Closed Bug 1557607 Opened 6 years ago Closed 6 years ago

crash near null in [@ nsPresContext::GetDocShell]

Categories

(Core :: DOM: Editor, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking


RESOLVED DUPLICATE of bug 1558412
Tracking Status
firefox69 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html

Found with m-c 20190606-fee989d27558

==31692==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7fb92a6c8070 bp 0x7ffd17ac2670 sp 0x7ffd17ac2670 T0)
==31692==The signal is caused by a READ memory access.
==31692==Hint: address points to the zero page.
    #0 0x7fb92a6c806f in get /src/obj-firefox/dist/include/mozilla/RefPtr.h:268:27
    #1 0x7fb92a6c806f in operator-> /src/obj-firefox/dist/include/mozilla/RefPtr.h:298
    #2 0x7fb92a6c806f in nsPresContext::GetDocShell() const /src/layout/base/nsPresContext.cpp:1133
    #3 0x7fb92350ee9a in nsContentUtils::GetHTMLEditor(nsPresContext*) /src/dom/base/nsContentUtils.cpp:6796:48
    #4 0x7fb927b815c8 in nsGenericHTMLElement::ChangeEditableState(int) /src/dom/html/nsGenericHTMLElement.cpp:2476:13
    #5 0x7fb927b80a22 in nsGenericHTMLElement::AfterSetAttr(int, nsAtom*, nsAttrValue const*, nsAttrValue const*, nsIPrincipal*, bool) /src/dom/html/nsGenericHTMLElement.cpp:691:7
    #6 0x7fb923933486 in mozilla::dom::Element::SetAttrAndNotify(int, nsAtom*, nsAtom*, nsAttrValue const*, nsAttrValue&, nsIPrincipal*, unsigned char, bool, bool, bool, mozilla::dom::Document*, mozAutoDocUpdate const&) /src/dom/base/Element.cpp:2502:10
    #7 0x7fb923929d40 in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /src/dom/base/Element.cpp:2366:10
    #8 0x7fb9268931b5 in SetAttr /src/obj-firefox/dist/include/mozilla/dom/Element.h:836:12
    #9 0x7fb9268931b5 in SetAttr /src/obj-firefox/dist/include/mozilla/dom/Element.h:832
    #10 0x7fb9268931b5 in SetAttr /src/obj-firefox/dist/include/mozilla/dom/Element.h:1559
    #11 0x7fb9268931b5 in SetHTMLAttr /src/dom/html/nsGenericHTMLElement.h:712
    #12 0x7fb9268931b5 in nsGenericHTMLElement::SetContentEditable(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /src/dom/html/nsGenericHTMLElement.h:120
    #13 0x7fb926892958 in mozilla::dom::HTMLElement_Binding::set_contentEditable(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitSetterCallArgs) /src/obj-firefox/dom/bindings/HTMLElementBinding.cpp:863:24
    #14 0x7fb926dd68c8 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3124:8
    #15 0x7fb92e6c2057 in CallJSNative /src/js/src/vm/Interpreter.cpp:448:13
    #16 0x7fb92e6c2057 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:540
    #17 0x7fb92e6c80ed in InternalCall /src/js/src/vm/Interpreter.cpp:595:10
    #18 0x7fb92e6c80ed in Call /src/js/src/vm/Interpreter.cpp:611
    #19 0x7fb92e6c80ed in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /src/js/src/vm/Interpreter.cpp:749
    #20 0x7fb92ed48733 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /src/js/src/vm/NativeObject.cpp:2926:8
    #21 0x7fb92ed41211 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /src/js/src/vm/NativeObject.cpp:2955:14
    #22 0x7fb92e69d070 in SetProperty /src/js/src/vm/ObjectOperations-inl.h:283:10
    #23 0x7fb92e69d070 in SetPropertyOperation /src/js/src/vm/Interpreter.cpp:270
    #24 0x7fb92e69d070 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:2852
    #25 0x7fb92e68c2c8 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:425:10
    #26 0x7fb92e6c2b5f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:568:13
    #27 0x7fb92e6c4d82 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:611:8
    #28 0x7fb92f342c98 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2667:10
    #29 0x7fb9263b21e9 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
    #30 0x7fb9276b3105 in Call<nsCOMPtr<mozilla::dom::EventTarget> > /src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #31 0x7fb9276b3105 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /src/dom/events/JSEventHandler.cpp:205
    #32 0x7fb927662aca in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1028:22
    #33 0x7fb9276646c7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /src/dom/events/EventListenerManager.cpp:1220:17
    #34 0x7fb927645431 in HandleEvent /src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #35 0x7fb927645431 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:349
    #36 0x7fb927643666 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:551:16
    #37 0x7fb92764a3d4 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:1047:11
    #38 0x7fb92a6653bd in nsDocumentViewer::PageHide(bool) /src/layout/base/nsDocumentViewer.cpp:1469:5
    #39 0x7fb92d4a0fd7 in nsDocShell::FirePageHideNotificationInternal(bool, bool) /src/docshell/base/nsDocShell.cpp:935:20
    #40 0x7fb92d48d351 in FirePageHideNotification /src/docshell/base/nsDocShell.cpp:919:3
    #41 0x7fb92d48d351 in nsDocShell::Destroy() /src/docshell/base/nsDocShell.cpp:5011
    ...
Flags: in-testsuite?
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE