Bug 712937 - crash in nsTypedSelection::selectFrames
Keywords: crash, regression
Product: Core
Classification: Components
Component: Layout
Version: 11 Branch
Hardware/OS: All / All
Importance: -- critical
Target Milestone: mozilla12
Assigned To: Mats Palmgren (:mats)
QA Contact: Jet Villegas (:jet)
Duplicates: 712994
Blocks: 619273
Reported: 2011-12-22 06:57 PST by Robert Kaiser
Modified: 2012-02-17 08:01 PST
Flags: mats: in-testsuite?

Attachment 583819: fix (1.20 KB, patch)
2011-12-22 09:02 PST, Mats Palmgren (:mats)
bzbarsky: review+
akeybl: approval-mozilla-aurora+

Description Robert Kaiser 2011-12-22 06:57:19 PST
This bug was filed from the Socorro interface and is report bp-bb7f7db3-9398-4501-885b-6355d2111222.

Crash stack:
0 	xul.dll 	nsTypedSelection::selectFrames 	layout/generic/nsSelection.cpp:4369
1 	xul.dll 	nsWindowRoot::AddRef 	content/base/src/nsInProcessTabChildGlobal.cpp:168
2 	xul.dll 	nsTypedSelection::ReplaceAnchorFocusRange 	layout/generic/nsSelection.cpp:5075
3 	xul.dll 	nsFrameSelection::AdjustForMaintainedSelection 	layout/generic/nsSelection.cpp:1634
4 	xul.dll 	nsIFrame::GetContentOffsetsFromPoint 	layout/generic/nsFrame.cpp:3358
5 	xul.dll 	nsFrameSelection::HandleClick 	layout/generic/nsSelection.cpp:1673
6 	xul.dll 	nsFrameSelection::HandleDrag 	layout/generic/nsSelection.cpp:1749
7 	xul.dll 	nsLayoutUtils::GetEventCoordinatesRelativeTo 	layout/base/nsLayoutUtils.cpp:983
8 	xul.dll 	nsFrame::DisplaySelection 	layout/generic/nsFrame.cpp:1147
9 	xul.dll 	nsCOMPtr<nsIDOMStorage>::StartAssignment 	obj-firefox/dist/include/nsCOMPtr.h:843
10 	xul.dll 	nsFrame::HandleDrag 	
11 	xul.dll 	nsJSContext::Release 	dom/base/nsJSEnvironment.cpp:1166
12 	xul.dll 	nsFrame::HandleEvent 	layout/generic/nsFrame.cpp:2146
13 	xul.dll 	nsPresShellEventCB::HandleEvent 	layout/base/nsPresShell.cpp:760
14 	xul.dll 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:393
15 	xul.dll 	nsGlobalChromeWindow::AddRef 	dom/base/nsGlobalWindow.cpp:1402
16 	xul.dll 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:681

More reports are listed at*,%20nsIRange*,%20bool)

This started in the 2011-12-20 builds on 12.0a1 trunk and had over 30 crashes both on that and the -21 build so far.
Comment 1 Boris Zbarsky [:bz] (still a bit busy) 2011-12-22 07:51:32 PST
Almost certainly a regression from bug 619273.
Comment 2 Mats Palmgren (:mats) 2011-12-22 08:48:58 PST
It looks like a null-pointer crash at line 4369, and indeed I inadvertently removed a null check on aRange (at 1.343):

I don't quite understand why it's null though, since AdjustForMaintainedSelection does check for a null 'mMaintainRange':

I should add back that null-check in selectFrames() anyway...
Comment 3 Mats Palmgren (:mats) 2011-12-22 09:02:25 PST
Created attachment 583819 [details] [diff] [review]
Comment 4 Mats Palmgren (:mats) 2011-12-22 09:12:10 PST
Ah, now I see that ReplaceAnchorFocusRange() calls selectFrames() for mAnchorFocusRange, not aRange, so that could explain it.
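A simplified model of the call chain described in comments 2 and 4, added here as an example and not Mozilla's code: the Range and Selection types, member names and return values are stand-ins for nsTypedSelection/nsFrameSelection, and it shows why the caller's check on mMaintainRange does not protect selectFrames() when ReplaceAnchorFocusRange() hands it mAnchorFocusRange instead.

```cpp
// Constructed stand-in for the nsSelection.cpp call chain (not Mozilla code).
// The point: a null check at the caller guards the pointer the caller checks,
// not the different pointer the callee ends up dereferencing.
struct Range {
  int start;
  int end;
};

class Selection {
public:
  // Simplified stand-ins for the members named in the bug.
  Range* mAnchorFocusRange = nullptr;
  Range* mMaintainRange = nullptr;
  int framesSelected = 0;

  // Fixed shape of selectFrames(): the restored null check turns a would-be
  // null dereference (the crash at nsSelection.cpp:4369) into an error return.
  bool selectFrames(Range* aRange) {
    if (!aRange) {
      return false;  // analogue of returning NS_ERROR_NULL_POINTER
    }
    framesSelected += aRange->end - aRange->start;
    return true;
  }

  // Comment 4: ReplaceAnchorFocusRange() passes mAnchorFocusRange to
  // selectFrames(), not aRange, so a non-null aRange proves nothing about
  // what selectFrames() receives. The old range is still replaced either way.
  bool ReplaceAnchorFocusRange(Range* aRange) {
    bool ok = selectFrames(mAnchorFocusRange);  // may be null on first use
    mAnchorFocusRange = aRange;
    return ok;
  }

  // Comment 2: AdjustForMaintainedSelection() does check mMaintainRange, but
  // that only guards the argument it passes down, not the member used later.
  bool AdjustForMaintainedSelection() {
    if (!mMaintainRange) {
      return false;
    }
    return ReplaceAnchorFocusRange(mMaintainRange);
  }
};
```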
Comment 5 Boris Zbarsky [:bz] (still a bit busy) 2011-12-22 09:15:13 PST
Comment on attachment 583819 [details] [diff] [review]

Comment 6 Boris Zbarsky [:bz] (still a bit busy) 2011-12-22 09:42:12 PST
*** Bug 712994 has been marked as a duplicate of this bug. ***
Comment 7 Marcia Knous [:marcia - use ni] 2011-12-22 11:50:50 PST
Adding Mac version of the signature.
Comment 8 Mats Palmgren (:mats) 2011-12-23 21:39:51 PST
Comment 9 Scoobidiver (away) 2012-01-06 05:33:55 PST
It's #4 top crasher in 11.0a2.
Comment 10 Mats Palmgren (:mats) 2012-01-06 08:27:55 PST
Comment on attachment 583819 [details] [diff] [review]

Adds back a missing null-check.  Zero risk.
Comment 11 Alex Keybl [:akeybl] 2012-01-06 12:47:05 PST
Comment on attachment 583819 [details] [diff] [review]

[Triage Comment]
Top crasher for FF11. Approved for Aurora.
Comment 13 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-02-01 13:26:05 PST
Is there something QA can do to verify this fix, apart from checking crashstats?
Comment 15 Scoobidiver (away) 2012-02-17 07:58:10 PST
(In reply to Virgil Dicu [:virgil] [QA] from comment #14)
> Still about 10 crashes since the fix landed on Aurora (2012-01-06), if I'm
> reading this correctly.
I see one crash in 11.0b1 but with a different stack: bp-fb5f61b5-7763-423e-b5c4-5dfb12120207.
The latest crashes on 11.0 happened in 11.0a2/20120106 and on 12.0 in 12.0a1/20111223.