Closed Bug 446483 Opened 16 years ago Closed 16 years ago

Crash [@ nsIDocument::GetRootContent] with contenteditable and selection collapse on body

Categories

(Core :: DOM: Editor, defect)

Product:
Core
Component:
DOM: Editor
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.2a1

People

(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(4 files, 2 obsolete files)

testcase
227 bytes, text/html
Details
Crash stack
5.65 KB, text/plain
Details
Stack for "WARNING: Context has no global"
4.65 KB, text/plain
Details
Patch rev. 2.1
1.08 KB, patch
peterv
: review+
peterv
: superreview+
Details | Diff | Splinter Review
Attached file testcase
See testcase, which crashes current trunk build usually within 10 seconds. This regressed between 2008-07-08 and 2008-07-12 (Ria, could you find out a more narrow regression range?) http://crash-stats.mozilla.com/report/index/4f43ff21-5767-11dd-90e4-001a4bd43e5c?p=1 0 xul.dll nsIDocument::GetRootContent obj-firefox/dist/include/content/nsIDocument.h:448 1 xul.dll SelectorMatches layout/style/nsCSSRuleProcessor.cpp:1355 2 xul.dll ContentEnumFunc layout/style/nsCSSRuleProcessor.cpp:1817 3 xul.dll RuleHash::EnumerateAllRules layout/style/nsCSSRuleProcessor.cpp:630 4 xul.dll factory_MatchEntry
It was not 100% reproducible for me. The only thing for sure is that it crashed on ID:2008071115. I couldn't make it crash on ID:2008071114 until now. That would mean that on this page http://hg.mozilla.org/index.cgi/mozilla-central/shortlog/e30d33fe2ed8 the problem started between f174a0cc8c12 and (up) to ebfc2ad982f4 but I see nothing relevant in that range.
Ok, thanks for trying. I've narrowed down the regression range. I don't get a crash in a 2008-07-11 build, I do get a crash in a 2008-07-12 build: http://hg.mozilla.org/index.cgi/mozilla-central/shortlog/2ac26a817782 http://hg.mozilla.org/index.cgi/mozilla-central/shortlog/e30d33fe2ed8 Regression from bug 431770, somehow?
Attached file Crash stack
nsCOMPtr<nsINode>::get_DerivedSafe nsIDocument::GetRootContent SelectorMatches ContentEnumFunc RuleHash::EnumerateAllRules nsCSSRuleProcessor::RulesMatching EnumRulesMatching nsStyleSet::FileRules nsStyleSet::ResolveStyleFor nsInspectorCSSUtils::GetStyleContextForContent nsInspectorCSSUtils::GetStyleContextForContent nsComputedDOMStyle::GetPropertyCSSValue nsComputedDOMStyle::GetPropertyValue IsBreakElement mozInlineSpellWordUtil::BuildSoftText mozInlineSpellWordUtil::EnsureWords mozInlineSpellWordUtil::SetPosition mozInlineSpellChecker::DoSpellCheck mozInlineSpellChecker::ResumeCheck mozInlineSpellResume::Run nsThread::ProcessNextEvent NS_ProcessNextEvent_P nsBaseAppShell::Run nsAppStartup::Run XRE_main main
There are a bunch of these warnings leading up to the crash: WARNING: Context has no global.: dom/src/base/nsJSEnvironment.cpp, line 2231 Looking at the HTMLDocument at that point reveals that mContentEditableCount == 0.
Attached patch Patch rev. 1 (obsolete) — Splinter Review
Don't schedule a spell check after removing the last node in the document.
Assignee: nobody → mats.palmgren
Status: NEW → ASSIGNED
Attachment #330770 - Flags: superreview?(bzbarsky)
Attachment #330770 - Flags: review?(bzbarsky)
Comment on attachment 330770 [details] [diff] [review] Patch rev. 1 Peter should review this... Do we know why it regressed?
Attachment #330770 - Flags: superreview?(peterv)
Attachment #330770 - Flags: superreview?(bzbarsky)
Attachment #330770 - Flags: review?(peterv)
Attachment #330770 - Flags: review?(bzbarsky)
Comment on attachment 330770 [details] [diff] [review] Patch rev. 1 This looks wrong, we want to rest the spellchecking state of the last node on which we turn off contentEditable. Does checking aElement->IsInDoc() help?
Attachment #330770 - Flags: superreview?(peterv)
Attachment #330770 - Flags: review?(peterv)
Attachment #330770 - Flags: review-
Flags: blocking1.9.1?
Firefox x86_64 debug builds on Linux: hg clone changeset 35e2246a339f (bug 431770) => crash backing out 431770 => still crash hg clone changeset b6f1af141782 => crash with/without bug 431770 hg clone changeset 6904a3773137 => no crash hg clone f174a0cc8c12 => no crash apply bug 431770 => still no crash hg pull -r ebfc2ad982f4 => no crash hg pull -r dd2a7349ee20 => no crash hg pull -r 6cf6bfb166b8 => no crash hg pull -r 62e942b4fe34 => crash backout bug 422868 => still crash backout bug 422865 (changeset 751005894cf8) => no crash ==> bug 422865 is the culprit! =============================== Current trunk does NOT crash, it appears to have been fixed in the range 2008-08-19-02 -- 2008-08-20-02. http://hg.mozilla.org/mozilla-central/shortlog/5e68a48895e8 which is odd since there's only JS engine stuff in that range AFAICT. There are several warnings and assertions in current trunk though, which I think are related to the bug, so the underlying bug is still there IMO.
Blocks: 422865
OS: Windows XP → All
Hardware: PC → All
(In reply to comment #7) > Does checking aElement->IsInDoc() help? No.
Attached patch Patch rev. 2 (obsolete) — Splinter Review
The document has been removed from the docshell (mRemovedFromDocShell==true) but it still has "mEditingState == eContentEditable" so the EditingStateChanged() call at the beginning of ChangeContentEditableCount() does not change the state due to the early return: http://hg.mozilla.org/mozilla-central/annotate/72ebd32e6033/content/html/document/src/nsHTMLDocument.cpp#l3086 http://hg.mozilla.org/mozilla-central/annotate/72ebd32e6033/content/html/document/src/nsHTMLDocument.cpp#l3304 This patch fixes the crash in the old debug build and the associated warnings/assertions disappears in that build and current trunk.
Attachment #330770 - Attachment is obsolete: true
Attachment #338573 - Flags: superreview?(peterv)
Attachment #338573 - Flags: review?(peterv)
Flags: blocking1.9.1? → wanted1.9.1+
This seems to be worksforme in current trunk build.
I don't crash anymore with the testcase, but I still crash with this stacktrace in some complicated case where I haven't been able to make a testcase from. Is the patch still relevant? Can it be reviewed and checked in?
Ok, the patch still seems to fix the complicated case where I'm seeing this crash in my debug build.
Flags: blocking1.9.2?
Attached patch Patch rev. 2.1Splinter Review
I was going to review with comments, but might as well post the patch with the change that I want (since it's so small). I'd rather set mEditingState to eOff asap, in RemovedFromDocshell, instead of waiting for a call to EditingStateChanged to update it.
Attachment #338573 - Attachment is obsolete: true
Attachment #363377 - Flags: superreview+
Attachment #363377 - Flags: review+
Attachment #338573 - Flags: superreview?(peterv)
Attachment #338573 - Flags: review?(peterv)
Yeah, that's better, thanks. I pushed it with a mochitest: http://hg.mozilla.org/mozilla-central/rev/fef91437b4f0 -> FIXED
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2a1
Crash Signature: [@ nsIDocument::GetRootContent]
Depends on: 939618
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: