Closed
Bug 418582
Opened 16 years ago
Closed 16 years ago
Crash [@ GetFrameFromLine] if a click event of a iframe inside a div with position fixed changes styles display or position of the div.
Categories
(Firefox :: General, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 235405
People
(Reporter: b4rret, Unassigned)
Details
Attachments
(1 file)
553 bytes,
text/html
|
Details |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12 If a page with a div with style position:fixed contains an iframe, and that iframe has a button or a link with onclick event that changes the style display from that div to none, or style position to absolute, when the button is clicked, firefox crashes. This only happens if the code to change the style in in an onclick event of iframe. The crash doesn´t happen in other events like onload. Reproducible: Always Steps to Reproduce: 1.Create this page: <html> <head> <script> function writeIframe() { var i = document.getElementById("myIframe").contentWindow.document; i.open(); i.write("<html><body><button onclick = 'parent.document.getElementById(\"myDiv\").style.position=\"absolute\"'>Crash</button></body></html>"); i.close(); } window.onload = writeIframe; </script> </head> <body> <div id = "myDiv" style ="position: fixed; top:0px; left:0px; width:50%; height:50%"> <iframe id = "myIframe"width = "100%" height = "100%"></iframe> </div> </body> </html> 2.Press the button. Actual Results: Firefox crashes. Expected Results: It should have changed style position of div tag to value "absolute". I doesn´t occur in firefox 3 beta 3 Signature error AppName: firefox.exe AppVer: 1.8.20080.20121 ModName: firefox.exe ModVer: 1.8.20080.20121 Offset: 002d522f
Comment 2•16 years ago
|
||
B4rret, could you get a talkback ID of the crash? http://kb.mozillazine.org/Talkback
Comment 4•16 years ago
|
||
Thanks, from: http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=TB41679269Q GetFrameFromLine [mozilla/layout/generic/nsBlockFrame.cpp, line 6898] nsBlockFrame::GetFrameForPointUsing [mozilla/layout/generic/nsBlockFrame.cpp, line 6973] nsBlockFrame::GetFrameForPoint [mozilla/layout/generic/nsBlockFrame.cpp, line 7009] PresShell::HandleEvent [mozilla/layout/base/nsPresShell.cpp, line 6300] nsViewManager::HandleEvent [mozilla/view/src/nsViewManager.cpp, line 2521] nsViewManager::DispatchEvent [mozilla/view/src/nsViewManager.cpp, line 2253] HandleEvent [mozilla/view/src/nsView.cpp, line 174] nsWindow::DispatchEvent [mozilla/widget/src/windows/nsWindow.cpp, line 1319] nsWindow::DispatchFocus [mozilla/widget/src/windows/nsWindow.cpp, line 6515] nsWindow::ProcessMessage [mozilla/widget/src/windows/nsWindow.cpp, line 5034] nsWindow::WindowProc [mozilla/widget/src/windows/nsWindow.cpp, line 1507] USER32.dll + 0x8734 (0x7e398734) USER32.dll + 0x8816 (0x7e398816) USER32.dll + 0xb4c0 (0x7e39b4c0) USER32.dll + 0xb50c (0x7e39b50c) ntdll.dll + 0xeae3 (0x7c91eae3) nsView::~nsView [mozilla/view/src/nsView.cpp, line 268] nsSubDocumentFrame::Destroy [mozilla/layout/generic/nsFrameFrame.cpp, line 612] nsLineBox::DeleteLineList [mozilla/layout/generic/nsLineBox.cpp, line 325] nsFrameList::DestroyFrame [mozilla/layout/generic/nsFrameList.cpp, line 234] nsCSSFrameConstructor::ContentRemoved [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10125] nsCSSFrameConstructor::RecreateFramesForContent [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 12076] nsCSSFrameConstructor::RestyleElement [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10593] nsCSSFrameConstructor::ProcessOneRestyle [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 14150] nsCSSFrameConstructor::ProcessPendingRestyles [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 14203] nsCSSFrameConstructor::RestyleEvent::HandleEvent [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 14274] HandleRestyleEvent [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 14284] 0x778b0c24 nsPluginInstanceOwner::GetURL [mozilla/layout/generic/nsObjectFrame.cpp, line 2499] 0x0282027c This looks like the same bug as bug 235405. The testcase and crash stacktrace looks the same as this one, so duping against that bug.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Summary: Crash if a click event of a iframe inside a div with position fixed changes styles display or position of the div. → Crash [@ GetFrameFromLine] if a click event of a iframe inside a div with position fixed changes styles display or position of the div.
You need to log in
before you can comment on or make changes to this bug.
Description
•