Page MenuHomePhabricator
Create Task
Maniphest T53987

VisualEditor: Infinite loop (browser lockup) when removing an initial list item with a node inside it (rangy bug?)
Closed, ResolvedPublic
Actions

Description

Firefox - Detected script lockup.

Misplacing a bulleted / numbered list can cause a script lockup. Tested on both Firefox 22 and Chrome 28

Steps to reproduce:

  • Navigate to [[Lauda Air Flight 004]] and open it with the visual editor.
  • Click the "Lauda Air Flight 004" infobox and make sure it remains selected.
  • Click the "Bulleted List" button. A list bullet is added to the article.
  • Click right after the bullet that was just inserted. Now click the "Bulleted list" button again.

Normally this would remove the bullet again. Instead of that both Firefox and Chrome seem to lock up. Firefox will lock up entirely (All open tabs will freeze) and eventually an unresponsive script error will be displayed. Cancelling the script allows you to regain browser control. On Chrome the lockup seems isolated to the tab where we edit Wikipedia, but it only offers the option to close the tab after a while (Losing all changes)

In practice one would never want to add a bulleted list this way, but actually "crashing" makes it severe enough to report i would assume.

Version: unspecified
Severity: normal

Attached:

ScriptLockup.png (214×605 px, 15 KB)

Details

Reference
bz51987

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 2:10 AM
bzimport added a project: VisualEditor-ContentEditable.
bzimport set Reference to bz51987.
Excirial created this task.Jul 24 2013, 7:53 PM
jayvdb added a comment.Sep 30 2013, 9:51 AM

We should have a 'crash' or 'dataloss' keyword. Bumping priority to get more attention/triaging in case the underlying cause is able to be triggered in other ways.

Jdforrester-WMF added a comment.Oct 3 2013, 9:43 PM

This is an infinite loop inside either Rangy or the bit of ContentEditable that calls it - lots of calls to sel.getRangeAt(index) which end up taking so long that the browser dies (?)

Ryasmeen added a comment.Nov 7 2013, 12:56 AM

Cannot reproduce it now with MAC OS using FireFox and Chrome.So changing the status of the bug as resolved.
If you can still reproduce it ,please reopen the bug.

Aklapper added a comment.Nov 7 2013, 8:38 AM

(In reply to comment #3)

Cannot reproduce it now with MAC OS using FireFox and Chrome.

Please ALWAYS provide version information for browsers.
Note that comment 0 says "Tested on both Firefox 22 and Chrome 28".

So changing the status of the bug as resolved.

No identifiable code commit, hence changing to WORKSFORME instead of FIXED. Also see https://www.mediawiki.org/wiki/Bug_management/Bug_report_life_cycle

Jdforrester-WMF added a comment.Nov 7 2013, 6:25 PM

Resetting to FIXED; this was a confirmed broken behaviour which has subsequently been FIXED, as far as we can tell - probably by the re-write of the Content Editable surface interaction model.

Jdforrester-WMF added a project: VisualEditor.Dec 3 2014, 2:12 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL