Closed Bug 1512691 Opened 6 years ago Closed 6 years ago

Crash in nsWebBrowserFind::SetSelectionAndScroll

Categories

(Core :: Find Backend, defect)

Unspecified
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1510485

People

(Reporter: mccr8, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-fabd448b-3aa5-422d-867c-bf2870181207.
=============================================================
Top 10 frames of crashing thread:

0 libxul.so nsWebBrowserFind::SetSelectionAndScroll dom/base/nsINode.h:1482
1 libxul.so nsWebBrowserFind::SearchInFrame toolkit/components/find/nsWebBrowserFind.cpp:696
2 libxul.so nsWebBrowserFind::FindNext toolkit/components/find/nsWebBrowserFind.cpp:108
3 libxul.so nsGlobalWindowOuter::FindOuter dom/base/nsGlobalWindowOuter.cpp:6084
4 libxul.so mozilla::dom::Window_Binding::find dom/bindings/WindowBinding.cpp:6148
5 libxul.so bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3063
6 libxul.so js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:443
7 libxul.so Interpret js/src/vm/Interpreter.cpp:590
8 libxul.so js::RunScript js/src/vm/Interpreter.cpp:423
9 libxul.so js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:563
=============================================================

This is a null deref. 23 crashes in the last week on Nightly.

I can't tell from the crash report where in nsWebBrowserFind::SetSelectionAndScroll we're actually hitting the null deref. The top frame is GetBoolFlag(). Maybe this QI could fail:

  nsCOMPtr<nsIContent> content(do_QueryInterface(node));
  nsIFrame* frame = content->GetPrimaryFrame();

That feels like something that could possibly have broken from Boris's de-COM stuff, though that's older than Nightly-only.

I also see no null check for selCon (and no check for the success of the function that returns it), but that isn't a node, so I would think we wouldn't be calling GetBoolFlag() on it.
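The failure mode the reporter suspects above (a QueryInterface that can return null, followed by an unconditional dereference) is easier to see in isolation. The following is an added, stand-alone C++ example, not Gecko code and not the actual fix for this bug (which was resolved as a duplicate of bug 1510485); the types and functions (Node, Content, Frame, queryContent, selectionFrameUnchecked, selectionFrameChecked, FindResult) are invented stand-ins for nsINode, nsIContent, nsIFrame and do_QueryInterface. It shows the unchecked shape beside a hardened form that reports a failed QI or a missing primary frame instead of crashing.

```cpp
// Added example (not Gecko code). Stand-in for the
// do_QueryInterface(node) -> content->GetPrimaryFrame() pattern.
// All names below are invented for illustration.
#include <cstdio>

struct Frame { int id; };

// Base "node" type; stands in for nsINode. Polymorphic so that
// dynamic_cast can play the role of QueryInterface.
struct Node {
  virtual ~Node() = default;
};

// A node that is also content and may therefore own a primary frame.
struct Content : Node {
  Frame* primaryFrame = nullptr;
  Frame* GetPrimaryFrame() const { return primaryFrame; }
};

// A node that is NOT content (think: a document node).
struct OtherNode : Node {};

// Stand-in for do_QueryInterface: yields nullptr when the node does not
// implement the requested interface. That nullptr is the hazard.
Content* queryContent(Node* node) {
  return dynamic_cast<Content*>(node);
}

// 1. The shape comment 0 suspects: the QI result is dereferenced
//    unconditionally. If node is not Content this is a null deref.
Frame* selectionFrameUnchecked(Node* node) {
  Content* content = queryContent(node);
  return content->GetPrimaryFrame();   // undefined behaviour when null
}

// 2. Hardened form: a failed QI, or content with no layout frame yet,
//    becomes an explicit result the caller can act on.
enum class FindResult { Ok, NotContent, NoFrame };

FindResult selectionFrameChecked(Node* node, Frame** outFrame) {
  *outFrame = nullptr;
  Content* content = queryContent(node);
  if (!content) {
    return FindResult::NotContent;    // QI failed: nothing to scroll to
  }
  Frame* frame = content->GetPrimaryFrame();
  if (!frame) {
    return FindResult::NoFrame;       // content exists but has no frame
  }
  *outFrame = frame;
  return FindResult::Ok;
}

int main() {
  Frame f{42};
  Content c;
  c.primaryFrame = &f;
  Content noLayout;   // content without a primary frame
  OtherNode other;    // not content at all
  Frame* out = nullptr;

  std::printf("content:     result=%d\n", (int)selectionFrameChecked(&c, &out));
  std::printf("no layout:   result=%d\n", (int)selectionFrameChecked(&noLayout, &out));
  std::printf("not content: result=%d\n", (int)selectionFrameChecked(&other, &out));
  // selectionFrameUnchecked(&other) would dereference null and crash,
  // which is the class of failure the Socorro report describes.
  return 0;
}
```

The point of the hardened variant is that the null is surfaced as a distinct return value rather than as a crash, so a caller such as the find loop can skip the match or bail out cleanly; it does not by itself explain why the QI fails for the node in question.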
Looks like there's a test case in bug 1510485.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE