Closed Bug 1413695 Opened 7 years ago Closed 4 years ago

crash at null in [@ ChangeStyleTransaction]

Categories

(Core :: DOM: Editor, defect, P2)

58 Branch
defect

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox63 --- wontfix

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(1 file)

Attached file test_case.html
==96240==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6dc8957887 bp 0x7ffe8bd8aaf0 sp 0x7ffe8bd8aaa0 T0)
==96240==The signal is caused by a READ memory access.
==96240==Hint: address points to the zero page.
    #0 0x7f6dc8957886 in nsCOMPtr /src/obj-firefox/dist/include/nsCOMPtr.h:486:7
    #1 0x7f6dc8957886 in ChangeStyleTransaction /src/editor/libeditor/ChangeStyleTransaction.cpp:127
    #2 0x7f6dc8957886 in mozilla::CSSEditUtils::CreateCSSPropertyTxn(mozilla::dom::Element&, nsAtom&, nsTSubstring<char16_t> const&, mozilla::ChangeStyleTransaction::EChangeType) /src/editor/libeditor/CSSEditUtils.cpp:503
    #3 0x7f6dc8959049 in SetCSSProperty /src/editor/libeditor/CSSEditUtils.cpp:458:5
    #4 0x7f6dc8959049 in mozilla::CSSEditUtils::SetCSSPropertyPixels(mozilla::dom::Element&, nsAtom&, int) /src/editor/libeditor/CSSEditUtils.cpp:473
    #5 0x7f6dc89d4505 in mozilla::HTMLEditor::SetAnonymousElementPosition(int, int, mozilla::dom::Element*) /src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:551:18
    #6 0x7f6dc89bf837 in mozilla::HTMLEditor::RefreshGrabber() /src/editor/libeditor/HTMLAbsPositionEditor.cpp:295:3
    #7 0x7f6dc89cb939 in mozilla::HTMLEditor::CheckSelectionStateForAnonymousButtons(nsISelection*) /src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:450:21
    #8 0x7f6dc8a87db3 in mozilla::HTMLEditor::EndUpdateViewBatch() /src/editor/libeditor/HTMLEditor.cpp:4581:10
    #9 0x7f6dc897d96c in mozilla::EditorBase::EndTransaction() /src/editor/libeditor/EditorBase.cpp:956:3
    #10 0x7f6dc8b43ef4 in nsStyleUpdatingCommand::ToggleState(mozilla::HTMLEditor*) /src/editor/composer/nsComposerCommands.cpp:277:18
    #11 0x7f6dc8b42576 in nsBaseStateUpdatingCommand::DoCommand(char const*, nsISupports*) /src/editor/composer/nsComposerCommands.cpp:105:10
    #12 0x7f6dc6cddf05 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /src/dom/commandhandler/nsControllerCommandTable.cpp:147:26
    #13 0x7f6dc6cd4bee in nsBaseCommandController::DoCommand(char const*) /src/dom/commandhandler/nsBaseCommandController.cpp:136:25
    #14 0x7f6dc6cdb1f4 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /src/dom/commandhandler/nsCommandManager.cpp:212:22
    #15 0x7f6dc720c892 in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /src/dom/html/nsHTMLDocument.cpp:3349:18
    #16 0x7f6dc6728170 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:891:21
    #17 0x7f6dc6a18dd0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3040:13
    #18 0x7f6dcd042ce0 in CallJSNative /src/js/src/jscntxtinlines.h:291:15
    #19 0x7f6dcd042ce0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:472
    #20 0x7f6dcd02d937 in CallFromStack /src/js/src/vm/Interpreter.cpp:527:12
    #21 0x7f6dcd02d937 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3066
    #22 0x7f6dcd01563a in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:422:12
    #23 0x7f6dcd042ddf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:494:15
    #24 0x7f6dcd043cd2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:540:10
    #25 0x7f6dcda8890b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:3019:12
    #26 0x7f6dc64342a5 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #27 0x7f6dc6e2d0ed in Call<nsISupports *> /src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #28 0x7f6dc6e2d0ed in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /src/dom/events/JSEventHandler.cpp:215
    #29 0x7f6dc6df5e16 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1118:51
    #30 0x7f6dc6df7fe2 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /src/dom/events/EventListenerManager.cpp:1293:20
    #31 0x7f6dc6dd76c1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:462:16
    #32 0x7f6dc6ddab92 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:826:9
    #33 0x7f6dc6da9d8a in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /src/dom/events/EventDispatcher.cpp:895:12
    #34 0x7f6dc4f8ad51 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /src/dom/base/nsINode.cpp:1356:5
    #35 0x7f6dc6d78475 in mozilla::AsyncEventDispatcher::Run() /src/dom/events/AsyncEventDispatcher.cpp:70:12
    #36 0x7f6dc20c1216 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1037:14
    #37 0x7f6dc20db6d8 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:513:10
    #38 0x7f6dc2eadc41 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
    #39 0x7f6dc2e0e3ab in RunInternal /src/ipc/chromium/src/base/message_loop.cc:326:10
    #40 0x7f6dc2e0e3ab in RunHandler /src/ipc/chromium/src/base/message_loop.cc:319
    #41 0x7f6dc2e0e3ab in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299
    #42 0x7f6dc884af9f in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:158:27
    #43 0x7f6dccb98d31 in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #44 0x7f6dccd8ee9b in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4686:22
    #45 0x7f6dccd90a65 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4848:8
    #46 0x7f6dccd91e16 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4943:21
    #47 0x4ec4ec in do_main /src/browser/app/nsBrowserApp.cpp:231:22
    #48 0x4ec4ec in main /src/browser/app/nsBrowserApp.cpp:304
    #49 0x7f6ddfdb482f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #50 0x41dbc8 in _start (firefox+0x41dbc8)
Flags: in-testsuite?
Priority: -- → P1
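To make a report like the one attached above quicker to triage, here is an added example (it is not part of the bug and not Mozilla's tooling). It parses the ASan SEGV header and frames, marks frames that share a program counter with the next frame as inlined, derives a crash signature from the top frames, and labels a read from the zero page as a null dereference. The sample input is a constructed excerpt of the trace above; the `prefix_frames` and `skip_frames` sets are an assumption modelled on the prefix and skip lists that signature generators such as Socorro use, seeded with `nsCOMPtr` so that both signatures listed on this bug come out.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the header and top frames of the ASan report
# attached to this bug, one frame per line as ASan prints them.
SAMPLE_REPORT = """\
==96240==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6dc8957887 bp 0x7ffe8bd8aaf0 sp 0x7ffe8bd8aaa0 T0)
==96240==The signal is caused by a READ memory access.
==96240==Hint: address points to the zero page.
    #0 0x7f6dc8957886 in nsCOMPtr /src/obj-firefox/dist/include/nsCOMPtr.h:486:7
    #1 0x7f6dc8957886 in ChangeStyleTransaction /src/editor/libeditor/ChangeStyleTransaction.cpp:127
    #2 0x7f6dc8957886 in mozilla::CSSEditUtils::CreateCSSPropertyTxn(mozilla::dom::Element&, nsAtom&, nsTSubstring<char16_t> const&, mozilla::ChangeStyleTransaction::EChangeType) /src/editor/libeditor/CSSEditUtils.cpp:503
    #3 0x7f6dc8959049 in SetCSSProperty /src/editor/libeditor/CSSEditUtils.cpp:458:5
    #4 0x7f6dc8959049 in mozilla::CSSEditUtils::SetCSSPropertyPixels(mozilla::dom::Element&, nsAtom&, int) /src/editor/libeditor/CSSEditUtils.cpp:473
    #5 0x7f6dc89d4505 in mozilla::HTMLEditor::SetAnonymousElementPosition(int, int, mozilla::dom::Element*) /src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:551:18
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\w+) on unknown address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# A frame is "#N 0xPC in <function, may contain spaces> <location>"; the
# location is the last whitespace-free token on the line.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x([0-9a-fA-F]+)\s+in\s+(.*)\s+(\S+)\s*$")


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    location: str
    inlined: bool = False  # True when the caller frame reports the same pc


def parse_report(text):
    """Parse the ASan SEGV header and stack frames into a dict."""
    report = {"signal": None, "address": None, "access": None,
              "zero_page": False, "frames": []}
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            report["signal"], report["address"] = m.group(1), int(m.group(2), 16)
            continue
        m = ACCESS_RE.search(line)
        if m:
            report["access"] = m.group(1)
            continue
        if "address points to the zero page" in line:
            report["zero_page"] = True
            continue
        m = FRAME_RE.match(line)
        if m:
            report["frames"].append(Frame(int(m.group(1)), int(m.group(2), 16),
                                          m.group(3), m.group(4)))
    # A run of frames with one pc is one physical frame: every frame in the
    # run except the last was inlined into the one after it.
    frames = report["frames"]
    for i in range(len(frames) - 1):
        frames[i].inlined = frames[i].pc == frames[i + 1].pc
    return report


def base_name(function):
    """Drop the argument list so signatures compare by function name only."""
    return function.split("(", 1)[0].strip()


def signature(frames, prefix_frames=frozenset({"nsCOMPtr"}), skip_frames=frozenset()):
    """Build a Socorro-style "[@ a | b]" signature from the top frames.

    Assumption: prefix frames (smart-pointer helpers and the like) are kept
    but do not end the signature; skip frames are dropped entirely.
    """
    parts = []
    for frame in frames:
        name = base_name(frame.function)
        if name in skip_frames:
            continue
        parts.append(name)
        if name not in prefix_frames:
            break
    return "[@ " + " | ".join(parts) + "]"


def classify(report, page_size=0x1000):
    """Label a SEGV whose address lies in the first page as a null dereference."""
    access = (report["access"] or "unknown").lower()
    if (report["signal"] == "SEGV" and report["address"] is not None
            and report["address"] < page_size):
        return "null-deref-" + access
    return (report["signal"] or "unknown").lower() + "-" + access


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(classify(rep), signature(rep["frames"]))
    for f in rep["frames"]:
        tag = "(inlined) " if f.inlined else ""
        print(f"#{f.index} {tag}{base_name(f.function)} {f.location}")
```

Run as a script it prints `null-deref-read [@ nsCOMPtr | ChangeStyleTransaction]` followed by the frames; calling `signature(frames, skip_frames={"nsCOMPtr"})` instead yields the shorter `[@ ChangeStyleTransaction]` form that also appears in this bug's Crash Signature field.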
I haven't been able to reproduce this one on Win10 or Ubuntu 17.10 :(
(In reply to Ryan VanderMeulen [:RyanVM] from comment #1)
> I haven't been able to reproduce this one on Win10 or Ubuntu 17.10 :(

I'm not sure what is wrong. I just double checked the testcase does repro for me on 16.04 with an ASan opt build (SourceStamp=0a7ff6e19bcc229500d92597fac9340d9bdef959)
Cannot crash. I think that mGrabber might be nullptr.
Priority: P1 → P2
Crash Signature: [@ nsCOMPtr | ChangeStyleTransaction] [@ ChangeStyleTransaction]
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Please don't close bugs with test-cases.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---

Looks like this has been fixed. The attached test case no longer reproduces the issue. Fuzzers last hit this with m-c 20180810-9a6728f46269

Status: REOPENED → RESOLVED
Closed: 6 years ago → 4 years ago
Resolution: --- → FIXED
Resolution: FIXED → WORKSFORME
