Closed Bug 418582 Opened 16 years ago Closed 16 years ago

Crash [@ GetFrameFromLine] if a click event of a iframe inside a div with position fixed changes styles display or position of the div.

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED DUPLICATE of bug 235405

People

(Reporter: b4rret, Unassigned)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12

If a page with a div with style position:fixed contains an iframe, and that iframe has a button or a link with an onclick event that changes the style display of that div to none, or style position to absolute, when the button is clicked, Firefox crashes.
This only happens if the code to change the style is in an onclick event of the iframe. The crash doesn't happen in other events like onload.


Reproducible: Always

Steps to Reproduce:
1. Create this page:
<html>
<head>
<script>
	// Write a document into the iframe; its button's onclick handler
	// changes the position style of the fixed-position div in the parent page.
	function writeIframe()
	{
		var i = document.getElementById("myIframe").contentWindow.document;
		i.open();
		i.write("<html><body><button onclick = 'parent.document.getElementById(\"myDiv\").style.position=\"absolute\"'>Crash</button></body></html>");
		i.close();
	}
	window.onload = writeIframe;
</script>
</head>
<body>
<div id = "myDiv" style ="position: fixed; top:0px; left:0px; width:50%; height:50%">
	<iframe id = "myIframe" width = "100%" height = "100%"></iframe>
</div>
</body>
</html>

2. Press the button.
Actual Results:  
Firefox crashes.


Expected Results:  
It should have changed style position of div tag to value "absolute".


It doesn't occur in Firefox 3 beta 3

Signature error
AppName: firefox.exe	 AppVer: 1.8.20080.20121	 ModName: firefox.exe
ModVer: 1.8.20080.20121	 Offset: 002d522f
Attached file Page with error
B4rret, could you get a talkback ID of the crash?
http://kb.mozillazine.org/Talkback
Yes, here it is: TB41679269Q
Thanks, from:
http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=TB41679269Q
GetFrameFromLine  [mozilla/layout/generic/nsBlockFrame.cpp, line 6898]
nsBlockFrame::GetFrameForPointUsing  [mozilla/layout/generic/nsBlockFrame.cpp, line 6973]
nsBlockFrame::GetFrameForPoint  [mozilla/layout/generic/nsBlockFrame.cpp, line 7009]
PresShell::HandleEvent  [mozilla/layout/base/nsPresShell.cpp, line 6300]
nsViewManager::HandleEvent  [mozilla/view/src/nsViewManager.cpp, line 2521]
nsViewManager::DispatchEvent  [mozilla/view/src/nsViewManager.cpp, line 2253]
HandleEvent  [mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent  [mozilla/widget/src/windows/nsWindow.cpp, line 1319]
nsWindow::DispatchFocus  [mozilla/widget/src/windows/nsWindow.cpp, line 6515]
nsWindow::ProcessMessage  [mozilla/widget/src/windows/nsWindow.cpp, line 5034]
nsWindow::WindowProc  [mozilla/widget/src/windows/nsWindow.cpp, line 1507]
USER32.dll + 0x8734 (0x7e398734)
USER32.dll + 0x8816 (0x7e398816)
USER32.dll + 0xb4c0 (0x7e39b4c0)
USER32.dll + 0xb50c (0x7e39b50c)
ntdll.dll + 0xeae3 (0x7c91eae3)
nsView::~nsView  [mozilla/view/src/nsView.cpp, line 268]
nsSubDocumentFrame::Destroy  [mozilla/layout/generic/nsFrameFrame.cpp, line 612]
nsLineBox::DeleteLineList  [mozilla/layout/generic/nsLineBox.cpp, line 325]
nsFrameList::DestroyFrame  [mozilla/layout/generic/nsFrameList.cpp, line 234]
nsCSSFrameConstructor::ContentRemoved  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10125]
nsCSSFrameConstructor::RecreateFramesForContent  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 12076]
nsCSSFrameConstructor::RestyleElement  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10593]
nsCSSFrameConstructor::ProcessOneRestyle  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 14150]
nsCSSFrameConstructor::ProcessPendingRestyles  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 14203]
nsCSSFrameConstructor::RestyleEvent::HandleEvent  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 14274]
HandleRestyleEvent  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 14284]
0x778b0c24
nsPluginInstanceOwner::GetURL  [mozilla/layout/generic/nsObjectFrame.cpp, line 2499]
0x0282027c

This looks like the same bug as bug 235405.
The testcase and crash stacktrace look the same as this one, so duping against that bug.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Summary: Crash if a click event of a iframe inside a div with position fixed changes styles display or position of the div. → Crash [@ GetFrameFromLine] if a click event of a iframe inside a div with position fixed changes styles display or position of the div.
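
A triage helper for the Talkback stack quoted above, added here as an example; it is not part of the bug report or of Mozilla's tooling. It parses the three frame formats in the trace, derives the "[@ ...]" signature used in the summary from the top symbolised frame, and lists teardown frames that are still active beneath the crash. The function names and the teardown name patterns are assumptions of this example; the frames are an abridged copy of the trace in this bug.

```python
import re

# Frames copied from the Talkback trace in this bug (abridged, top of stack first).
STACK = """\
GetFrameFromLine  [mozilla/layout/generic/nsBlockFrame.cpp, line 6898]
PresShell::HandleEvent  [mozilla/layout/base/nsPresShell.cpp, line 6300]
nsWindow::DispatchFocus  [mozilla/widget/src/windows/nsWindow.cpp, line 6515]
USER32.dll + 0x8734 (0x7e398734)
nsView::~nsView  [mozilla/view/src/nsView.cpp, line 268]
nsSubDocumentFrame::Destroy  [mozilla/layout/generic/nsFrameFrame.cpp, line 612]
nsFrameList::DestroyFrame  [mozilla/layout/generic/nsFrameList.cpp, line 234]
nsCSSFrameConstructor::ProcessPendingRestyles  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 14203]
0x778b0c24
"""

SYMBOL = re.compile(r"^(?P<func>\S+)\s+\[(?P<file>[^,\]]+), line (?P<line>\d+)\]$")
MODULE = re.compile(r"^(?P<module>\S+) \+ 0x[0-9a-fA-F]+ \(0x[0-9a-fA-F]+\)$")
# Assumption of this example: these name patterns mark object teardown code.
TEARDOWN = re.compile(r"::~|::Destroy|::Delete")

def parse_stack(text):
    """Return one dict per frame: symbolised, module+offset, or raw address."""
    frames = []
    for raw in filter(None, (l.strip() for l in text.splitlines())):
        m = SYMBOL.match(raw)
        if m:
            frames.append({"kind": "symbol", "func": m["func"],
                           "file": m["file"], "line": int(m["line"])})
        elif (m := MODULE.match(raw)):
            frames.append({"kind": "module", "func": m["module"]})
        else:
            frames.append({"kind": "raw", "func": raw})
    return frames

def signature(frames):
    """Crash signature in the '[@ name]' form used in the bug summary."""
    top = next(f for f in frames if f["kind"] == "symbol")
    return f"[@ {top['func']}]"

def teardown_below_crash(frames):
    """Teardown frames that were still on the stack when the top frame crashed."""
    return [f["func"] for f in frames[1:]
            if f["kind"] == "symbol" and TEARDOWN.search(f["func"])]

if __name__ == "__main__":
    parsed = parse_stack(STACK)
    print(signature(parsed), teardown_below_crash(parsed))
```

Comparing the signature and the teardown list between two reports gives a quick, mechanical version of the "stacktrace looks the same" check used to mark duplicates.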