Closed Bug 637621 Opened 14 years ago Closed 14 years ago

Crash [@ nsRange::IsValidBoundary] after selected node is GCed

Categories

(Core :: DOM: Selection, defect)

Product:
Core
Component:
DOM: Selection
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla2.0
Tracking Flags:
Tracking Status
blocking2.0 --- -
blocking1.9.2 --- .17+
status1.9.2 --- .17-fixed
blocking1.9.1 --- .19+
status1.9.1 --- .19-fixed

People

(Reporter: jruderman, Assigned: smaug)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?][has patch])

Crash Data

Attachments

(3 files)

testcase (requires extension for GC)
247 bytes, text/html
Details
stack trace
41.26 KB, text/plain
Details
patch
798 bytes, patch
jst
: review+
jst
: approval2.0+
christian
: approval1.9.2.17+
christian
: approval1.9.1.19+
Details | Diff | Splinter Review
1. Install 'DOM Fuzz Lite' from https://www.squarefree.com/extensions/domFuzzLite.xpi 2. Load the testcase. Crash [@ nsRange::IsValidBoundary] http://hg.mozilla.org/mozilla-central/file/410519307e63/content/base/src/nsRange.cpp#l598 is the crashing line
Attached file stack trace
Seems to be debug-only with this testcase, but that's probably just because opt is lucky and memory isn't overwritten.
blocking2.0: --- → ?
patch coming.
Assignee: nobody → Olli.Pettay
Attached patch patchSplinter Review
Clear(presContext) in nsTypedSelection::Collapse deletes range objects, and the method is called Collapse(lastRange->GetEndParent(), lastRange->EndOffset()); So, the safest patch I can think is to just keep aParentNode alive. I know, the caller should do it, but in this case this is just simpler and safer.
Attachment #515901 - Flags: review?(bzbarsky)
Whiteboard: [sg:critical?] → [sg:critical?][has patch]
Not blocking, but we'll take the patch once reviewed.
blocking2.0: ? → -
Comment on attachment 515901 [details] [diff] [review] patch r+a=jst
Attachment #515901 - Flags: review?(bzbarsky)
Attachment #515901 - Flags: review+
Attachment #515901 - Flags: approval2.0+
http://hg.mozilla.org/mozilla-central/rev/ab7fd603bb9d
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Need to test if also branches need fixing.
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
status1.9.1: --- → ?
The code being patched looks equivalent on the branches, assuming we need this and blocking next releases.
blocking1.9.1: ? → .18+
blocking1.9.2: ? → .15+
status1.9.1: ?wanted
status1.9.2: --- → wanted
Comment on attachment 515901 [details] [diff] [review] patch Seems to apply cleanly (some fuzz) to branches.
Attachment #515901 - Flags: approval1.9.2.15?
Attachment #515901 - Flags: approval1.9.1.18?
Comment on attachment 515901 [details] [diff] [review] patch a=LegNeato for 1.9.2.16 and 1.9.1.18
Attachment #515901 - Flags: approval1.9.2.16?
Attachment #515901 - Flags: approval1.9.2.16+
Attachment #515901 - Flags: approval1.9.1.18?
Attachment #515901 - Flags: approval1.9.1.18+
Can we get this landed on branches?
Sorry, I need to land this asap.
Had to land a bustage fix for 1.9.1 http://hg.mozilla.org/releases/mozilla-1.9.1/rev/fbb2dfda1784 I hadn't noticed that nsIDOMNode* parameter was changed to nsINode*
Group: core-security
Target Milestone: --- → mozilla2.0
Crash Signature: [@ nsRange::IsValidBoundary]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: