Bugzilla@Mozilla – Bug 580151
Crash [@ nsSelectionState::DoTraverse] with textarea, changing root
Last modified: 2010-10-30 18:14:38 PDT
Summon comment box
Created attachment 458543 [details] testcase (crashes Firefox later, during cycle collection) ###!!! ASSERTION: bad action nesting!: 'mActionNesting>0', file editor/libeditor/text/nsTextEditRules.cpp, line 250 ###!!! ASSERTION: zero or negative placeholder batch count when ending batch!: 'mPlaceHolderBatch > 0', file editor/libeditor/base/nsEditor.cpp, line 876 Crash [@ nsSelectionState::DoTraverse]
Created attachment 458641 [details] [review] Part 1: Fix the first assertion The first assertion is caused by the fact that nsTextEditRules::BeforeEdit can be bailing out early if nsEditor::GetSelection fails, and therefore not incrementing mActionNesting as expected.
Created attachment 458644 [details] [review] Part 2: Fix the second assertion The cause of the second assertion is similar: failing to increment mPlaceHolderBatch because we bail out early if we can't get the selection. These two patches fix the crash as well (as it was caused by a partially initialized placeholder transaction.)
Created attachment 458645 [details] [review] Part 3: crashtest
Why would this block the branch releases? Seems nice to have on the branches so request approval when you've got reviews, etc. If we're misunderstanding the importance of this apparently non-security, non-topcrash bug please let us know.
Created attachment 462449 [details] [review] Rolled up patch
Comment on attachment 462449 [details] [review] Rolled up patch a2.0=dbaron
http://hg.mozilla.org/mozilla-central/rev/6a75787301c4 http://hg.mozilla.org/mozilla-central/rev/c87965964a17 http://hg.mozilla.org/mozilla-central/rev/440a4bfe2f5f
crashing in cycle collection, and a smattering of definitely NOT near-null addresses in http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=startswith&query=nsSelectionState%3A%3ADoTraverse&date=08%2F27%2F2010%2010%3A21%3A14&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=nsSelectionState%3A%3ADoTraverse%28nsCycleCollectionTraversalCallback%26%29 make me think this is possible a security problem.
Comment on attachment 462449 [details] [review] Rolled up patch Approved for 1.9.2.10 and 1.9.1.13, a=dveditz for release-drivers
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/a41c2b7f926b http://hg.mozilla.org/releases/mozilla-1.9.1/rev/595868e7f677
Looks like this might've caused a new mochitest failure in editor code on 1.9.1: http://tinderbox.mozilla.org/showlog.cgi?log=Firefox3.5/1282941921.1282944723.14877.gz OS X 10.5.2 mozilla-1.9.1 test mochitests on 2010/08/27 13:45:21 s: moz2-darwin9-slave55 >44652 ERROR TEST-UNEXPECTED-FAIL | /tests/editor/libeditor/html/tests/test_CF_HTML_clipboard.html | [SimpleTest/SimpleTest.js, window.onerror] An error occurred - SimpleTest.waitForFocus is not a function
I had aki|buildduty trigger another round of mochitests for that box, to see if the orange from comment 11 sticks.
Actually it looks like that test has been perma-orange on 1.9.1 for a while (probably ever since it landed in bug 572642) I filed Bug 591544 on it.
Running the testcase in comment 0 and comment 3 in my own debug 1.9.2 build (pre-fix) on Windows XP, I don't trigger any crash, even if I sit around for a while. How do we trigger cycle collection to cause this crash?
Loading the page in a tab, closing the tab and waiting for a while should be enough.
Nothing here running a 1.9.2.9pre build in order to see the crash. What operating system are you using?
Mac.
I just tried with 10.6.4, using both testcases, opening them in a new tab, waiting a minute, closing the tab, and then watching. I see no asserts and no crashes in 1.9.2.11pre.
Hmm, weird. What about 1.9.1?
The same.
(In reply to comment #20) > The same. Then something else is probably in play here...