Closed Bug 349931 Opened 19 years ago Closed 19 years ago

Crash [@ nsDocument::GetFirstChild] when following selection instructions in this particular testcase

Categories

(Core :: DOM: UI Events & Focus Handling, defect)

Product:
Core
Component:
DOM: UI Events & Focus Handling
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: smaug)

References

Details

(4 keywords)

Crash Data

Attachments

(6 files)

testcase
693 bytes, text/html
Details
stack traces for testcase
10.63 KB, text/plain
Details
Revised test
779 bytes, text/html
Details
Stack trace showing where the listener was removed
9.57 KB, text/plain
Details
Patch that throws an assertion where the removal occurs
3.77 KB, patch
Details | Diff | Splinter Review
something like this?
4.40 KB, patch
roc
: review+
roc
: superreview+
Details | Diff | Splinter Review
See upcoming testcase. To reproduce the crash: - Mousedown and drag the mouse from the right of the iframe into the iframe, then release the mouse button - Now mousedown and drag the mouse from in the iframe to outside of the iframe, then release the mouse button Talkback ID: TB22425496G nsDocument::GetFirstChild nsDOMEvent::GetType nsFrameSelection::NotifySelectionListeners nsFrameSelection::HandleClick nsFrameSelection::HandleDrag nsFrame::HandleDrag nsFrame::HandleEvent nsPresShellEventCB::HandleEvent nsEventDispatcher::Dispatch PresShell::HandleEventInternal PresShell::HandlePositionedEvent PresShell::HandleEvent nsViewManager::HandleEvent nsViewManager::DispatchEvent HandleEvent nsWindow::DispatchEvent nsWindow::DispatchMouseEvent This regressed between 2006-02-03 and 2006-02-04: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-02-03+06&maxdate=2006-02-04+07&cvsroot=%2Fcvsroot I suspect this is a regression from bug 253076.
Attached file testcase
I have to admit, I don't yet see a connection between nsDocument::GetFirstChild and nsDOMEvent::GetType. Despite the stack trace, nsDOMEvent::GetType doesn't seem to call on nsDocument::GetFirstChild. I'm building a SeaMonkey trunk now to see if I can reproduce and debug this.
Okay, I was right - the stack trace given by Talkback is no good. I find this testcase works best when you aim for just inside the lower right corner of the iframe. It's also worth noting we hit an assertion: ###!!! ASSERTION: index out of range: '0 <= aIndex && aIndex < Count()', file m:\xpathgen\mozilla\xpcom\glue\nsVoidArray.h, line 72 The assertion is hit right before we crash.
Keywords: assertion
Attached file Revised test
Try figuring out the regression range with this revised test (this version puts a <br> in the iframe). I don't have many builds downloaded, but it regressed between 20050827 and 20051009.
Attachment #235129 - Attachment is obsolete: true
So the crash happens while iterating over the selection listeners in nsTypedSelection. One of the listeners is a ResizerSelectionListener which can call nsHTMLEditor::GetAbsolutelyPositionedSelectionContainer, which gets a computed CSS property. This causes a flush, and wipes out the selection listeners in nsTypedSelection. Then the crash occurs when nsTypedSelection tries to loop over listeners that no longer exists. I'll attach a stack showing this and the debugging patch I used to find it. I think the real issue is getting a computed property from inside a frame method, right?
This is Windows only? Would adding nsRefPtr<nsTypedSelection> selection = mDomSelections[index]; return selection->NotifySelectionListeners(); to http://lxr.mozilla.org/seamonkey/source/layout/generic/nsSelection.cpp#2841 help?
(In reply to comment #4) > Created an attachment (id=235187) [edit] > Revised test > > Try figuring out the regression range with this revised test (this version puts > a <br> in the iframe). I tried crashing with this testcase, but I don't succeed in crashing with this. (sorry for the delay)
(In reply to comment #8) > This is Windows only? > Would adding > nsRefPtr<nsTypedSelection> selection = mDomSelections[index]; > return selection->NotifySelectionListeners(); > to http://lxr.mozilla.org/seamonkey/source/layout/generic/nsSelection.cpp#2841 > help? I just tried it in my debug build, no, that doesn't seem to help. I still crash with the testcase, after I changed that code.
Comment on attachment 235129 [details] testcase I'm unobsoluting this testcase, since I am not able to crash with the other testcase.
Attachment #235129 - Attachment is obsolete: false
I managed to crash after all. OS->All
OS: Windows XP → All
I'm not too happy to use weakframe here. Roc, any other ideas?
Attachment #238194 - Flags: superreview?(roc)
Attachment #238194 - Flags: review?(roc)
Comment on attachment 238194 [details] [diff] [review] something like this? no, not really.
Attachment #238194 - Flags: superreview?(roc)
Attachment #238194 - Flags: superreview+
Attachment #238194 - Flags: review?(roc)
Attachment #238194 - Flags: review+
Checked in. The first testcase shouldn't crash anymore. If there are still problems with the second test, please reopen this bug or file a new one. (I managed to crash only using the first testcase.)
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Verified FIXED for me with build 2006-09-19-09 of SeaMonkey trunk under Windows XP with: https://bugzilla.mozilla.org/attachment.cgi?id=235129&action=view and https://bugzilla.mozilla.org/attachment.cgi?id=235187 as the testcases. No crash.
Status: RESOLVED → VERIFIED
Assignee: events → Olli.Pettay
Crash Signature: [@ nsDocument::GetFirstChild]
Component: Event Handling → User events and focus handling
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: