Closed
Bug 330925
Opened 19 years ago
Closed 19 years ago
[FIX]Crash [@ nsContentIterator::NextNode] involving reparenting XBL anonymous children
Categories
(Core :: XBL, defect, P1)
Core
XBL
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha1
People
(Reporter: jruderman, Assigned: bzbarsky)
References
Details
(4 keywords)
Crash Data
Attachments
(6 files, 2 obsolete files)
|
(deleted),
application/xhtml+xml
|
Details | |
|
(deleted),
text/plain
|
Details | |
|
(deleted),
application/xhtml+xml
|
Details | |
|
(deleted),
application/xhtml+xml
|
Details | |
|
(deleted),
patch
|
sicking
:
review+
sicking
:
superreview+
bzbarsky
:
approval-aviary1.0.9?
bzbarsky
:
approval1.7.14?
sicking
:
approval-branch-1.8.1+
dveditz
:
approval1.8.0.4+
|
Details | Diff | Splinter Review |
|
(deleted),
patch
|
Details | Diff | Splinter Review |
To reproduce, just load the testcase. TB16527704X shows what might be an incomplete stack trace: nsContentIterator::NextNode nsContentIterator::Next nsRange::OwnerChildRemoved nsGenericElement::doRemoveChildAt nsGenericElement::RemoveChildAt nsGenericElement::doRemoveChild nsGenericElement::RemoveChild XPCWrappedNative::CallMethod
|
Reporter | |
Comment 1•19 years ago
|
||
|
|
Reporter | |
Comment 2•19 years ago
|
||
I can reproduce on Windows 2003, Windows XP, and Mac.
OS: Windows Server 2003 → All
Hardware: PC → All
|
|
Reporter | |
Comment 3•19 years ago
|
||
I wonder why web pages are able to see the anonymous content that makes up the missing-plugin placeholder. I also wonder whether making that anonymous content inaccessible to web pages would be considered a complete fix for this bug.
|
||
Comment 4•19 years ago
|
||
I think this is an xbl bug. I don't think there is currently a way to make xbl anonymous content inaccessible, maybe there should be a way? (it would fix the testcase, I guess, but not the bug itself).
|
|
Reporter | |
Comment 5•19 years ago
|
||
I forgot that the missing-plugin placeholder uses XBL now. I should try to make a testcase that doesn't involve plugins, but instead supplies its own XBL. Is this a dup of bug 205735? (Would the change suggested in bug 205735 comment 34 fix this crash?)
Summary: Crash involving anonymous content of missing-plugin placeholder [@ nsContentIterator::NextNode] → Crash [@ nsContentIterator::NextNode] involving XBL (anonymous content of missing-plugin placeholder)
|
|
||
Comment 6•19 years ago
|
||
Before the crash, I get some assertions: "###!!! ASSERTION: invalid removeIndex: 'removeIndex >= 0 && ! (oldParent == container && removeIndex == insPos)', file c:/mozilla/mozilla/cont ent/base/src/nsGenericElement.cpp, line 3028") ###!!! ASSERTION: Already have a document. Unbind first!: '!GetCurrentDoc()', f ile c:/mozilla/mozilla/content/base/src/nsGenericDOMDataNode.cpp, line 665 ###!!! ASSERTION: Already have a parent. Unbind first!: '!GetParent() || aParen t == GetParent()', file c:/mozilla/mozilla/content/base/src/nsGenericDOMDataNode .cpp, line 669 and more. Backtrace of some of the assertions included in the file.
|
|
||
Comment 7•19 years ago
|
||
I think somewhere here it is already going wrong. When the anonymous node is move out of the xbl, the old node is not removed. I thought that bug 308120 made it impossible to move anonymous xbl nodes out of xbl. But it seems like comment nodes or textnodes as direct children of the xbl binding are not treated as xbl anonymous content, so you don't get the NS_ERROR_DOM_NOT_SUPPORTED_ERR error. You can also see this in the dom inspector where those nodes turn up as black, while normal xbl anonymous nodes turn up as red (I always used to wonder about that). So I don't think this is a dup of bug 205735.
|
|
||
Comment 8•19 years ago
|
||
I guess that's what the XXX comment is about: http://lxr.mozilla.org/seamonkey/source/content/base/src/nsGenericDOMDataNode.cpp#678 "// XXXbz we don't keep track of the binding parent yet. We should."
|
|
||
Comment 9•19 years ago
|
||
Well, this fixes the crash by making those nodes really anonymous. But it isn't any good because it also makes direct text/commentnodes of the bound element anonymous, which isn't true.
|
|
Reporter | |
Updated•19 years ago
|
Assignee: nobody → general
Component: Plug-ins → XBL
QA Contact: plugins → ian
Summary: Crash [@ nsContentIterator::NextNode] involving XBL (anonymous content of missing-plugin placeholder) → Crash [@ nsContentIterator::NextNode] involving reparenting XBL anonymous children
|
||
Comment 10•19 years ago
|
||
BTW, all java as asked are (and were) OK for me. /be
|
Assignee | |
Comment 11•19 years ago
|
||
> I wonder why web pages are able to see the anonymous content That's just how XBL works, sadly. That said, in this case we'll end up with a bogus removeIndex, since our bindingParent is bogus. Perhaps for safety sake we should simply throw if removeIndex ends up -1? That would fix this bug and all... We could even remove the bindingParent check bug 308120 added -- since the kid is anonymous, it's not removable, no matter how it came to be anonymous...
|
|
Assignee | |
Comment 12•19 years ago
|
||
Jonas, should we land this on branches too (like bug 308120)? If so, I'll write a 1.8 branch version of this patch....
Assignee: general → bzbarsky
Attachment #215528 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #216996 -
Flags: superreview?(bugmail)
Attachment #216996 -
Flags: review?(bugmail)
|
|
Assignee | |
Updated•19 years ago
|
Priority: -- → P1
Summary: Crash [@ nsContentIterator::NextNode] involving reparenting XBL anonymous children → [FIX]Crash [@ nsContentIterator::NextNode] involving reparenting XBL anonymous children
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 216996 [details] [diff] [review] Per comment 11 Yeah, we want this for branches too sadly. You should probably wait until i've landed bug 325730 on the branches though.
Attachment #216996 -
Flags: superreview?(bugmail)
Attachment #216996 -
Flags: superreview+
Attachment #216996 -
Flags: review?(bugmail)
Attachment #216996 -
Flags: review+
|
|
Assignee | |
Comment 14•19 years ago
|
||
Sounds good. I'll ask you for approval and so forth... ;) Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Depends on: 325730
Flags: blocking1.8.1?
Flags: blocking1.8.0.3?
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Resolution: --- → FIXED
|
|
Assignee | |
Updated•19 years ago
|
Attachment #216996 -
Flags: approval1.8.0.3?
Attachment #216996 -
Flags: approval1.7.14?
Attachment #216996 -
Flags: approval-branch-1.8.1?(bugmail)
Attachment #216996 -
Flags: approval-aviary1.0.9?
Attachment #216996 -
Flags: approval-branch-1.8.1?(bugmail) → approval-branch-1.8.1+
|
||
Comment 16•19 years ago
|
||
Please land this on the MOZILLA_1_8_BRANCH soon, so it can bake before we accept it for the MOZILLA_1_8_0_BRANCH. Please add the "fixed1.8.1" keyword when it has been checked in on the MOZILLA_1_8_BRANCH. Thanks!
|
|
Assignee | |
Comment 17•19 years ago
|
||
> Please land this on the MOZILLA_1_8_BRANCH soon I can't until bug 325730 lands on that branch. See the dep list.
Keywords: fixed1.8.1
|
||
Comment 18•18 years ago
|
||
Comment on attachment 216996 [details] [diff] [review] Per comment 11 approved for 1.8.0 branch, a=dveditz for drivers
Attachment #216996 -
Flags: approval1.8.0.3? → approval1.8.0.3+
Keywords: fixed1.8.0.3
|
||
Comment 19•18 years ago
|
||
verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4 no crash, however testcase2 shows red (failed).
Keywords: fixed1.8.0.4 → verified1.8.0.4
|
|
Assignee | |
Comment 20•18 years ago
|
||
Yep. That should have gotten fixed on trunk today by bug 329122.
|
|
Assignee | |
Updated•18 years ago
|
Flags: blocking1.8.1?
|
|
Reporter | |
Comment 21•17 years ago
|
||
I checked in my testcase as a crashtest. Should Martijn's "testcase2" be a mochitest? It seems a little hacky to use reftest for JavaScript-set "pass/fail" messages.
Flags: in-testsuite?
|
|
Assignee | |
Comment 22•17 years ago
|
||
That looks like a good mochitest candidate, yes. Want to do it?
|
|
Reporter | |
Comment 23•17 years ago
|
||
Well, I don't know how to use mochitest... ;)
|
|
Assignee | |
Comment 24•17 years ago
|
||
There are docs in devmo, I think... Please let me know if they're unclear and I'll help.
|
|
Reporter | |
Comment 25•17 years ago
|
||
This is my first mochitest. It's based on Martijn's testcase2, but tests that getBindingParent returns the specific div instead of just testing that it's not null.
|
|
Assignee | |
Comment 26•17 years ago
|
||
Some comments on the test:
* use addLoadEvent(init) instead of an onload attr on the body. That will
guarantee in-order firing of load stuff, basically.
* Add a description string to you is() calls. Something like:
is(document.getBindingParent(document.getAnonymousNodes(t)[0]), t,
"Wrong binding parent for anonymous node");
and perhaps "Wrong binding parent for anonymous node child" for the other
test. That message will be shown if the test fails.
Other than those nits, looks good!|
|
Reporter | |
Comment 27•17 years ago
|
||
Added diagnostic messages and switched to addLoadEvent as requested by bz. Also added two more tests and a comment about why we're waiting for onload.
Attachment #297111 -
Attachment is obsolete: true
|
||
Updated•13 years ago
|
Crash Signature: [@ nsContentIterator::NextNode]
You need to log in
before you can comment on or make changes to this bug.
Description
•