Closed Bug 297926 Opened 19 years ago Closed 19 years ago

Crash when following the steps in this editor testcase

Categories

(Core :: DOM: Editor, defect)

x86
Windows XP
defect
Not set
critical

VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: bryner)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

See upcoming testcase. Because of enablePrivilege use, you have to try the
testcase on your local hard drive.
When clicking two times on the link, Mozilla crashes (although currently one
click seems enough).

The key seems to be this line:
var editorsession = editingSession.getEditorForWindow(editor.contentWindow);
Although I don't use it for anything, it seems to be the cause of the crash.
When I remove that line of code, Mozilla doesn't crash anymore.
Attached file testcase
0x64726164
nsCSSFrameConstructor::GetInsertionPoint 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 11522]
nsCSSFrameConstructor::ContentInserted 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 9033]
nsCSSFrameConstructor::RecreateFramesForContent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 11691]
nsCSSFrameConstructor::ProcessRestyledFrames 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 10189]
nsIPresShell::ReconstructStyleDataInternal 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp,
line 5545]
nsHTMLEditor::AddOverrideStyleSheet 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/libeditor/html/nsHTMLEditor.cpp,
line 3614]
nsHTMLEditor::Init 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/libeditor/html/nsHTMLEditor.cpp,
line 319]
nsEditingSession::SetupEditorOnWindow 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/composer/src/nsEditingSession.cpp,
line 453]
nsEditingSession::EndDocumentLoad 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/composer/src/nsEditingSession.cpp,
line 1110]
nsEditingSession::OnStateChange 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/composer/src/nsEditingSession.cpp,
line 815]
nsDocLoader::FireOnStateChange 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/uriloader/base/nsDocLoader.cpp,
line 1194]
nsDocLoader::doStopDocumentLoad 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/uriloader/base/nsDocLoader.cpp,
line 832]
nsDocLoader::OnStopRequest 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/uriloader/base/nsDocLoader.cpp,
line 653]
nsLoadGroup::RemoveRequest 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/base/src/nsLoadGroup.cpp,
line 732]
nsLoadGroup::Cancel 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/base/src/nsLoadGroup.cpp,
line 400]
nsDocLoader::Stop 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/uriloader/base/nsDocLoader.cpp,
line 311]
nsDocLoader::Stop 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/uriloader/base/nsDocLoader.cpp,
line 306]
nsDocShell::Stop 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp,
line 3163]
nsDSURIContentListener::DoContent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/docshell/base/nsDSURIContentListener.cpp,
line 127]
XPTC_InvokeByIndex 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2105]
XPC_WN_CallMethod 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1348]
js_Invoke 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1178]
js_Interpret 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 3469]
js_Invoke 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1198]
nsXPCWrappedJSClass::CallMethod 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp,
line 1339]
nsXPCWrappedJS::CallMethod 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp,
line 450]
SharedStub 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp,
line 147]
nsDocumentOpenInfo::TryContentListener 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/uriloader/base/nsURILoader.cpp,
line 739]
nsDocumentOpenInfo::DispatchContent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/uriloader/base/nsURILoader.cpp,
line 483]
nsDocumentOpenInfo::OnStartRequest 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/uriloader/base/nsURILoader.cpp,
line 328]
nsHttpChannel::CallOnStartRequest 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp,
line 696]
nsHttpChannel::ProcessNormal 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp,
line 865]
nsHttpChannel::ProcessResponse 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp,
line 788]
Actually, I also get this same crash in a 'regular' case; it only happens to me
when I have bfcache on:
- Go to https://bugzilla.mozilla.org/attachment.cgi?id=154357 (testcase from bug
253078)
- Click on the Google image -> drag handles should appear.
- Press Back -> you get to this page again.
- Press Forward -> Crash
Attachment #186489 - Attachment is patch: false
Attachment #186489 - Attachment mime type: text/plain → application/vnd.mozilla.xul+xml
Attached patch patch
I was surprised to discover this sort of pseudo-anonymous content that the
editor creates.  By not using any of our other anonymous content mechanisms, it
ends up suffering from some odd problems -- I think this should be converted to
XBL if possible.

At any rate, with the current implementation, the HTMLEditor must clean up the
anonymous nodes that it created, or the last owning reference to them will be
left with the frame, which means a reframe will crash (as the destruction of
the original frame destroys the content node).
Assignee: mozeditor → bryner
Status: NEW → ASSIGNED
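The lifetime problem described in the patch comment above, modelled in C++ as an added example (not the patch attached to this bug and not Gecko code). `Content`, `Frame`, `PresShell`, `Editor` and `danglingReframes` are hypothetical names, and a `std::weak_ptr` stands in for the raw pointer so the dangling case is detected instead of crashing.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Simplified ownership model; all type and function names are hypothetical.
struct Content { const char* tag; };
struct Frame { std::shared_ptr<Content> content; };  // a frame keeps its content alive
struct PresShell {
    std::vector<std::unique_ptr<Frame>> frames;
    // Destroy the old frame, then build a new one for the same content.
    // Returns false where the real code would dereference a freed node.
    bool reframe(std::size_t i) {
        std::weak_ptr<Content> target = frames[i]->content;  // stands in for a raw pointer
        frames[i].reset();                                   // old frame goes away first
        if (target.expired()) return false;                  // content died with its frame
        frames[i] = std::make_unique<Frame>(Frame{target.lock()});
        return true;
    }
};
struct Editor {
    PresShell& shell;
    bool cleanupOnTeardown;
    std::vector<std::shared_ptr<Content>> anon;  // anonymous nodes this editor created
    void createDragHandle() {
        auto node = std::make_shared<Content>(Content{"drag-handle"});
        anon.push_back(node);
        shell.frames.push_back(std::make_unique<Frame>(Frame{node}));
    }
    void teardown() {
        if (cleanupOnTeardown) {  // the fix: remove what the editor created
            auto& f = shell.frames;
            f.erase(std::remove_if(f.begin(), f.end(), [&](const std::unique_ptr<Frame>& fr) {
                return std::find(anon.begin(), anon.end(), fr->content) != anon.end();
            }), f.end());
        }
        anon.clear();  // without cleanup, the frame now holds the last owning reference
    }
};
// Counts reframes that would have touched a destroyed content node.
int danglingReframes(bool teardownFirst, bool cleanupOnTeardown) {
    PresShell shell;
    Editor ed{shell, cleanupOnTeardown, {}};
    ed.createDragHandle();
    if (teardownFirst) ed.teardown();
    int dangling = 0;
    for (std::size_t i = 0; i < shell.frames.size(); ++i)
        if (!shell.reframe(i)) ++dangling;
    return dangling;
}
```

`danglingReframes(true, false)` is the sequence from the comment (editor gone, frame left as last owner, then a reframe); `danglingReframes(true, true)` applies the cleanup on teardown.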
Attachment #188807 - Flags: superreview?(bzbarsky)
Attachment #188807 - Flags: review?(bzbarsky)
Attachment #188807 - Flags: superreview?(bzbarsky)
Attachment #188807 - Flags: superreview+
Attachment #188807 - Flags: review?(bzbarsky)
Attachment #188807 - Flags: review+
Comment on attachment 188807 [details] [diff] [review]
patch

requesting approval for post-1.1a2 landing
Attachment #188807 - Flags: approval1.8b4?
Attachment #188807 - Flags: approval1.8b4? → approval1.8b4+
checked in
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Verified FIXED using build 2005-07-14-05 Windows XP SeaMonkey trunk using:

https://bugzilla.mozilla.org/attachment.cgi?id=186489

and the testcase in comment 3.

I still see weird things (like designMode remaining on, etc.) but I believe
designMode already has a ton of bugs on it, and there's no more crash here.
Status: RESOLVED → VERIFIED
Stephend, could you file the bugs you see (with the url pointing to this testcase)?
bz: the bug I should've mentioned explicitly is bug 300165, and I'm waiting to
test our behavior post-fix before filing additional bugs.  Sorry for not
mentioning it.
Ah, ok.  Sounds good.
Depends on: 309981