Closed
Bug 637621
Opened 14 years ago
Closed 14 years ago
Crash [@ nsRange::IsValidBoundary] after selected node is GCed
Categories
(Core :: DOM: Selection, defect)
Tracking
()
RESOLVED
FIXED
mozilla2.0
People
(Reporter: jruderman, Assigned: smaug)
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical?][has patch])
Crash Data
Attachments
(3 files)
|
247 bytes,
text/html
|
Details | |
|
41.26 KB,
text/plain
|
Details | |
|
798 bytes,
patch
|
jst
:
review+
jst
:
approval2.0+
christian
:
approval1.9.2.17+
christian
:
approval1.9.1.19+
|
Details | Diff | Splinter Review |
1. Install 'DOM Fuzz Lite' from
https://www.squarefree.com/extensions/domFuzzLite.xpi
2. Load the testcase.
Crash [@ nsRange::IsValidBoundary]
http://hg.mozilla.org/mozilla-central/file/410519307e63/content/base/src/nsRange.cpp#l598 is the crashing line
|
Reporter | |
Comment 1•14 years ago
|
||
|
|
Reporter | |
Comment 2•14 years ago
|
||
Seems to be debug-only with this testcase, but that's probably just because opt is lucky and memory isn't overwritten.
|
|
Reporter | |
Updated•14 years ago
|
blocking2.0: --- → ?
|
Assignee | |
Comment 4•14 years ago
|
||
Clear(presContext) in nsTypedSelection::Collapse deletes range objects, and the method is called Collapse(lastRange->GetEndParent(), lastRange->EndOffset()); So, the safest patch I can think is to just keep aParentNode alive. I know, the caller should do it, but in this case this is just simpler and safer.
Attachment #515901 -
Flags: review?(bzbarsky)
|
||
Updated•14 years ago
|
Whiteboard: [sg:critical?] → [sg:critical?][has patch]
|
||
Comment 6•14 years ago
|
||
Comment on attachment 515901 [details] [diff] [review] patch r+a=jst
Attachment #515901 -
Flags: review?(bzbarsky)
Attachment #515901 -
Flags: review+
Attachment #515901 -
Flags: approval2.0+
|
|
Assignee | |
Comment 7•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/ab7fd603bb9d
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 8•14 years ago
|
||
Need to test if also branches need fixing.
|
||
Comment 9•14 years ago
|
||
The code being patched looks equivalent on the branches, assuming we need this and blocking next releases.
|
|
Assignee | |
Comment 10•14 years ago
|
||
Comment on attachment 515901 [details] [diff] [review] patch Seems to apply cleanly (some fuzz) to branches.
Attachment #515901 -
Flags: approval1.9.2.15?
Attachment #515901 -
Flags: approval1.9.1.18?
|
||
Comment 11•14 years ago
|
||
Comment on attachment 515901 [details] [diff] [review] patch a=LegNeato for 1.9.2.16 and 1.9.1.18
Attachment #515901 -
Flags: approval1.9.2.16?
Attachment #515901 -
Flags: approval1.9.2.16+
Attachment #515901 -
Flags: approval1.9.1.18?
Attachment #515901 -
Flags: approval1.9.1.18+
|
|
||
Comment 12•14 years ago
|
||
Can we get this landed on branches?
|
|
Assignee | |
Comment 13•14 years ago
|
||
Sorry, I need to land this asap.
|
|
Assignee | |
Comment 14•14 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/74fd63b96277 http://hg.mozilla.org/releases/mozilla-1.9.2/rev/33488621d2a4
|
|
Assignee | |
Comment 15•14 years ago
|
||
Had to land a bustage fix for 1.9.1 http://hg.mozilla.org/releases/mozilla-1.9.1/rev/fbb2dfda1784 I hadn't noticed that nsIDOMNode* parameter was changed to nsINode*
|
|
||
Updated•13 years ago
|
Group: core-security
Target Milestone: --- → mozilla2.0
|
||
Updated•13 years ago
|
Crash Signature: [@ nsRange::IsValidBoundary]
You need to log in
before you can comment on or make changes to this bug.
Description
•