Closed
Bug 309981
Opened 19 years ago
Closed 19 years ago
When item is clicked and the offsetTop of iframe in editmode is accessed ff crashes [@ nsFrameManager::RestoreFrameStateFor]
Categories
(Core :: Layout, defect, P2)
Core
Layout
Tracking
()
VERIFIED
FIXED
mozilla1.8beta5
People
(Reporter: cbaldwin, Assigned: bzbarsky)
References
Details
(4 keywords)
Crash Data
Attachments
(3 files)
145 bytes, text/html
822 bytes, text/html
735 bytes, patch (dbaron: review+, dbaron: superreview+, asa: approval1.8b5+)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4

Ok there are two pages to the issue. First is the page that causes the crash. Second is the page loaded in the frame via src.

page1:

    <html >
    <head>
    <script language="JavaScript" type="text/JavaScript">
    // initialize
    function init(){
        // Attach event to objects
        document.getElementById("fittowin").onclick = testcrash;
        document.getElementById("testbut").onclick = testcrash;
        // turn on design mode
        document.getElementById('editor').contentWindow.document.designMode = "on";
        return;
    }
    // Make it crash
    function testcrash(e){
        // Set the container position to absolute
        document.getElementById("container").style.position = "absolute";
        // Get the offsetTop.
        var cy = document.getElementById('editor').offsetTop;
        // Show the value of cy
        alert("cy = " + cy)
        // Set the return;
        return;
    }
    </script>
    </head>
    <body onload="init();" >
    <div id="container" >
    <ul style=" position:absolute; display:block; width:175px; top:100px; left:100px; background-color:#FF0000;">
    <li id="fittowin" >crash it!</li>
    </ul>
    <iframe id="editor" src="../index2.htm" ></iframe>
    <form action="" method="get"><input id="testbut" name="" type="button" value="button" /></form>
    </div>
    </body>
    </html>

Page2:

    <html>
    <head>
    <title >test page</title>
    </head>
    <body >
    <table>
    <tr>
    <td >Edit/Click here First</td>
    </tr>
    </table>
    </body>
    </html>

Reproducible: Always

Steps to Reproduce:
1. Set the page up so that you can view them. Make sure that the second page shows in the iframe.
2. Click on the text in the iframe "Edit/Click here First" and type anything.
3. Click the red "crash it!" item and you get a crash.
4. If it does not crash then you did not follow the steps exactly.

Actual Results: Crash-- FF takes a dump and you have to restart every time.

Expected Results: Get the offsetTop of the iframe.

I have tested this for about four hours and have found many ways to make it crash on the OffsetTop of the iframe. The code above is the simplest that I could conjure up. Note that for the error to occur the styles are important! If you change the position to anything other than absolute then the error does not occur.
Comment 1•19 years ago
talkbackid ?
Comment 2•19 years ago
I crash with 2005-09-24 trunk build, talkback ID: TB9724817K
Updated•19 years ago
Comment 3•19 years ago
Comment 4•19 years ago
Updated•19 years ago
Flags: blocking1.8b5?
Comment 5•19 years ago
Crash from José's testcase:

Incident ID: 9732775
Stack Signature nsFrameManager::RestoreFrameStateFor faa005a9
Product ID FirefoxTrunk
Build ID 2005092407
Trigger Time 2005-09-25 18:24:34.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module firefox.exe + (00221bfe)
URL visited
User Comments
Since Last Crash 10816 sec
Total Uptime 88794 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsFrameManager.cpp, line 1523

Stack Trace
nsFrameManager::RestoreFrameStateFor [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsFrameManager.cpp, line 1523]
PresShell::GetLayoutObjectFor [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5311]
nsHTMLEditor::CreateAnonymousElement [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/editor/libeditor/html/nsHTMLAnonymousUtils.cpp, line 155]
nsHTMLEditor::ShowInlineTableEditingUI [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/editor/libeditor/html/nsHTMLInlineTableEditor.cpp, line 96]
nsHTMLEditor::nsHTMLEditor [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/editor/libeditor/html/nsHTMLEditor.cpp, line 167]
nsHTMLEditor::nsHTMLEditor [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/editor/libeditor/html/nsHTMLEditor.cpp, line 167]
nsHTMLDocument::ConvertToMidasInternalCommand [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 3733]
nsSubDocumentFrame::ShowDocShell [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameFrame.cpp, line 666]
nsSubDocumentFrame::AddRef [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameFrame.cpp, line 113]
nsCSSFrameConstructor::ConstructMathMLFrame [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 6919]
nsCSSFrameConstructor::ConstructHTMLFrame [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 5626]
nsCSSFrameConstructor::ConstructFrameInternal [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 7778]
nsCSSFrameConstructor::ConstructFrameInternal [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 7673]
nsCSSFrameConstructor::WrapFramesInFirstLineFrame [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11655]
nsCSSFrameConstructor::ConstructInline [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 12707]
nsCSSFrameConstructor::ConstructFrameByDisplayType [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 6639]
nsCSSFrameConstructor::ReconstructDocElementHierarchy [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 7882]
nsCSSFrameConstructor::ConstructFrameInternal [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 7673]
nsCSSFrameConstructor::ContentInserted [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9406]
nsCSSFrameConstructor::HaveSpecialBlockStyle [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11540]
nsCSSFrameConstructor::ContentStatesChanged [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10418]
nsCSSFrameConstructor::ProcessPendingRestyles [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13201]
nsCSSFrameConstructor::PostRestyleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13229]
PresShell::ContentAppended [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5123]
nsDocument::IsScriptEnabled [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsDocument.cpp, line 4507]
nsHTMLDocument::CreateElement [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 1263]
nsGenericHTMLElement::GetOffsetRect [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 734]
nsGenericHTMLElement::GetInnerHTML [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 867]
nsGenericHTMLElement::CopyInnerTo [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 277]
XPCWrappedNative::CallMethod [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2149]
$E35 [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1551]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1163]
js_InternalInvoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1260]
js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1303]
js_GetProperty [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2869]
js_Interpret [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3294]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1183]
js_InternalInvoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1260]
JS_CallFunctionValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4016]
nsJSContext::InitContext [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1554]
nsJSEventListener::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/events/nsJSEventListener.cpp, line 195]
nsEventListenerManager::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1760]
nsEventListenerManager::CreateEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1876]
nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2194]
PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6068]
PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5973]
nsEventStateManager::SetClickCount [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2924]
nsEventStateManager::PostHandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 1887]
PresShell::WillPaint [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6135]
PresShell::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5738]
nsViewManager::InsertChild [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2690]
nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2264]
nsIView::CreateWidget [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 703]
nsWindow::DispatchAppCommandEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1111]
nsWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5850]
nsWindow::SetIcon [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6071]
nsWindow::StandardWindowCreate [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1315]
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0x89cd (0x77d489cd)
USER32.dll + 0x8a10 (0x77d48a10)
$E63
nsAppStartup::Release [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 124]
main [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: When item is clicked and the offsetTop of iframe in editmode is accessed ff crashes → When item is clicked and the offsetTop of iframe in editmode is accessed ff crashes [ @ nsFrameManager::RestoreFrameStateFor]
Version: unspecified → 1.5 Branch
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
Version: 1.5 Branch → 1.8 Branch
Comment 6•19 years ago
There are only three crashes with RestoreFrameStateFor in the signature showing up in talkback-public, and two are from people reproducing this bug (Martijn and Adam).
Flags: blocking1.8b5? → blocking1.8b5-
Comment 7•19 years ago
This crasher regressed between 2005-07-13 and 2005-07-14. The fix for bug 297926 seems to me a likely candidate.
Blocks: 297926
Keywords: regression
Assignee | ||
Comment 8•19 years ago
Editor is coming down after Destroy() has been called on the frame manager... So we end up trying to remove stuff from the undisplayed map after deleting it, which causes us to jump to all sorts of fun memory locations. The fix is to just null out the undisplayed map; frame manager has the requisite null-checks.
Attachment #197621 -
Flags: superreview?(dbaron)
Attachment #197621 -
Flags: review?(dbaron)
Attachment #197621 -
Flags: superreview?(dbaron)
Attachment #197621 -
Flags: superreview+
Attachment #197621 -
Flags: review?(dbaron)
Attachment #197621 -
Flags: review+
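The lifetime problem described in comment 8, as an added C++ model that is neither Mozilla's code nor the attached patch; `FrameManagerModel`, `mUndisplayedMap` and the method names are hypothetical stand-ins. It shows why nulling the pointer in `Destroy()` is what lets the existing null-checks turn a late removal into a no-op rather than an access to freed memory.

```cpp
#include <cstddef>
#include <map>
#include <string>

// Hypothetical stand-in for the map of content that has no frame.
using UndisplayedMap = std::multimap<int, std::string>;

class FrameManagerModel {
 public:
  FrameManagerModel() : mUndisplayedMap(new UndisplayedMap) {}
  FrameManagerModel(const FrameManagerModel&) = delete;
  ~FrameManagerModel() { Destroy(); }

  void SetUndisplayed(int parentId, const std::string& content) {
    if (mUndisplayedMap) mUndisplayedMap->emplace(parentId, content);
  }
  // Returns how many entries were removed; 0 once the manager is destroyed.
  std::size_t ClearUndisplayedFor(int parentId) {
    if (!mUndisplayedMap) return 0;  // only protects if Destroy() nulls
    return mUndisplayedMap->erase(parentId);
  }
  void Destroy() {
    delete mUndisplayedMap;
    // Without this assignment the pointer dangles, the null-check above
    // passes, and erase() runs on freed memory.
    mUndisplayedMap = nullptr;
  }

 private:
  UndisplayedMap* mUndisplayedMap;
};

// Ordering from comment 8: Destroy() first, then a late caller removes entries.
std::size_t LateRemovalAfterDestroy() {
  FrameManagerModel fm;
  fm.SetUndisplayed(1, "constructed sample entry");
  fm.Destroy();
  return fm.ClearUndisplayedFor(1);
}

// Normal ordering: removal happens while the map is still alive.
std::size_t RemovalBeforeDestroy() {
  FrameManagerModel fm;
  fm.SetUndisplayed(1, "constructed sample entry");
  fm.SetUndisplayed(1, "second constructed entry");
  return fm.ClearUndisplayedFor(1);
}

int main() { return (LateRemovalAfterDestroy() == 0 && RemovalBeforeDestroy() == 2) ? 0 : 1; }
```

Building the model with AddressSanitizer and the `nullptr` assignment removed reports the late `erase()` as a heap-use-after-free, which is the class of fault behind the access violation in the crash report.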
Assignee | ||
Updated•19 years ago
Assignee: nobody → bzbarsky
OS: Windows XP → All
Priority: -- → P2
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta5
Version: 1.8 Branch → Trunk
Assignee | ||
Comment 9•19 years ago
Comment on attachment 197621 [details] [diff] [review] Proposed patch Requesting 1.8b5 approval. This is a very simple fix to keep us from accessing deleted memory. Very safe.
Attachment #197621 -
Flags: approval1.8b5?
Assignee | ||
Comment 10•19 years ago
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Verified FIXED using SeaMonkey 1.1a:Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051001 Mozilla/1.0
Status: RESOLVED → VERIFIED
Updated•19 years ago
Attachment #197621 -
Flags: approval1.8b5? → approval1.8b5+
Updated•19 years ago
Keywords: fixed1.8 → verified1.8
Summary: When item is clicked and the offsetTop of iframe in editmode is accessed ff crashes [ @ nsFrameManager::RestoreFrameStateFor] → When item is clicked and the offsetTop of iframe in editmode is accessed ff crashes [@ nsFrameManager::RestoreFrameStateFor]
Updated•13 years ago
Crash Signature: [@ nsFrameManager::RestoreFrameStateFor]