crash in [@ nsWSRunObject::GetWSBoundingParent() ]

VERIFIED FIXED in mozilla1.9.3a2

Status

9 years ago
7 years ago

People

(Reporter: jrmuizel, Assigned: Ehsan)

Tracking

1.9.2 Branch
mozilla1.9.3a2
x86
Mac OS X
crash, regression, verified1.9.2
Points:
---
Bug Flags:
wanted1.9.2 +
in-testsuite +

Firefox Tracking Flags

(status1.9.2 .5-fixed)

Attachments

(3 attachments)

(Reporter)

Description

9 years ago
The following page crashes after editing the text by hitting enter twice.

http://people.mozilla.com/~jmuizelaar/editor/crash.html

This happens in 3.6 and 3.7 but not in 3.5.

http://crash-stats.mozilla.com/report/index/ee9cfcf6-9d49-4b12-94f9-39bba2091228

This change:
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/59cb55e08d1f by Mats was the last to touch the crashing area so perhaps it's to blame.

There have only been two other crashes so this probably doesn't need to block 1.9.2?
Flags: wanted1.9.2?
Flags: wanted1.9.2? → wanted1.9.2+
(Assignee)

Comment 1

9 years ago
The page in comment 0 does not crash for me on trunk or 3.6.  Jeff, can you please specify more details on how to reproduce the crash?  FWIW, I tried loading the test case and typing in some text.
(Assignee)

Comment 2

9 years ago
Jeff mentioned to me that the crash happens when pressing Enter twice in the editable area.  I think I have a patch for that, just testing it out a bit...
(Assignee)

Updated

9 years ago
Assignee: nobody → ehsan.akhgari
Status: NEW → ASSIGNED
Keywords: crash
(Assignee)

Updated

9 years ago
Blocks: 455992
(Assignee)

Comment 3

9 years ago
Created attachment 419948 [details] [diff] [review]
Patch (v1)

The problem is that IsBlockNode returns false if the node passed to it is null, and we tried to dereference that pointer inside the loop...  The fix is simple enough, just null-check the pointer.
Attachment #419948 - Flags: review?(peterv)

Comment 4

Comment on attachment 419948 [details] [diff] [review]
Patch (v1)

Return early if mNode is null, instead of doubling the null-checks in the loop (mParent is already null-checked).
Attachment #419948 - Flags: review?(peterv) → review+
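
A simplified model of the defect described in comment 3 and the early-return fix suggested in comment 4, added here as an illustration. It is not the Mozilla patch; the `Node` struct, the two `BoundingParent*` function names and the sample tree are assumptions made for the example.

```cpp
// Simplified model of the crash pattern in this bug; not Mozilla source.
// Node, the function names and the sample tree are assumptions.
#include <cstdio>

struct Node {
    Node* parent;   // nullptr at the top of the tree
    bool  isBlock;  // true for block-level nodes
};

// As described in comment 3: a null node is reported as "not a block".
static bool IsBlockNode(const Node* n) { return n != nullptr && n->isBlock; }

// Pre-fix shape. A null start node satisfies !IsBlockNode(cur), enters the
// loop and is dereferenced. Kept only for comparison with the fixed version.
Node* BoundingParentUnchecked(Node* start) {
    Node* cur = start;
    while (!IsBlockNode(cur)) {
        Node* parent = cur->parent;  // crashes when cur == nullptr
        if (!parent) break;          // the parent was already null-checked
        cur = parent;
    }
    return cur;
}

// Post-fix shape suggested in comment 4: bail out once, before the loop.
Node* BoundingParentChecked(Node* start) {
    if (!start) return nullptr;
    Node* cur = start;
    while (!IsBlockNode(cur)) {
        Node* parent = cur->parent;
        if (!parent) break;
        cur = parent;
    }
    return cur;
}

// Constructed sample tree: gBlock <- gInline <- gText, plus a detached node.
static Node gBlock  = { nullptr,  true  };
static Node gInline = { &gBlock,  false };
static Node gText   = { &gInline, false };
static Node gOrphan = { nullptr,  false };

int main() {
    std::printf("text -> block: %d\n", BoundingParentChecked(&gText) == &gBlock);
    std::printf("null -> null:  %d\n", BoundingParentChecked(nullptr) == nullptr);
    std::printf("orphan stays:  %d\n", BoundingParentChecked(&gOrphan) == &gOrphan);
    return 0;
}
```

A "false on null" predicate used as a loop condition keeps a null pointer inside the loop, so the guard has to sit before the loop rather than rely on the predicate.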
(Assignee)

Comment 5

9 years ago
Created attachment 426733 [details] [diff] [review]
Patch to land

Modified patch according to comment 4.
(Assignee)

Comment 6

9 years ago
http://hg.mozilla.org/mozilla-central/rev/5a4114d6608b
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a2
(Assignee)

Updated

9 years ago
Attachment #426733 - Flags: approval1.9.2.2?

Comment 7

Comment on attachment 426733 [details] [diff] [review]
Patch to land

Needs a crash test, I think?
Attachment #426733 - Flags: approval1.9.2.3?
Attachment #426733 - Flags: approval1.9.2.2?
Attachment #426733 - Flags: approval1.9.2.2-
Keywords: regression
(Assignee)

Comment 8

9 years ago
Created attachment 433155 [details] [diff] [review]
Crash test

This crash test basically mimics the steps listed in comment 0.
Attachment #433155 - Flags: review?(peterv)

Comment 9

We'll approve this for landing when the crash test is approved; peterv, can you help us out a bit?
Attachment #433155 - Flags: review?(peterv) → review+
(Assignee)

Comment 10

9 years ago
Crash test landed as http://hg.mozilla.org/mozilla-central/rev/7788846fd5d5.
Flags: in-testsuite+
(Assignee)

Updated

9 years ago
Attachment #433155 - Flags: approval1.9.2.4?

Comment 11

9 years ago
Comment on attachment 426733 [details] [diff] [review]
Patch to land

a=LegNeato for 1.9.2.5. Please ONLY land this on mozilla-1.9.2 default, as we
are still working on 1.9.2.4 on the relbranch
Attachment #426733 - Flags: approval1.9.2.4? → approval1.9.2.5+

Updated

9 years ago
Attachment #433155 - Flags: approval1.9.2.4? → approval1.9.2.5+
Verified fix in Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.7pre) Gecko/20100630 Namoroka/3.6.7pre
and 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7pre) Gecko/20100630 Namoroka/3.6.7pre

also trunk:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:2.0b2pre) Gecko/20100630 Minefield/4.0b2pre
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
Crash Signature: [@ nsWSRunObject::GetWSBoundingParent() ]