Closed Bug 565125 Opened 10 years ago Closed 10 years ago

"ASSERTION: aChild with next sibling?" and crash involving DOM range

Categories

(Core :: DOM: Core & HTML, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla1.9.3a5
Tracking Status
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: jruderman, Assigned: bzbarsky)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [sg:critical][critsmash:resolved])

Attachments

(3 files)

###!!! ASSERTION: aChild with next sibling?: '!aChild->GetNextSibling()', file content/base/src/nsAttrAndChildArray.cpp, line 822

###!!! ASSERTION: aChild with prev sibling?: '!aChild->GetPreviousSibling()', file content/base/src/nsAttrAndChildArray.cpp, line 823

Crash [@ nsINode::GetFlags] attempting to call a function on ((class nsINode::nsSlots *) 0x5a5a5a5a5a5a5a5a).

I'm guessing this is a regression from bug 564432.
Attached file crash stack
Whiteboard: [sg:critical] → [sg:critical][critsmash:investigating]
Boris, this looks like fallout from your recent changes.
Assignee: nobody → bzbarsky
Blocks: 564974
Attached patch Fix
This one was fun.  Basically, the range code created a document fragment that contained some kids, then forgot about it.  So the doc fragment was destroyed (our known "parent node goes away" bug) and dropped refs to its kids.  That destroyed some of the kids, but others had refs to them from js.  And it didn't clean up sibling pointers.  So when those other kids were later inserted into the DOM they had broken sibling pointers and things ended up all bad.
Attachment #444809 - Flags: review?(jst)
Attachment #444809 - Flags: review?(jst) → review+
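A simplified model of the failure described in the comment above, added here as an illustration; it is not Gecko code. A parent (the forgotten document fragment) owns children that are linked through raw sibling pointers, one child stays alive through an outside (script) reference, and the parent is destroyed with or without unlinking its children. `safeToInsert` stands in for the `!aChild->GetNextSibling()` / `!aChild->GetPreviousSibling()` checks from the assertions; `Node`, `Parent` and `survivorIsInsertable` are assumed names.

```cpp
#include <memory>
#include <vector>

// Simplified model (not Gecko code) of a DOM node with intrusive sibling
// links, the structure a parent's child array keeps for its children.
struct Node {
    Node* prev = nullptr;   // raw, non-owning, like GetPreviousSibling()
    Node* next = nullptr;   // raw, non-owning, like GetNextSibling()
};

// A parent (e.g. a document fragment) owns its children via shared_ptr;
// a script may hold an extra shared_ptr to any child.
struct Parent {
    std::vector<std::shared_ptr<Node>> kids;
    bool unlinkOnDestroy;   // the fix: clear sibling links when the parent dies

    explicit Parent(bool fix) : unlinkOnDestroy(fix) {}

    void append(std::shared_ptr<Node> n) {
        if (!kids.empty()) {
            n->prev = kids.back().get();
            kids.back()->next = n.get();
        }
        kids.push_back(std::move(n));
    }

    ~Parent() {
        if (unlinkOnDestroy)
            for (auto& k : kids) k->prev = k->next = nullptr;
        // Without the fix, a child that survives (held by script) keeps
        // prev/next pointing at siblings that are freed right here.
    }
};

// Mirrors the assertions in the report: a node being inserted must not
// carry sibling pointers. Only inspects the pointer values, never follows them.
bool safeToInsert(const Node& n) { return !n.prev && !n.next; }

// Build a parent with three children, keep a script reference to the middle
// one, drop the parent, and report whether the survivor may be reinserted.
bool survivorIsInsertable(bool withFix) {
    auto survivor = std::make_shared<Node>();
    {
        Parent frag(withFix);
        frag.append(std::make_shared<Node>());
        frag.append(survivor);
        frag.append(std::make_shared<Node>());
    }  // frag and its two unreferenced children are destroyed here
    return safeToInsert(*survivor);
}
```

With the unlink step the survivor can be inserted elsewhere; without it the later insertion would walk sibling pointers into freed memory, which is the crash in the report.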
Pushed http://hg.mozilla.org/mozilla-central/rev/54540deb463f

I think we should just open this bug; this was a trunk-only issue for one day.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Group: core-security
Target Milestone: --- → mozilla1.9.3a5
Whiteboard: [sg:critical][critsmash:investigating] → [sg:critical][critsmash:resolved]
Component: DOM → DOM: Core & HTML