Closed Bug 175896 Opened 22 years ago Closed 21 years ago

crash when selecting data overflowing vertically in a textarea having the overflow = hidden property [@ nsSelection::GetFrameForNodeOffset ]

Categories: Core :: Layout: Form Controls, defect, P1
Tracking: VERIFIED FIXED, target milestone mozilla1.5beta
People: Reporter: edouardh, Assigned: darin.moz
Attachments: 4 files, 2 obsolete files

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20021021
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20021021

Take a textarea having the css property "overflow: hidden;". When you enter
lines so that a vertical overflow happens, the cursor comes back on top of the
element and writes on top of in place data. When trying to select this data, the
browser will crash. Happens in standard compliance mode and in quirks mode.

Reproducible: Always

Steps to Reproduce:
1. Give the overflow: hidden property (stylesheet, inline, as you want) to a
textarea
2. fill in enough lines of data for it to overflow vertically
3. try to select the data

Actual Results:  
Browser crashed

Expected Results:  
Should have overlined the selected data viewable in the textarea element.

Crashes with Modern and Classic themes
Error signature (provided by WinXP) :
AppName: mozilla.exe
AppVer: 1.2.0.0
ModName: gkcontent.dll
ModVer: 1.2.0.0
Offset: 000cbfe4
Attached file Testcase
Keywords: css2, testcase
Wow, fun.

First I see:

###!!! ASSERTION: frame was not removed from primary frame map before
destruction or was readded to map after being removed:
'!PL_DHASH_ENTRY_IS_BUSY(entry) ||
entry->frame != aFrame', file
/builds/trunk/mozilla/layout/html/base/src/nsFrameManager.cpp, line 1049
Break: at file /builds/trunk/mozilla/layout/html/base/src/nsFrameManager.cpp,
line 1049

And then I see:

###!!! ASSERTION: existing overflow list: 'rv !=
NS_IFRAME_MGR_PROP_OVERWRITTEN', file
/builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 4725
Break: at file /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp, line
4725

And then I crash at:

#6  <signal handler called>
#7  0x41651d6b in nsSelection::GetFrameForNodeOffset(nsIContent*, int,
nsIFrameSelection::HINT, nsIFrame**, int*) (this=0x88f3560, aNode=0x8200930,
    aOffset=-1073752032, aHint=1124675407, aReturnFrame=0x1,
    aReturnOffset=0x8200930)
    at /builds/trunk/mozilla/content/base/src/nsSelection.cpp:3166
#8  0x43091a75 in nsCaret::SetupDrawingFrameAndOffset() (this=0x88f3560)
    at /builds/trunk/mozilla/layout/base/src/nsCaret.cpp:558
#9  0x43092f81 in nsCaret::DrawCaret() (this=0x88f3560)
    at /builds/trunk/mozilla/layout/base/src/nsCaret.cpp:948
#10 0x430914be in nsCaret::StartBlinking() (this=0x88f3560)
    at /builds/trunk/mozilla/layout/base/src/nsCaret.cpp:492
#11 0x43090397 in nsCaret::SetCaretVisible(int) (this=0x88f3560,
    inMakeVisible=1) at /builds/trunk/mozilla/layout/base/src/nsCaret.cpp:233
#12 0x42f3f730 in PresShell::SetCaretEnabled(int) (this=0x8907948, aInEnable=1)
    at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:3196
#13 0x42f4da10 in PresShellViewEventListener::RestoreCaretVisibility() (
    this=0x8957db8)
    at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:7332
#14 0x42f4dabe in PresShellViewEventListener::DidRefreshRegion(nsIViewManager*,
nsIView*, nsIRenderingContext*, nsIRegion*, unsigned) (this=0x8957db8,
    aViewManager=0x88dbb30, aView=0x8956470, aContext=0x85e97c8,
    aRegion=0x86ce728, aUpdateFlags=1)
    at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:7367
#15 0x431e3ab0 in nsViewManager::Refresh(nsView*, nsIRenderingContext*,
nsIRegion*, unsigned) (this=0x88dbb30, aView=0x8956470, aContext=0x85e97c8,
    aRegion=0x86ce728, aUpdateFlags=1)
    at /builds/trunk/mozilla/view/src/nsViewManager.cpp:797
#16 0x431e66f4 in nsViewManager::DispatchEvent(nsGUIEvent*, nsEventStatus*) (
    this=0x88dbb30, aEvent=0xbfffddc0, aStatus=0xbfffdc50)
    at /builds/trunk/mozilla/view/src/nsViewManager.cpp:1784
#17 0x431d66fe in HandleEvent (aEvent=0xbfffddc0)
    at /builds/trunk/mozilla/view/src/nsView.cpp:80
#18 0x419d6d2b in nsWidget::DispatchEvent(nsGUIEvent*, nsEventStatus&) (
    this=0x89564f8, aEvent=0xbfffddc0, aStatus=@0xbfffdd00)
    at /builds/trunk/mozilla/widget/src/gtk/nsWidget.cpp:1448
#19 0x419d697f in nsWidget::DispatchWindowEvent(nsGUIEvent*) (this=0x89564f8,
    event=0xbfffddc0) at /builds/trunk/mozilla/widget/src/gtk/nsWidget.cpp:1336
#20 0x419dca9e in nsWindow::DoPaint(int, int, int, int, nsIRegion*) (
    this=0x89564f8, aX=9, aY=10, aWidth=74, aHeight=17, aClipRegion=0x891feb8)
    at /builds/trunk/mozilla/widget/src/gtk/nsWindow.cpp:821
#21 0x419dcc1f in nsWindow::Update() (this=0x89564f8)
    at /builds/trunk/mozilla/widget/src/gtk/nsWindow.cpp:857
#22 0x419dce89 in nsWindow::Update() (this=0x89293d8)
    at /builds/trunk/mozilla/widget/src/gtk/nsWindow.cpp:891
#23 0x431e5a53 in nsViewManager::Composite() (this=0x88dbb30)
    at /builds/trunk/mozilla/view/src/nsViewManager.cpp:1462
#24 0x431e9d50 in nsViewManager::EnableRefresh(unsigned) (this=0x88dbb30,
    aUpdateFlags=2) at /builds/trunk/mozilla/view/src/nsViewManager.cpp:3204
#25 0x431e9e2d in nsViewManager::EndUpdateViewBatch(unsigned) (this=0x88dbb30,
    aUpdateFlags=2) at /builds/trunk/mozilla/view/src/nsViewManager.cpp:3238
#26 0x43a1c607 in nsEditor::EndUpdateViewBatch() (this=0x8958f48)
    at /builds/trunk/mozilla/editor/libeditor/base/nsEditor.cpp:4308
#27 0x43a0eb27 in nsEditor::EndPlaceHolderTransaction() (this=0x8958f48)
    at /builds/trunk/mozilla/editor/libeditor/base/nsEditor.cpp:746
#28 0x43974458 in ~nsAutoPlaceHolderBatch (this=0xbfffe1d0)
    at /builds/trunk/mozilla/editor/libeditor/base/nsEditorUtils.h:66
#29 0x439f371f in nsPlaintextEditor::TypedText(nsAString const&, int) (
    this=0x8958f48, aString=@0xbfffe2a0, aAction=2)
    at /builds/trunk/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:568
#30 0x439f3577 in nsPlaintextEditor::HandleKeyPress(nsIDOMKeyEvent*) (
    this=0x8958f48, aKeyEvent=0x86ce6c8)
    at /builds/trunk/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:530
#31 0x43a03f6e in nsTextEditorKeyListener::KeyPress(nsIDOMEvent*) (
    this=0x88e9560, aKeyEvent=0x86ce6d0)
    at /builds/trunk/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp:280
#32 0x412f57b7 in nsEventListenerManager::HandleEvent(nsIPresContext*, nsEvent*,
nsIDOMEvent**, nsIDOMEventTarget*, unsigned, nsEventStatus*) (this=0x885e888,
    aPresContext=0x860c588, aEvent=0xbfffeff0, aDOMEvent=0xbfffe94c,
    aCurrentTarget=0x8876610, aFlags=7, aEventStatus=0xbfffed6c)
    at /builds/trunk/mozilla/content/events/src/nsEventListenerManager.cpp:1621
#33 0x4161d57d in nsGenericElement::HandleDOMEvent(nsIPresContext*, nsEvent*,
nsIDOMEvent**, unsigned, nsEventStatus*) (this=0x8958360,
    aPresContext=0x860c588, aEvent=0xbfffeff0, aDOMEvent=0xbfffe94c, aFlags=1,
    aEventStatus=0xbfffed6c)
    at /builds/trunk/mozilla/content/base/src/nsGenericElement.cpp:2023
#34 0x413dddc7 in nsHTMLTextAreaElement::HandleDOMEvent(nsIPresContext*,
nsEvent*, nsIDOMEvent**, unsigned, nsEventStatus*) (this=0x8958360,
    aPresContext=0x860c588, aEvent=0xbfffeff0, aDOMEvent=0x0, aFlags=1,
    aEventStatus=0xbfffed6c)
    at /builds/trunk/mozilla/content/html/content/src/nsHTMLTextAreaElement.cpp:729
#35 0x42f49b2f in PresShell::HandleEventInternal(nsEvent*, nsIView*, unsigned,
nsEventStatus*) (this=0x8907948, aEvent=0xbfffeff0, aView=0x88ba390, aFlags=1,
    aStatus=0xbfffed6c)
    at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6233
#36 0x42f496bd in PresShell::HandleEvent(nsIView*, nsGUIEvent*, nsEventStatus*,
int, int&) (this=0x8907948, aView=0x88ba390, aEvent=0xbfffeff0,
    aEventStatus=0xbfffed6c, aForceHandle=1, aHandled=@0xbfffed68)
    at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6155
#37 0x431e763a in nsViewManager::HandleEvent(nsView*, nsGUIEvent*, int) (
    this=0x88dbb30, aView=0x88ba390, aEvent=0xbfffeff0, aCaptured=0)
    at /builds/trunk/mozilla/view/src/nsViewManager.cpp:2161
#38 0x431d73f2 in nsView::HandleEvent(nsViewManager*, nsGUIEvent*, int) (
    this=0x88ba390, aVM=0x88dbb30, aEvent=0xbfffeff0, aCaptured=0)
    at /builds/trunk/mozilla/view/src/nsView.cpp:303
#39 0x431e6e46 in nsViewManager::DispatchEvent(nsGUIEvent*, nsEventStatus*) (
    this=0x88dbb30, aEvent=0xbfffeff0, aStatus=0xbfffee90)
    at /builds/trunk/mozilla/view/src/nsViewManager.cpp:1943
#40 0x431d66fe in HandleEvent (aEvent=0xbfffeff0)
    at /builds/trunk/mozilla/view/src/nsView.cpp:80
#41 0x419d6d2b in nsWidget::DispatchEvent(nsGUIEvent*, nsEventStatus&) (
    this=0x89293d8, aEvent=0xbfffeff0, aStatus=@0xbfffef40)
    at /builds/trunk/mozilla/widget/src/gtk/nsWidget.cpp:1448
#42 0x419d697f in nsWidget::DispatchWindowEvent(nsGUIEvent*) (this=0x89293d8,
    event=0xbfffeff0) at /builds/trunk/mozilla/widget/src/gtk/nsWidget.cpp:1336
#43 0x419d3dcd in nsWidget::OnKey(nsKeyEvent&) (this=0x89293d8,
    aEvent=@0xbfffeff0)
    at /builds/trunk/mozilla/widget/src/gtk/nsWidget.cpp:104
#44 0x419cacd5 in handle_key_press_event(_GtkObject*, _GdkEventKey*, void*) (
    w=0x0, event=0x8240988, p=0x89564f8)
    at /builds/trunk/mozilla/widget/src/gtk/nsGtkEventHandler.cpp:637
#45 0x419cb641 in dispatch_superwin_event (event=0x8240988, window=0x89564f8)
    at /builds/trunk/mozilla/widget/src/gtk/nsGtkEventHandler.cpp:955
#46 0x419cb24d in handle_gdk_event(_GdkEvent*, void*) (event=0x8240988,
    data=0x0) at /builds/trunk/mozilla/widget/src/gtk/nsGtkEventHandler.cpp:819
#47 0x407be2d5 in gdk_event_dispatch () from /usr/lib/libgdk-1.2.so.0
#48 0x407f397e in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#49 0x407f3e59 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#50 0x407f40f4 in g_main_run () from /usr/lib/libglib-1.2.so.0
#51 0x406f36df in ?? () from /usr/lib/libgtk-1.2.so.0
#52 0x419bbb04 in nsAppShell::Run() (this=0x8137490)
    at /builds/trunk/mozilla/widget/src/gtk/nsAppShell.cpp:332
#53 0x4196a7a3 in nsAppShellService::Run() (this=0x815e4e8)
    at /builds/trunk/mozilla/xpfe/appshell/src/nsAppShellService.cpp:471
#54 0x08060094 in main1 (argc=3, argv=0xbffff594, nativeApp=0x80b89f8)
    at /builds/trunk/mozilla/xpfe/bootstrap/nsAppRunner.cpp:1522
#55 0x08060d22 in main (argc=3, argv=0xbffff594)
    at /builds/trunk/mozilla/xpfe/bootstrap/nsAppRunner.cpp:1883
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
==> all platforms
tested on win2k, linux 7.2, macOS 10.1 -- today's trunk build

Incident ID :- 12922931
Stack Signature :- nsTypedSelection::selectFrames

bugs with the same stack signature :- 
1. bug 129945 [verified - WFM]
2. bug 161444 [verified - Fixed]
3. bug 161517 [resolved - DDP of bug 161444]
4. bug 161538 [Reopened]

There are 2 distinct bugs over here :
1. Actual  : When you keep typing in the same line, the cursor moves out of the
textarea. [in macOS 10.1 , this leaves a trail of vertical lines]
   Expected: The text should wrap automatically
2. Actual  : Keep entering lines so that the vertical overflow happens, the
cursor comes back on top of the element and starts entering text from the first
line. If you hit enter key to go to  the next line, the cursor goes back to the
start of the first line, but the text is entered after the previous line.
   Expected: hmmmm........
3. Actual  : selecting text at this point results in a crash.


Good bug, Edouard :-)

OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
from comment 4  :

>1. Actual  : When you keep typing in the same line, the cursor moves out of the
textarea. [in macOS 10.1 , this leaves a trail of vertical lines]
>   Expected: The text should wrap automatically

This is bug 59018
->HTML Form Controls.
Assignee: dbaron → jkeiser
Component: Style System → HTML Form Controls
QA Contact: ian → tpreston
nsbeta1+
Keywords: nsbeta1+
Target Milestone: --- → mozilla1.3alpha
still crashing using build 20030112 on Win2k.
Keywords: assertion
Summary: crash when selecting data overflowing vertically in a textarea having the overflow = hidden property → crash when selecting data overflowing vertically in a textarea having the overflow = hidden property [@ nsSelection::GetFrameForNodeOffset ]
nsbeta1-. John is overloaded with higher priority issues.
Keywords: nsbeta1+nsbeta1-
Priority: P1 → P3
Target Milestone: mozilla1.3alpha → Future
*** Bug 202726 has been marked as a duplicate of this bug. ***
Attached file Minimized Testcase
Attached file Minimized Testcase
->mjudge
Assignee: jkeiser → mjudge
*** Bug 215238 has been marked as a duplicate of this bug. ***
*** Bug 215420 has been marked as a duplicate of this bug. ***
-> me
Assignee: mjudge → darin
Priority: P3 → P1
Target Milestone: Future → mozilla1.5beta
this patch prevents the crash, with no bad side-effects, but i really doubt it
is the right fix.  it could perhaps be used in a pinch if need be.

the problem here is that we are blowing out the stack while recursively calling
GetChildFrameContainingOffset.  the first frame realizes that it does not
contain the offset (the offset is greater than its rightmost edge), so it asks
its "next frame in flow" to GetChildFrameContainingOffset.  the next frame,
however, realizes that it does not contain the given offset either (the offset
is less than its leftmost edge).  as a result, the frame asks its "prev frame
in flow" to GetChildFrameContainingOffset, and that continues until the stack
blows out.  my hackish patch just sets a member variable to indicate that
GetChildFrameContainingOffset was already called.  in which case we just give
up and return an error indicating that no such child frame exists.  this seems
to result in sane behavior, and it eliminates the crash.

however, i strongly suspect that this situation should simply never occur.  it
is likely that something is incorrectly dropping a frame that should have
appeared "in-flow" between the two previously mentioned frames.  finding that
frame is my next task.
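A model of the ping-pong recursion described in the comment above, as an added example that is not Mozilla code: a continuation chain whose middle frame has been dropped, the unguarded lookup that bounces between next-in-flow and prev-in-flow, and the re-entrancy flag of the workaround patch. Frame ranges, names and the depth counter (standing in for the real stack limit) are all constructed for the illustration.

```cpp
// Constructed model of a continuation ("in-flow") chain, not Gecko code.
// Each frame owns the content offsets [start, end).
struct Frame {
    int start;
    int end;
    Frame* prevInFlow;
    Frame* nextInFlow;
    bool inLookup;   // re-entrancy flag, the member variable of the workaround
};

enum LookupResult { FOUND, NOT_FOUND, STACK_EXHAUSTED };

// Unguarded lookup: go to next-in-flow when the offset lies past this frame's
// right edge, to prev-in-flow when it lies before the left edge. A depth
// counter stands in for the real stack limit so the model errors instead of crashing.
LookupResult naiveFind(Frame* f, int offset, Frame** out, int depth = 0) {
    if (depth > 1000) return STACK_EXHAUSTED;
    if (offset >= f->start && offset < f->end) { *out = f; return FOUND; }
    if (offset >= f->end && f->nextInFlow)
        return naiveFind(f->nextInFlow, offset, out, depth + 1);
    if (offset < f->start && f->prevInFlow)
        return naiveFind(f->prevInFlow, offset, out, depth + 1);
    return NOT_FOUND;
}

// Guarded lookup: a frame already on the call path refuses to be re-entered,
// so a missing continuation yields NOT_FOUND instead of unbounded recursion.
LookupResult guardedFind(Frame* f, int offset, Frame** out) {
    if (f->inLookup) return NOT_FOUND;
    f->inLookup = true;
    LookupResult r = NOT_FOUND;
    if (offset >= f->start && offset < f->end) { *out = f; r = FOUND; }
    else if (offset >= f->end && f->nextInFlow)
        r = guardedFind(f->nextInFlow, offset, out);
    else if (offset < f->start && f->prevInFlow)
        r = guardedFind(f->prevInFlow, offset, out);
    f->inLookup = false;
    return r;
}

// Chain with the middle continuation dropped: A owns [0,10), B owns [20,30);
// offsets 10..19 belong to neither, the situation the comment suspects.
LookupResult lookup(int offset, bool guarded) {
    Frame a = {0, 10, nullptr, nullptr, false};
    Frame b = {20, 30, &a, nullptr, false};
    a.nextInFlow = &b;
    Frame* hit = nullptr;
    return guarded ? guardedFind(&a, offset, &hit) : naiveFind(&a, offset, &hit);
}
```

`lookup(15, false)` bounces A -> B -> A until the depth limit trips, while `lookup(15, true)` returns NOT_FOUND after one round trip; offsets that a surviving frame owns are found either way.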
nevermind, this patch only fixes one particular crash instance.  i found two
others...
Attached patch v0.1 patch : more workarounds... (obsolete) — Splinter Review
this patch is more of the same... it blocks another crash, probably not in the
best way.  i'm just posting it here in case we need something in a pinch.
Attachment #130036 - Attachment is obsolete: true
ok, though this patch prevents the crash, it seems that lines of text can get lost.
i moved part of this patch into bug 216736 since it is not related to the crash.
Depends on: 216736
Attached patch v1 patch - Splinter Review
thanks to dbaron for suggesting this patch!  with the way overflow:hidden on a
textarea was implemented, the text frame was getting a block frame as its
parent. that is apparently not supposed to happen.  the solution here is to
replace overflow:hidden with overflow:-moz-scrollbars-none.  as a result, we
end up with the same frame hierarchy only the textarea has no scrollbars.  in
addition, our behavior ends up being consistent with the behavior of IE, which
is probably not a bad thing.  thanks dbaron!
Attachment #130072 - Attachment is obsolete: true
Comment on attachment 130109 [details] [diff] [review]
v1 patch

approved for 1.4.x.

/be
Attachment #130109 - Flags: approval1.4.x? → approval1.4.x+
Need this in the 1.5b trunk too, right?  If so, please nominate.

/be
Yeah, would be great to have this in 1.5
Attachment #130109 - Flags: approval1.5b? → approval1.5b+
darin, can you land today?  trying to get 1.5b builds thursday or friday morning.
fixed-on-trunk
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
fixed1.4.1
Keywords: fixed1.4.1
verified on trunk
Status: RESOLVED → VERIFIED
Blocks: 224532
*** Bug 140256 has been marked as a duplicate of this bug. ***
Crash Signature: [@ nsSelection::GetFrameForNodeOffset ]