Closed Bug 1411345 Opened 7 years ago Closed 7 years ago

stack-overflow in [@ mozilla::HTMLEditRules::WillDeleteSelection]

Categories

(Core :: DOM: Editor, defect)

Product:
Core
Component:
DOM: Editor
Version:
55 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla58
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- fixed

People

(Reporter: tsmith, Assigned: masayuki)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

test_case.html
442 bytes, text/html
Details
Bug 1411345 - HTMLEditRules::GetHighestInlineParent() shouldn't return editing host even when it's the highest inline parent of aNode
59 bytes, text/x-review-board-request
m_kato
: review+
Details
Attached file test_case.html 
The stack is this frame repeated... mozilla::HTMLEditRules::WillDeleteSelection(mozilla::dom::Selection*, short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2321:16
Flags: in-testsuite?
INFO: Last good revision: f5c43a9f8510ad50cf45248fe306707aa059b991
INFO: First bad revision: e05f84ea2a338e172a55a0898e3551fff61abb0a
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f5c43a9f8510ad50cf45248fe306707aa059b991&tochange=e05f84ea2a338e172a55a0898e3551fff61abb0a
Blocks: 1355792
Has Regression Range: --- → yes
status-firefox56: --- → wontfix
status-firefox57: --- → affected
status-firefox-esr52: --- → unaffected
Flags: needinfo?(masayuki)
Version: Trunk → 55 Branch
TryToJoinBlocks() doesn't return the result of MoveBlock():
https://searchfox.org/mozilla-central/rev/40e8eb46609dcb8780764774ec550afff1eed3a5/editor/libeditor/HTMLEditRules.cpp#2841-2846,2851

Then, WillDeleteSelection() believes that it does nothing. Then, it retries to delete selection again with recursive call and this causes the infinite loop.
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
Although, the patch does NOT fix direct cause of the crash. I.e., not fixing the recursive call. However, such unexpected recursive calls are a bug of other methods which WillDeleteSelection() doesn't check the result strictly. So, this fix must be okay for now.

(The root cause of this bug is, SplitNodeDeep() splits editing host whose style is inline unexpectedly.  Then, another editing host cannot be joined to expected node since they are in different editing host.)
Comment on attachment 8923875 [details]
Bug 1411345 - HTMLEditRules::GetHighestInlineParent() shouldn't return editing host even when it's the highest inline parent of aNode

https://reviewboard.mozilla.org/r/195008/#review200350
Attachment #8923875 - Flags: review?(m_kato) → review+
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/dd95e6f8c0b6
HTMLEditRules::GetHighestInlineParent() shouldn't return editing host even when it's the highest inline parent of aNode r=m_kato
https://hg.mozilla.org/mozilla-central/rev/dd95e6f8c0b6
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox58: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
status-firefox57: affectedwontfix
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: