsBrowserApp.cpp:280
#39 0x7f446856582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#40 0x420f48 in _start (firefox+0x420f48)
status-firefox60: --- → affected
Flags: in-testsuite?
Comment 1 • 7 years ago (Assignee)
I guess that this is a recent regression from bug 1066965?
Assignee: nobody → m_kato
Crash Signature: [@ nsINode::GetComposedDoc ]
Updated • 7 years ago (Assignee)
Priority: -- → P1
Updated • 7 years ago
status-firefox58: --- → unaffected
status-firefox59: --- → unaffected
status-firefox60: --- → affected
status-firefox-esr52: --- → unaffected
Comment 2 • 7 years ago (Assignee)
Updated • 7 years ago (Assignee)
Attachment #8960111 - Attachment is patch: true
Comment 3 • 7 years ago (Assignee)
Comment on attachment 8960111 [details] [diff] [review]
form control might not have non-chrome only content
FindFirstNonChromeOnlyAccessContent can return nullptr on the test case, so we should check it.
Attachment #8960111 - Flags: review?(bugs)
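The shape of the defect and of the fix, as an added example written for this page and not code from the bug's patch or from mozilla-central: the Node and Document types, the helper bodies and the branching after the null check are hypothetical stand-ins for the nsINode/nsIDocument API named in the stack trace. Only the pattern is taken from comment 3 and the trace: a tree-walk helper that can legitimately return nullptr, whose result the caller dereferenced without a check, producing a read at a small offset off the zero page.

```cpp
// Added example (not Mozilla code): a minimal model of the pattern behind bug
// 1443664. All types and helpers here are hypothetical stand-ins for the
// nsINode / nsIDocument API named in the stack trace; only the shape of the
// bug and of the fix is taken from the report.

struct Document;

struct Node {
  Node* parent = nullptr;
  Document* composedDoc = nullptr;   // stand-in for nsINode::GetComposedDoc()
  bool chromeOnlyAccess = false;     // stand-in: chrome-only / native anonymous content

  // The real accessor reads flag bits through 'this'; on a null 'this' that read
  // is the "SEGV on unknown address 0x19" in the ASan report (small offset off null).
  Document* GetComposedDoc() const { return composedDoc; }
};

struct Document {
  Node* rootElement = nullptr;
  bool designMode = false;           // assumption: "whole document is editable"
};

// Stand-in for FindFirstNonChromeOnlyAccessContent(): walk up from aNode and
// return the first node that is not chrome-only. If every node on the path is
// chrome-only (the form-control case from comment 3), there is nothing to
// return and the result is nullptr.
Node* FindFirstNonChromeOnlyAccessContent(Node* aNode) {
  for (Node* n = aNode; n; n = n->parent) {
    if (!n->chromeOnlyAccess) {
      return n;
    }
  }
  return nullptr;
}

// Pre-fix shape, kept as a predicate so it can be exercised without crashing:
// the old code went straight from the lookup to ->GetComposedDoc(), so this
// reports whether that path would dereference nullptr for aNode.
bool UncheckedPathWouldDerefNull(Node* aNode) {
  return FindFirstNonChromeOnlyAccessContent(aNode) == nullptr;
}

// Fixed shape: the lookup result is checked before it is dereferenced, which is
// the whole of the uplifted patch ("nullptr check only for this situation").
// The branching after the check is a simplified assumption, not the editor's logic.
Node* FindSelectionRoot(Node* aNode) {
  if (!aNode) {
    return nullptr;
  }
  Node* content = FindFirstNonChromeOnlyAccessContent(aNode);
  if (!content) {
    return nullptr;                  // the added check: no selection root here
  }
  Document* doc = content->GetComposedDoc();
  if (!doc) {
    return nullptr;
  }
  if (doc->designMode) {
    return doc->rootElement;         // whole document editable: root is the selection root
  }
  return content;                    // otherwise the first reachable content node
}

// Builds both input shapes (constructed sample data) and checks the fixed path.
// Returns true when the ordinary control resolves and the all-chrome-only
// subtree, which would have crashed before, now yields nullptr instead.
bool SelfCheck() {
  Document doc;
  Node root;
  root.composedDoc = &doc;
  doc.rootElement = &root;

  Node field;                        // an ordinary form control
  field.parent = &root;
  field.composedDoc = &doc;

  // Anonymous subtree where every node on the upward walk is chrome-only.
  Node anonRoot;
  anonRoot.chromeOnlyAccess = true;
  anonRoot.composedDoc = &doc;
  Node anonLeaf;
  anonLeaf.chromeOnlyAccess = true;
  anonLeaf.parent = &anonRoot;
  anonLeaf.composedDoc = &doc;

  bool ordinaryOk = FindSelectionRoot(&field) == &field;
  doc.designMode = true;
  bool designModeOk = FindSelectionRoot(&field) == &root;
  doc.designMode = false;
  bool anonWouldCrash = UncheckedPathWouldDerefNull(&anonLeaf);
  bool anonFixedOk = FindSelectionRoot(&anonLeaf) == nullptr;
  return ordinaryOk && designModeOk && anonWouldCrash && anonFixedOk;
}
```

The point of the predicate is that the pre-fix path is not a bug in the helper: returning nullptr when no non-chrome-only node exists is a valid answer, and the defect is entirely in the caller assuming the answer is never empty. A crashtest, as the approval request says one was added, is the right regression guard for this class of fix because it exercises the exact input shape that makes the helper return nullptr.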
Comment 4 • 7 years ago
Comment on attachment 8960111 [details] [diff] [review]
form control might not have non-chrome only content
Thanks
Attachment #8960111 - Flags: review?(bugs) → review+
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7c62a4dbbaf3
Form control might not have non-chrome only content. r=smaug
Comment 6 • 7 years ago
I guess we need this on beta too.
Comment 7 • 7 years ago (bugherder)
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox61: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Comment 8 • 7 years ago (Assignee)
Comment on attachment 8960111 [details] [diff] [review]
form control might not have non-chrome only content
Approval Request Comment
[Feature/Bug causing the regression]:
Bug 1066965
[User impact if declined]:
Firefox can be crashed by JavaScript
[Is this code covered by automated tests?]:
Yes, I added a crashtest
[Has the fix been verified in Nightly?]:
Yes.
[Needs manual test from QE? If yes, steps to reproduce]:
Unnecessary
[List of other uplifts needed for the feature/fix]:
N/A
[Is the change risky?]:
Low
[Why is the change risky/not risky?]:
The fix is only a nullptr check for this situation.
[String changes made/needed]:
Nothing
Attachment #8960111 - Flags: approval-mozilla-beta?
Comment 9 • 7 years ago
Comment on attachment 8960111 [details] [diff] [review]
form control might not have non-chrome only content
low volume null deref regression, beta60+
Attachment #8960111 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 10 • 7 years ago (bugherder uplift)
Flags: in-testsuite? → in-testsuite+