Closed Bug 713417 Opened 9 years ago Closed 8 years ago

Crash [@ nsIRange::UnregisterCommonAncestor] with designMode

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla12
Tracking Status
firefox9 --- unaffected
firefox10 --- unaffected
firefox11 --- verified
firefox12 --- verified

People

(Reporter: jruderman, Assigned: mats)

Details

(Keywords: crash, testcase, verified-beta, Whiteboard: [inbound][qa!])

Attachments

(5 files)

1. Load the testcase.
2. Close the tab or quit Firefox.

Result: Crash [@ nsIRange::UnregisterCommonAncestor]
Attached file stack trace
Assignee: nobody → matspal
Component: Document Navigation → DOM
OS: Mac OS X → All
QA Contact: docshell → general
Hardware: x86_64 → All
Attached patch fixSplinter Review
Make the nsGkAtoms::range property transferable otherwise it's deleted by adoptNode.
Attachment #584315 - Flags: review?(bugs)
Attached patch Jesse's testSplinter Review
A similar test that crashes without using document.designMode
Comment on attachment 584315 [details] [diff] [review]
fix

Ah, of course.

The patch should go to Aurora too, right?
Attachment #584315 - Flags: review?(bugs) → review+
Comment on attachment 584315 [details] [diff] [review]
fix

> The patch should go to Aurora too, right?

Yes.  It's a low-risk crash fix.
Attachment #584315 - Flags: approval-mozilla-aurora?
Comment on attachment 584315 [details] [diff] [review]
fix

[triage comment]
Approved for aurora. Simple crash fix.
Attachment #584315 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Whiteboard: [inbound] → [inbound][qa+]
No crashes loading the test case from comment 0. This is verified fixed on Firefox 11b1:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Status: RESOLVED → VERIFIED
Keywords: verified-beta
Whiteboard: [inbound][qa+] → [inbound][qa+][qa!:11]
Status: VERIFIED → RESOLVED
Closed: 9 years ago8 years ago
No crashes loading the test case from comment 0. This is verified fixed on Firefox 12b2:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Status: RESOLVED → VERIFIED
Whiteboard: [inbound][qa+][qa!:11] → [inbound][qa!]
I cannot duplicate the tab with the test case. Could be something related to this fix ?
Paul, what do you mean by "duplicate the tab"?
Paul, that's related to http://hg.mozilla.org/mozilla-central/annotate/a30fd69f1e0c/browser/components/sessionstore/src/nsSessionStore.js#l2193, not this patch. Can you file a new bug report in the "Session Restore" component, and mention the bug number here?
Sure Jesse.
Bug 739531 filed.
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.