Null pointer crash [@ nsINode::GetNodeParent] in [@ nsContentUtils::ComparePoints] using detach()'ed DOM range

RESOLVED WORKSFORME

Status

Core
Selection
--
critical
9 years ago
2 years ago

People

(Reporter: mats, Unassigned)

Tracking

({crash, regression, testcase})

unspecified
crash, regression, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:closeme], crash signature)

Attachments

(4 attachments)

(Reporter)

Description

9 years ago
Created attachment 383790 [details]
Testcase (CRASHES on load)

Loading the attached testcase crashes Firefox trunk.
It doesn't crash 1.9.1 or 1.9.0 builds for me.  (all on Linux x86-64)
(Reporter)

Comment 1

9 years ago
Created attachment 383791 [details]
stack

The range was GC'ed?
(Reporter)

Updated

9 years ago
Group: core-security
Created attachment 383804 [details]
testcase2

This seems like the same issue, except it seems to have a different regression range and different stacktrace, namely not.
Martijn: are you filing testcase2 as a separate bug then?
Keywords: crash
Neither testcase crashes Firefox 3.6, Firefox 3.5.7, or a trunk debug build for me (on Linux).  dveditz, any reason to keep this one open still?
Whiteboard: [sg:closeme]
(Reporter)

Comment 5

8 years ago
It appears to have been fixed in the range 2009-10-05-03 -- 2009-10-06-03:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1470fa9c9f01&tochange=8f1ba5c38bb1
Bug 520070 is in that range and the attached crash stack looks similar
to the one in that bug.

We should land the crashtests in this bug when bug 520070 is made public.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Depends on: 520070
Flags: in-testsuite?
Keywords: regressionwindow-wanted
Resolution: --- → WORKSFORME
(Reporter)

Comment 6

8 years ago
Created attachment 444872 [details] [diff] [review]
crashtests.diff
(Reporter)

Comment 7

8 years ago
Landed crashtests:  http://hg.mozilla.org/mozilla-central/rev/09336169ed68

I think we can make this bug public now.
(Reporter)

Updated

8 years ago
Flags: in-testsuite? → in-testsuite+
(Assignee)

Updated

6 years ago
Crash Signature: [@ nsINode::GetNodeParent] [@ nsContentUtils::ComparePoints]

Updated

2 years ago
Group: core-security → core-security-release
Group: core-security-release