Closed
Bug 1464251
Opened 7 years ago
Closed 6 years ago
crash near null in [@ mozilla::HTMLEditor::SplitStyleAbovePoint]
Categories
(Core :: DOM: Editor, defect, P1)
Tracking
RESOLVED
FIXED
mozilla63
People
(Reporter: tsmith, Assigned: m_kato)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(2 files)
Reproduced with m-c:
BuildID=20180523220103
SourceStamp=47e81ea1ef10189ef210867934bf36e14cf223dc
==37483==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f818736cb6b bp 0x7ffe48e3ece0 sp 0x7ffe48e3e920 T0)
==37483==The signal is caused by a READ memory access.
==37483==Hint: address points to the zero page.
#0 0x7f818736cb6a in GetBoolFlag src/obj-firefox/dist/include/nsINode.h:1651:12
#1 0x7f818736cb6a in GetParent src/obj-firefox/dist/include/nsINode.h:1006
#2 0x7f818736cb6a in mozilla::HTMLEditor::SplitStyleAbovePoint(nsCOMPtr<nsINode>*, int*, nsAtom*, nsAtom*, nsIContent**, nsIContent**) src/editor/libeditor/HTMLStyleEditor.cpp:553
#3 0x7f818739a229 in mozilla::HTMLEditor::ClearStyle(nsCOMPtr<nsINode>*, int*, nsAtom*, nsAtom*) src/editor/libeditor/HTMLStyleEditor.cpp:604:17
#4 0x7f818733ff6c in mozilla::HTMLEditRules::CreateStyleForInsertText(nsIDocument&) src/editor/libeditor/HTMLEditRules.cpp:6041:25
#5 0x7f818731766e in mozilla::HTMLEditRules::WillInsertText(mozilla::EditAction, bool*, bool*, nsTSubstring<char16_t> const*, nsTSubstring<char16_t>*, int) src/editor/libeditor/HTMLEditRules.cpp:1489:8
#6 0x7f81873165ad in mozilla::HTMLEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::RulesInfo*, bool*, bool*) src/editor/libeditor/HTMLEditRules.cpp:697:14
#7 0x7f8187481f62 in mozilla::TextEditor::InsertTextAsAction(nsTSubstring<char16_t> const&) src/editor/libeditor/TextEditor.cpp:968:24
#8 0x7f81872cfc97 in mozilla::InsertPlaintextCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) src/editor/libeditor/EditorCommands.cpp:1130:20
#9 0x7f818540133c in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) src/dom/commandhandler/nsControllerCommandTable.cpp:162:26
#10 0x7f81853f7493 in DoCommandWithParams src/dom/commandhandler/nsBaseCommandController.cpp:152:25
#11 0x7f81853f7493 in non-virtual thunk to nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) src/dom/commandhandler/nsBaseCommandController.cpp
#12 0x7f81853fdb1a in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) src/dom/commandhandler/nsCommandManager.cpp:210:29
#13 0x7f81858fcfc4 in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) src/dom/html/nsHTMLDocument.cpp:2952:18
#14 0x7f818490e676 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:577:21
#15 0x7f8184de8911 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3280:13
#16 0x1eafb497e33f (<unknown module>)
Flags: in-testsuite?
Updated•7 years ago
Priority: -- → P1
Updated•7 years ago
Crash Signature: [@ mozilla::HTMLEditor::SplitStyleAbovePoint ]
Comment 1•6 years ago
SplitStyleAbovePoint calls SplitNodeDeepWithTransaction repeatedly. If
SplitNodeDeepWithTransaction creates an orphan node, as in this test case,
this crash occurs. So we should check whether the node becomes an orphan node.
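A simplified model of the failure described in comment 1, added here as an illustration; it is not Mozilla's code or the landed patch. `Node`, `SplitDeep`, `WalkUnchecked`, `WalkChecked` and `Demo` are hypothetical names, and the tree is constructed sample data.

```cpp
// Toy stand-in for a DOM node; only the parent link matters here.
struct Node {
  Node* parent = nullptr;
  bool styled = false;         // an inline style element that must be split
  bool orphanOnSplit = false;  // constructed: the split leaves this node detached
};

// Hypothetical deep split: may leave `n` without a parent.
static void SplitDeep(Node* n) {
  if (n->orphanOnSplit) n->parent = nullptr;
}

// Unchecked walk: after a split it steps to n->parent and then reads
// n->parent again in the loop condition, so an orphaned node makes the
// next iteration dereference a null pointer (a read near address zero).
static int WalkUnchecked(Node* n) {
  int splits = 0;
  while (n->parent) {
    if (n->styled) { SplitDeep(n); ++splits; }
    n = n->parent;  // becomes nullptr if the split orphaned n
  }
  return splits;
}

// Checked walk: re-validate the node after every split and stop early.
// Returns the number of splits, or -1 if an orphan was detected.
static int WalkChecked(Node* n) {
  int splits = 0;
  while (n && n->parent) {
    if (n->styled) {
      SplitDeep(n);
      ++splits;
      if (!n->parent) return -1;  // orphan: abort instead of walking on
    }
    n = n->parent;
  }
  return splits;
}

// Constructed sample tree: root <- block <- bold <- italic (leaf).
static int Demo(bool orphan, bool checked) {
  Node root, block, bold, italic;
  block.parent = &root; bold.parent = &block; italic.parent = &bold;
  bold.styled = italic.styled = true;
  bold.orphanOnSplit = orphan;
  return checked ? WalkChecked(&italic) : WalkUnchecked(&italic);
}
```

`Demo(true, false)` is the crashing combination and is left uncalled; under AddressSanitizer it reports a SEGV on a READ in the zero page, the same class of report as the one above.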
Comment 2•6 years ago
Makoto-san:
After I commented in Phabricator, you have not updated anything. Did you receive any notifications about the comment?
Assignee: nobody → m_kato
Flags: needinfo?(m_kato)
Comment 3•6 years ago
Comment on attachment 8990173 [details]
Bug 1464251 - SplitNodeDeepWithTransaction might create orphan node. r?masayuki
Masayuki Nakano [:masayuki] (JST, +0900) has approved the revision.
Attachment #8990173 - Flags: review+
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/147cb3ed71f8
SplitNodeDeepWithTransaction might create orphan node. r=masayuki
Updated•6 years ago
Flags: needinfo?(m_kato)
Comment 5•6 years ago
bugherder
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox63: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Updated•6 years ago
status-firefox61: --- → wontfix
status-firefox-esr52: --- → wontfix
status-firefox-esr60: --- → wontfix
Flags: in-testsuite? → in-testsuite+