Closed Bug 529670 Opened 15 years ago Closed 15 years ago

Crash [@ nsINode::GetCurrentDoc] after range.detach and then using getClientRects

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [trunk only])

Crash Data

Attachments

(4 files)

testcase
147 bytes, text/html
Details
Testcase #2
439 bytes, text/html
Details
Patch rev. 1
3.21 KB, patch
roc
: review+
Details | Diff | Splinter Review
Updated to tip
2.91 KB, patch
Details | Diff | Splinter Review
Attached file testcase 
See testcase, which crashes current trunk build on load. I guess this is a regression from bug 396392.

http://crash-stats.mozilla.com/report/index/941771d1-1ccf-4760-a1dc-251ab2091118
0	xul.dll	nsINode::GetCurrentDoc
1	xul.dll	GetPresShell
2	xul.dll	nsRange::GetClientRects
3	xul.dll	NS_InvokeByIndex_P
4	xul.dll	XPCWrappedNative::CallMethod
5	xul.dll	XPC_WN_CallMethod
6	mozjs.dll	js_Invoke
7	mozjs.dll	js_Interpret
8	mozjs.dll	js_Execute
9	mozjs.dll	JS_EvaluateUCScriptForPrincipals
10	xul.dll	nsJSContext::EvaluateString
11	xul.dll	nsScriptLoader::EvaluateScript
12	xul.dll	nsScriptLoader::ProcessRequest
13	xul.dll	nsScriptLoader::ProcessScriptElement
I was just about to file this, it's currently #88 on the 1.9.3 top crash list.
http://crash-stats.mozilla.com/query/query?version=ALL%3AALL&platform=windows&branch=1.9.3&date=&range_value=1&range_unit=weeks&query_search=signature&query_type=exact&query=&do_query=1

It also crashes when the boundary point is a Document node (not nsIContent).

Patch coming up...
Assignee: nobody → matspal
OS: Windows XP → All
Hardware: x86 → All
Attached file Testcase #2 

    
    

    
  
(In reply to comment #1)
> It also crashes when the boundary point is a Document node (not nsIContent).

That would probably be bug 529411.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch rev. 1Splinter Review
      

    


  
Yes, this fixes both bugs.

        Attachment #413256 -
        Flags: review?(roc)

    
  
Blocks: 529411

    
  

          status1.9.1:
          --- → unaffected

          status1.9.2:
          --- → unaffected
Whiteboard: [trunk only]

    
    

    
  
Comment on attachment 413256 [details] [diff] [review]
Patch rev. 1

tests?

        Attachment #413256 -
        Flags: review?(roc) → review+

    
    

    
  
Will push Testcase #2 as crash test, it covers both bugs.
mozilla-central checkins are restricted now though...

    
    

    
  
Can we push this, please?
Whiteboard: [trunk only] → [trunk only][needs landing]

    
    

    
  
The patch needs to be refreshed, it doesn't apply cleanly for me.
Whiteboard: [trunk only][needs landing] → [trunk only]

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Updated to tipSplinter Review
      

    


  
I'll land this tomorrow when I have time to watch the tree...

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/6a13910dde03
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Crash Signature: [@ nsINode::GetCurrentDoc]
Component: DOM: Traversal-Range → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: