Closed Bug 499006 Opened 15 years ago Closed 14 years ago

Null pointer crash [@ nsINode::GetNodeParent] in [@ nsContentUtils::ComparePoints] using detach()'ed DOM range

Categories

(Core :: DOM: Selection, defect)

Product:
Core
Component:
DOM: Selection
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: MatsPalmgren_bugz, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:closeme])

Crash Data

Attachments

(4 files)

Testcase (CRASHES on load)
555 bytes, text/html
Details
stack
10.43 KB, text/plain
Details
testcase2
588 bytes, text/html
Details
crashtests.diff
2.00 KB, patch
Details | Diff | Splinter Review 
Loading the attached testcase crashes Firefox trunk.
It doesn't crash 1.9.1 or 1.9.0 builds for me.  (all on Linux x86-64)
Attached file stack 
The range was GC'ed ?
Group: core-security
Attached file testcase2 
This seems like the same issue, except it seems to have a different regression range and different stacktrace, namely not.
Martijn: are you filing testcase2 as a separate bug then?
Keywords: crash
Neither testcase crashes Firefox 3.6, Firefox 3.5.7, or a trunk debug build for me (on Linux).  dveditz, any reason to keep this one open still?
Whiteboard: [sg:closeme]
It appears to have been fixed in the range 2009-10-05-03 -- 2009-10-06-03:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1470fa9c9f01&tochange=8f1ba5c38bb1
Bug 520070 is in that range and the attached crash stack looks similar
to the one in that bug.

We should land the crashtests in this bug when bug 520070 is made public.
Status: NEW → RESOLVED
Closed: 14 years ago
Depends on: 520070
Flags: in-testsuite?
Keywords: regressionwindow-wanted
Resolution: --- → WORKSFORME
Attached patch crashtests.diffSplinter Review 

    
    

    
  
Landed crashtests:  http://hg.mozilla.org/mozilla-central/rev/09336169ed68

I think we can make this bug public now.

    
  
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsINode::GetNodeParent]
[@ nsContentUtils::ComparePoints]

    
  
Group: core-security → core-security-release
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: