Closed
Bug 1663601
Opened 4 years ago
Closed 4 years ago
Crash in [@ mozilla::RangeBoundaryBase<T>::GetNextSiblingOfChildAtOffset]
Categories
(Core :: DOM: Events, defect, P1)
Core
DOM: Events
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | unaffected |
| firefox80 | --- | unaffected |
| firefox81 | --- | unaffected |
| firefox82 | --- | fixed |
People
(Reporter: aryx, Assigned: masayuki)
References
(Regression)
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
|
(deleted),
text/x-phabricator-request
|
Details |
ShrinkRangesIfStartFromOrEndAfterAtomicContent got added by https://hg.mozilla.org/mozilla-central/rev/ad9e11f73c272f7f801a3ed0b9e6233ce6d792c2 in bug 1658702.
Crash report: https://crash-stats.mozilla.org/report/index/ceaf8092-d0b0-4f2f-8c74-596ac0200907
Top 10 frames of crashing thread:
0 xul.dll mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >::GetNextSiblingOfChildAtOffset const dom/base/RangeBoundary.h:127
1 xul.dll mozilla::AutoRangeArray::ShrinkRangesIfStartFromOrEndAfterAtomicContent editor/libeditor/EditorUtils.cpp:305
2 xul.dll mozilla::HTMLEditor::AutoDeleteRangesHandler::Run editor/libeditor/HTMLEditSubActionHandler.cpp:3398
3 xul.dll mozilla::HTMLEditor::HandleDeleteSelection editor/libeditor/HTMLEditSubActionHandler.cpp:3101
4 xul.dll mozilla::EditorBase::DeleteSelectionAsSubAction editor/libeditor/EditorBase.cpp:3767
5 xul.dll mozilla::EditorBase::DeleteSelectionAsAction editor/libeditor/EditorBase.cpp:3737
6 xul.dll mozilla::TextEditor::HandleKeyPressEvent editor/libeditor/TextEditor.cpp:320
7 xul.dll mozilla::EditorEventListener::KeyPress editor/libeditor/EditorEventListener.cpp:621
8 xul.dll mozilla::EventListenerManager::HandleEventInternal dom/events/EventListenerManager.cpp:1278
9 xul.dll static mozilla::EventTargetChainItem::HandleEventTargetChain dom/events/EventDispatcher.cpp:594
Flags: needinfo?(masayuki)
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → masayuki
Severity: -- → S3
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
Priority: -- → P2
|
|
Assignee | |
Comment 1•4 years ago
|
||
Ah, really annoying API, sigh.
Root Cause: --- → Coding: Internal API Issue
|
||
Updated•4 years ago
|
Keywords: regression
|
|
Assignee | |
Comment 2•4 years ago
|
||
This is easy to reproduce.
- load
data:text/html,<div contenteditable><img src="something"></div> - Put caret before the
<img> - Type
Delete.
Priority: P2 → P1
|
|
Assignee | |
Comment 3•4 years ago
|
||
RangeBoundaryBase stores a previous sibling of child node at offset with
mRef. Therefore, even if the callers check whether its instance points a
child node, mRef may be nullptr when it points first child of its container.
So, GetNextSiblingOfChildAtOffset() needs to handle the case.
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/a99710068e29
Make `RangeBoundaryBase::GetNextSiblingOfChildAtOffset()` check whether `mRef` is nullptr or not r=mbrodesser
|
||
Comment 5•4 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
You need to log in
before you can comment on or make changes to this bug.
Description
•