Closed Bug 303260 Opened 19 years ago Closed 18 years ago

if there is no root element, keyboard shortcuts and the context menu do not work [@ nsContentList::nsContentList]

Categories

(Core :: DOM: Events, defect)

Product:
Core
Component:
DOM: Events
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: grantwohl+mozbug, Assigned: MatsPalmgren_bugz)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: access, crash, testcase)

Crash Data

Attachments

(4 files)

HTML Testcase
272 bytes, text/html
Details
crash stack
3.21 KB, text/plain
Details
Some indication of what's up
5.76 KB, patch
MatsPalmgren_bugz
: review+
roc
: superreview+
Details | Diff | Splinter Review
Patch A rev. 1 (fixes the crash)
2.39 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050802 Firefox/1.0+ Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050802 Firefox/1.0+ If there is no root element, keyboard shortcuts and the context menu do not work. Reproducible: Always Steps to Reproduce: 1.Load any XHTML/HTML/XML document. 2.Use the DOM Inspector to remove the root element(usually "html"), or use a bookmarklet:<javascript:void(document.removeChild(document.getElementsByTagName("*")[0]))> 3.Try to use a keyboard shortcut (e.g., CTRL+W) or try to bring up the context menu. Actual Results: Nothing happenend. Expected Results: Either the keyboard shortcut action should have happened or the context menu should have been brought up.
If you remove "document.documentElement" the same thing occurs.
Attached file HTML Testcase
Keywords: access, testcase
Why would anyone ever remove the root element?
(In reply to comment #3) > Why would anyone ever remove the root element? I don't know.
> Why would anyone ever remove the root element? Why wouldn't they? We shouldn't break when it happens.
Assignee: general → events
Status: UNCONFIRMED → NEW
Component: DOM → DOM: Events
Ever confirmed: true
It's not a "major" bug, IMHO. But it is a valid bug.
Severity: major → normal
It's pretty major for keyboard-only users (see "access" keyword).
Severity: normal → major
Assignee: events → mats.palmgren
Blocks: focusnav
Furthermore, this bug is forcing us to have buggy and insecure code elsewhere in the product to work around it. See bug 341730. Aaron, Mats, is the issue that nsEventStateManager::ShiftFocusInternal screws this up or something?
OS: Windows XP → All
Hardware: PC → All
Blocks: 341730
I'll have a look... I see reproducable crash for the following: 1. start seamonkey 2. click on throbber 3. load the URL from this bug 4. click on throbber -> crash 0x41204bfb in nsContentList (this=0x88fa710, aRootNode=0x0, aMatchAtom=0x80af380, aMatchNameSpaceId=-1, aDeep=0) at nsContentList.cpp:346 346 mRootNode->AddMutationObserver(this); (gdb) p mRootNode $1 = (class nsINode *) 0x0 Before the crash I see: ###!!! ASSERTION: content list has to have a root: 'aRootNode', file nsContentList.cpp, line 248 ###!!! ASSERTION: Must have root: 'mRootNode', file nsContentList.cpp, line 339
Severity: major → critical
Keywords: crash
Summary: if there is no root element, keyboard shortcuts and the context menu do not work → if there is no root element, keyboard shortcuts and the context menu do not work [@ nsContentList::nsContentList]
Attached file crash stack
Hmm... So is the problem that Destroy() has already been called so that OnPageHide has a null mRootContent? Note that the crash is a separate bug from what this bug is actually about; it indicates that either OnPageHide is broken as designed or that we really do need to not null out mRootContent in nsDocument::Destroy. Please file a separate bug on that?
The presshell parts of this fix this bug for me, as far as I can tell. The docshell parts make tabbing to the rootless document focus its content area; not sure whether we even want that, since any key will blur it, per the presshell code.
(In reply to comment #11) > Hmm... So is the problem that Destroy() has already been called so that > OnPageHide has a null mRootContent? It was RemoveChildAt() that made mRootContent null: http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/content/base/src/nsDocument.cpp&rev=3.663&root=/cvsroot&mark=1869,1883#1863 This patch fixes the crash at least. I also reviewed the rest of nsDocument.cpp and it looks mRootContent-null-safe AFAICT.
Attachment #229521 - Flags: review?(bzbarsky)
Comment on attachment 229521 [details] [diff] [review] Patch A rev. 1 (fixes the crash) Ah, right. This looks good. Thanks!
Attachment #229521 - Flags: superreview+
Attachment #229521 - Flags: review?(bzbarsky)
Attachment #229521 - Flags: review+
Comment on attachment 229521 [details] [diff] [review] Patch A rev. 1 (fixes the crash) Checked in to trunk at 2006-07-18 20:53 PDT.
Comment on attachment 229517 [details] [diff] [review] Some indication of what's up So, should we take only the pres shell bits for now? r=me on both changes (FWIW), but I think only pres shell is needed here.
I really have no idea; I don't know the code well enough to tell.
Attachment #229517 - Flags: superreview?(roc)
Attachment #229517 - Flags: review?(mats.palmgren)
Depends on: 348156
Comment on attachment 229517 [details] [diff] [review] Some indication of what's up Looks good. r=mats
Attachment #229517 - Flags: review?(mats.palmgren) → review+
Flags: blocking1.9a1? → blocking1.9+
Attachment #229517 - Flags: superreview?(roc) → superreview+
Checked in the presshell and docshell fixes too. This puppy is fixed.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsContentList::nsContentList]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: