Closed
Bug 847076
Opened 11 years ago
Closed 11 years ago
nsRange can get confused when it points into anonymous content.
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
DUPLICATE
of bug 846096
People
(Reporter: khuey, Unassigned)
Attachments (1 file): 1.21 KB, patch
+++ This bug was initially created as a clone of Bug #846096 +++

I'm filing a new bug so we don't have to deal with the noise while we fix it.

From Bug 846096:

> So the problem is roughly this.
>
> We have an nsRange whose root is a <textarea>, and whose start and end
> pointers are in the native anonymous content for that <textarea>. When we
> tear down the frame tree we end up in HTMLTextAreaElement::UnbindFromFrame,
> and then nsTextEditorState::UnbindFromFrame. That ends up calling
> nsContentUtils::DestroyAnonymousContent on the root anonymous node. We set
> up an AnonymousContentDestroyer to run off a script runner and it calls
> UnbindFromTree on the root anonymous node. This mStart/EndParent no longer
> chain up to mRoot. But no ContentRemoved notification was ever fired, so
> the nsRange has no idea that it's messed up.
>
> This bug manifests because later the cycle collector runs and it unlinks the
> NAC before it unlinks the nsRange. The start and end parent end up with
> null parent pointers and this assertion fires. I believe that if we
> asserted that mStartParent and mEndParent chain up to mRoot that assertion
> would fire 100% of the time.

Attached is a patch that adds that assertion. If you apply this and run /toolkit/content/tests/chrome/test_bug451540.xul you'll see the problem.
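The invariant described in the report, as an added example that is not part of the original bug or the attached patch: a simplified C++ model, not Gecko code, showing why a range pointing into a detached subtree stops chaining up to its root unless it is notified of the removal. All type and function names here are hypothetical, and the way the notified path repairs the range (moving boundaries to the former parent) is an assumption of the model.

```cpp
#include <cstdio>

// Simplified stand-ins (assumptions, not Gecko types): only parent links matter.
struct Node { Node* parent = nullptr; };
struct Range { Node* root; Node* startParent; Node* endParent; };

// True only if walking parent pointers from n reaches ancestor.
bool ChainsUpTo(const Node* n, const Node* ancestor) {
    for (; n; n = n->parent)
        if (n == ancestor) return true;
    return false;
}

// The invariant from the report: both boundary containers chain up to the root.
bool RangeIsConsistent(const Range& r) {
    return ChainsUpTo(r.startParent, r.root) && ChainsUpTo(r.endParent, r.root);
}

// Models the reported path: the subtree is detached and no range hears about it.
void UnbindSilently(Node& child) { child.parent = nullptr; }

// Models a removal that notifies the range first, so it can pull any boundary
// inside the removed subtree up to the former parent before the link is cut.
void UnbindWithNotification(Node& child, Range& r) {
    Node* formerParent = child.parent;
    if (ChainsUpTo(r.startParent, &child)) r.startParent = formerParent;
    if (ChainsUpTo(r.endParent, &child)) r.endParent = formerParent;
    child.parent = nullptr;
}

// Builds textarea -> anonymous root -> text node with a range pointing at the
// text node, detaches the anonymous root, and reports the invariant afterwards.
bool ConsistentAfterUnbind(bool notify) {
    Node textarea, anonRoot, text;
    anonRoot.parent = &textarea;
    text.parent = &anonRoot;
    Range range{&textarea, &text, &text};
    if (!RangeIsConsistent(range)) return false;  // must hold before teardown
    if (notify) UnbindWithNotification(anonRoot, range);
    else UnbindSilently(anonRoot);
    return RangeIsConsistent(range);
}

int main() {
    std::printf("silent unbind keeps invariant: %d\n", ConsistentAfterUnbind(false));
    std::printf("notified unbind keeps invariant: %d\n", ConsistentAfterUnbind(true));
    return 0;
}
```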
Reporter | Updated • 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Assignee | Updated • 5 years ago
Component: DOM → DOM: Core & HTML