Closed Bug 309981 Opened 19 years ago Closed 19 years ago

When item is clicked and the offsetTop of iframe in editmode is accessed ff crashes [@ nsFrameManager::RestoreFrameStateFor]

Categories

(Core :: Layout, defect, P2)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8beta5

People

(Reporter: cbaldwin, Assigned: bzbarsky)

References

Details

(4 keywords)

Crash Data

Attachments

(3 files)

Iframe content for tesetcase
145 bytes, text/html
Details
Testcase
822 bytes, text/html
Details
Proposed patch
735 bytes, patch
dbaron
: review+
dbaron
: superreview+
asa
: approval1.8b5+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4

Ok there are two pages to the issue. 

First is the page that causes the crash.

Second is the page loaded in the frame via src.

page1:
<html >
<head>
<script language="JavaScript" type="text/JavaScript">

// initialize
function init(){
	// Attach event to objects
	document.getElementById("fittowin").onclick = testcrash;
	document.getElementById("testbut").onclick = testcrash;
	// turn on design mode
	document.getElementById('editor').contentWindow.document.designMode = "on";
	return;
}
// Make it crash
function testcrash(e){
	// Set the container position to absolute
	document.getElementById("container").style.position = "absolute";
	// Get the offsetTop.
	var cy = document.getElementById('editor').offsetTop;
	// Show the value of cy
	alert("cy = " + cy)
	// Set the return;
	return;
}
</script>
</head>
<body onload="init();"  >
	<div id="container" >
		<ul style=" position:absolute; display:block; width:175px; top:100px;
left:100px; background-color:#FF0000;">
			<li id="fittowin" >crash it!</li>
		</ul>
    	<iframe id="editor" src="../index2.htm" ></iframe>
		<form action="" method="get"><input id="testbut"   name="" type="button"
value="button" /></form>
	</div>
</body>
</html>

Page2:

<html>
<head>
<title >test page</title>
</head>
<body >
<table>
	<tr>
		<td >Edit/Click here First</td>
	</tr>
</table>
</body>
</html>


Reproducible: Always

Steps to Reproduce:
1. Set the page up so that you can view them. make sure that the second page
shows in the iframe.

2. Click on the text in the iframe "Edit/Click here First" and type anything. 
3. Click the red "crash it!" item and you get a crash.

4. If it does not crash then you did not follow the steps exactly.



Actual Results:  
Crash-- FF takes a dump and you have to restart every time.

Expected Results:  
Get the offsettop of the iframe.



I have tested this for about four hours and have found many ways to make it
crash on the OffsetTop of the iframe. The code above is the simplest that i
could conger up.

Note: That for the error to occur the styles are important!
if you change the position to any thing other that absoulte the the error does
not occur.
talkbackid ?
I crash with 2005-09-24 trunk build, talkback ID: TB9724817K
Keywords: crash, testcase

    
    

    
  

      
      
      
      

        Attached file
          
        Testcase
      

    


  

    
  
Flags: blocking1.8b5?

    
    

    
  
Crash from José's testcase:

Incident ID: 9732775
Stack Signature	nsFrameManager::RestoreFrameStateFor faa005a9
Product ID	FirefoxTrunk
Build ID	2005092407
Trigger Time	2005-09-25 18:24:34.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (00221bfe)
URL visited	
User Comments	
Since Last Crash	10816 sec
Total Uptime	88794 sec
Trigger Reason	Access violation
Source File, Line No.
c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsFrameManager.cpp,
line 1523
Stack Trace 	
nsFrameManager::RestoreFrameStateFor 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsFrameManager.cpp,
line 1523]
PresShell::GetLayoutObjectFor 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 5311]
nsHTMLEditor::CreateAnonymousElement 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/editor/libeditor/html/nsHTMLAnonymousUtils.cpp,
line 155]
nsHTMLEditor::ShowInlineTableEditingUI 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/editor/libeditor/html/nsHTMLInlineTableEditor.cpp,
line 96]
nsHTMLEditor::nsHTMLEditor 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/editor/libeditor/html/nsHTMLEditor.cpp,
line 167]
nsHTMLEditor::nsHTMLEditor 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/editor/libeditor/html/nsHTMLEditor.cpp,
line 167]
nsHTMLDocument::ConvertToMidasInternalCommand 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLDocument.cpp,
line 3733]
nsSubDocumentFrame::ShowDocShell 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameFrame.cpp,
line 666]
nsSubDocumentFrame::AddRef 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameFrame.cpp,
line 113]
nsCSSFrameConstructor::ConstructMathMLFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 6919]
nsCSSFrameConstructor::ConstructHTMLFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 5626]
nsCSSFrameConstructor::ConstructFrameInternal 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7778]
nsCSSFrameConstructor::ConstructFrameInternal 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7673]
nsCSSFrameConstructor::WrapFramesInFirstLineFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 11655]
nsCSSFrameConstructor::ConstructInline 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 12707]
nsCSSFrameConstructor::ConstructFrameByDisplayType 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 6639]
nsCSSFrameConstructor::ReconstructDocElementHierarchy 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7882]
nsCSSFrameConstructor::ConstructFrameInternal 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7673]
nsCSSFrameConstructor::ContentInserted 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 9406]
nsCSSFrameConstructor::HaveSpecialBlockStyle 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 11540]
nsCSSFrameConstructor::ContentStatesChanged 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 10418]
nsCSSFrameConstructor::ProcessPendingRestyles 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 13201]
nsCSSFrameConstructor::PostRestyleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 13229]
PresShell::ContentAppended 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 5123]
nsDocument::IsScriptEnabled 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsDocument.cpp,
line 4507]
nsHTMLDocument::CreateElement 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLDocument.cpp,
line 1263]
nsGenericHTMLElement::GetOffsetRect 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 734]
nsGenericHTMLElement::GetInnerHTML 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 867]
nsGenericHTMLElement::CopyInnerTo 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 277]
XPCWrappedNative::CallMethod 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2149]
$E35 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1551]
js_Invoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1163]
js_InternalInvoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1260]
js_InternalGetOrSet 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1303]
js_GetProperty 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2869]
js_Interpret 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3294]
js_Invoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1183]
js_InternalInvoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1260]
JS_CallFunctionValue 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4016]
nsJSContext::InitContext 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1554]
nsJSEventListener::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/events/nsJSEventListener.cpp,
line 195]
nsEventListenerManager::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1760]
nsEventListenerManager::CreateEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1876]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp,
line 2194]
PresShell::HandleEventInternal 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6068]
PresShell::HandleEventInternal 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 5973]
nsEventStateManager::SetClickCount 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 2924]
nsEventStateManager::PostHandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 1887]
PresShell::WillPaint 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6135]
PresShell::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 5738]
nsViewManager::InsertChild 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp,
line 2690]
nsViewManager::DispatchEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp,
line 2264]
nsIView::CreateWidget 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line
703]
nsWindow::DispatchAppCommandEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1111]
nsWindow::DispatchMouseEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 5850]
nsWindow::SetIcon 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 6071]
nsWindow::StandardWindowCreate 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1315]
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0x89cd (0x77d489cd)
USER32.dll + 0x8a10 (0x77d48a10)
$E63
nsAppStartup::Release 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp,
line 124]
main 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp,
line 61]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: When item is clicked and the offsetTop of iframe in editmode is accessed ff crashes → When item is clicked and the offsetTop of iframe in editmode is accessed ff crashes [ @ nsFrameManager::RestoreFrameStateFor]
Version: unspecified → 1.5 Branch

    
  
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
Version: 1.5 Branch → 1.8 Branch

    
    

    
  
There's only three crashes with RestoreFrameStateFor in the signature showing up
in talkback-public, and two are from people reproducing this bug (Martijn and Adam)
Flags: blocking1.8b5? → blocking1.8b5-

    
    

    
  
This crasher regressed between 2005-07-13 and 2005-07-14.
The fix for bug 297926 seems to me a likely candidate.
Blocks: 297926
Keywords: regression

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Proposed patchSplinter Review
      

    


  
Editor is coming down after Destroy() has been called on the frame manager...
So we end up trying to remove stuff from the undisplayed map after deleting it,
which causes us to jump to all sorts of fun memory locations.

The fix is to just null out the undisplayed map; frame manager has the
requisite null-checks.

        Attachment #197621 -
        Flags: superreview?(dbaron)

        Attachment #197621 -
        Flags: review?(dbaron)

        Attachment #197621 -
        Flags: superreview?(dbaron)

        Attachment #197621 -
        Flags: superreview+

        Attachment #197621 -
        Flags: review?(dbaron)

        Attachment #197621 -
        Flags: review+

    
  
Assignee: nobody → bzbarsky
OS: Windows XP → All
Priority: -- → P2
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta5
Version: 1.8 Branch → Trunk

    
    

    
  
Comment on attachment 197621 [details] [diff] [review]
Proposed patch

Requesting 1.8b5 approval.  This is a very simple fix to keep us from accessing
deleted memory.  Very safe.

        Attachment #197621 -
        Flags: approval1.8b5?

    
    

    
  
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
    

    
  
Verified FIXED using SeaMonkey 1.1a:Mozilla/5.0 (Windows; U; Windows NT 5.1;
en-US; rv:1.9a1) Gecko/20051001 Mozilla/1.0
Status: RESOLVED → VERIFIED

    
  

        Attachment #197621 -
        Flags: approval1.8b5? → approval1.8b5+

    
    

    
  
Fixed on branch.
Keywords: fixed1.8
Keywords: fixed1.8verified1.8

    
  
Summary: When item is clicked and the offsetTop of iframe in editmode is accessed ff crashes [ @ nsFrameManager::RestoreFrameStateFor] → When item is clicked and the offsetTop of iframe in editmode is accessed ff crashes [@ nsFrameManager::RestoreFrameStateFor]
Crash Signature: [@ nsFrameManager::RestoreFrameStateFor]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: