Closed Bug 529670 Opened 10 years ago Closed 10 years ago

Crash [@ nsINode::GetCurrentDoc] after range.detach and then using getClientRects

Categories

(Core :: DOM: Core & HTML, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: martijn.martijn, Assigned: mats)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [trunk only])

Crash Data

Attachments

(4 files)

Attached file testcase
See testcase, which crashes current trunk build on load. I guess this is a regression from bug 396392.

http://crash-stats.mozilla.com/report/index/941771d1-1ccf-4760-a1dc-251ab2091118
0	xul.dll	nsINode::GetCurrentDoc
1	xul.dll	GetPresShell
2	xul.dll	nsRange::GetClientRects
3	xul.dll	NS_InvokeByIndex_P
4	xul.dll	XPCWrappedNative::CallMethod
5	xul.dll	XPC_WN_CallMethod
6	mozjs.dll	js_Invoke
7	mozjs.dll	js_Interpret
8	mozjs.dll	js_Execute
9	mozjs.dll	JS_EvaluateUCScriptForPrincipals
10	xul.dll	nsJSContext::EvaluateString
11	xul.dll	nsScriptLoader::EvaluateScript
12	xul.dll	nsScriptLoader::ProcessRequest
13	xul.dll	nsScriptLoader::ProcessScriptElement
I was just about to file this, it's currently #88 on the 1.9.3 top crash list.
http://crash-stats.mozilla.com/query/query?version=ALL%3AALL&platform=windows&branch=1.9.3&date=&range_value=1&range_unit=weeks&query_search=signature&query_type=exact&query=&do_query=1

It also crashes when the boundary point is a Document node (not nsIContent).

Patch coming up...
Assignee: nobody → matspal
OS: Windows XP → All
Hardware: x86 → All
Attached file Testcase #2
(In reply to comment #1)
> It also crashes when the boundary point is a Document node (not nsIContent).

That would probably be bug 529411.
Attached patch Patch rev. 1Splinter Review
Yes, this fixes both bugs.
Attachment #413256 - Flags: review?(roc)
Blocks: 529411
Whiteboard: [trunk only]
Comment on attachment 413256 [details] [diff] [review]
Patch rev. 1

tests?
Attachment #413256 - Flags: review?(roc) → review+
Will push Testcase #2 as crash test, it covers both bugs.
mozilla-central checkins are restricted now though...
Can we push this, please?
Whiteboard: [trunk only] → [trunk only][needs landing]
The patch needs to be refreshed, it doesn't apply cleanly for me.
Whiteboard: [trunk only][needs landing] → [trunk only]
Attached patch Updated to tipSplinter Review
I'll land this tomorrow when I have time to watch the tree...
http://hg.mozilla.org/mozilla-central/rev/6a13910dde03
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Crash Signature: [@ nsINode::GetCurrentDoc]
Component: DOM: Traversal-Range → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.