Reentering nsRange::DeleteContents for same-ish range crashes

VERIFIED FIXED in mozilla1.8beta4

Status

()

Core
DOM: Core & HTML
P1
critical
VERIFIED FIXED
13 years ago
5 years ago

People

(Reporter: Nicolae Namolovan, Assigned: bz)

Tracking

({crash, testcase})

Trunk
mozilla1.8beta4
crash, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(3 attachments, 2 obsolete attachments)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050508

When innerHTML of a div is overwrited by innerHTML of a iframe, the loading icon
starts and can't be stoped, on multiple tryes browser can crash.
I have created a loop function what call the function multiple times, to crash
the browser..
The main problem is the loading icon.. I really need that script for my site(i
trying to create a iframe with dynamic width&height)..

Reproducible: Sometimes

Steps to Reproduce:
1. Execute the function what overwrite the DIV innerHTML (after that, the
loading icon starts and can't be stoped)
2. Execute multiple times.. You can do that with a loop.. (See my url)
3.

Actual Results:  
Firstly the loadin animation can't be stopped..
If you repeat multiple times, browser can crash.

Expected Results:  
The loading animation should stop after loading
Browser shouldn't crash

Here is ff_crash.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
<title>Crasher</title>

</head><body>

<div id="dynamicdiv">
<iframe onLoad="insertIt();" name="dynamicframe" scrolling="no" frameborder="0"
src="blank.html" height="100%" width="100%"></iframe>
</div>


<script language="JavaScript">
function insertIt() {
	var _y = document.getElementById('dynamicdiv');
	var _x = window.frames[0].document.body.innerHTML;
	_y.innerHTML = _x;
}

function makeIframe() {
	var newIframe = document.createElement('iframe');
	newIframe.onload = function() { insertIt(); }
	newIframe.name ='dynamicframe';
	newIframe.scrolling='no'; 
	newIframe.frameborder='0';
	newIframe.src ='blank.html';
	newIframe.height='100%';
	newIframe.width='100%';
	document.getElementById('dynamicdiv').appendChild(newIframe);
}

function Loop() {
for(i = 1; i <= 30; i++) makeIframe();
}
</script>


<a onclick="Loop();">Press to Crash</a>
</body</body></html>


Another version.. Also cause to crash..
Insted of function makeIframe() {
	var newIframe = document.createElement('iframe');
	newIframe.onload = function() { insertIt(); }
	newIframe.name ='dynamicframe';
	newIframe.scrolling='no'; 
	newIframe.frameborder='0';
	newIframe.src ='blank.html';
	newIframe.height='100%';
	newIframe.width='100%';
	document.getElementById('dynamicdiv').appendChild(newIframe);
}

Also can be ussed..
function makeIframe() {
	var _y = document.getElementById('dynamicdiv');
	_y.innerHTML = '<iframe onLoad="insertIt();" name="dynamicframe" scrolling="no"
frameborder="0" src="blank.html" height="100%" width="100%"></iframe>';
}

Same too be same resultat..

Here is Mozilla crash info.. A bit long.. Oh.. Too long.. If you still need it,
send me a email..

Application Information

 Application Launch Time
   08.05.2005 18:19

 Build Identifier
   2005050805

 Deployment Identifier
   MozillaOrgMozillaTrunkWin322005050805

 Interface Version
            8 (0x00000008)

 Monitor Configuration Version
            1 (0x00000001)

 Platform Identifier
   Win32

 Product Identifier
   MozillaTrunk

 Talkback Configuration Version
            1 (0x00000001)

 Talkback Library Version
            7 (0x00000007)

 Vendor Identifier
   MozillaOrg

Runtime Information

 Active Application
         2084 (0x00000824)

 Command Line
   "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -installer

 Contents of the Stack

[   0] 10 10 00 00 00 10 00 00 B0 53 12 00 00 10 00 00 [.........S......]
[  10] A8 5A E8 01 00 00 00 00 80 CA A3 00 00 00 00 00 [.Z..............]
[  20] F4 53 12 00 B3 BB 26 60 00 00 00 00 64 10 11 61 [.S....&`....d..a]
[  30] 00 EE 32 01 00 00 00 00 F0 C7 E8 01 01 00 00 00 [..2.............]
[  40] 74 AB E8 01 00 00 00 00 00 26 E2 01 8F 70 15 60 [t........&...p.`]
[  50] 00 00 00 00 10 54 12 00 6F 51 2A 60 70 AB E8 01 [.....T..oQ*`p...]
[  60] 00 00 00 00 00 EE 32 01 14 CB CF 01 00 26 E2 01 [......2......&..]
[  70] 68 54 12 00 6D 12 29 60 A8 5A E8 01 88 1C B5 01 [hT..m.)`.Z......]
[  80] 2C 12 C3 01 18 50 E5 01 00 00 00 00 33 C7 25 60 [,....P......3.%`]
[  90] 00 00 00 00 2C 12 C3 01 00 EE 32 01 10 12 C3 01 [....,.....2.....]
[  A0] 6C 54 12 00 88 1C B5 01 00 00 00 00 00 00 00 00 [lT..............]
[  B0] 01 00 00 00 00 00 00 00 18 50 E5 01 C8 ED 32 01 [.........P....2.]
[  C0] 50 50 E5 01 14 CB CF 01 88 54 12 00 7C 0F 29 60 [PP.......T..|.)`]
[  D0] 00 EE 32 01 01 00 00 00 2C 12 C3 01 18 50 E5 01 [..2.....,....P..]
[  E0] 2C 12 C3 01 00 00 00 00 A4 54 12 00 02 07 27 60 [,........T....'`]
[  F0] 18 50 E5 01 00 00 00 00 00 EE 32 01 B8 EC 32 01 [.P........2...2.]
[ 100] C8 AC E1 01 B4 55 12 00 D5 CA 25 60 18 50 E5 01 [.....U....%`.P..]
[ 110] 00 00 00 00 00 EE 32 01 10 12 C3 01 88 12 C3 01 [......2.........]
[ 120] B8 E7 BD 01 58 BC CE 01 00 00 00 00 58 BC CE 01 [....X.......X...]
[ 130] 34 98 11 60 C9 C3 C2 77 00 00 27 00 00 00 00 00 [4..`...w..'.....]
.............
[  60] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
[  70] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
[  80] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
[  90] 00 00 00 00                                     [....]

Thanks guys ;)
I'm from Moldova (if that matter ;o)
If you have a workarround.. Please let me know.. I need a solution to make that
code work properly on all browsers(on IE works just fine).. Need an
autoresizeble iframe..

Comment 1

13 years ago
reporter: please run components\talkback and copy the incident id.

also, please load this bug and click 'create a new attachment' and attach your
crashing html.
Assignee: general → general
Component: JavaScript Engine → DOM: HTML
QA Contact: general → ian
I got a crash with a 2005-05-07 trunk build. Talkback ID: TB5686535Q

nsRange::DeleteContents 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/base/src/nsRange.cpp,
line 1591]
nsGenericHTMLElement::SetInnerHTML 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 917]
nsGenericHTMLElementTearoff::SetInnerHTML 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 213]
XPCWrappedNative::CallMethod 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2065]
XPC_WN_GetterSetter 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1311]
js_Invoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1320]
js_InternalInvoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1417]
js_InternalGetOrSet 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1460]
js_SetProperty 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 2875]
js_Interpret 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 3448]
js_Invoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1340]
js_InternalInvoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1417]
JS_CallFunctionValue 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsapi.c, line 3851]
nsJSContext::CallEventHandler 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1385]
nsJSEventListener::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/dom/src/events/nsJSEventListener.cpp,
line 184]
nsEventListenerManager::HandleEventSubType 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1568]
nsEventListenerManager::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1669]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp,
line 2132]
nsGlobalWindow::HandleDOMEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 967]
DocumentViewerImpl::LoadComplete 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsDocumentViewer.cpp,
line 992]
nsDocShell::EndPageLoad 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/docshell/base/nsDocShell.cpp,
line 4627]
nsWebShell::EndPageLoad 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/docshell/base/nsWebShell.cpp,
line 667]
nsDocShell::OnStateChange 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/docshell/base/nsDocShell.cpp,
line 4553]
nsDocLoader::FireOnStateChange 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp,
line 1194]
nsDocLoader::doStopDocumentLoad 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp,
line 832]
nsDocLoader::OnStopRequest 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp,
line 653]
nsLoadGroup::RemoveRequest 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/netwerk/base/src/nsLoadGroup.cpp,
line 732]
PresShell::RemoveDummyLayoutRequest 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp,
line 7041]
PresShell::Destroy 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp,
line 1993]
DocumentViewerImpl::Hide 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsDocumentViewer.cpp,
line 1833]
nsSubDocumentFrame::Destroy 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsFrameFrame.cpp,
line 561]
nsBlockFrame::DoRemoveFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 5597]
nsBlockFrame::RemoveFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 5382]
nsFrameManager::RemoveFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsFrameManager.cpp,
line 708]
nsCSSFrameConstructor::ContentRemoved 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 9816]
PresShell::ContentRemoved 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp,
line 5487]
nsGenericElement::RemoveChild 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp,
line 3278]
nsRange::DeleteContents 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/base/src/nsRange.cpp,
line 1592]
nsGenericHTMLElement::SetInnerHTML 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 917]
nsGenericHTMLElementTearoff::SetInnerHTML 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 213]
XPCWrappedNative::CallMethod 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2065]
XPC_WN_GetterSetter 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1311]
js_Invoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1320]
js_InternalInvoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1417]
js_InternalGetOrSet 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1460]
js_SetProperty 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 2875]
js_Interpret 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 3448]
js_Invoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1340]
js_InternalInvoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1417]
JS_CallFunctionValue 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsapi.c, line 3851]
nsJSContext::CallEventHandler 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1385]
nsJSEventListener::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/dom/src/events/nsJSEventListener.cpp,
line 184]
nsEventListenerManager::HandleEventSubType 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1568]
nsEventListenerManager::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1669]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp,
line 2132]
nsGlobalWindow::HandleDOMEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 967]
DocumentViewerImpl::LoadComplete 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsDocumentViewer.cpp,
line 992]
nsDocShell::EndPageLoad 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/docshell/base/nsDocShell.cpp,
line 4627]
nsWebShell::EndPageLoad 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/docshell/base/nsWebShell.cpp,
line 667]
nsDocShell::OnStateChange 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/docshell/base/nsDocShell.cpp,
line 4553]
nsDocLoader::FireOnStateChange 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp,
line 1194]
nsDocLoader::doStopDocumentLoad 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp,
line 832]
nsDocLoader::OnStopRequest 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp,
line 653]
nsLoadGroup::RemoveRequest 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/netwerk/base/src/nsLoadGroup.cpp,
line 732]
Keywords: crash, testcase
(Reporter)

Comment 3

13 years ago
Created attachment 183012 [details]
Html with the bug reproducer

On pressing "Crash Me" firefox will crash.. Or try multiple times if not.. Also
create a blank.html and put there somethink
(Reporter)

Comment 4

13 years ago
(In reply to comment #1)
> reporter: please run components\talkback and copy the incident id.

TB5686559Q

Updated

13 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Overwriting of div innerHTML cause starting of the loading icon(circle) and some times browser can crash → Overwriting of div innerHTML cause starting of the loading icon(circle) and some times browser can crash [@ nsRange::DeleteContents]

Comment 5

13 years ago
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050509
Firefox/1.0+

FWIW I don't get a crash on my debug build. Perhaps it is platform specific, or
I have some spackle stopping the crash.

Comment 7

13 years ago
Comment on attachment 183074 [details] [diff] [review]
Patch

This patch doesn't work, maybe if (!parent) break; works (it doesn't crash),
but i'm not sure if the testcase behaves as it should: It only switches once
between div and iframe (i expected 12 because of for(i = 1; i <= 12; i++)
makeIframe();)?
Attachment #183074 - Attachment is obsolete: true
Can someone create a minimized testcase?  Is the loop over 12 things needed?
Note that the page, as written, should end up going into an infinite-ish loop,
with a more and more deeply nested DOM.  Is that what's causing problems?
Created attachment 186071 [details]
testcase

This crashes consistently for me when clicking on the button.
This doesn't crash in Mozilla1.0, but there it does the wrong thing: it doesn't
delete the iframes.
In Mozilla1.1 it starts to crash witht the testcase.
Attachment #183012 - Attachment is obsolete: true
Created attachment 188606 [details]
Testcase that makes it clearer what's going on
The problem is that setting innerHTML removes the iframe, which triggers its
onload, which reenters SetInnerHTML.  Similarly, just reentering
nsRange::DeleteContents from an event triggered by nsRange::DeleteContents crashes.

The problem seems to be that we end up with a |node| whose parent is already
null, so when we go to call RemoveChild on the parent, we crash.
Assignee: general → traversal-range
Component: DOM: HTML → DOM: Traversal-Range
OS: Windows XP → All
Hardware: PC → All
Summary: Overwriting of div innerHTML cause starting of the loading icon(circle) and some times browser can crash [@ nsRange::DeleteContents] → Reentering nsRange::DeleteContents for same-ish range crashes
So the general problem is that the iterator used by nsRange::DeleteContents
(nsSubtreeIterator, in the end), doesn't really deal with document mutations. 
It will happily return a node that's no longer in the document, which is what
happens here.  It's not clear to me what the correct behavior is for DOM events
rearranging the DOM the range is trying to delete while it's trying to delete
it, so I'm tempted to just null-check here and be done with it.  sicking? 
peterv?  jst?  Thoughts?
Actually, a null-check won't work.  The iterator holds a _weak_ ref to the
content.  So in my testcase it'll actually end up returning an already-deleted node.
Created attachment 188611 [details] [diff] [review]
Proposed patch

Well, I was wrong.  The iterator holds a strong ref.  But generic element was
failing to deal with RemoveChildAt rearranging the DOM...  With this patch,
both testcases are happy.
Attachment #188611 - Flags: superreview?(peterv)
Attachment #188611 - Flags: review?(bugmail)
Comment on attachment 188611 [details] [diff] [review]
Proposed patch

>Index: content/base/src/nsGenericElement.cpp
>===================================================================

>@@ -2766,29 +2766,33 @@ nsGenericElement::RemoveChildAt(PRUint32
> 
>     if (HasMutationListeners(this, NS_EVENT_BITS_MUTATION_NODEREMOVED)) {
>       nsMutationEvent mutation(PR_TRUE, NS_MUTATION_NODEREMOVED, oldKid);
>       mutation.mRelatedNode = do_QueryInterface(this);
> 
>       nsEventStatus status = nsEventStatus_eIgnore;
>       oldKid->HandleDOMEvent(nsnull, &mutation, nsnull,
>                              NS_EVENT_FLAG_INIT, &status);
>     }
> 
>-    nsRange::OwnerChildRemoved(this, aIndex, oldKid);
>+    // Someone may have removed the kid while that event was processing...
>+    if (oldKid->GetParent() == this && aIndex < GetChildCount() &&
>+        oldKid == GetChildAt(aIndex)) {

We could do this check only in the case where there's a mutation listener?
Attachment #188611 - Flags: superreview?(peterv) → superreview+
Good idea.  I'll make that change.
Comment on attachment 188611 [details] [diff] [review]
Proposed patch

I don't quite understand how this is reentering the range code. 

>+    // Someone may have removed the kid while that event was processing...
>+    if (oldKid->GetParent() == this && aIndex < GetChildCount() &&
>+        oldKid == GetChildAt(aIndex)) {

No need to bounds-check aIndex, GetChildAt will return null so that test will
always fail if aIndex is too big.

r=me
Attachment #188611 - Flags: review?(bugmail) → review+
Comment on attachment 188611 [details] [diff] [review]
Proposed patch

Requesting approval for some sanity-checking to deal with the DOM mutating
under us...
Attachment #188611 - Flags: approval1.8b4?
> I don't quite understand how this is reentering the range code. 

Which?  "testcase", or "testcase that makes it clearer..."?  They reenter via
different paths, of course...

Updated

13 years ago
Attachment #188611 - Flags: approval1.8b4? → approval1.8b4+
Assignee: traversal-range → bzbarsky
Priority: -- → P1
Target Milestone: --- → mozilla1.8beta4
Fixed.
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
Verified FIXED using https://bugzilla.mozilla.org/attachment.cgi?id=188606 and
https://bugzilla.mozilla.org/attachment.cgi?id=186071 as testcases with build
2005-07-27-05 under Windows XP SeaMonkey trunk--no crash.
Status: RESOLVED → VERIFIED
content/base/crashtests/293388-1.html
http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+
Component: DOM: Traversal-Range → DOM: Core & HTML
Product: Core → Core
You need to log in before you can comment on or make changes to this bug.