Closed Bug 448445 Opened 16 years ago Closed 16 years ago

Crash when copying or dragging content within an html <ul> element [@ nsHTMLContentSerializer::IsFirstChildOfOL(nsIDOMElement*) ]

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
blocker

Tracking

()

VERIFIED FIXED

People

(Reporter: tyghyjbyujvjhb, Assigned: eschew)


Details

(4 keywords)


Attachments

(2 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1a2pre) Gecko/2008072903 Minefield/3.1a2pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1a2pre) Gecko/2008072903 Minefield/3.1a2pre

Crashes when dragging a link inside an html <ul> element. Tested in a new profile.

Reproducible: Always

Steps to Reproduce:
1. Open url
2. Drag link
3. Crash instantly.

Actual Results: Crash

Expected Results: Not crash

Crash report http://crash-stats.mozilla.com/report/index/3856080c-5d97-11dd-beab-001a4bd43ef6

Another from mozillazine forum user gigaherz, probably the same bug
http://crash-stats.mozilla.com/report/index/94481bab-5d9c-11dd-aaa7-001cc4e2bf68
posted here: http://forums.mozillazine.org/viewtopic.php?p=4012435#p4012435
Confirming, I believe this regressed since yesterday's (2008072803) nightly because I tried to reproduce on that first to no avail, upgraded to today's and could reproduce.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-firefox3.1?
Version: unspecified → Trunk
Summary: Crash when dragging a link inside an html <ul> element → Crash when dragging a link inside an html <ul> element [@ nsHTMLContentSerializer::IsFirstChildOfOL(nsIDOMElement*) ]
OS: Windows XP → All
Attached file Reduced Testcase
(In reply to comment #0)
> Another from mozillazine forum user gigaherz, probably the same bug
> http://crash-stats.mozilla.com/report/index/94481bab-5d9c-11dd-aaa7-001cc4e2bf68
> posted here: http://forums.mozillazine.org/viewtopic.php?p=4012435#p4012435
>

Just to say I'm gigaherz from mozillazine, and add myself to CC.

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1a2pre) Gecko/2008072903 Minefield/3.1a2pre ID:2008072903
Summary: Crash when dragging a link inside an html <ul> element [@ nsHTMLContentSerializer::IsFirstChildOfOL(nsIDOMElement*) ] → Crash when copying or dragging content within an html <ul> element [@ nsHTMLContentSerializer::IsFirstChildOfOL(nsIDOMElement*) ]
Keywords: regression, testcase
Regression range from bug 448464
regressed between
Gecko/2008072822 Minefield/3.1a2pre (works)
Gecko/2008072823 Minefield/3.1a2pre (fails)
(OS X builds)
Broke between 2008072822 and 2008072901 windows builds

From dependent bug:
regressed between
Gecko/2008072822 Minefield/3.1a2pre (works)
Gecko/2008072823 Minefield/3.1a2pre (fails)
(OS X builds)
Hardware: PC → All
So now double-clicking links also. Seems to keep getting worse with more ways to trigger this.
Severity: critical → blocker
Component: General → DOM
Flags: blocking-firefox3.1?
Product: Firefox → Core
QA Contact: general → general
Actually, I noticed it primarily on the body of elements.

Try: http://news.slashdot.org/article.pl?sid=08/07/29/2211235

And double click on the body of a comment without links.
Breakpad is broken, but I'm guessing this is a topcrash.
Keywords: crash, topcrash
Mozilla/5.0 (X11; U; Linux i686; rv:1.9.0.2pre) Gecko/2008072213 SeaMonkey/2.0a1pre ID:2008072213

Mine works ok. No crash

P.S. My build id seems wrong by another Seamonkey bug, it's 30 jul gecko 1.9.1 latest build
This also happens in designmode.
Peter, I think this is a regression from bug 332239, which added the aOriginalElement parameter. That parameter is quite often null, so referencing it may cause crashes.
Blocks: 332239
Adding:
476194e1-5e45-11dd-b31c-001a4bd43ef6 7/30/2008 10:39 AM
2d795868-5e45-11dd-862a-001a4bd43ef6 7/30/2008 10:38 AM

Mine occurs on http://www.kelvinluck.com/assets/jquery/datePicker/v2/demo/documentation.html

When trying to copy the example code under dpSetStartDate

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1a2pre) Gecko/2008073003 Minefield/3.1a2pre ID:2008073003
(In reply to comment #13)
> Peter, I think this is a regression from bug 332239, which added the
> aOriginalElement parameter.

Nope, I think this is actually a regression from bug 293834.
Blocks: 293834
No longer blocks: 332239
Yeah, this mess is my fault. The fix should be pretty simple: if aOriginalNode is null, use aNode instead. Verifying now, will be a few minutes for the compile to finish.
Status: NEW → ASSIGNED
Verified that this fixes the crash on OS X.
Attachment #331759 - Flags: review?(bzbarsky)
Comment on attachment 331759
Fix missing case of !aOriginalNode && !mNodeFixup

r+sr=bzbarsky
Attachment #331759 - Flags: superreview+
Attachment #331759 - Flags: review?(bzbarsky)
Attachment #331759 - Flags: review+
Assignee: nobody → eschew
Status: ASSIGNED → NEW
Pushed changeset b57a468b13a2. It'd be good to have a test here.
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Verified fixed with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1a2pre) Gecko/2008073014 Minefield/3.1a2pre
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsHTMLContentSerializer::IsFirstChildOfOL(nsIDOMElement*) ]
Component: DOM → DOM: Core & HTML
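
The root cause discussed in this bug (an optional "original node" argument that is often null reaching a helper that dereferences it, fixed by falling back to the node being serialized) as a minimal C++ model. This is an added example, not the patch in attachment 331759 and not Gecko code: `Node`, `appendChild`, `serializeStartUnfixed`, `serializeStart` and the `first-in-ol` marker are hypothetical, and only the helper's name echoes the crash signature.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical, simplified DOM node (not Gecko's interfaces).
struct Node {
    std::string tag;
    Node* parent = nullptr;
    std::vector<Node*> children;
};

void appendChild(Node& parent, Node& child) {
    child.parent = &parent;
    parent.children.push_back(&child);
}

// Helper that dereferences its argument unconditionally, like the function
// named in the crash signature. Callers must pass a non-null pointer.
bool isFirstChildOfOL(const Node* original) {
    const Node* p = original->parent;  // null dereference if original == nullptr
    return p && p->tag == "ol" && !p->children.empty() &&
           p->children.front() == original;
}

// Pre-fix shape: the optional `original` is forwarded as-is, so a caller that
// passes nullptr (no separate original exists) reaches the dereference above.
std::string serializeStartUnfixed(const Node* node, const Node* original) {
    return isFirstChildOfOL(original) ? "<" + node->tag + " first-in-ol>"
                                      : "<" + node->tag + ">";
}

// Post-fix shape: when no original was supplied, the node being serialized
// is treated as its own original before any helper sees the pointer.
std::string serializeStart(const Node* node, const Node* original = nullptr) {
    if (!original) original = node;
    return serializeStartUnfixed(node, original);
}

int main() {
    // Constructed sample tree: <ul><li/></ul>, serialized with no original.
    Node ul; ul.tag = "ul";
    Node li; li.tag = "li";
    appendChild(ul, li);
    std::cout << serializeStart(&li) << "\n";
    return 0;
}
```

A regression test for this class of bug should cover the null-original path explicitly, since that is the path copy, drag and double-click selection exercised in the reports above.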