Closed Bug 1270235 Opened 4 years ago Closed 3 years ago

Firefox crashes when typing into removed contenteditable text node

Categories

(Core :: DOM: Editor, defect, P2)

48 Branch
x86_64
macOS
defect

RESOLVED FIXED
mozilla54
Tracking Status
firefox48 --- wontfix
firefox49 --- wontfix
firefox-esr45 --- affected
firefox51 --- wontfix
firefox52 --- fixed
firefox-esr52 --- fixed
firefox53 --- fixed
firefox54 --- fixed

People

(Reporter: jhchen7, Assigned: m_kato)

Details

(Keywords: crash)

Attachments

(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36

Steps to reproduce:

1. Visit: http://codepen.io/quill/pen/xVmqbE
2. Click on the button
3. Type 'a' (any printable character should do)

FF 46.0.1: https://crash-stats.mozilla.com/report/index/7fcb93fc-520c-4e31-a6f8-ae0d62160504
FF 48.0a2: https://crash-stats.mozilla.com/report/index/c9bbb09f-947f-4b7e-b50e-d1f6a2160504


Actual results:

Firefox crashes


Expected results:

Probably nothing. Since the selection was added to a node that is no longer in the DOM, typing into it should do nothing.
WFM in Fx47b2, 48(2016-05-02) and 49(2016-05-03) on Win10.
Severity: normal → critical
Crash Signature: [@ nsHTMLEditRules::RemoveEmptyNodes ]
Keywords: crash
Product: Firefox → Core
It does look like it's a Mac-only issue. I tried to reproduce on various platforms on Sauce Labs and no issues occur in Windows 7/8/8.1/10 and Linux. The crash can be observed on OSX Mountain Lion [1], Mavericks [2], and Yosemite [3]. All were using FF46, except Linux was using FF45.

[1] https://saucelabs.com/beta/tests/f73bce1b010b49719bc80d4d351748cc/watch
[2] https://saucelabs.com/beta/tests/63784922cecf4b64958783ea5bcb48fd/watch
[3] https://saucelabs.com/beta/tests/d765d28db8ba4e7b9ad9157086d2a6b7/watch
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0

The issue is indeed reproducible on Mac OS X 10.9 and 10.11 on the Nightly (49.0a1, Build ID 20160510030240) channel as well. The only other mention I can make is that in the case of Nightly, only the tab crashes.
Status: UNCONFIRMED → NEW
Component: Untriaged → Editor
Ever confirmed: true
OS: Unspecified → Mac OS X
Hardware: Unspecified → x86_64
Crash volume for signature 'nsHTMLEditRules::RemoveEmptyNodes':
 - nightly (version 51): 0 crashes from 2016-08-01.
 - aurora  (version 50): 0 crashes from 2016-08-01.
 - beta    (version 49): 12 crashes from 2016-08-02.
 - release (version 48): 104 crashes from 2016-07-25.
 - esr     (version 45): 94 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
 - nightly       0       0       0
 - aurora        0       0       0
 - beta          2       4       0
 - release      27      22      12
 - esr          15       3      10

Affected platform: Mac OS X

Crash rank on the last 7 days:
           Browser     Content   Plugin
 - nightly
 - aurora
 - beta    #2016
 - release #494
 - esr     #688
Duplicate of this bug: 1336414
As noted in the other bug, these crash reports have a high correlation (90%+) to the Grammarly extension being installed.
Crash Signature: [@ nsHTMLEditRules::RemoveEmptyNodes ] → [@ nsHTMLEditRules::RemoveEmptyNodes ] [@ mozilla::HTMLEditRules::RemoveEmptyNodes ]
Priority: -- → P2
Assignee: nobody → m_kato
regression by bug 1154701
Comment on attachment 8836596 [details]
Bug 1270235 - Part 1. Check parent node is null in RemoveEmptyNodes.

https://reviewboard.mozilla.org/r/111990/#review113224
Attachment #8836596 - Flags: review?(masayuki) → review+
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/4d5fe833df04
Part 1. Check parent node is null in RemoveEmptyNodes. r=masayuki
https://hg.mozilla.org/integration/autoland/rev/334642cf0c00
Part 2. Add test. r=masayuki
https://hg.mozilla.org/mozilla-central/rev/4d5fe833df04
https://hg.mozilla.org/mozilla-central/rev/334642cf0c00
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Thanks for tracking this down! Please request Aurora/Beta approval on this when you get a chance.
Flags: needinfo?(m_kato)
Flags: in-testsuite+
Comment on attachment 8836596 [details]
Bug 1270235 - Part 1. Check parent node is null in RemoveEmptyNodes.

Approval Request Comment
[Feature/Bug causing the regression]:
bug 1154701

[User impact if declined]:
Firefox on OSX might crash when typing any character

[Is this code covered by automated tests?]:
Yes.

[Has the fix been verified in Nightly?]:
Yes

[Needs manual test from QE? If yes, steps to reproduce]: 
No

[List of other uplifts needed for the feature/fix]:
No

[Is the change risky?]:
Too low.

[Why is the change risky/not risky?]:
Check nullptr only.

[String changes made/needed]:
No
Flags: needinfo?(m_kato)
Attachment #8836596 - Flags: approval-mozilla-beta?
Attachment #8836596 - Flags: approval-mozilla-aurora?
Attachment #8836597 - Flags: approval-mozilla-beta?
Attachment #8836597 - Flags: approval-mozilla-aurora?
Comment on attachment 8836596 [details]
Bug 1270235 - Part 1. Check parent node is null in RemoveEmptyNodes.

Fix a crash on OSX when typing some characters. Aurora53+.
Attachment #8836596 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Attachment #8836597 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 8836596 [details]
Bug 1270235 - Part 1. Check parent node is null in RemoveEmptyNodes.

fix a crash, beta52+
Attachment #8836596 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8836597 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Setting qe-verify- based on Makoto's assessment on manual testing needs (Comment 16) and the fact that this fix has automated coverage.
Flags: qe-verify-