Closed
Bug 446483
Opened 16 years ago
Closed 15 years ago
Crash [@ nsIDocument::GetRootContent] with contenteditable and selection collapse on body
Categories
(Core :: DOM: Editor, defect)
Core
DOM: Editor
Tracking
()
RESOLVED
FIXED
mozilla1.9.2a1
People
(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(4 files, 2 obsolete files)
|
227 bytes,
text/html
|
Details | |
|
5.65 KB,
text/plain
|
Details | |
|
4.65 KB,
text/plain
|
Details | |
|
1.08 KB,
patch
|
peterv
:
review+
peterv
:
superreview+
|
Details | Diff | Splinter Review |
See testcase, which crashes current trunk build usually within 10 seconds. This regressed between 2008-07-08 and 2008-07-12 (Ria, could you find out a more narrow regression range?) http://crash-stats.mozilla.com/report/index/4f43ff21-5767-11dd-90e4-001a4bd43e5c?p=1 0 xul.dll nsIDocument::GetRootContent obj-firefox/dist/include/content/nsIDocument.h:448 1 xul.dll SelectorMatches layout/style/nsCSSRuleProcessor.cpp:1355 2 xul.dll ContentEnumFunc layout/style/nsCSSRuleProcessor.cpp:1817 3 xul.dll RuleHash::EnumerateAllRules layout/style/nsCSSRuleProcessor.cpp:630 4 xul.dll factory_MatchEntry
|
||
Comment 1•16 years ago
|
||
It was not 100% reproducible for me. The only thing for sure is that it crashed on ID:2008071115. I couldn't make it crash on ID:2008071114 until now. That would mean that on this page http://hg.mozilla.org/index.cgi/mozilla-central/shortlog/e30d33fe2ed8 the problem started between f174a0cc8c12 and (up) to ebfc2ad982f4 but I see nothing relevant in that range.
|
Reporter | |
Comment 2•16 years ago
|
||
Ok, thanks for trying. I've narrowed down the regression range. I don't get a crash in a 2008-07-11 build, I do get a crash in a 2008-07-12 build: http://hg.mozilla.org/index.cgi/mozilla-central/shortlog/2ac26a817782 http://hg.mozilla.org/index.cgi/mozilla-central/shortlog/e30d33fe2ed8 Regression from bug 431770, somehow?
|
Assignee | |
Comment 3•16 years ago
|
||
nsCOMPtr<nsINode>::get_DerivedSafe nsIDocument::GetRootContent SelectorMatches ContentEnumFunc RuleHash::EnumerateAllRules nsCSSRuleProcessor::RulesMatching EnumRulesMatching nsStyleSet::FileRules nsStyleSet::ResolveStyleFor nsInspectorCSSUtils::GetStyleContextForContent nsInspectorCSSUtils::GetStyleContextForContent nsComputedDOMStyle::GetPropertyCSSValue nsComputedDOMStyle::GetPropertyValue IsBreakElement mozInlineSpellWordUtil::BuildSoftText mozInlineSpellWordUtil::EnsureWords mozInlineSpellWordUtil::SetPosition mozInlineSpellChecker::DoSpellCheck mozInlineSpellChecker::ResumeCheck mozInlineSpellResume::Run nsThread::ProcessNextEvent NS_ProcessNextEvent_P nsBaseAppShell::Run nsAppStartup::Run XRE_main main
|
|
Assignee | |
Comment 4•16 years ago
|
||
There are a bunch of these warnings leading up to the crash: WARNING: Context has no global.: dom/src/base/nsJSEnvironment.cpp, line 2231 Looking at the HTMLDocument at that point reveals that mContentEditableCount == 0.
|
|
Assignee | |
Comment 5•16 years ago
|
||
Don't schedule a spell check after removing the last node in the document.
Assignee: nobody → mats.palmgren
Status: NEW → ASSIGNED
Attachment #330770 -
Flags: superreview?(bzbarsky)
Attachment #330770 -
Flags: review?(bzbarsky)
|
||
Comment 6•16 years ago
|
||
Comment on attachment 330770 [details] [diff] [review] Patch rev. 1 Peter should review this... Do we know why it regressed?
Attachment #330770 -
Flags: superreview?(peterv)
Attachment #330770 -
Flags: superreview?(bzbarsky)
Attachment #330770 -
Flags: review?(peterv)
Attachment #330770 -
Flags: review?(bzbarsky)
|
||
Comment 7•16 years ago
|
||
Comment on attachment 330770 [details] [diff] [review] Patch rev. 1 This looks wrong, we want to rest the spellchecking state of the last node on which we turn off contentEditable. Does checking aElement->IsInDoc() help?
Attachment #330770 -
Flags: superreview?(peterv)
Attachment #330770 -
Flags: review?(peterv)
Attachment #330770 -
Flags: review-
|
|
Reporter | |
Updated•16 years ago
|
Flags: blocking1.9.1?
|
|
Assignee | |
Comment 8•16 years ago
|
||
Firefox x86_64 debug builds on Linux: hg clone changeset 35e2246a339f (bug 431770) => crash backing out 431770 => still crash hg clone changeset b6f1af141782 => crash with/without bug 431770 hg clone changeset 6904a3773137 => no crash hg clone f174a0cc8c12 => no crash apply bug 431770 => still no crash hg pull -r ebfc2ad982f4 => no crash hg pull -r dd2a7349ee20 => no crash hg pull -r 6cf6bfb166b8 => no crash hg pull -r 62e942b4fe34 => crash backout bug 422868 => still crash backout bug 422865 (changeset 751005894cf8) => no crash ==> bug 422865 is the culprit! =============================== Current trunk does NOT crash, it appears to have been fixed in the range 2008-08-19-02 -- 2008-08-20-02. http://hg.mozilla.org/mozilla-central/shortlog/5e68a48895e8 which is odd since there's only JS engine stuff in that range AFAICT. There are several warnings and assertions in current trunk though, which I think are related to the bug, so the underlying bug is still there IMO.
|
|
Assignee | |
Comment 9•16 years ago
|
||
(In reply to comment #7) > Does checking aElement->IsInDoc() help? No.
|
|
Assignee | |
Comment 10•16 years ago
|
||
The document has been removed from the docshell (mRemovedFromDocShell==true) but it still has "mEditingState == eContentEditable" so the EditingStateChanged() call at the beginning of ChangeContentEditableCount() does not change the state due to the early return: http://hg.mozilla.org/mozilla-central/annotate/72ebd32e6033/content/html/document/src/nsHTMLDocument.cpp#l3086 http://hg.mozilla.org/mozilla-central/annotate/72ebd32e6033/content/html/document/src/nsHTMLDocument.cpp#l3304 This patch fixes the crash in the old debug build and the associated warnings/assertions disappears in that build and current trunk.
Attachment #330770 -
Attachment is obsolete: true
Attachment #338573 -
Flags: superreview?(peterv)
Attachment #338573 -
Flags: review?(peterv)
Flags: blocking1.9.1? → wanted1.9.1+
|
|
Reporter | |
Comment 11•16 years ago
|
||
This seems to be worksforme in current trunk build.
|
|
Reporter | |
Comment 12•16 years ago
|
||
I don't crash anymore with the testcase, but I still crash with this stacktrace in some complicated case where I haven't been able to make a testcase from. Is the patch still relevant? Can it be reviewed and checked in?
I think so.
|
|
Reporter | |
Comment 14•16 years ago
|
||
Ok, the patch still seems to fix the complicated case where I'm seeing this crash in my debug build.
|
|
Reporter | |
Updated•15 years ago
|
Flags: blocking1.9.2?
|
|
||
Comment 15•15 years ago
|
||
I was going to review with comments, but might as well post the patch with the change that I want (since it's so small). I'd rather set mEditingState to eOff asap, in RemovedFromDocshell, instead of waiting for a call to EditingStateChanged to update it.
Attachment #338573 -
Attachment is obsolete: true
Attachment #363377 -
Flags: superreview+
Attachment #363377 -
Flags: review+
Attachment #338573 -
Flags: superreview?(peterv)
Attachment #338573 -
Flags: review?(peterv)
|
|
Assignee | |
Comment 16•15 years ago
|
||
Yeah, that's better, thanks. I pushed it with a mochitest: http://hg.mozilla.org/mozilla-central/rev/fef91437b4f0 -> FIXED
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2a1
Flags: blocking1.9.2?
|
||
Updated•13 years ago
|
Crash Signature: [@ nsIDocument::GetRootContent]
You need to log in
before you can comment on or make changes to this bug.
Description
•