Closed
Bug 349931
Opened 18 years ago
Closed 18 years ago
Crash [@ nsDocument::GetFirstChild] when following selection instructions in this particular testcase
Categories
(Core :: DOM: UI Events & Focus Handling, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: martijn.martijn, Assigned: smaug)
References
Details
(4 keywords)
Crash Data
Attachments
(6 files)
693 bytes,
text/html
|
Details | |
10.63 KB,
text/plain
|
Details | |
779 bytes,
text/html
|
Details | |
9.57 KB,
text/plain
|
Details | |
3.77 KB,
patch
|
Details | Diff | Splinter Review | |
4.40 KB,
patch
|
roc
:
review+
roc
:
superreview+
|
Details | Diff | Splinter Review |
See upcoming testcase. To reproduce the crash: - Mousedown and drag the mouse from the right of the iframe into the iframe, then release the mouse button - Now mousedown and drag the mouse from in the iframe to outside of the iframe, then release the mouse button Talkback ID: TB22425496G nsDocument::GetFirstChild nsDOMEvent::GetType nsFrameSelection::NotifySelectionListeners nsFrameSelection::HandleClick nsFrameSelection::HandleDrag nsFrame::HandleDrag nsFrame::HandleEvent nsPresShellEventCB::HandleEvent nsEventDispatcher::Dispatch PresShell::HandleEventInternal PresShell::HandlePositionedEvent PresShell::HandleEvent nsViewManager::HandleEvent nsViewManager::DispatchEvent HandleEvent nsWindow::DispatchEvent nsWindow::DispatchMouseEvent This regressed between 2006-02-03 and 2006-02-04: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-02-03+06&maxdate=2006-02-04+07&cvsroot=%2Fcvsroot I suspect this is a regression from bug 253076.
Reporter | ||
Comment 1•18 years ago
|
||
Comment 2•18 years ago
|
||
I have to admit, I don't yet see a connection between nsDocument::GetFirstChild and nsDOMEvent::GetType. Despite the stack trace, nsDOMEvent::GetType doesn't seem to call on nsDocument::GetFirstChild. I'm building a SeaMonkey trunk now to see if I can reproduce and debug this.
Comment 3•18 years ago
|
||
Okay, I was right - the stack trace given by Talkback is no good. I find this testcase works best when you aim for just inside the lower right corner of the iframe. It's also worth noting we hit an assertion: ###!!! ASSERTION: index out of range: '0 <= aIndex && aIndex < Count()', file m:\xpathgen\mozilla\xpcom\glue\nsVoidArray.h, line 72 The assertion is hit right before we crash.
Comment 4•18 years ago
|
||
Try figuring out the regression range with this revised test (this version puts a <br> in the iframe). I don't have many builds downloaded, but it regressed between 20050827 and 20051009.
Attachment #235129 -
Attachment is obsolete: true
So the crash happens while iterating over the selection listeners in nsTypedSelection. One of the listeners is a ResizerSelectionListener which can call nsHTMLEditor::GetAbsolutelyPositionedSelectionContainer, which gets a computed CSS property. This causes a flush, and wipes out the selection listeners in nsTypedSelection. Then the crash occurs when nsTypedSelection tries to loop over listeners that no longer exists. I'll attach a stack showing this and the debugging patch I used to find it. I think the real issue is getting a computed property from inside a frame method, right?
Assignee | ||
Comment 8•18 years ago
|
||
This is Windows only? Would adding nsRefPtr<nsTypedSelection> selection = mDomSelections[index]; return selection->NotifySelectionListeners(); to http://lxr.mozilla.org/seamonkey/source/layout/generic/nsSelection.cpp#2841 help?
Reporter | ||
Comment 9•18 years ago
|
||
(In reply to comment #4) > Created an attachment (id=235187) [edit] > Revised test > > Try figuring out the regression range with this revised test (this version puts > a <br> in the iframe). I tried crashing with this testcase, but I don't succeed in crashing with this. (sorry for the delay)
Reporter | ||
Comment 10•18 years ago
|
||
(In reply to comment #8) > This is Windows only? > Would adding > nsRefPtr<nsTypedSelection> selection = mDomSelections[index]; > return selection->NotifySelectionListeners(); > to http://lxr.mozilla.org/seamonkey/source/layout/generic/nsSelection.cpp#2841 > help? I just tried it in my debug build, no, that doesn't seem to help. I still crash with the testcase, after I changed that code.
Reporter | ||
Comment 11•18 years ago
|
||
Comment on attachment 235129 [details]
testcase
I'm unobsoluting this testcase, since I am not able to crash with the other testcase.
Attachment #235129 -
Attachment is obsolete: false
Assignee | ||
Comment 13•18 years ago
|
||
I'm not too happy to use weakframe here. Roc, any other ideas?
Attachment #238194 -
Flags: superreview?(roc)
Attachment #238194 -
Flags: review?(roc)
Comment on attachment 238194 [details] [diff] [review] something like this? no, not really.
Attachment #238194 -
Flags: superreview?(roc)
Attachment #238194 -
Flags: superreview+
Attachment #238194 -
Flags: review?(roc)
Attachment #238194 -
Flags: review+
Assignee | ||
Comment 15•18 years ago
|
||
Checked in. The first testcase shouldn't crash anymore. If there are still problems with the second test, please reopen this bug or file a new one. (I managed to crash only using the first testcase.)
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Verified FIXED for me with build 2006-09-19-09 of SeaMonkey trunk under Windows XP with: https://bugzilla.mozilla.org/attachment.cgi?id=235129&action=view and https://bugzilla.mozilla.org/attachment.cgi?id=235187 as the testcases. No crash.
Status: RESOLVED → VERIFIED
Updated•17 years ago
|
Assignee: events → Olli.Pettay
Updated•13 years ago
|
Crash Signature: [@ nsDocument::GetFirstChild]
Updated•5 years ago
|
Component: Event Handling → User events and focus handling
You need to log in
before you can comment on or make changes to this bug.
Description
•