Closed
Bug 297926
Opened 19 years ago
Closed 19 years ago
Crash when following the steps in this editor testcase
Categories
(Core :: DOM: Editor, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: martijn.martijn, Assigned: bryner)
References
Details
(Keywords: crash, testcase)
Attachments
(2 files)
1.49 KB,
application/vnd.mozilla.xul+xml
|
Details | |
961 bytes,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
benjamin
:
approval1.8b4+
|
Details | Diff | Splinter Review |
See upcoming testcase. Because of enablePrivilege use, you have to try the testcase on your local hard drive. When clicking two times on the link, Mozilla crashes (although currently one click seems enough). The key seems to be, this line: var editorsession = editingSession.getEditorForWindow(editor.contentWindow); Although I don't use it for something, it seems to be the cause of the crash. When I remove that line of code, Mozilla doesn't crash anymore.
Reporter | ||
Comment 1•19 years ago
|
||
Comment 2•19 years ago
|
||
0x64726164 nsCSSFrameConstructor::GetInsertionPoint [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11522] nsCSSFrameConstructor::ContentInserted [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9033] nsCSSFrameConstructor::RecreateFramesForContent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11691] nsCSSFrameConstructor::ProcessRestyledFrames [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10189] nsIPresShell::ReconstructStyleDataInternal [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp, line 5545] nsHTMLEditor::AddOverrideStyleSheet [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/libeditor/html/nsHTMLEditor.cpp, line 3614] nsHTMLEditor::Init [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/libeditor/html/nsHTMLEditor.cpp, line 319] nsEditingSession::SetupEditorOnWindow [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/composer/src/nsEditingSession.cpp, line 453] nsEditingSession::EndDocumentLoad [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/composer/src/nsEditingSession.cpp, line 1110] nsEditingSession::OnStateChange [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/composer/src/nsEditingSession.cpp, line 815] nsDocLoader::FireOnStateChange [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/uriloader/base/nsDocLoader.cpp, line 1194] nsDocLoader::doStopDocumentLoad [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/uriloader/base/nsDocLoader.cpp, line 832] nsDocLoader::OnStopRequest [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/uriloader/base/nsDocLoader.cpp, line 653] nsLoadGroup::RemoveRequest [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/base/src/nsLoadGroup.cpp, line 732] nsLoadGroup::Cancel [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/base/src/nsLoadGroup.cpp, line 400] nsDocLoader::Stop [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/uriloader/base/nsDocLoader.cpp, line 311] nsDocLoader::Stop [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/uriloader/base/nsDocLoader.cpp, line 306] nsDocShell::Stop [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp, line 3163] nsDSURIContentListener::DoContent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/docshell/base/nsDSURIContentListener.cpp, line 127] XPTC_InvokeByIndex [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102] XPCWrappedNative::CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2105] XPC_WN_CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1348] js_Invoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1178] js_Interpret [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 3469] js_Invoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1198] nsXPCWrappedJSClass::CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 1339] nsXPCWrappedJS::CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 450] SharedStub [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp, line 147] nsDocumentOpenInfo::TryContentListener [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/uriloader/base/nsURILoader.cpp, line 739] nsDocumentOpenInfo::DispatchContent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/uriloader/base/nsURILoader.cpp, line 483] nsDocumentOpenInfo::OnStartRequest [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/uriloader/base/nsURILoader.cpp, line 328] nsHttpChannel::CallOnStartRequest [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 696] nsHttpChannel::ProcessNormal [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 865] nsHttpChannel::ProcessResponse [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 788]
Reporter | ||
Comment 3•19 years ago
|
||
Actually, I also get this same crash in a 'regular' case, it only happens to me when I have bfcache on: - Go to https://bugzilla.mozilla.org/attachment.cgi?id=154357 (testcase from bug 253078) - Click on the Google image -> drag handles should appear. - Press Back -> you get to this page again. - Press Forward -> Crash
Blocks: blazinglyfastback
Reporter | ||
Updated•19 years ago
|
Attachment #186489 -
Attachment is patch: false
Attachment #186489 -
Attachment mime type: text/plain → application/vnd.mozilla.xul+xml
Assignee | ||
Comment 4•19 years ago
|
||
I was surprised to discover this sort of pseudo-anonymous content that the editor creates. By not using any of our other anonymous content mechanisms, it ends up suffering from some odd problems -- I think this should be converted to XBL if possible. At any rate, with the current implementation, the HTMLEditor must clean up the anonymous nodes that it created, or the last owning reference to them will be left with the frame, which means a reframe will crash (as the destruction of the original frame destroys the content node).
Assignee | ||
Updated•19 years ago
|
Assignee: mozeditor → bryner
Status: NEW → ASSIGNED
Attachment #188807 -
Flags: superreview?(bzbarsky)
Attachment #188807 -
Flags: review?(bzbarsky)
Updated•19 years ago
|
Attachment #188807 -
Flags: superreview?(bzbarsky)
Attachment #188807 -
Flags: superreview+
Attachment #188807 -
Flags: review?(bzbarsky)
Attachment #188807 -
Flags: review+
Assignee | ||
Comment 5•19 years ago
|
||
Comment on attachment 188807 [details] [diff] [review] patch requesting approval for post-1.1a2 landing
Attachment #188807 -
Flags: approval1.8b4?
Updated•19 years ago
|
Attachment #188807 -
Flags: approval1.8b4? → approval1.8b4+
Assignee | ||
Comment 6•19 years ago
|
||
checked in
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 7•19 years ago
|
||
Verified FIXED using build 2005-07-14-05 Windows XP SeaMonkey trunk using: https://bugzilla.mozilla.org/attachment.cgi?id=186489 and the testcase in comment 3. I still see weird things (like designMode remaining on, etc.) but I believe designMode already has a ton of bugs on it, and there's no more crash here.
Status: RESOLVED → VERIFIED
Comment 8•19 years ago
|
||
Stephend, could you file the bugs you see (with the url pointing to this testcase)?
Comment 9•19 years ago
|
||
bz: the bug I should've mentioned explicitly is bug 300165, and I'm waiting to test our behavior post-fix before filing additional bugs. Sorry for not mentioning it.
Comment 10•19 years ago
|
||
Ah, ok. Sounds good.
You need to log in
before you can comment on or make changes to this bug.
Description
•