470212 - crash [@ nsContentUtils::ComparePoints]

Status: RESOLVED FIXED

(Core :: DOM: Selection, defect, P2)

Description

[Sylvain Pasche]

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20081218 Minefield/3.2a1pre

open:
http://build.chromium.org/buildbot/perf/dashboard/overview.html

Hold down Shift, click and drag on one of the Canvas.

#0  0xb7f9b430 in __kernel_vsyscall ()
#1  0xb6d13de6 in nanosleep () from /lib/tls/i686/cmov/libc.so.6
#2  0xb6d13bfe in sleep () from /lib/tls/i686/cmov/libc.so.6
#3  0xb7f26b92 in ah_crap_handler (signum=11)
    at /home/sypasche/moz/central/mozilla/toolkit/xre/nsSigHandlers.cpp:149
#4  0xb7f27e50 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:216
#5  <signal handler called>
#6  0xb548c870 in nsINode::GetNodeParent (this=0x0) at ../../../dist/include/content/nsINode.h:530
#7  0xb5761a55 in nsContentUtils::ComparePoints (aParent1=0x0, aOffset1=4396, aParent2=0xb702a20, 
    aOffset2=4, aDisconnected=0x0)
    at /home/sypasche/moz/central/mozilla/content/base/src/nsContentUtils.cpp:1644
#8  0xb55aeb52 in CompareDOMPoints (aParent1=0x0, aOffset1=4396, aParent2=0xb702a40, aOffset2=4)
    at /home/sypasche/moz/central/mozilla/layout/generic/nsSelection.cpp:157
#9  0xb55b0337 in nsFrameSelection::AdjustForMaintainedSelection (this=0xb5d9e00, aContent=0xb702a20, 
    aOffset=4) at /home/sypasche/moz/central/mozilla/layout/generic/nsSelection.cpp:1747
#10 0xb55b0529 in nsFrameSelection::HandleClick (this=0xb5d9e00, aNewFocus=0xb702a20, aContentOffset=4, 
    aContentEndOffset=4, aContinueSelection=1, aMultipleSelection=0, aHint=0)
    at /home/sypasche/moz/central/mozilla/layout/generic/nsSelection.cpp:1797
#11 0xb55b0dc1 in nsFrameSelection::HandleDrag (this=0xb5d9e00, aFrame=0xc72c7b0, aPoint=
      {x = -1079398080, y = -1079396640})
    at /home/sypasche/moz/central/mozilla/layout/generic/nsSelection.cpp:1876
#12 0xb554c5be in nsFrame::HandleDrag (this=0xc72c7b0, aPresContext=0xb5d0248, aEvent=0xbfa9b6e0, 
    aEventStatus=0xbfa9b2a4) at /home/sypasche/moz/central/mozilla/layout/generic/nsFrame.cpp:2262
#13 0xb5537d74 in nsFrame::HandleEvent (this=0xc72c7b0, aPresContext=0xb5d0248, aEvent=0xbfa9b6e0, 
    aEventStatus=0xbfa9b2a4) at /home/sypasche/moz/central/mozilla/layout/generic/nsFrame.cpp:1641
#14 0xb55010ff in nsPresShellEventCB::HandleEvent (this=0xbfa9b350, aVisitor=@0xbfa9b298)
    at /home/sypasche/moz/central/mozilla/layout/base/nsPresShell.cpp:1255
#15 0xb5878e87 in nsEventTargetChainItem::HandleEventTargetChain (this=0xc155d88, aVisitor=@0xbfa9b298, 
    aFlags=6, aCallback=0xbfa9b350, aMayHaveNewListenerManagers=1)
    at /home/sypasche/moz/central/mozilla/content/events/src/nsEventDispatcher.cpp:337

Comment 1

[Sylvain Pasche]

also happens on 1.9.1 branch.

Comment 2

[Tobias Fischer]

Japp, crash from todays SeaMonkey-Win-Nightly (1.9.1 branch):
bp-a5106225-d8b5-45d4-b0df-07b3c2081218

Comment 3

[Olli Pettay [:smaug][bugs@pettay.fi]]

Possibly regression from Bug 415707? Could anyone verify?

Comment 4

[Sylvain Pasche]

That's very likely according to the regression range:
bug 415707 was pushed on Fri Oct 17 21:46:33 2008

build from 20081017: ok
build from 20081018: crashes

Comment 5

[Sylvain Pasche]

Attachment: testcase

A somewhat reduced testcase.

Comment 6

[Martijn Wargers (dead)]

Attachment: testcase2 (uses enhanced privileges)

This testcase uses enhanced privileges and should crash in that case in 200ms.

Comment 7

[Uri Bernstein]

Attachment: patch

Restore the previous behavior where MaintainSelection() failed when the current selection is empty, so that mMaintainedRange is either null or non-empty.

Comment 8

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Comment on attachment 353953 [details] [diff] [review]
patch

I think Martijn's latest test could be turned into a mochitest

Comment 9

[Mats Palmgren (inactive)]

I think returning NS_OK is better.  Having no anchor/focus node is valid
and mMaintainedRange==nsnull is the correct state in that case, isn't it?

Also, the "mMaintainRange = nsnull" might be better to do earlier (after
the mMaintainedAmount assignment), so if any of the NS_ENSURE_SUCCESS
fails it is null.

Comment 10

[Uri Bernstein]

Attachment: patch v2

Modified per comments.

Comment 11

[Mats Palmgren (inactive)]

Comment on attachment 354626 [details] [diff] [review]
patch v2

r=mats

Comment 12

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Uri, do you want to check this in yourself? Or should we go for checkin-needed?

Comment 13

[Uri Bernstein]

I'm pretty short on time these days, adding checkin-needed.

Comment 14

[Mats Palmgren (inactive)]

http://hg.mozilla.org/mozilla-central/rev/bfb2d513344d

-> FIXED

Comment 15

[:Gavin Sharp [email: gavin@gavinsharp.com]]

checkin-needed for 1.9.1 too?

Comment 16

[Martijn Wargers (dead)]

Attachment: mochitest

I've verified that this test crashes prior to the check-in of the patch.

Comment 17

[Mats Palmgren (inactive)]

Pushed Martijn's test:
http://hg.mozilla.org/mozilla-central/rev/14b8b7294044

Comment 18

[Mats Palmgren (inactive)]

Pushed the fix and the test to 1.9.1:
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/360b9713dd27
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/63c1f52ef2f5

Comment 19

[Marcia Knous [:marcia]]

Verified fixed on the 1.9.1 branch using  Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090414 Shiretoko/3.5b4pre and  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090414 Shiretoko/3.5b4pre. No crashes with testcase.