See bug 375093
talkback ID: TB30519322Z
MSVCR80.dll + 0x1520a (0x7814520a)
nsVoidArray::RemoveElementsAt [mozilla/xpcom/build/nsvoidarray.cpp, line 591]
[mozilla/editor/libeditor/base/nseditorutils.h, line 66]
I can reproduce this crash with a 2007-03-24 trunk build.
But I haven't been able to reproduce it with my debug build.
If someone can reproduce this crash in their own build and then try out Olli's patch, that would be great.
Btw, I can sometimes reproduce this crash (in 20% of the cases) when right-click pasting in the text input.
(In reply to comment #1)
> If someone can reproduce this crash in their own build and then try out
> Olli's patch, that would be great.
I can reproduce this crash in my debug build and the suggested patch
Created attachment 259578
Should we fix CheckFireOnChange and NotifySelectionChanged too?
and perhaps document in nsIPresShell.h that callers of
HandleEventWithTarget and HandleDOMEventWithTarget
guarantee that a strong ref exists for the duration of the call.
Ditto for HandleEvent in nsIViewObserver.h (which PresShell implements)
-or- should we leave the callers as is and make the above HandleEvent
methods hold a strong ref on 'this'?
Caller of HandleEventWithTarget or HandleDOMEventWithTarget should keep
a strong ref. Just going through all those cases ...
Created attachment 259585
I think we want to have a version for branches too.
Comment on attachment 259585
// shell may no longer be alive, don't use it here unless you keep a ref
You could remove this comment.
Created attachment 259780
Similar for branches.
1.8.0/nsGfxScrollFrame.cpp needs to be fixed manually when applying the
On an unfixed trunk debug build I get a deleted PresShell, on the 1.8 branch it
appears to be a relatively safe null-deref DoS. DeCOMtamination went too far on
the trunk? Better to just fix it though, just in case.
Comment on attachment 259780
approved for 22.214.171.124 and 126.96.36.199, a=dveditz for release-drivers
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a4pre) Gecko/20070403 Minefield/3.0a4pre
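The ownership rule discussed in this bug, that a caller of HandleEventWithTarget keeps a strong reference for the duration of the call, shown as an added example that is not Mozilla code and not part of the original thread. ModelShell, StrongRef and dispatch are hypothetical names, and destruction is only recorded rather than performed so the unprotected path can be observed without real undefined behaviour.

```cpp
#include <functional>
#include <iostream>
#include <string>
#include <vector>
using Log = std::vector<std::string>;

// Model of a refcounted shell (assumption: stands in for PresShell).
// Destruction is only recorded (alive=false), never performed.
struct ModelShell {
    int refs = 0;
    bool alive = true;
    Log& log;
    explicit ModelShell(Log& l) : log(l) {}
    void AddRef() { ++refs; }
    void Release() { if (--refs == 0) { alive = false; log.push_back("shell destroyed"); } }
    // The handler is arbitrary code and may drop refs; `this` is still used afterwards.
    void HandleEventWithTarget(const std::function<void()>& handler) {
        handler();
        log.push_back(alive ? "post-dispatch work on live shell"
                            : "post-dispatch work on DESTROYED shell");
    }
};

// RAII strong reference held by the caller for the duration of the call.
struct StrongRef {
    ModelShell& s;
    explicit StrongRef(ModelShell& shell) : s(shell) { s.AddRef(); }
    ~StrongRef() { s.Release(); }
};

Log dispatch(bool callerHoldsStrongRef) {
    Log log;
    ModelShell shell(log);
    shell.AddRef();                                 // the owner's reference
    auto teardown = [&shell] { shell.Release(); };  // handler drops the owner's ref
    if (callerHoldsStrongRef) {
        StrongRef grip(shell);                      // keeps the shell alive across the call
        shell.HandleEventWithTarget(teardown);
    } else {
        shell.HandleEventWithTarget(teardown);      // caller relies on a raw pointer only
    }
    return log;
}

int main() {
    for (bool held : {false, true})
        for (const auto& line : dispatch(held)) std::cout << held << ": " << line << "\n";
}
```

In a real build the unprotected path would touch freed memory; the model only records the ordering that makes that possible.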