Closed Bug 161304 Opened 22 years ago Closed 22 years ago

Deletion of HTML node causes Mozilla crash

Categories

(Core :: CSS Parsing and Computation, defect, P1)

x86
All
defect

Tracking

VERIFIED FIXED
mozilla1.3beta

People

(Reporter: owen.marshall+bmo, Assigned: dbaron)

Details

(Keywords: crash, testcase, Whiteboard: [patch])

Attachments

(1 file)

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.1b) Gecko/20020805
BuildID:    2002080508

The summary says it all.

Reproducible: Always
Steps to Reproduce:
1. Load the test page, and click "test node deletion"


Actual Results:  Mozilla crashes in GKCONTENT.DLL

Expected Results:  Mozilla should have handled this gracefully, either returning
an error message (if needed), or by displaying a blank page (as IE does, not
sure if this is proper).

If someone wants to refresh my memory on how to send in a talkback ID, I can
send it in.
Additional Note: Removing all children of document also causes a crash.
(see http://www.people.fas.harvard.edu/~dbaron/dom/test/removing-html/document_ch)
Talkback for first problem using BuildID 2002080508 on Win2K SP2 is TB9034733X

Once you have submitted the talkback report, go into bin\components and run
talkback.exe to find the incident ID.

Adding crash keyword
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
For the 2nd problem the talkback ID is TB9034901E
We crash due to an UndisplayedNode holding a weak pointer to a content object
that has already been deleted.

Here's the stack for the crash:

StyleSetImpl::ResolveStyleFor(nsIPresContext * 0x03590650, nsIContent * 0x0331e7f8, nsIStyleContext * 0x0356aea8) line 1104 + 11 bytes
nsPresContext::ResolveStyleContextFor(nsPresContext * const 0x03590650, nsIContent * 0x0331e7f8, nsIStyleContext * 0x0356aea8, nsIStyleContext * * 0x0012c580) line 926 + 37 bytes
FrameManager::ReResolveStyleContext(nsIPresContext * 0x03590650, nsIFrame * 0x033e228c, nsIContent * 0x0347eb58, int -1, nsIAtom * 0x00000000, nsStyleChangeList & {...}, int 0, int & 0) line 1791
FrameManager::ReResolveStyleContext(nsIPresContext * 0x03590650, nsIFrame * 0x033e1e74, nsIContent * 0x00000000, int -1, nsIAtom * 0x00000000, nsStyleChangeList & {...}, int 0, int & 0) line 1874
FrameManager::ReResolveStyleContext(nsIPresContext * 0x03590650, nsIFrame * 0x033e1c4c, nsIContent * 0x00000000, int -1, nsIAtom * 0x00000000, nsStyleChangeList & {...}, int 0, int & 0) line 1874
FrameManager::ComputeStyleChangeFor(FrameManager * const 0x0332dd80, nsIPresContext * 0x03590650, nsIFrame * 0x033e1c4c, int -1, nsIAtom * 0x00000000, nsStyleChangeList & {...}, int 0, int & 0) line 1916
PresShell::ReconstructStyleData(PresShell * const 0x033386d0, int 1) line 5540
PresShell::StyleSheetRemoved(PresShell * const 0x033386d8, nsIDocument * 0x032da8e8, nsIStyleSheet * 0x0165ce98) line 5573
nsDocument::RemoveStyleSheet(nsIStyleSheet * 0x0165ce98) line 1531
nsStyleLinkElement::UpdateStyleSheet(nsStyleLinkElement * const 0x03376c7c, nsIDocument * 0x032da8e8, int -1) line 182
nsHTMLLinkElement::SetDocument(nsHTMLLinkElement * const 0x03376c50, nsIDocument * 0x00000000, int 1, int 1) line 110
nsGenericElement::SetDocumentInChildrenOf(nsIContent * 0x03468220, nsIDocument * 0x00000000, int 1) line 1735
nsGenericElement::SetDocument(nsGenericElement * const 0x03468220, nsIDocument * 0x00000000, int 1, int 1) line 1797 + 17 bytes
nsGenericHTMLElement::SetDocument(nsGenericHTMLElement * const 0x03468220, nsIDocument * 0x00000000, int 1, int 1) line 1282 + 21 bytes
nsGenericElement::SetDocumentInChildrenOf(nsIContent * 0x0347eb58, nsIDocument * 0x00000000, int 1) line 1735
nsGenericElement::SetDocument(nsGenericElement * const 0x0347eb58, nsIDocument * 0x00000000, int 1, int 1) line 1797 + 17 bytes
nsGenericHTMLElement::SetDocument(nsGenericHTMLElement * const 0x0347eb58, nsIDocument * 0x00000000, int 1, int 1) line 1282 + 21 bytes
nsDocument::RemoveChild(nsDocument * const 0x032da8ec, nsIDOMNode * 0x0347eb7c, nsIDOMNode * * 0x0012d348) line 3329
nsHTMLDocument::RemoveChild(nsHTMLDocument * const 0x032da8ec, nsIDOMNode * 0x0347eb7c, nsIDOMNode * * 0x0012d348) line 1735

Over to style system for further investigation.
Assignee: jst → dbaron
Component: DOM Core → Style System
QA Contact: stummala → ian
Tested 1st problem on Linux BuildID 2002061014 on RH7.3 and crashes that too.
Talkback ID TB9035125Q

Setting OS to all
OS: Windows ME → All
Still in build 2002082704.

*ping* =)
OK, I think I'm going to make the UndisplayedNode objects hold owning pointers
to content nodes, just like frames do (and then remove that other hack to clear
the undisplayed map, which I'll have to find).

That said, this won't necessarily happen immediately.
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.2beta
Target Milestone: mozilla1.2beta → Future
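The fix dbaron describes above (the undisplayed map holding owning rather than weak pointers to content, as frames already do) comes down to who keeps the content alive between RemoveChild and the style re-resolution shown in the stack. As an added illustration, not code from this bug or from Mozilla, the following C++ models both shapes. Content, ContentRef, WeakUndisplayedNode and OwningUndisplayedNode are stand-ins assumed for the example, not the Gecko classes; the live-object registry exists only so the dangling pointer can be detected without dereferencing freed memory.

```cpp
#include <cassert>
#include <cstddef>
#include <set>

// Stand-in for an intrusively refcounted DOM node (nsIContent-style
// AddRef/Release). Assumed for this example, not the Gecko class.
// A registry of live objects lets the example detect a dangling pointer
// without dereferencing freed memory.
class Content {
public:
    Content() { sLive.insert(this); }
    ~Content() { sLive.erase(this); }
    void AddRef() { ++mRefCnt; }
    void Release() { if (--mRefCnt == 0) delete this; }
    static bool IsLive(const Content* p) { return sLive.count(p) != 0; }
    static size_t LiveCount() { return sLive.size(); }
private:
    int mRefCnt = 0;
    static std::set<const Content*> sLive;
};
std::set<const Content*> Content::sLive;

// Owning pointer in the spirit of nsCOMPtr: AddRef when it takes a target,
// Release when it lets go. Simplified stand-in assumed for the example.
class ContentRef {
public:
    ContentRef() = default;
    explicit ContentRef(Content* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
    ContentRef(const ContentRef& o) : mPtr(o.mPtr) { if (mPtr) mPtr->AddRef(); }
    ContentRef& operator=(const ContentRef& o) {
        if (o.mPtr) o.mPtr->AddRef();   // AddRef first: o may alias *this
        if (mPtr) mPtr->Release();
        mPtr = o.mPtr;
        return *this;
    }
    ~ContentRef() { reset(); }
    void reset() { if (mPtr) { mPtr->Release(); mPtr = nullptr; } }
    Content* get() const { return mPtr; }
private:
    Content* mPtr = nullptr;
};

// Before the fix: the undisplayed-map entry records the content with a raw,
// non-owning pointer, so nothing stops the content being destroyed under it.
struct WeakUndisplayedNode {
    Content* mContent;
};

// After the fix: the entry holds an owning reference, as frames already did.
struct OwningUndisplayedNode {
    ContentRef mContent;
};

// Replays the sequence from the stack trace: the document holds the only
// strong reference, the style system records the node as undisplayed, then
// RemoveChild drops the document's reference and style re-resolution walks
// the map. Returns true if the map now points at a destroyed object.
bool WeakMapLeavesDanglingPointer() {
    ContentRef docChild(new Content());
    WeakUndisplayedNode node{docChild.get()};
    docChild.reset();                        // RemoveChild: last owner lets go
    return !Content::IsLive(node.mContent);  // true: ResolveStyleFor would read freed memory
}

// Same sequence with the owning entry: the content survives RemoveChild
// because the map still holds a reference, and is freed only when the map is
// cleared. Returns true if it stayed alive and nothing leaked afterwards.
bool OwningMapKeepsContentAlive() {
    ContentRef docChild(new Content());
    OwningUndisplayedNode node{ContentRef(docChild.get())};
    docChild.reset();
    bool alive = Content::IsLive(node.mContent.get());
    node.mContent.reset();                   // map torn down with the frame manager
    return alive && Content::LiveCount() == 0;
}

int main() {
    assert(WeakMapLeavesDanglingPointer());
    assert(OwningMapKeepsContentAlive());
    return 0;
}
```

The owning variant trades the crash for a lifetime obligation: whatever clears the undisplayed map must actually run when the frame manager goes away, or the extra reference becomes a leak, which is why the comment above pairs the change with removing the separate hack that cleared the map.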
*** Bug 189303 has been marked as a duplicate of this bug. ***
Attached patch: patch
This fixes the testcase, and I retested the testcase for bug 145737.  (I was
using a build with the memset in nsPresShell::FreeFrame.)
Attachment #111944 - Flags: superreview?(bzbarsky)
Attachment #111944 - Flags: review?(bzbarsky)
Whiteboard: [patch]
Target Milestone: Future → mozilla1.3beta
Comment on attachment 111944 [details] [diff] [review]
patch

looks good.
Attachment #111944 - Flags: superreview?(bzbarsky)
Attachment #111944 - Flags: superreview+
Attachment #111944 - Flags: review?(bzbarsky)
Attachment #111944 - Flags: review+
Fix checked in to trunk, 2003-01-20 16:47 PST.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Verified. Mozilla no longer crashes on those testcases.

Thanks, David =)
Status: RESOLVED → VERIFIED