Closed Bug 303260 Opened 19 years ago Closed 18 years ago

if there is no root element, keyboard shortcuts and the context menu do not work [@ nsContentList::nsContentList]

Categories

(Core :: DOM: Events, defect)

Product:
Core
Component:
DOM: Events
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: grantwohl+mozbug, Assigned: MatsPalmgren_bugz)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: access, crash, testcase)

Crash Data

Attachments

(4 files)

HTML Testcase
272 bytes, text/html
Details
crash stack
3.21 KB, text/plain
Details
Some indication of what's up
5.76 KB, patch
MatsPalmgren_bugz
: review+
roc
: superreview+
Details | Diff | Splinter Review
Patch A rev. 1 (fixes the crash)
2.39 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050802 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050802 Firefox/1.0+

If there is no root element, keyboard shortcuts and the context menu do not work.

Reproducible: Always

Steps to Reproduce:
1.Load any XHTML/HTML/XML document.
2.Use the DOM Inspector to remove the root element(usually "html"), or use a
bookmarklet:<javascript:void(document.removeChild(document.getElementsByTagName("*")[0]))>
3.Try to use a keyboard shortcut (e.g., CTRL+W) or try to bring up the context menu.

Actual Results:  
Nothing happenend.

Expected Results:  
Either the keyboard shortcut action should have happened or the context menu
should have been brought up.
If you remove "document.documentElement" the same thing occurs.
Attached file HTML Testcase β€” 

  

  



    
  
Keywords: access, 
          
            testcase

    
    

    
  
Why would anyone ever remove the root element?

  

  



    
    

    
  
(In reply to comment #3)
> Why would anyone ever remove the root element?

I don't know.

  

  



    
    

    
  
> Why would anyone ever remove the root element?

Why wouldn't they?  We shouldn't break when it happens.

  

  


Assignee: general → events
Status: UNCONFIRMED → NEW
Component: DOM → DOM: Events
Ever confirmed: true

    
    

    
  
It's not a "major" bug, IMHO. But it is a valid bug.

  

  


Severity: major → normal

    
    

    
  
It's pretty major for keyboard-only users (see "access" keyword).

  

  


Severity: normal → major

    
  
Assignee: events → mats.palmgren

    
  
Blocks: focusnav

    
    

    
  
Furthermore, this bug is forcing us to have buggy and insecure code elsewhere in the product to work around it.  See bug 341730.

Aaron, Mats, is the issue that nsEventStateManager::ShiftFocusInternal screws this up or something?

  

  


OS: Windows XP → All
Hardware: PC → All
Blocks: 341730

    
    

    
  
I'll have a look...

I see reproducable crash for the following:
1. start seamonkey
2. click on throbber
3. load the URL from this bug
4. click on throbber -> crash

0x41204bfb in nsContentList (this=0x88fa710, aRootNode=0x0, aMatchAtom=0x80af380, aMatchNameSpaceId=-1, aDeep=0) at nsContentList.cpp:346
346       mRootNode->AddMutationObserver(this);
(gdb) p mRootNode
$1 = (class nsINode *) 0x0

Before the crash I see:
###!!! ASSERTION: content list has to have a root: 'aRootNode', file nsContentList.cpp, line 248
###!!! ASSERTION: Must have root: 'mRootNode', file nsContentList.cpp, line 339


  

  


Severity: major → critical
Keywords: crash
Summary: if there is no root element, keyboard shortcuts and the context menu do not work → if there is no root element, keyboard shortcuts and the context menu do not work [@ nsContentList::nsContentList]

    
    

    
  

      
      
      
      

        Attached file
          
        crash stack
        β€” 
      

    


  

  

  



    
    

    
  
Hmm... So is the problem that Destroy() has already been called so that OnPageHide has a null mRootContent?

Note that the crash is a separate bug from what this bug is actually about; it indicates that either OnPageHide is broken as designed or that we really do need to not null out mRootContent in nsDocument::Destroy.  Please file a separate bug on that?

  

  



    
    

    
  


  
The presshell parts of this fix this bug for me, as far as I can tell.

The docshell parts make tabbing to the rootless document focus its content area; not sure whether we even want that, since any key will blur it, per the presshell code.

  

  



    
    

    
  


  
(In reply to comment #11)
> Hmm... So is the problem that Destroy() has already been called so that
> OnPageHide has a null mRootContent?

It was RemoveChildAt() that made mRootContent null:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/content/base/src/nsDocument.cpp&rev=3.663&root=/cvsroot&mark=1869,1883#1863

This patch fixes the crash at least. I also reviewed the rest of
nsDocument.cpp and it looks mRootContent-null-safe AFAICT.

  

  



        Attachment #229521 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 229521 [details] [diff] [review]
Patch A rev. 1 (fixes the crash)

Ah, right.  This looks good.  Thanks!

  

  



        Attachment #229521 -
        Flags: superreview+

        Attachment #229521 -
        Flags: review?(bzbarsky)

        Attachment #229521 -
        Flags: review+

    
    

    
  
Comment on attachment 229521 [details] [diff] [review]
Patch A rev. 1 (fixes the crash)

Checked in to trunk at 2006-07-18 20:53 PDT.

  

  



    
    

    
  
Comment on attachment 229517 [details] [diff] [review]
Some indication of what's up

So, should we take only the pres shell bits for now?
r=me on both changes (FWIW), but I think only pres shell is needed here.

  

  



    
    

    
  
I really have no idea; I don't know the code well enough to tell.

  

  



        Attachment #229517 -
        Flags: superreview?(roc)

        Attachment #229517 -
        Flags: review?(mats.palmgren)
Depends on: 348156

    
    

    
  
Comment on attachment 229517 [details] [diff] [review]
Some indication of what's up

Looks good. r=mats

  

  



        Attachment #229517 -
        Flags: review?(mats.palmgren) → review+
Flags: blocking1.9a1? → blocking1.9+

        Attachment #229517 -
        Flags: superreview?(roc) → superreview+

    
    

    
  
Checked in the presshell and docshell fixes too.  This puppy is fixed.

  

  


Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsContentList::nsContentList]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: