Closed Bug 105004 Opened 24 years ago Closed 24 years ago

Crash scrolling absolute positioned textarea

Categories: (Core :: Layout: Form Controls, defect)
x86, All, defect, Not set, normal
Status: VERIFIED FIXED
People: (Reporter: nicks, Assigned: smontagu)
Details: (Keywords: crash, testcase, Whiteboard: [selection])
Attachments: (3 files)

build 2001101503:

1. Browse the following HTML page:

--------
<html>
<head>
</head>
<body >
<textarea style="position:absolute;width:100px;height:50px">
this is enough text to scroll
</textarea>
</body>
</html>
---------

2. Click in the textarea.
3. Use the right arrow on the keyboard to scroll to the right.

When you get to the end of the text in the textarea, the browser crashes (nsFrame::GetFrameFromDirection)

was able to reproduce.

Incident ID 36772655
Stack Signature nsFrame::GetFrameFromDirection 960296e3
Bug ID
Trigger Time 2001-10-16 10:17:17
Email Address madhur@netscape.com
URL Visited
User Comments trying to reproduce bug 105004
Build ID 2001101505
Product ID Netscape6.20
Platform ID Win32
Trigger Reason Access violation
Stack Trace
nsFrame::GetFrameFromDirection [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrame.cpp, line 3880]
nsTextFrame::PeekOffset [d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp, line 3940]
nsSelection::MoveCaret [d:\builds\seamonkey\mozilla\content\base\src\nsSelection.cpp, line 1577]
nsSelection::CharacterMove [d:\builds\seamonkey\mozilla\content\base\src\nsSelection.cpp, line 2945]
nsTextInputSelectionImpl::CharacterMove [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxTextControlFrame2.cpp, line 837]
nsSelectionMoveCommands::DoCommand [d:\builds\seamonkey\mozilla\editor\base\nsEditorCommands.cpp, line 389]
nsControllerCommandManager::DoCommand [d:\builds\seamonkey\mozilla\content\xul\document\src\nsControllerCommandManager.cpp, line 184]
nsEditorController::DoCommand [d:\builds\seamonkey\mozilla\editor\base\nsEditorController.cpp, line 192]
nsXBLPrototypeHandler::ExecuteHandler [d:\builds\seamonkey\mozilla\content\xbl\src\nsXBLPrototypeHandler.cpp, line 311]
DoKey [d:\builds\seamonkey\mozilla\content\xbl\src\nsXBLKeyHandler.cpp, line 92]
nsXBLKeyHandler::KeyPress [d:\builds\seamonkey\mozilla\content\xbl\src\nsXBLKeyHandler.cpp, line 108]
nsEventListenerManager::HandleEvent [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 1633]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1688]
nsHTMLTextAreaElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLTextAreaElement.cpp, line 594]
PresShell::HandleEventInternal [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5715]
PresShell::HandleEvent [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5640]
nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 377]
nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 350]
nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 350]
nsViewManager::DispatchEvent [d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp, line 2076]
HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 68]
nsWindow::DispatchEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 730]
nsWindow::DispatchWindowEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 747]
nsWindow::DispatchKeyEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 2403]
nsWindow::OnKeyDown [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 2471]
nsWindow::ProcessMessage [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 3172]

Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
crash seen on all platforms -- win2000, linux 7.1, macOSX
Keywords: testcase
OS: Windows 2000 → All
Attached file testcase
kin, could you take a look?
Assignee: rods → kin
This is a bug in some IBMBIDI code in nsFrame::GetFrameFromDirection(). Apparently in this specific case, GetFirstLeaf() and GetLastLeaf() are both returning NULL, so newFrame gets null'd out, and we crash when calling newFrame->IsSelectable(). I have a patch that works around the crash by checking for null, which I will post, but it would be a good idea for simon@softel.co.il to look into the assumptions being made by the IBMBIDI code to see why they aren't true in this particular case.
Assignee: kin → simon
Whiteboard: [selection]
Attached patch Suggested patch
Checking for null return as well as error return from |GetLine| prevents this crash
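
The failure mode described in the comments above, as an added example (it is not the attached patch and not Mozilla source): an accessor can return a success status while its out-pointer or a leaf pointer is still null, so the caller must test both. Every name here (Status, Frame, Line, the modelled GetLine, LastLeafSelectable*) is a hypothetical stand-in.

```cpp
// Added illustration with hypothetical types; not Mozilla source code.
#include <cstdio>

enum Status { kOk, kFail };

struct Frame {
    bool selectable;
    bool IsSelectable() const { return selectable; }
};

struct Line {
    Frame* lastLeaf;   // may be null when the line holds no leaf frames
};

static Frame gText = { true };
static Line gLines[] = { { &gText }, { nullptr } };

// Hypothetical accessor: reports errors through the status code and the
// result through an out-parameter. Index 2 succeeds but yields no line.
Status GetLine(int index, Line** out) {
    *out = nullptr;
    if (index < 0 || index > 2) return kFail;
    if (index < 2) *out = &gLines[index];
    return kOk;
}

// Before: only the error return is tested, so indexes 1 and 2 reach a
// null pointer dereference (do not call it with those inputs).
Status LastLeafSelectableUnchecked(int index, bool* result) {
    Line* line = nullptr;
    if (GetLine(index, &line) != kOk) return kFail;
    *result = line->lastLeaf->IsSelectable();
    return kOk;
}

// After: a null line or a null leaf is handled like an error return.
Status LastLeafSelectableChecked(int index, bool* result) {
    Line* line = nullptr;
    if (GetLine(index, &line) != kOk || !line || !line->lastLeaf) return kFail;
    *result = line->lastLeaf->IsSelectable();
    return kOk;
}

int main() {
    bool sel = false;
    for (int i = -1; i <= 3; ++i) {
        Status s = LastLeafSelectableChecked(i, &sel);
        std::printf("index %d -> %s\n", i, s == kOk ? "ok" : "no frame");
    }
    return 0;
}
```
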
Attachment #57536 - Flags: superreview+
Comment on attachment 57536 Suggested patch

r=rbs
Attachment #57536 - Flags: review+
Fix checked in
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
verified fixed on
win2k buildID: 2001-11-19-06trunk
redhat linux 7.1 buildID: 2001-11-20-08trunk
macOS 10 buildID: 2001-11-19-08trunk