Closed Bug 295519 Opened 21 years ago Closed 21 years ago

Inserting iframe crashes Editor [@ nsVoidArray::FastElementAt] [@ nsHTMLEditor::InsertHTMLWithContext]

Categories

(Core :: DOM: HTML Parser, defect)

x86
Windows 2000
defect
Not set
critical

VERIFIED FIXED

People

(Reporter: mcsmurf, Assigned: mrbkap)

Details

(Keywords: crash, regression)

Attachments

(1 file)

To reproduce:
1. Open Composer or HTML Mail Editor
2. Insert->HTML: <iframe src="http://www.google.de">
3. Press OK
4. Crash

This regressed between 2005-02-18-06 and 2005-02-19-06.

Stacktrace:
nsVoidArray::FastElementAt(const nsVoidArray * const 0x00000000, int 0x00000000) line 72 + 7 bytes
nsHTMLEditor::InsertHTMLWithContext(nsHTMLEditor * const 0x043ec544, const nsAString & {...}, const nsAString & {...}, const nsAString & {...}, const nsAString & {...}, nsIDOMDocument * 0x00000000, nsIDOMNode * 0x00000000, int 0x00000000, int 0x00000001) line 458 + 18 bytes
nsHTMLEditor::InsertHTML(nsHTMLEditor * const 0x043ec544, const nsAString & {...}) line 253 + 24 bytes
XPTC_InvokeByIndex(nsISupports * 0x043ec544, unsigned int 0x00000012, unsigned int 0x00000001, nsXPTCVariant * 0x0012ca80) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 0xb9179de8) line 2097 + 22 bytes
XPC_WN_CallMethod(JSContext * 0x048f67e8, JSObject * 0x04179de8, unsigned int 0x00000001, long * 0x0450c334, long * 0x0450c268) line 1330 + 10 bytes
js_Invoke(JSContext * 0x00000001, unsigned int 0x00000001, unsigned int 0x00000000) line 1182 + 17 bytes
js_Interpret(JSContext * 0x048f67e8, unsigned char * 0x03f12c81, long * 0x0012cf60) line 3473
js_Invoke(JSContext * 0x00000001, unsigned int 0x00000001, unsigned int 0x00000002) line 1202 + 12 bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x024ce058, nsXPCWrappedJS * 0x018b7590, unsigned short 0x0003, const nsXPTMethodInfo * 0x00fa9538, nsXPTCMiniVariant * 0x0012d108) line 1339 + 16 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x048b7590, unsigned short 0x0003, const nsXPTMethodInfo * 0x00fa9538, nsXPTCMiniVariant * 0x0012d108) line 450
PrepareAndDispatch(nsXPTCStubBase * 0x00000000, unsigned int 0x00000003, unsigned int * 0x0012d1c0, unsigned int * 0x0012d1b0) line 117 + 18 bytes
SharedStub() line 147
nsEventListenerManager::HandleEventSubType(nsEventListenerManager * const 0x00000000, nsListenerStruct * 0x048bb3e8, nsIDOMEvent * 0x04465400, nsIDOMEventTarget * 0x044c2208, unsigned int 0x04465408, unsigned int 0x00000007) line 1568 + 11 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x048b75f0, nsPresContext * 0x00000000, nsEvent * 0x00000001, nsIDOMEvent * * 0x0012d4f0, nsIDOMEventTarget * 0x044c2208, unsigned int 0x00000007, nsEventStatus * 0x0012d640) line 1669 + 32 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x00000000, nsPresContext * 0x04983d30, nsEvent * 0x0498cb58, nsIDOMEvent * * 0x0012d4f0, unsigned int 0x00000007, nsEventStatus * 0x0012d640) line 2194
PresShell::HandleDOMEventWithTarget(PresShell * const 0x048e7324, nsIContent * 0x048e7324, nsEvent * 0x0012d5f4, nsEventStatus * 0x0012d640) line 6422
nsButtonBoxFrame::DoMouseClick(nsButtonBoxFrame * const 0x00000000, nsGUIEvent * 0x0012d750, int 0x00000000) line 178
Attached patch: patch v1

There were two bugs here (I've only fixed one):
* The scanner's mIncremental was not getting set correctly, so that the <iframe> was getting lost in the tokenizer. This patch corrects that, and tells the scanner that there's definitely no more data coming so we should use what we have.
* The editor code that's calling the parser is assuming that there's going to be something coming back from the parser. I note that I crash if I try to insert a couple of spaces. I've left this problem alone, since I haven't investigated it (and don't know the editor code as well).
Assignee: mozeditor → mrbkap
Status: NEW → ASSIGNED
Attachment #184540 - Flags: superreview?(jst)
Attachment #184540 - Flags: review?(jst)
Component: Editor → HTML: Parser
QA Contact: bugzilla → mrbkap
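
Editor's added example (not part of the bug thread and not Mozilla source): a toy C++ model of the two problems described in the comment above, an incremental scanner that defers an element it considers incomplete, and a caller that must cope with an empty result. The names Token, Tokenize and FirstInsertedTag are hypothetical, and the rules that "a missing end tag means incomplete" and that only elements are tokenized are assumptions of the model.

```cpp
// Toy model (added illustration, not Mozilla source); all names are hypothetical.
#include <iostream>
#include <string>
#include <vector>

struct Token { std::string tag; std::string text; };

// `incremental` == "more input may still arrive". An element whose end tag is
// not in the buffer is incomplete: in incremental mode it is deferred (nothing
// is emitted); once the caller declares the input final, what is there is used.
std::vector<Token> Tokenize(const std::string& buf, bool incremental) {
  std::vector<Token> out;
  std::size_t lt = buf.find('<');
  if (lt == std::string::npos) return out;            // no markup at all
  std::size_t gt = buf.find('>', lt);
  if (gt == std::string::npos) return out;            // start tag itself is cut off
  std::size_t nameEnd = buf.find_first_of(" >", lt);
  std::string name = buf.substr(lt + 1, nameEnd - lt - 1);
  std::size_t close = buf.find("</" + name + ">", gt);
  if (close == std::string::npos) {
    if (incremental) return out;                      // wait for data that never comes
    close = buf.size();                               // final chunk: use what we have
  }
  out.push_back(Token{name, buf.substr(gt + 1, close - gt - 1)});
  return out;
}

// Caller side: the result may be empty, so check before touching element 0.
bool FirstInsertedTag(const std::string& html, bool incremental, std::string* tag) {
  std::vector<Token> nodes = Tokenize(html, incremental);
  if (nodes.empty()) return false;                    // nothing came back from the parser
  *tag = nodes.front().tag;
  return true;
}

int main() {
  const std::string html = "<iframe src=\"http://www.google.de\">";  // from comment 0
  std::string tag;
  std::cout << "incremental: " << FirstInsertedTag(html, true, &tag) << "\n";
  std::cout << "final:       " << FirstInsertedTag(html, false, &tag) << " " << tag << "\n";
  std::cout << "spaces only: " << FirstInsertedTag("  ", false, &tag) << "\n";
  return 0;
}
```
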
Comment on attachment 184540: patch v1
r+sr=jst
Attachment #184540 - Flags: superreview?(jst)
Attachment #184540 - Flags: superreview+
Attachment #184540 - Flags: review?(jst)
Attachment #184540 - Flags: review+
Comment on attachment 184540: patch v1
This might be something that we want in for 1.8b2. It fixes a crash in editor and a problem with handling malformed innerHTML assignments.
Attachment #184540 - Flags: approval1.8b2?
I've filed bug 295531 on the editor problem.
Attachment #184540 - Flags: approval1.8b2? → approval1.8b3?
Comment on attachment 184540: patch v1
a=shaver
Attachment #184540 - Flags: approval1.8b3? → approval1.8b3+
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Verified FIXED using build 2005-06-02-06 on Windows XP Seamonkey trunk. Using the testcase in comment 0, I see Google.de successfully load in an iframe.
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsVoidArray::FastElementAt] [@ nsHTMLEditor::InsertHTMLWithContext]