Closed Bug 448993 Opened 16 years ago Closed 16 years ago

Crash [@ nsRange::CutContents] using deleteContents after extractContents and GC

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.1b3

People

(Reporter: jruderman, Assigned: smaug)

References

Details

(4 keywords)

Crash Data

Attachments

(4 files, 2 obsolete files)

testcase (crashes Firefox when loaded with privs)
644 bytes, text/html
Details
er, this one, fix for now
725 bytes, patch
Details | Diff | Splinter Review
+missing file
3.15 KB, patch
sicking
: review+
sicking
: superreview+
beltzner
: approval1.9.1+
Details | Diff | Splinter Review
mochitest
2.22 KB, patch
Details | Diff | Splinter Review 
I've been hitting this crash a lot during automated testing.
Assignee: nobody → Olli.Pettay
The fix for bug 335998 would fix this one too, but let's see if I find some
temporary fix for the crash.
Depends on: strongparent
So bug 335998 changed us to cut nodes, which means that just
before CC b's parentNode is c, which parentNode is a document fragment, which 
isn't kept alive.
Before bug 335998, c's parent is null.

Keeping the document fragment alive by changing
r.extractContents();
to
var df = r.extractContents();
prevents the crash.
Attached patch proposed patch for now (obsolete) — Splinter Review 

        Attachment #332171 -
        Flags: superreview?(jonas)

        Attachment #332171 -
        Flags: review?(jonas)

        Attachment #332171 -
        Flags: superreview?(jonas)

        Attachment #332171 -
        Flags: review?(jonas)

    
    

    
  
I assume you meant to refer to bug 332148 in comment 2.
Blocks: 332148

    
    

    
  


  

        Attachment #332171 -
        Attachment is obsolete: true

        Attachment #332173 -
        Flags: superreview?(jonas)

        Attachment #332173 -
        Flags: review?(jonas)

    
    

    
  
Whoops.

I know the point was made in bug 332148 about making mochitests instead of xpcshell tests.  Do we plan on adding this testcase as a mochitest and granting privileges, or should we perhaps use a xpcshell test and just call gc()?

    
    

    
  
Seems bad that IsDetached() can return false but mRoot be null. Should we also set mIsDetached in ::NodeWillBeDestroyed?

    
    

    
  
Or are there more cases when we are detached with a null mRoot so we need to check for that anyway?

    
    

    
  
I don't think we want to mark range detached, because that would prevent using
a valid range after mRoot has been deleted.

    
    

    
  
But you can't really use the range if the root goes away anyway since lots of the nodes between the start and end point might have gone away (at which point the endpoints would no longer be connected).

Should we make ranges hold a strong reference to the root? (effectively we'd do that anyway once we make nodes hold strong reference to their parent)

        Attachment #332173 -
        Flags: superreview?(jonas)

        Attachment #332173 -
        Flags: review?(jonas)

    
    

    
  
Comment on attachment 332173 [details] [diff] [review]
er, this one, fix for now

Resetting request, i think we'll want to detach or hold a strong reference to the root.

    
    

    
  
Ok, I'll make the mRoot strong, after bug 463410.
Depends on: 463410
Flags: blocking1.9.1?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Strong mRoot (obsolete)
        — Splinter Review
      

    


  

        Attachment #349162 -
        Flags: superreview?(jonas)

        Attachment #349162 -
        Flags: review?(jonas)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        +missing fileSplinter Review
      

    


  

        Attachment #349163 -
        Flags: superreview?(jonas)

        Attachment #349163 -
        Flags: review?(jonas)

        Attachment #349162 -
        Attachment is obsolete: true

        Attachment #349162 -
        Flags: superreview?(jonas)

        Attachment #349162 -
        Flags: review?(jonas)

        Attachment #349163 -
        Flags: superreview?(jonas)

        Attachment #349163 -
        Flags: superreview+

        Attachment #349163 -
        Flags: review?(jonas)

        Attachment #349163 -
        Flags: review+
Flags: in-testsuite?

        Attachment #349163 -
        Flags: approval1.9.1? → approval1.9.1+

    
    

    
  
This needs approval for Bug 463410 too.

    
    

    
  
The patch here has approval, so should be ready to land. Not blocking...
Flags: blocking1.9.1? → blocking1.9.1-
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: [needs-1.9.1-landing]

    
    

    
  
fixed on trunk and 1.9.1
Whiteboard: [needs-1.9.1-landing]
Flags: in-testsuite? → in-testsuite+
Keywords: fixed1.9.1
Target Milestone: --- → mozilla1.9.1b3

    
    

    
  
(In reply to comment #19)
> fixed on trunk and 1.9.1

Please include links to changesets to trunk and 1.9.1 fixes in the comments next time.  Thanks.

Verified on Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090310 Minefield/3.2a1pre
and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090310 Shiretoko/3.1b4pre Ubiquity/0.1.5
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1
Depends on: 483981
Crash Signature: [@ nsRange::CutContents]
Component: DOM: Traversal-Range → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: