Closed Bug 847076 Opened 11 years ago Closed 11 years ago

nsRange can get confused when it points into anonymous content.

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 846096

People

(Reporter: khuey, Unassigned)

Attachments

(1 file)

Attached patch: Assertion
+++ This bug was initially created as a clone of Bug #846096 +++

I'm filing a new bug so we don't have to deal with the noise while we fix it.

From Bug 846096:

> So the problem is roughly this.
> 
> We have an nsRange whose root is a <textarea>, and whose start and end
> pointers are in the native anonymous content for that <textarea>.  When we
> tear down the frame tree we end up in HTMLTextAreaElement::UnbindFromFrame,
> and then nsTextEditorState::UnbindFromFrame.  That ends up calling
> nsContentUtils::DestroyAnonymousContent on the root anonymous node.  We set
> up an AnonymousContentDestroyer to run off a script runner and it calls
> UnbindFromTree on the root anonymous node.  Thus mStart/EndParent no longer
> chain up to mRoot.  But no ContentRemoved notification was ever fired, so
> the nsRange has no idea that it's messed up.
> 
> This bug manifests because later the cycle collector runs and it unlinks the
> NAC before it unlinks the nsRange.  The start and end parent end up with
> null parent pointers and this assertion fires.  I believe that if we
> asserted that mStartParent and mEndParent chain up to mRoot that assertion
> would fire 100% of the time.

Attached is a patch that adds that assertion.  If you apply this and run /toolkit/content/tests/chrome/test_bug451540.xul you'll see the problem.
Blocks: 846096
No longer depends on: 846096
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Component: DOM → DOM: Core & HTML
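Added example, not code from the bug or from the attached patch: a toy C++ model of the situation the quoted comment describes. Node, Range, ChainsUpTo and RangeConsistentAfterTeardown are assumed names; RangeIsConsistent stands in for the assertion the patch adds (boundary parents must chain up to mRoot), and ContentRemoved for the notification that was never fired for the anonymous content.

```cpp
#include <cassert>
#include <initializer_list>

// Toy model of the structures the bug describes; this is not Gecko code.
struct Node { Node* parent = nullptr; };

// Models nsRange's mRoot, mStartParent and mEndParent.
struct Range {
  Node* root;
  Node* startParent;
  Node* endParent;
  // What a ContentRemoved notification lets the range do: move any boundary
  // that lived inside the removed subtree up to the removed node's container.
  void ContentRemoved(Node* removed) {
    for (Node** boundary : {&startParent, &endParent})
      for (Node* n = *boundary; n; n = n->parent)
        if (n == removed) { *boundary = removed->parent; break; }
  }
};

static bool ChainsUpTo(const Node* n, const Node* root) {
  for (; n; n = n->parent) if (n == root) return true;
  return false;
}

// The invariant the attached patch proposes to assert: both boundary parents
// must reach mRoot by following parent pointers.
bool RangeIsConsistent(const Range& r) {
  return r.root && ChainsUpTo(r.startParent, r.root) &&
         ChainsUpTo(r.endParent, r.root);
}

// Models UnbindFromTree on the root anonymous node: the subtree is cut off
// from the <textarea> and, in the buggy path, no observer is told.
static void UnbindFromTree(Node* n) { n->parent = nullptr; }

// A range pointing into <textarea> anonymous content; the NAC is torn down
// either silently (as in the bug) or after a ContentRemoved notification.
bool RangeConsistentAfterTeardown(bool notify) {
  Node textarea, nacRoot, textNode;  // constructed sample tree
  nacRoot.parent = &textarea;
  textNode.parent = &nacRoot;
  Range r{&textarea, &textNode, &textNode};
  assert(RangeIsConsistent(r));      // fine while the NAC is still bound
  if (notify) r.ContentRemoved(&nacRoot);
  UnbindFromTree(&nacRoot);
  return RangeIsConsistent(r);       // false when silent, true when notified
}
```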
