Closed Bug 313400 Opened 20 years ago Closed 20 years ago

document.createRange().extractContents() crashes [@ nsRange::CloneContents]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: sync2d, Assigned: WeirdAl)

References

(
URL
)

Details

(5 keywords)

Attachments

(2 files, 1 obsolete file)

full stack trace
8.00 KB, text/plain
Details
patch, v1.1
1.19 KB, patch
WeirdAl
: review+
WeirdAl
: superreview+
dveditz
: approval1.8.0.8+
mtschrep
: approval1.8.1+
Details | Diff | Splinter Review
document.createRange().extractContents(); crashes. TB10965825H Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20051021 Firefox/1.6a1 nsRange::CloneContents [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsRange.cpp, line 1736] nsRange::ExtractContents [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsRange.cpp, line 1658] XPCWrappedNative::CallMethod [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2139] XPC_WN_CallMethod [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1444] js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1177] js_Interpret [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3501] js_Execute [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1408] JS_EvaluateUCScriptForPrincipals [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4118] nsJSContext::EvaluateString [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1072] nsJSThunk::EvaluateScript [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp, line 297]
Upon clicking the URL, I crashed with Seamonkey 1.1a rv:1.9a1 build 2005102208 but I did not crash with Firefox 1.5 rv:1.8b5 build 20051021; XP Pro SP2 here. Though Firefox 1.5 javascript console reports " Error: uncaught exception: [Exception... "Component returned failure code: 0x80070057 (NS_ERROR_ILLEGAL_VALUE) [nsIDOMRange.extractContents]" nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: javascript: document.createRange().extractContents(); :: <TOP_LEVEL> :: line 1" data: no] " CONFIRMING
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 98 → All
I couldn't find a duplicate for this bug. Adding clean-report and talkbackid keywords
Keywords: clean-report, talkbackid
Related: ###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../dist/include/xpcom\nsCOMPtr.h, line 849
Keywords: assertion, testcase
Oh ho. The mStartParent is the HTML document. Documents have no owner document, so we get null back at line 1725: res = mStartParent->GetOwnerDocument(getter_AddRefs(document)); From there, we go downhill. Patch coming up shortly.
Status: NEW → ASSIGNED
Assignee: traversal-range → ajvincent
Status: ASSIGNED → NEW
Attached patch patch, v1 (obsolete) — Splinter Review
After this patch, we get NS_ERROR_FAILURE. The range is empty.
Comment on attachment 200882 [details] [diff] [review] patch, v1 + nsCOMPtr<nsIDOMDocument> document(do_QueryInterface(mStartParent)); + if (!document) { + res = mStartParent->GetOwnerDocument(getter_AddRefs(document)); + if (NS_FAILED(res)) return res; + } The common case here is that mStartParent is *not* a document, so this would be faster over all if you flipped this around (since you wouldn't be trying to QI to nsIDOMDocument when you know it will fail in most cases), i.e.: + nsCOMPtr<nsIDOMDocument> document; + res = mStartParent->GetOwnerDocument(getter_AddRefs(document)); + if (NS_FAILED(res)) return res; + if (!document) { + document = do_QueryInterface(mStartParent); + } r+sr=jst either way though.
Attachment #200882 - Flags: superreview+
Attachment #200882 - Flags: review+
Attached patch patch, v1.1Splinter Review
Per #developers, I've also added an assertion for document, and for optimized builds, we return if we don't have a document. I'm carrying forward jst's r+sr. I'd appreciate someone checking this in for me, please.
Attachment #200882 - Attachment is obsolete: true
Attachment #200886 - Flags: superreview+
Attachment #200886 - Flags: review+
jst has checked in my patch, thank you.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Verified FIXED using javascript: document.createRange().extractContents(); in the URL bar with build 2005-10-27-04 on Windows XP SeaMonkey trunk.
Status: RESOLVED → VERIFIED
Comment on attachment 200886 [details] [diff] [review] patch, v1.1 It also crashes on the 1.8.0.x branch, using the typo3 demo.
Attachment #200886 - Flags: approval1.8.1?
Attachment #200886 - Flags: approval1.8.0.8?
Comment on attachment 200886 [details] [diff] [review] patch, v1.1 Differing to 1.8.1.1
Attachment #200886 - Flags: approval1.8.1? → approval1.8.1-
Flags: blocking1.8.1.1?
*** Bug 353473 has been marked as a duplicate of this bug. ***
*** Bug 354829 has been marked as a duplicate of this bug. ***
Comment on attachment 200886 [details] [diff] [review] patch, v1.1 Maybe this can be reconsidered? It is numer 30 on the firefox2 branch crash list, so it's not really a topcrasher, but the patch is almost a year in trunk and seems very safe to me.
Attachment #200886 - Flags: approval1.8.1- → approval1.8.1?
Comment on attachment 200886 [details] [diff] [review] patch, v1.1 Still want to wait for this till 1.8.1.1 - thanks for bringing this back up!
Attachment #200886 - Flags: approval1.8.1? → approval1.8.1-
The Typo3 community discovered the problem immediately after 1.5.0.7 came out. Most are admins and rolled back to 1.5.0.6. The actual number of people affected are larger but it is masked by the rollbacks. If this does not make it into 1.5.0.8 and 2.0 I hope for an immediate update very soon after.
Oh great, the typo3 demo doesn't crash with Firefox1.5.0.6, but does crash after I've updated to Firefox1.5.07 :(
Comment on attachment 200886 [details] [diff] [review] patch, v1.1 Ok. Given we have some folks who are known to be affected let's get this in for RC2.
Attachment #200886 - Flags: approval1.8.1- → approval1.8.1+
Flags: blocking1.8.1.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.8+
The patch applies cleanly to Gecko 1.8 branch with an offset of -23 lines. Need checkin.
Whiteboard: [checkin needed to 1.8 branch]
Also applies cleanly to Gecko 1.8.0 branch, offset -31 lines.
Checking in nsRange.cpp; /cvsroot/mozilla/content/base/src/nsRange.cpp,v <-- nsRange.cpp new revision: 1.189.2.6; previous revision: 1.189.2.5 done Checked into the 1.8.1 branch. I just verified in my debug 1.8.1 branch build that it indeed fixes the typo3 crash.
Keywords: fixed1.8.1
Comment on attachment 200886 [details] [diff] [review] patch, v1.1 This was checked in on the 1.8.1 branch, so it will also need to be checked in on the 1.8.0.8 branch.
Attachment #200886 - Flags: approval1.8.0.9? → approval1.8.0.8?
Whiteboard: [checkin needed to 1.8 branch]
*** Bug 354995 has been marked as a duplicate of this bug. ***
Keywords: regression
*** Bug 355011 has been marked as a duplicate of this bug. ***
Comment on attachment 200886 [details] [diff] [review] patch, v1.1 approved for 1.8.0 branch, a=dveditz for drivers
Attachment #200886 - Flags: approval1.8.0.8? → approval1.8.0.8+
Checking in nsRange.cpp; /cvsroot/mozilla/content/base/src/nsRange.cpp,v <-- nsRange.cpp new revision: 1.189.6.2; previous revision: 1.189.6.1 done Checked into the 1.8.0.x branch.
Keywords: fixed1.8.0.8
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.8pre) Gecko/20061020 Firefox/1.5.0.8pre
Keywords: fixed1.8.0.8verified1.8.0.8
See Also: → https://launchpad.net/bugs/62815
Component: DOM: Traversal-Range → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: