Closed Bug 565125 Opened 10 years ago Closed 10 years ago
Child with next sibling?" and crash involving DOM range
###!!! ASSERTION: aChild with next sibling?: '!aChild->GetNextSibling()', file content/base/src/nsAttrAndChildArray.cpp, line 822 ###!!! ASSERTION: aChild with prev sibling?: '!aChild->GetPreviousSibling()', file content/base/src/nsAttrAndChildArray.cpp, line 823 Crash [@ nsINode::GetFlags] attempting to call a function on ((class nsINode::nsSlots *) 0x5a5a5a5a5a5a5a5a). I'm guessing this is a regression from bug 564432.
Whiteboard: [sg:critical] → [sg:critical][critsmash:investigating]
Boris, this looks like fallout from your recent changes.
Assignee: nobody → bzbarsky
This one was fun. Basically, the range code created a document fragment that contained some kids, then forgot about it. So the doc fragment was destroyed (our known "parent node goes away" bug) and dropped refs to its kids. That destroyed some of the kids, but others had refs to them from js. And it didn't clean up sibling pointers. So when those other kids were later inserted into the DOM they had broken sibling pointers and things ended up all bad.
Attachment #444809 - Flags: review?(jst)
Pushed http://hg.mozilla.org/mozilla-central/rev/54540deb463f I think we should just open this bug; this was a trunk-only issue for one day.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a5
Whiteboard: [sg:critical][critsmash:investigating] → [sg:critical][critsmash:resolved]
You need to log in before you can comment on or make changes to this bug.