Closed Bug 580151 Opened 10 years ago Closed 9 years ago

Crash [@ nsSelectionState::DoTraverse] with textarea, changing root

Categories

(Core :: DOM: Editor, defect, critical)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla2.0b4
Tracking Status
blocking2.0 --- -
status2.0 --- wanted
blocking1.9.2 --- .11+
status1.9.2 --- .11-fixed
blocking1.9.1 --- .14+
status1.9.1 --- .14-fixed

People

(Reporter: jruderman, Assigned: ehsan)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?] [qa-examined-191] [qa-examined-192])

Crash Data

Attachments

(5 files)

###!!! ASSERTION: bad action nesting!: 'mActionNesting>0', file editor/libeditor/text/nsTextEditRules.cpp, line 250

###!!! ASSERTION: zero or negative placeholder batch count when ending batch!: 'mPlaceHolderBatch > 0', file editor/libeditor/base/nsEditor.cpp, line 876

Crash [@ nsSelectionState::DoTraverse]
blocking2.0: --- → ?
The first assertion is caused by the fact that nsTextEditRules::BeforeEdit can be bailing out early if nsEditor::GetSelection fails, and therefore not incrementing mActionNesting as expected.
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Attachment #458641 - Flags: review?(roc)
The cause of the second assertion is similar: failing to increment mPlaceHolderBatch because we bail out early if we can't get the selection.  These two patches fix the crash as well (as it was caused by a partially initialized placeholder transaction.)
Attachment #458644 - Flags: review?(roc)
Attachment #458645 - Flags: review?(roc)
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Why would this block the branch releases? Seems nice to have on the branches so request approval when you've got reviews, etc.  If we're misunderstanding the importance of this apparently non-security, non-topcrash bug please let us know.
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
Attached patch Rolled up patchSplinter Review
Attachment #462449 - Flags: approval2.0?
Comment on attachment 462449 [details] [diff] [review]
Rolled up patch

a2.0=dbaron
Attachment #462449 - Flags: approval2.0? → approval2.0+
http://hg.mozilla.org/mozilla-central/rev/6a75787301c4
http://hg.mozilla.org/mozilla-central/rev/c87965964a17
http://hg.mozilla.org/mozilla-central/rev/440a4bfe2f5f
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b4
Attachment #462449 - Flags: approval1.9.2.10?
Attachment #462449 - Flags: approval1.9.1.13?
Comment on attachment 462449 [details] [diff] [review]
Rolled up patch

Approved for 1.9.2.10 and 1.9.1.13, a=dveditz for release-drivers
Attachment #462449 - Flags: approval1.9.2.10?
Attachment #462449 - Flags: approval1.9.2.10+
Attachment #462449 - Flags: approval1.9.1.13?
Attachment #462449 - Flags: approval1.9.1.13+
Looks like this might've caused a new mochitest failure in editor code on 1.9.1:
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox3.5/1282941921.1282944723.14877.gz
OS X 10.5.2 mozilla-1.9.1 test mochitests on 2010/08/27 13:45:21
s: moz2-darwin9-slave55

>44652 ERROR TEST-UNEXPECTED-FAIL | /tests/editor/libeditor/html/tests/test_CF_HTML_clipboard.html | [SimpleTest/SimpleTest.js, window.onerror] An error occurred - SimpleTest.waitForFocus is not a function
I had aki|buildduty trigger another round of mochitests for that box, to see if the orange from comment 11 sticks.
Actually it looks like that test has been perma-orange on 1.9.1 for a while (probably ever since it landed in bug 572642)

I filed Bug 591544 on it.
Running the testcase in comment 0 and comment 3 in my own debug 1.9.2 build (pre-fix) on Windows XP, I don't trigger any crash, even if I sit around for a while. How do we trigger cycle collection to cause this crash?
Loading the page in a tab, closing the tab and waiting for a while should be enough.
Nothing here running a 1.9.2.9pre build in order to see the crash. What operating system are you using?
Whiteboard: [sg:critical?] → [sg:critical?] [qa-examined-191] [qa-examined-192]
Mac.
I just tried with 10.6.4, using both testcases, opening them in a new tab, waiting a minute, closing the tab, and then watching. I see no asserts and no crashes in 1.9.2.11pre.
Hmm, weird.  What about 1.9.1?
(In reply to comment #20)
> The same.

Then something else is probably in play here...
Group: core-security
Crash Signature: [@ nsSelectionState::DoTraverse]
You need to log in before you can comment on or make changes to this bug.