Crash [@ nsIRange::UnregisterCommonAncestor] with designMode

VERIFIED FIXED in Firefox 11

Status

()

defect
--
critical
VERIFIED FIXED
8 years ago
3 months ago

People

(Reporter: jruderman, Assigned: mats)

Tracking

(Blocks 1 bug, {crash, testcase, verified-beta})

Trunk
mozilla12
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox9 unaffected, firefox10 unaffected, firefox11 verified, firefox12 verified)

Details

(Whiteboard: [inbound][qa!])

Attachments

(5 attachments)

Reporter

Description

8 years ago
1. Load the testcase.
2. Close the tab or quit Firefox.

Result: Crash [@ nsIRange::UnregisterCommonAncestor]
Reporter

Comment 1

8 years ago
Posted file stack trace
Assignee: nobody → matspal
Assignee

Updated

8 years ago
Component: Document Navigation → DOM
OS: Mac OS X → All
QA Contact: docshell → general
Hardware: x86_64 → All
Assignee

Comment 2

8 years ago
Posted patch fixSplinter Review
Make the nsGkAtoms::range property transferable otherwise it's deleted by adoptNode.
Attachment #584315 - Flags: review?(bugs)
Assignee

Comment 3

8 years ago
Posted patch Jesse's testSplinter Review
Assignee

Comment 4

8 years ago
A similar test that crashes without using document.designMode
Comment on attachment 584315 [details] [diff] [review]
fix

Ah, of course.

The patch should go to Aurora too, right?
Attachment #584315 - Flags: review?(bugs) → review+
Assignee

Comment 7

8 years ago
Comment on attachment 584315 [details] [diff] [review]
fix

> The patch should go to Aurora too, right?

Yes.  It's a low-risk crash fix.
Attachment #584315 - Flags: approval-mozilla-aurora?

Comment 9

8 years ago
Comment on attachment 584315 [details] [diff] [review]
fix

[triage comment]
Approved for aurora. Simple crash fix.
Attachment #584315 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Whiteboard: [inbound] → [inbound][qa+]
No crashes loading the test case from comment 0. This is verified fixed on Firefox 11b1:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Status: RESOLVED → VERIFIED
Keywords: verified-beta
Whiteboard: [inbound][qa+] → [inbound][qa+][qa!:11]
Status: VERIFIED → RESOLVED
Closed: 8 years ago8 years ago
No crashes loading the test case from comment 0. This is verified fixed on Firefox 12b2:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Status: RESOLVED → VERIFIED
Whiteboard: [inbound][qa+][qa!:11] → [inbound][qa!]
I cannot duplicate the tab with the test case. Could be something related to this fix ?
Reporter

Comment 14

7 years ago
Paul, what do you mean by "duplicate the tab"?
Reporter

Comment 16

7 years ago
Paul, that's related to http://hg.mozilla.org/mozilla-central/annotate/a30fd69f1e0c/browser/components/sessionstore/src/nsSessionStore.js#l2193, not this patch. Can you file a new bug report in the "Session Restore" component, and mention the bug number here?
Sure Jesse.
Bug 739531 filed.
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.