Closed
Bug 989711
Opened 10 years ago
Closed 3 years ago
Crash in nsContentIterator::NextNode with Range.toString
Categories
(Core :: DOM: Core & HTML, defect, P5)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: jruderman, Unassigned)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(3 files)
411 bytes,
application/xhtml+xml
|
Details | |
10.31 KB,
text/plain
|
Details | |
5.54 KB,
patch
|
Details | Diff | Splinter Review |
No description provided.
Reporter | ||
Comment 1•10 years ago
|
||
Reporter | ||
Comment 2•10 years ago
|
||
bp-4c1a1449-d15f-4410-ba97-d5ccd2140330
Comment 3•10 years ago
|
||
So we end up having a text node and a NAC text node as range boundaries. Content can't access that NAC, but Range's toString certainly can't handle such odd case.
Comment 4•10 years ago
|
||
But I don't quite understand what modify() does here.
Comment 5•10 years ago
|
||
Ah, we have this special Range which Find creates and that lets one to go through NAC boundaries.
Comment 6•10 years ago
|
||
I think we should just make sure that selection.getRangeAt never returns such ranges to JS which cross NAC boundaries.
Comment 7•10 years ago
|
||
And we need to make sure such odd range objects don't affect to .modify() and such.
Comment 8•10 years ago
|
||
Comment 9•10 years ago
|
||
Comment on attachment 8399170 [details] [diff] [review] ugly wip for the first case This is truly terrible! I think the real question is, why does document.getSelection() returns a selection object which lets you modify the find selection? All kinds of things can go wrong with that, and I think that is the underlying problem.
Comment 10•10 years ago
|
||
Hmm, actually, I guess if toString() is called on the range object from chrome then the same problem happens?
Comment 11•10 years ago
|
||
(In reply to :Ehsan Akhgari (lagging on bugmail, needinfo? me!) from comment #9) > Comment on attachment 8399170 [details] [diff] [review] > ugly wip for the first case > > This is truly terrible! :) > I think the real question is, why does document.getSelection() returns a > selection object which lets you modify the find selection? All kinds of > things can go wrong with that, and I think that is the underlying problem. As long as we have window.find, I think it is rather useful to let it to change selection and get the results from .getSelection() But we must not return stuff which points to anonymous content to web.
Reporter | ||
Comment 12•10 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #6) > I think we should just make sure that selection.getRangeAt never returns > such ranges to JS which > cross NAC boundaries. In addition to Selection.getRangeAt, are similar changes needed for Selection.toString and Selection.deleteFromDocument?
Updated•9 years ago
|
Crash Signature: [@ nsContentIterator::NextNode(nsINode*, nsTArray<int>*) ] → [@ nsContentIterator::NextNode(nsINode*, nsTArray<int>*) ]
[@ nsContentIterator::NextNode ]
Olli, based on the history of comments here, do we understand the problem and possibly get a fix out there? I was reviewing the top crashes for last week on Aurora44 and this is #4 at the moment. Thanks!
Flags: needinfo?(bugs)
Comment 14•9 years ago
|
||
Are you sure it is this, and not https://bugzilla.mozilla.org/show_bug.cgi?id=1224101 ?
Flags: needinfo?(bugs) → needinfo?(rkothari)
(In reply to Olli Pettay [:smaug] from comment #14) > Are you sure it is this, and not > https://bugzilla.mozilla.org/show_bug.cgi?id=1224101 ? Yes, you are correct! I noticed that in the last 3 days of data, this crash signature has been dropping so we may have fixed it as needed by backing out the patches in bug 1224101. Thanks and sorry for the mistake!
Flags: needinfo?(rkothari)
Comment 16•7 years ago
|
||
Crash volume for signature 'nsContentIterator::NextNode': - nightly (version 53): 0 crashes from 2016-11-14. - aurora (version 52): 0 crashes from 2016-11-14. - beta (version 51): 1 crash from 2016-11-14. - release (version 50): 9 crashes from 2016-11-01. - esr (version 45): 8780 crashes from 2016-07-06. Crash volume on the last weeks (Week N is from 01-02 to 01-08): W. N-1 W. N-2 W. N-3 W. N-4 W. N-5 W. N-6 W. N-7 - nightly 0 0 0 0 0 0 0 - aurora 0 0 0 0 0 0 0 - beta 0 1 0 0 0 0 0 - release 1 3 1 1 2 0 1 - esr 160 265 466 429 426 386 426 Affected platforms: Windows, Mac OS X, Linux Crash rank on the last 7 days: Browser Content Plugin - nightly - aurora - beta - release - esr #30
status-firefox50:
--- → affected
status-firefox51:
--- → affected
status-firefox-esr45:
--- → affected
Updated•6 years ago
|
Priority: -- → P5
Assignee | ||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
Comment 17•3 years ago
|
||
Closing this as resolved:worksforme, could not reproduce the crash on MacOS using the attached testcase on the latest Nightly and there are no crashes in the last 6 months with this signature.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•