
crash in nsTypedSelection::selectFrames

VERIFIED FIXED in Firefox 11

Status


Core
Layout
--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: Robert Kaiser, Assigned: mats)

Tracking

({crash, regression})

11 Branch
mozilla12
crash, regression
Points:
---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox11+ verified, firefox12 verified)

Details

(Whiteboard: [qa!], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
This bug was filed from the Socorro interface and is 
report bp-bb7f7db3-9398-4501-885b-6355d2111222 .
============================================================= 

Crash stack:
0 	xul.dll 	nsTypedSelection::selectFrames 	layout/generic/nsSelection.cpp:4369
1 	xul.dll 	nsWindowRoot::AddRef 	content/base/src/nsInProcessTabChildGlobal.cpp:168
2 	xul.dll 	nsTypedSelection::ReplaceAnchorFocusRange 	layout/generic/nsSelection.cpp:5075
3 	xul.dll 	nsFrameSelection::AdjustForMaintainedSelection 	layout/generic/nsSelection.cpp:1634
4 	xul.dll 	nsIFrame::GetContentOffsetsFromPoint 	layout/generic/nsFrame.cpp:3358
5 	xul.dll 	nsFrameSelection::HandleClick 	layout/generic/nsSelection.cpp:1673
6 	xul.dll 	nsFrameSelection::HandleDrag 	layout/generic/nsSelection.cpp:1749
7 	xul.dll 	nsLayoutUtils::GetEventCoordinatesRelativeTo 	layout/base/nsLayoutUtils.cpp:983
8 	xul.dll 	nsFrame::DisplaySelection 	layout/generic/nsFrame.cpp:1147
9 	xul.dll 	nsCOMPtr<nsIDOMStorage>::StartAssignment 	obj-firefox/dist/include/nsCOMPtr.h:843
10 	xul.dll 	nsFrame::HandleDrag 	
11 	xul.dll 	nsJSContext::Release 	dom/base/nsJSEnvironment.cpp:1166
12 	xul.dll 	nsFrame::HandleEvent 	layout/generic/nsFrame.cpp:2146
13 	xul.dll 	nsPresShellEventCB::HandleEvent 	layout/base/nsPresShell.cpp:760
14 	xul.dll 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:393
15 	xul.dll 	nsGlobalChromeWindow::AddRef 	dom/base/nsGlobalWindow.cpp:1402
16 	xul.dll 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:681


More reports are listed at https://crash-stats.mozilla.com/report/list?signature=nsTypedSelection::selectFrames(nsPresContext*,%20nsIRange*,%20bool)

This started in the 2011-12-20 builds on 12.0a1 trunk and had over 30 crashes both on that and the -21 build so far.
Almost certainly a regression from bug 619273.
Blocks: 619273
tracking-firefox12: --- → ?
(Assignee)

Comment 2

5 years ago
It looks like a null-pointer crash at line 4369.
http://hg.mozilla.org/mozilla-central/annotate/cd921d073b22/layout/generic/nsSelection.cpp#l4369
and indeed I inadvertently removed a null check on aRange (at 1.343):
http://hg.mozilla.org/mozilla-central/diff/e3766ee732cc/layout/generic/nsSelection.cpp#l1.323

I don't quite understand why it's null though since AdjustForMaintainedSelection
does check for a null 'mMaintainRange':
http://hg.mozilla.org/mozilla-central/annotate/cd921d073b22/layout/generic/nsSelection.cpp#l1600

I should add back that null-check in selectFrames() anyway...
Assignee: nobody → matspal
tracking-firefox11: --- → ?
(Assignee)

Comment 3

5 years ago
Created attachment 583819 [details] [diff] [review]
fix
Attachment #583819 - Flags: review?(bzbarsky)
(Assignee)

Comment 4

5 years ago
Ah, now I see that ReplaceAnchorFocusRange() calls selectFrames() 
for mAnchorFocusRange, not aRange, so that could explain it.
http://hg.mozilla.org/mozilla-central/annotate/cd921d073b22/layout/generic/nsSelection.cpp#l5070
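The following C++ model is an added example, not Mozilla code and not the patch attached to this bug. It reproduces the reasoning of comments 2 and 4 with hypothetical types: the caller checks its own pointer (the mMaintainRange check), but then hands the callee a different pointer (mAnchorFocusRange) that nobody checked, so the callee needs its own guard. The names Range, Selection, FrameSelection and the method names are stand-ins for the nsSelection.cpp code, which is not reproduced on this page.

```cpp
// Added example, not Mozilla code: a small model of the call path named in
// comments 2 and 4. Range, Selection, FrameSelection and the method names are
// hypothetical stand-ins for the nsSelection.cpp code, which is not on this page.
#include <vector>

struct Range {
    int start;
    int end;
};

// Stand-in for nsresult: Ok, or "caller handed us no range".
enum class Result { Ok, NullRange };

struct Selection {
    Range* anchorFocusRange = nullptr;   // null until the first selection is made
    std::vector<int> selectedOffsets;    // constructed stand-in for per-frame state

    // The callee. Several callers pass different pointers here, so it cannot
    // rely on any one caller having checked for null; this `if` is the guard
    // the regression dropped and the fix adds back.
    Result selectFrames(Range* aRange, bool aSelect) {
        if (!aRange) {
            return Result::NullRange;    // without this line: null dereference below
        }
        selectedOffsets.clear();
        if (aSelect) {
            for (int i = aRange->start; i < aRange->end; ++i) {
                selectedOffsets.push_back(i);
            }
        }
        return Result::Ok;
    }

    // Deselects the *current* anchor/focus range, then selects the new one.
    // Note it passes its own member, not the argument the caller checked.
    void replaceAnchorFocusRange(Range* aNewRange) {
        selectFrames(anchorFocusRange, false);   // null on the first selection
        anchorFocusRange = aNewRange;
        selectFrames(anchorFocusRange, true);
    }
};

struct FrameSelection {
    Range* maintainRange = nullptr;
    Selection selection;

    // Checks its own pointer, as the real function does (comment 2), but that
    // says nothing about selection.anchorFocusRange (comment 4).
    void adjustForMaintainedSelection(Range* aCandidate) {
        if (!maintainRange) {
            return;                      // nothing to maintain
        }
        selection.replaceAnchorFocusRange(aCandidate);
    }
};

// Reproduces the path from the crash stack (HandleClick ->
// AdjustForMaintainedSelection -> ReplaceAnchorFocusRange -> selectFrames)
// on a selection whose anchorFocusRange is still null. Returns how many
// offsets end up selected: with the guard in place, the clicked range.
int firstClickWithMaintainedRange() {
    static Range maintained{0, 5};       // constructed sample ranges
    static Range clicked{2, 7};
    FrameSelection fs;
    fs.maintainRange = &maintained;      // satisfies the caller's null check
    fs.adjustForMaintainedSelection(&clicked);
    return static_cast<int>(fs.selection.selectedOffsets.size());
}

// Calls the callee directly with a null range to show the guard firing.
bool guardFiresOnNullRange() {
    Selection s;
    return s.selectFrames(nullptr, true) == Result::NullRange;
}
```

The point of the model is that a null check in one function only protects the pointer it tests: `adjustForMaintainedSelection` tests `maintainRange`, while `selectFrames` receives `anchorFocusRange`. Removing the callee's own guard therefore turns the very first click with a maintained range into a null dereference, which matches the crash signature at the top of the stack.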
Comment on attachment 583819 [details] [diff] [review]
fix

r=me
Attachment #583819 - Flags: review?(bzbarsky) → review+
Duplicate of this bug: 712994
Adding Mac version of the signature.
Crash Signature: [@ nsTypedSelection::selectFrames(nsPresContext*, nsIRange*, bool)] → [@ nsTypedSelection::selectFrames(nsPresContext*, nsIRange*, bool)] [@ nsTypedSelection::selectFrames ]
OS: Windows 7 → All
(Assignee)

Comment 8

5 years ago
https://hg.mozilla.org/mozilla-central/rev/a109a4515c64
Status: NEW → RESOLVED
Last Resolved: 5 years ago
tracking-firefox12: ? → ---
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla12

Comment 9

5 years ago
It's the #4 top crasher in 11.0a2.
status-firefox11: --- → affected
Keywords: regression
Version: Trunk → 11 Branch
(Assignee)

Comment 10

5 years ago
Comment on attachment 583819 [details] [diff] [review]
fix

Adds back a missing null-check.  Zero risk.
Attachment #583819 - Flags: approval-mozilla-aurora?

Updated

5 years ago
tracking-firefox11: ? → +
Comment on attachment 583819 [details] [diff] [review]
fix

[Triage Comment]
Top crasher for FF11. Approved for Aurora.
Attachment #583819 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Comment 12

5 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/a39673dc41bc
status-firefox11: affected → fixed
Is there something QA can do to verify this fix, apart from checking crashstats?
Whiteboard: [qa+]
Still about 10 crashes since the fix landed on Aurora (2012-01-06), if I'm reading this correctly. 

https://crash-stats.mozilla.com/report/list?query_search=signature&query_type=contains&reason_type=contains&range_value=4&range_unit=weeks&hang_type=any&process_type=any&signature=nsTypedSelection%3A%3AselectFrames%28nsPresContext%2A%2C%20nsIRange%2A%2C%20bool%29

Comment 15

5 years ago
(In reply to Virgil Dicu [:virgil] [QA] from comment #14)
> Still about 10 crashes since the fix landed on Aurora (2012-01-06), if I'm
> reading this correctly.
I see one crash in 11.0b1 but with a different stack: bp-fb5f61b5-7763-423e-b5c4-5dfb12120207.
The latest crashes on 11.0 happened in 11.0a2/20120106 and on 12.0 in 12.0a1/20111223.
Status: RESOLVED → VERIFIED
status-firefox11: fixed → verified
status-firefox12: --- → verified
Whiteboard: [qa+] → [qa!]