Closed
Bug 1034103
Opened 10 years ago
Closed 10 years ago
crash in nsEditor::BeginIMEComposition(mozilla::WidgetCompositionEvent*)
Categories
(Core :: DOM: Editor, defect)
Tracking
()
VERIFIED
FIXED
mozilla33
People
(Reporter: martijn.martijn, Assigned: masayuki)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(3 files)
|
425 bytes,
application/xhtml+xml
|
Details | |
|
4.33 KB,
patch
|
ehsan.akhgari
:
review+
|
Details | Diff | Splinter Review |
|
3.71 KB,
patch
|
smaug
:
review+
|
Details | Diff | Splinter Review |
See testcase, you need to have the specialpowers extension to see the crash: http://people.mozilla.org/~mwargers/extensions/specialpowers/specialpowers_20140612.xpi Then load the testcase and click inside the document. Result->crash This bug was filed from the Socorro interface and is report bp-2d8a9f86-4b6c-4547-89c4-b189d2140703. ============================================================= 0 XUL nsEditor::BeginIMEComposition(mozilla::WidgetCompositionEvent*) editor/libeditor/base/nsEditor.cpp 1 XUL nsEditorEventListener::HandleEvent(nsIDOMEvent*) editor/libeditor/base/nsEditorEventListener.cpp 2 XUL mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) dom/events/EventListenerManager.cpp 3 XUL mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) dom/events/EventListenerManager.cpp 4 XUL mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) dom/events/EventDispatcher.cpp 5 XUL mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) dom/events/EventDispatcher.cpp 6 XUL mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) dom/events/EventDispatcher.cpp 7 XUL mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) dom/events/EventDispatcher.cpp 8 XUL nsINode::DispatchEvent(nsIDOMEvent*, bool*) content/base/src/nsINode.cpp 9 XUL mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&) content/base/src/nsINode.cpp 10 XUL mozilla::dom::EventTargetBinding::dispatchEvent obj-firefox/x86_64/dom/bindings/EventTargetBinding.cpp
|
Assignee | |
Comment 1•10 years ago
|
||
Oh, good catch. I wonder why did you find such hacky case, by reading the code of nsEditor?
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
|
Reporter | |
Comment 2•10 years ago
|
||
No, by fuzzing.
|
|
Assignee | |
Comment 3•10 years ago
|
||
This patch checks that composition events which are created by JS are not handled by editor. (It's impossible to create mozilla::TextComposition for such case since such composition events don't have WidgetGUIEvent::widget) And also I confirmed that this patch can reproduce this bug.
Attachment #8451808 -
Flags: review?(ehsan)
|
|
Assignee | |
Comment 4•10 years ago
|
||
This patch makes IsAcceptableInputEvent() use Widget*Event this allows following new check and might improve performance because of avoiding some virtual calls, QI and comparing string of event type. nsEditor should not accept all events whose message is incorrect for the event instance. At this time, the message value is always NS_USER_DEFINED_EVENT as far as I researched. So, this check should be performed for all events. This patch also changes QI to nsIDOMMouseEvent since it equals to use WidgetEvent::IsUsingCorrdinates() and its meaning is more explicitly. Currently, ns*Editor handles "mousedown", "mouseup", "click", "dragenter", "dragover", "dragexit" and "drop". http://mxr.mozilla.org/mozilla-central/source/editor/libeditor/base/nsEditorEventListener.cpp#136 So, the DOM event instance must be DragEvent or MouseEvent. DragEvent inherits MouseEvent. MouseEvent inherits nsIDOMMouseEvent. Therefore, IsUsingCoordinates() always same as QI'ing nsIDOMMouseEvent in this method.
Attachment #8451818 -
Flags: review?(ehsan)
Attachment #8451818 -
Flags: review?(bugs)
|
|
Assignee | |
Comment 5•10 years ago
|
||
Oh, and also, QI'ing nsIDOMMouseEvent is always same as widgetEvent->AsMouseEventBase(). MouseEvent, DragEvent, WheelEvent, MouseScrollEvent, PointerEvent and SimpleGestureEvent inherit nsIDOMMouseEvent. WidgetMouseEvent, WidgetDragEvent, WidgetWheelEvent, WidgetMouseScrollEvent, WidgetPointerEvent and WidgetSimpleGestureEvent inherit WidgetMouseEventBase. http://mxr.mozilla.org/mozilla-central/ident?i=nsIDOMMouseEvent&tree=mozilla-central&filter=Event.h http://mxr.mozilla.org/mozilla-central/ident?i=MouseEvent&tree=mozilla-central&filter=Event.h http://mxr.mozilla.org/mozilla-central/ident?i=WidgetMouseEventBase&tree=mozilla-central&filter=Events.h http://mxr.mozilla.org/mozilla-central/ident?i=WidgetMouseEvent&tree=mozilla-central&filter=Events.h
|
||
Updated•10 years ago
|
Attachment #8451808 -
Flags: review?(ehsan) → review+
|
|
||
Comment 6•10 years ago
|
||
Comment on attachment 8451818 [details] [diff] [review] part.2 editor shouldn't accept all events which are created with incorrect event interface Review of attachment 8451818 [details] [diff] [review]: ----------------------------------------------------------------- I'm fine with Olli's review here.
Attachment #8451818 -
Flags: review?(ehsan)
|
||
Comment 7•10 years ago
|
||
Comment on attachment 8451818 [details] [diff] [review] part.2 editor shouldn't accept all events which are created with incorrect event interface A bit ugly, but fine.
Attachment #8451818 -
Flags: review?(bugs) → review+
|
|
Assignee | |
Comment 8•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/cab8bac9117a https://hg.mozilla.org/integration/mozilla-inbound/rev/0d3889868608
|
||
Comment 9•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/cab8bac9117a https://hg.mozilla.org/mozilla-central/rev/0d3889868608
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
|
||
Updated•10 years ago
|
QA Whiteboard: [good first verify]
|
||
Comment 10•10 years ago
|
||
I was able to reproduce this bug on Nightly 33.0a1 (2014-07-03), using Mac OSX 10.9.5. Verified fixed on Mac OSX 10.9.5 using Nightly 35.0a1 (2014-10-12). This fix can be marked as verified. [bugday-20141015]
|
|
Reporter | |
Comment 11•10 years ago
|
||
Thanks!
Status: RESOLVED → VERIFIED
QA Whiteboard: [good first verify]
You need to log in
before you can comment on or make changes to this bug.
Description
•