Closed Bug 580151 Opened 14 years ago Closed 14 years ago

Crash [@ nsSelectionState::DoTraverse] with textarea, changing root

Categories

(Core :: DOM: Editor, defect)

Product:
Core
Component:
DOM: Editor
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla2.0b4
Tracking Flags:
Tracking Status
blocking2.0 --- -
status2.0 --- wanted
blocking1.9.2 --- .11+
status1.9.2 --- .11-fixed
blocking1.9.1 --- .14+
status1.9.1 --- .14-fixed

People

(Reporter: jruderman, Assigned: ehsan.akhgari)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?] [qa-examined-191] [qa-examined-192])

Crash Data

Attachments

(5 files)

testcase (crashes Firefox later, during cycle collection)
(deleted), text/html
Details
Part 1: Fix the first assertion
(deleted), patch
roc
: review+
Details | Diff | Splinter Review
Part 2: Fix the second assertion
(deleted), patch
roc
: review+
Details | Diff | Splinter Review
Part 3: crashtest
(deleted), patch
roc
: review+
Details | Diff | Splinter Review
Rolled up patch
(deleted), patch
dbaron
: approval2.0+
dveditz
: approval1.9.2.11+
dveditz
: approval1.9.1.14+
Details | Diff | Splinter Review
###!!! ASSERTION: bad action nesting!: 'mActionNesting>0', file editor/libeditor/text/nsTextEditRules.cpp, line 250 ###!!! ASSERTION: zero or negative placeholder batch count when ending batch!: 'mPlaceHolderBatch > 0', file editor/libeditor/base/nsEditor.cpp, line 876 Crash [@ nsSelectionState::DoTraverse]
blocking2.0: --- → ?
Attached patch Part 1: Fix the first assertion (deleted) — Splinter Review
The first assertion is caused by the fact that nsTextEditRules::BeforeEdit can be bailing out early if nsEditor::GetSelection fails, and therefore not incrementing mActionNesting as expected.
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Attachment #458641 - Flags: review?(roc)
The cause of the second assertion is similar: failing to increment mPlaceHolderBatch because we bail out early if we can't get the selection. These two patches fix the crash as well (as it was caused by a partially initialized placeholder transaction.)
Attachment #458644 - Flags: review?(roc)
Attached patch Part 3: crashtest (deleted) — Splinter Review
Attachment #458645 - Flags: review?(roc)
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Why would this block the branch releases? Seems nice to have on the branches so request approval when you've got reviews, etc. If we're misunderstanding the importance of this apparently non-security, non-topcrash bug please let us know.
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Attached patch Rolled up patch (deleted) — Splinter Review
Attachment #462449 - Flags: approval2.0?
Comment on attachment 462449 [details] [diff] [review] Rolled up patch a2.0=dbaron
Attachment #462449 - Flags: approval2.0? → approval2.0+
blocking2.0: ? → -
status2.0: --- → wanted
http://hg.mozilla.org/mozilla-central/rev/6a75787301c4 http://hg.mozilla.org/mozilla-central/rev/c87965964a17 http://hg.mozilla.org/mozilla-central/rev/440a4bfe2f5f
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b4
Attachment #462449 - Flags: approval1.9.2.10?
Attachment #462449 - Flags: approval1.9.1.13?
Comment on attachment 462449 [details] [diff] [review] Rolled up patch Approved for 1.9.2.10 and 1.9.1.13, a=dveditz for release-drivers
Attachment #462449 - Flags: approval1.9.2.10?
Attachment #462449 - Flags: approval1.9.2.10+
Attachment #462449 - Flags: approval1.9.1.13?
Attachment #462449 - Flags: approval1.9.1.13+
Looks like this might've caused a new mochitest failure in editor code on 1.9.1: http://tinderbox.mozilla.org/showlog.cgi?log=Firefox3.5/1282941921.1282944723.14877.gz OS X 10.5.2 mozilla-1.9.1 test mochitests on 2010/08/27 13:45:21 s: moz2-darwin9-slave55 >44652 ERROR TEST-UNEXPECTED-FAIL | /tests/editor/libeditor/html/tests/test_CF_HTML_clipboard.html | [SimpleTest/SimpleTest.js, window.onerror] An error occurred - SimpleTest.waitForFocus is not a function
I had aki|buildduty trigger another round of mochitests for that box, to see if the orange from comment 11 sticks.
Actually it looks like that test has been perma-orange on 1.9.1 for a while (probably ever since it landed in bug 572642) I filed Bug 591544 on it.
Running the testcase in comment 0 and comment 3 in my own debug 1.9.2 build (pre-fix) on Windows XP, I don't trigger any crash, even if I sit around for a while. How do we trigger cycle collection to cause this crash?
Loading the page in a tab, closing the tab and waiting for a while should be enough.
Nothing here running a 1.9.2.9pre build in order to see the crash. What operating system are you using?
Whiteboard: [sg:critical?] → [sg:critical?] [qa-examined-191] [qa-examined-192]
Mac.
I just tried with 10.6.4, using both testcases, opening them in a new tab, waiting a minute, closing the tab, and then watching. I see no asserts and no crashes in 1.9.2.11pre.
Hmm, weird. What about 1.9.1?
(In reply to comment #20) > The same. Then something else is probably in play here...
Group: core-security
Crash Signature: [@ nsSelectionState::DoTraverse]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: