Bugzilla@Mozilla – Bug 637621
Crash [@ nsRange::IsValidBoundary] after selected node is GCed
Last modified: 2011-05-23 13:27:40 PDT
Created attachment 515877 [details] testcase (requires extension for GC)

1. Install 'DOM Fuzz Lite' from https://www.squarefree.com/extensions/domFuzzLite.xpi
2. Load the testcase.

Crash [@ nsRange::IsValidBoundary]

http://hg.mozilla.org/mozilla-central/file/410519307e63/content/base/src/nsRange.cpp#l598 is the crashing line
Created attachment 515878 [details] stack trace
Seems to be debug-only with this testcase, but that's probably just because opt is lucky and memory isn't overwritten.
patch coming.
Created attachment 515901 [details] [review] patch

Clear(presContext) in nsTypedSelection::Collapse deletes range objects, and the method is called as Collapse(lastRange->GetEndParent(), lastRange->EndOffset()); So, the safest patch I can think of is to just keep aParentNode alive. I know, the caller should do it, but in this case this is just simpler and safer.
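The lifetime problem described in the comment above, as an added example that is not Mozilla's code and not the attached patch: Node, RefPtr, Range and Selection are hypothetical stand-ins for nsINode, nsCOMPtr, nsRange and nsTypedSelection, and IsValidBoundary here only checks a "freed" flag instead of dereferencing the node the way nsRange::IsValidBoundary did. The caller evaluates `last->GetEndParent()` from a range that Collapse itself destroys; the buggy shape uses the raw pointer after Clear() has dropped the last strong reference, and the fixed shape takes its own reference first.

```cpp
// Added example, not Mozilla's code: a minimal model of the lifetime bug in
// the comment above and of the "keep aParentNode alive" fix. All names are
// hypothetical stand-ins for the real Gecko classes.
#include <cstdio>
#include <memory>
#include <vector>

// Intrusive refcounting like nsISupports. To keep the demo free of real
// undefined behaviour, dropping the last reference sets mFreed instead of
// running `delete this`; any later use of the object is the use-after-free.
struct Node {
    int  mRefCnt = 0;
    bool mFreed  = false;
    void AddRef()  { ++mRefCnt; }
    void Release() { if (--mRefCnt == 0) mFreed = true; }
};

template <class T>
class RefPtr {                     // strong reference, like nsCOMPtr/nsRefPtr
    T* mPtr;
public:
    explicit RefPtr(T* p = nullptr) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
    RefPtr(const RefPtr& o) : mPtr(o.mPtr) { if (mPtr) mPtr->AddRef(); }
    RefPtr& operator=(const RefPtr& o) {
        if (o.mPtr) o.mPtr->AddRef();
        if (mPtr) mPtr->Release();
        mPtr = o.mPtr;
        return *this;
    }
    ~RefPtr() { if (mPtr) mPtr->Release(); }
    T* get() const { return mPtr; }
};

struct Range {                     // a range owns a strong ref to its end parent
    RefPtr<Node> mEndParent;
    int mEndOffset;
    Range(Node* parent, int offset) : mEndParent(parent), mEndOffset(offset) {}
    Node* GetEndParent() const { return mEndParent.get(); }
    int EndOffset() const { return mEndOffset; }
};

// Stand-in for the check at nsRange::IsValidBoundary: a freed node is never a
// valid boundary. The real function dereferenced the node and crashed.
static bool IsValidBoundary(const Node* aNode) {
    return aNode && !aNode->mFreed;
}

class Selection {
    std::vector<std::unique_ptr<Range>> mRanges;
public:
    void AddRange(Node* parent, int offset) {
        mRanges.push_back(std::make_unique<Range>(parent, offset));
    }
    Range* GetLastRange() const {
        return mRanges.empty() ? nullptr : mRanges.back().get();
    }
    // Like Clear(presContext): destroys the ranges, dropping their strong refs.
    void Clear() { mRanges.clear(); }

    // Buggy shape: aParentNode is a raw pointer. If the only owner of the node
    // was one of the ranges Clear() just destroyed, it is used after free.
    bool CollapseUnsafe(Node* aParentNode, int aOffset) {
        Clear();
        if (!IsValidBoundary(aParentNode)) return false;   // the crash
        AddRange(aParentNode, aOffset);
        return true;
    }
    // Fixed shape: take a strong reference before Clear() so the node outlives it.
    bool CollapseSafe(Node* aParentNode, int aOffset) {
        RefPtr<Node> kungFuDeathGrip(aParentNode);
        Clear();
        if (!IsValidBoundary(aParentNode)) return false;
        AddRange(aParentNode, aOffset);
        return true;
    }
};

// Reproduces the caller pattern from the bug: the node is owned only by the
// selection's last range and is passed as Collapse(last->GetEndParent(),
// last->EndOffset()). Returns false when the collapse touched a freed node.
bool RunCollapse(bool useFix) {
    Node node;                     // owned only through the Range below (refcount 1)
    Selection sel;
    sel.AddRange(&node, 0);
    Range* last = sel.GetLastRange();
    // Arguments are evaluated before the call; Clear() then runs inside Collapse.
    return useFix ? sel.CollapseSafe(last->GetEndParent(), last->EndOffset())
                  : sel.CollapseUnsafe(last->GetEndParent(), last->EndOffset());
}

int main() {
    std::printf("unsafe collapse ok: %d\n", RunCollapse(false));  // 0: node freed mid-call
    std::printf("safe collapse ok:   %d\n", RunCollapse(true));   // 1
    return 0;
}
```

The extra reference inside Collapse is the same "kung fu death grip" idiom the patch applies to aParentNode: it costs one AddRef/Release pair and makes the method correct regardless of whether the caller held its own reference.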
Not blocking, but we'll take the patch once reviewed.
Comment on attachment 515901 [details] [review] patch r+a=jst
http://hg.mozilla.org/mozilla-central/rev/ab7fd603bb9d
Need to test if also branches need fixing.
The code being patched looks equivalent on the branches, assuming we need this and blocking next releases.
Comment on attachment 515901 [details] [review] patch Seems to apply cleanly (some fuzz) to branches.
Comment on attachment 515901 [details] [review] patch a=LegNeato for 1.9.2.16 and 1.9.1.18
Can we get this landed on branches?
Sorry, I need to land this asap.
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/74fd63b96277
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/33488621d2a4
Had to land a bustage fix for 1.9.1: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/fbb2dfda1784

I hadn't noticed that the nsIDOMNode* parameter was changed to nsINode*.