Closed
Bug 712937
Opened 14 years ago
Closed 14 years ago
crash in nsTypedSelection::selectFrames
Categories
(Core :: Layout, defect)
Tracking
()
VERIFIED
FIXED
mozilla12
People
(Reporter: kairo, Assigned: MatsPalmgren_bugz)
References
Details
(Keywords: crash, regression, Whiteboard: [qa!])
Crash Data
Attachments
(1 file)
|
1.20 KB,
patch
|
bzbarsky
:
review+
akeybl
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is
report bp-bb7f7db3-9398-4501-885b-6355d2111222 .
=============================================================
Crash stack:
0 xul.dll nsTypedSelection::selectFrames layout/generic/nsSelection.cpp:4369
1 xul.dll nsWindowRoot::AddRef content/base/src/nsInProcessTabChildGlobal.cpp:168
2 xul.dll nsTypedSelection::ReplaceAnchorFocusRange layout/generic/nsSelection.cpp:5075
3 xul.dll nsFrameSelection::AdjustForMaintainedSelection layout/generic/nsSelection.cpp:1634
4 xul.dll nsIFrame::GetContentOffsetsFromPoint layout/generic/nsFrame.cpp:3358
5 xul.dll nsFrameSelection::HandleClick layout/generic/nsSelection.cpp:1673
6 xul.dll nsFrameSelection::HandleDrag layout/generic/nsSelection.cpp:1749
7 xul.dll nsLayoutUtils::GetEventCoordinatesRelativeTo layout/base/nsLayoutUtils.cpp:983
8 xul.dll nsFrame::DisplaySelection layout/generic/nsFrame.cpp:1147
9 xul.dll nsCOMPtr<nsIDOMStorage>::StartAssignment obj-firefox/dist/include/nsCOMPtr.h:843
10 xul.dll nsFrame::HandleDrag
11 xul.dll nsJSContext::Release dom/base/nsJSEnvironment.cpp:1166
12 xul.dll nsFrame::HandleEvent layout/generic/nsFrame.cpp:2146
13 xul.dll nsPresShellEventCB::HandleEvent layout/base/nsPresShell.cpp:760
14 xul.dll nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventDispatcher.cpp:393
15 xul.dll nsGlobalChromeWindow::AddRef dom/base/nsGlobalWindow.cpp:1402
16 xul.dll nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:681
More reports are listed at https://crash-stats.mozilla.com/report/list?signature=nsTypedSelection::selectFrames(nsPresContext*,%20nsIRange*,%20bool)
This started in the 2011-12-20 builds on 12.0a1 trunk and had over 30 crashes both on that and the -21 build so far.
|
||
Comment 1•14 years ago
|
||
Almost certainly a regression from bug 619273.
Blocks: 619273
tracking-firefox12:
--- → ?
|
Assignee | |
Comment 2•14 years ago
|
||
It looks like a null-pointer crash at line 4369.
http://hg.mozilla.org/mozilla-central/annotate/cd921d073b22/layout/generic/nsSelection.cpp#l4369
and indeed I inadvertently removed a null check on aRange (at 1.343):
http://hg.mozilla.org/mozilla-central/diff/e3766ee732cc/layout/generic/nsSelection.cpp#l1.323
I don't quite understand why it's null though since AdjustForMaintainedSelection
does check for a null 'mMaintainRange':
http://hg.mozilla.org/mozilla-central/annotate/cd921d073b22/layout/generic/nsSelection.cpp#l1600
I should add back that null-check in selectFrames() anyway...
Assignee: nobody → matspal
tracking-firefox11:
--- → ?
|
|
Assignee | |
Comment 3•14 years ago
|
||
Attachment #583819 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Comment 4•14 years ago
|
||
Ah, now I see that ReplaceAnchorFocusRange() calls selectFrames()
for mAnchorFocusRange, not aRange, so that could explain it.
http://hg.mozilla.org/mozilla-central/annotate/cd921d073b22/layout/generic/nsSelection.cpp#l5070
|
|
||
Comment 5•14 years ago
|
||
Comment on attachment 583819 [details] [diff] [review]
fix
r=me
Attachment #583819 -
Flags: review?(bzbarsky) → review+
|
||
Comment 7•14 years ago
|
||
Adding Mac version of the signature.
Crash Signature: [@ nsTypedSelection::selectFrames(nsPresContext*, nsIRange*, bool)] → [@ nsTypedSelection::selectFrames(nsPresContext*, nsIRange*, bool)]
[@ nsTypedSelection::selectFrames ]
OS: Windows 7 → All
|
|
Assignee | |
Comment 8•14 years ago
|
||
Status: NEW → RESOLVED
Closed: 14 years ago
tracking-firefox12:
? → ---
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
|
||
Comment 9•14 years ago
|
||
It's #4 top crasher in 11.0a2.
|
|
Assignee | |
Comment 10•14 years ago
|
||
Comment on attachment 583819 [details] [diff] [review]
fix
Adds back a missing null-check. Zero risk.
Attachment #583819 -
Flags: approval-mozilla-aurora?
|
||
Updated•14 years ago
|
|
|
||
Comment 11•14 years ago
|
||
Comment on attachment 583819 [details] [diff] [review]
fix
[Triage Comment]
Top crasher for FF11. Approved for Aurora.
Attachment #583819 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
Assignee | |
Comment 12•14 years ago
|
||
|
||
Comment 13•14 years ago
|
||
Is there something QA can do to verify this fix, apart from checking crashstats?
Whiteboard: [qa+]
|
||
Comment 14•14 years ago
|
||
Still about 10 crashes since the fix landed on Aurora (2012-01-06), if I'm reading this correctly.
https://crash-stats.mozilla.com/report/list?query_search=signature&query_type=contains&reason_type=contains&range_value=4&range_unit=weeks&hang_type=any&process_type=any&signature=nsTypedSelection%3A%3AselectFrames%28nsPresContext%2A%2C%20nsIRange%2A%2C%20bool%29
|
|
||
Comment 15•14 years ago
|
||
(In reply to Virgil Dicu [:virgil] [QA] from comment #14)
> Still about 10 crashes since the fix landed on Aurora (2012-01-06), if I'm
> reading this correctly.
I see one crash in 11.0b1 but with a different stack: bp-fb5f61b5-7763-423e-b5c4-5dfb12120207.
The latest crashes on 11.0 happened in 11.0a2/20120106 and on 12.0 in 12.0a1/20111223.
|
|
||
Updated•14 years ago
|
Whiteboard: [qa+] → [qa!]
You need to log in
before you can comment on or make changes to this bug.
Description
•