Bug 234761 - [FIXr]Crash by invalid Content-Style-Type on typing Enters in textarea [@ nsSelection::GetFrameForNodeOffset ]
Status: RESOLVED FIXED
Keywords: crash, testcase, verified1.7
Product: Core
Classification: Components
Component: Layout: Form Controls
Version: Trunk
Platform: All / All
Priority: P1
Severity: critical
Votes: 1
Target Milestone: mozilla1.7final
Assigned To: Boris Zbarsky [:bz] (TPAC)
URL: http://www.hyuki.com/diary/1.html
Reported: 2004-02-18 03:51 PST by HARUNAGA Hirotoshi
Modified: 2011-06-09 14:58 PDT


Attachments
Fix (2.74 KB, patch)
2004-04-12 17:39 PDT, Boris Zbarsky [:bz] (TPAC)
jonas: review+
jst: superreview+
brendan: approval1.7+

Description HARUNAGA Hirotoshi 2004-02-18 03:51:06 PST
If a page has an invalid Content-Style-Type as follows,
<meta http-equiv="Content-Style-Type" content="css"> (not text/css),
Mozilla crashes when typing "Enter"s in the form textarea.

Source:
<html>
<head>
<meta http-equiv="Content-Style-Type" content="css" />
</head>
<body>
<form>
<textarea></textarea>
</form>
</body>
</html>

Steps:
1. load http://www.hyuki.com/diary/1.html
2. type "Enter" key 3 times or so.

Result:
Scrollbar doesn't appear, the caret goes under the textarea
and Mozilla crashes.
20040215/WinXP, 20040213/Linux, 20040217/Mac.

Crash log on Mac:
Date/Time:  2004-02-16 23:23:42 +0900
OS Version: 10.2.8 (Build 6R73)
Host:       Macintosh.local.

Command:    mozilla-bin
PID:        436

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000074

Thread 0 Crashed:
 #0   0x00e8211c in nsSelection::GetFrameForNodeOffset(nsIContent*, int,
nsIFrameSelection::HINT, nsIFrame**, int*)
 #1   0x00e172e8 in nsCaret::SetupDrawingFrameAndOffset(nsIDOMNode*, int,
nsIFrameSelection::HINT)
 #2   0x00e1804c in nsCaret::DrawCaret()
 #3   0x00e17178 in nsCaret::StartBlinking()
 #4   0x00e168bc in nsCaret::SetCaretVisible(int)
 #5   0x00d4c1f8 in PresShell::SetCaretEnabled(int)
 #6   0x00d53d68 in PresShellViewEventListener::RestoreCaretVisibility()
 #7   0x00fbba90 in nsViewManager::Refresh(nsView*, nsIRenderingContext*,
nsIRegion*, unsigned)
 #8   0x00fbe51c in nsViewManager::DispatchEvent(nsGUIEvent*, nsEventStatus*)
 #9   0x00fb7364 in HandleEvent(nsGUIEvent*)
 #10  0x00a39314 in nsWindow::DispatchEvent(nsGUIEvent*, nsEventStatus&)
 #11  0x00a393dc in nsWindow::DispatchWindowEvent(nsGUIEvent&, nsEventStatus&)
 #12  0x00a38e8c in nsWindow::UpdateWidget(nsRect&, nsIRenderingContext*)
 #13  0x00a3869c in nsWindow::PaintUpdateRectProc(unsigned short,
OpaqueRgnHandle*, Rect const*, void*)
 #14  0x00a38aa8 in nsWindow::HandleUpdateEvent(OpaqueRgnHandle*)
 #15  0x00a3850c in nsWindow::Update()
 #16  0x00fbda48 in nsViewManager::Composite()
 #17  0x00fc1334 in nsViewManager::EnableRefresh(unsigned)
 #18  0x00fc1404 in nsViewManager::EndUpdateViewBatch(unsigned)
 #19  0x068e9504 in nsEditor::EndUpdateViewBatch()
 #20  0x068e0b30 in nsEditor::EndPlaceHolderTransaction()
 #21  0x068d1c00 in nsPlaintextEditor::TypedText(nsAString const&, int)
 #22  0x068d1a1c in nsPlaintextEditor::HandleKeyPress(nsIDOMKeyEvent*)
 #23  0x068da778 in nsTextEditorKeyListener::KeyPress(nsIDOMEvent*)
 #24  0x00eacd0c in DispatchToInterface(nsIDOMEvent*, nsIDOMEventListener*,
unsigned (nsIDOMEventListener::*)(nsIDOMEvent*), nsID const&, int*)
 #25  0x00eaff50 in nsEventListenerManager::HandleEvent(nsIPresContext*,
nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned, nsEventStatus*)
 #26  0x00e64404 in nsGenericElement::HandleDOMEvent(nsIPresContext*, nsEvent*,
nsIDOMEvent**, unsigned, nsEventStatus*)
 #27  0x00f12f70 in nsHTMLTextAreaElement::HandleDOMEvent(nsIPresContext*,
nsEvent*, nsIDOMEvent**, unsigned, nsEventStatus*)
 #28  0x00e64574 in nsGenericElement::HandleDOMEvent(nsIPresContext*, nsEvent*,
nsIDOMEvent**, unsigned, nsEventStatus*)
 #29  0x00d52d8c in PresShell::HandleEventInternal(nsEvent*, nsIView*, unsigned,
nsEventStatus*)
 #30  0x00d52928 in PresShell::HandleEvent(nsIView*, nsGUIEvent*,
nsEventStatus*, int, int&)
 #31  0x00fbf52c in nsViewManager::HandleEvent(nsView*, nsGUIEvent*, int)
 #32  0x00fbeac0 in nsViewManager::DispatchEvent(nsGUIEvent*, nsEventStatus*)
 #33  0x00fb7364 in HandleEvent(nsGUIEvent*)
 #34  0x00a39314 in nsWindow::DispatchEvent(nsGUIEvent*, nsEventStatus&)
 #35  0x00a393a0 in nsWindow::DispatchWindowEvent(nsGUIEvent&)
 #36  0x00a20858 in nsMacEventHandler::HandleUKeyEvent(unsigned short*, long,
EventRecord&)
 #37  0x00a24454 in nsMacTSMMessagePump::UnicodeNotFromInputMethodHandler(AEDesc
const*, AEDesc*, long)
 #38  0x91b56570 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned long,
unsigned char*)
 #39  0x91b5a8e4 in sendToSelf(AEDesc const*, AEDesc*, long, long)
 #40  0x91b58124 in AESendMessage
 #41  0x91b5a4e4 in aeSend
 #42  0x96aa68cc in AESend
 #43  0x96a28ea4 in HandleTextInputEvent(OpaqueEventRef*)
 #44  0x969b2898 in ToolboxEventDispatcherHandler(OpaqueEventHandlerCallRef*,
OpaqueEventRef*, void*)
 #45  0x969a2d0c in DispatchEventToHandlers
 #46  0x969a2fbc in SendEventToEventTargetInternal
 #47  0x969b5494 in SendEventToEventTarget
 #48  0x96a389a4 in SendTSMEvent
 #49  0x969fd32c in SendUnicodeTextAEToUnicodeDoc
 #50  0x96a04194 in utDeliverTSMEvent
 #51  0x96a388b0 in TSMKeyEvent
 #52  0x969e1120 in TSMProcessRawKeyEvent
 #53  0x969f9b10 in HandleCompatibilityKeyEvent(OpaqueEventRef*)
 #54  0x969bb81c in CompatibilityEventHandler(OpaqueEventHandlerCallRef*,
OpaqueEventRef*, void*)
 #55  0x969a2c54 in DispatchEventToHandlers
 #56  0x969a2fbc in SendEventToEventTargetInternal
 #57  0x969a63d0 in SendEventToEventTargetWithOptions
 #58  0x969ece14 in HandleKeyboardEvent(OpaqueEventRef*, unsigned long)
 #59  0x969b288c in ToolboxEventDispatcherHandler(OpaqueEventHandlerCallRef*,
OpaqueEventRef*, void*)
 #60  0x969a2d0c in DispatchEventToHandlers
 #61  0x969a2fbc in SendEventToEventTargetInternal
 #62  0x969b5494 in SendEventToEventTarget
 #63  0x969b7258 in ToolboxEventDispatcher(OpaqueEventRef*)
 #64  0x969c8740 in CallEventDispatchHook
 #65  0x969b3c90 in TryEventDispatcher
 #66  0x969a4570 in GetOrPeekEvent
 #67  0x969a4330 in GetNextEventMatchingMask
 #68  0x969a8054 in WNEInternal
 #69  0x969adf0c in WaitNextEvent
 #70  0x00a22884 in nsMacMessagePump::GetEvent(EventRecord&)
 #71  0x00a22760 in nsMacMessagePump::DoMessagePump()
 #72  0x00a16110 in nsAppShell::Run()
 #73  0x000054bc in main1(int, char**, nsISupports*)
 #74  0x00005a18 in main
 #75  0x000023a8 in _start
 #76  0x00002228 in start
Comment 1 Boris Zbarsky [:bz] (TPAC) 2004-02-18 15:24:00 PST
Interesting.  The attempt to set those styles we try to set on the anonymous
nodes in the textarea fails because the style language is not CSS.  Then we
crash at:

0x413fbd1c in nsSelection::GetFrameForNodeOffset(nsIContent*, int,
nsIFrameSelection::HINT, nsIFrame**, int*) (this=0x8813d48, aNode=0x871fcd0,
aOffset=4, aHint=HINTRIGHT, 
    aReturnFrame=0xbfffdf88, aReturnOffset=0xbfffdf5c)
    at /home/bzbarsky/mozilla/xlib/mozilla/content/base/src/nsSelection.cpp:2981
2981      result =
(*aReturnFrame)->GetChildFrameContainingOffset(*aReturnOffset, aHint, &aOffset,
aReturnFrame);
(gdb) p aReturnFrame
$2 = (class nsIFrame **) 0xbfffdf88
(gdb) p *aReturnFrame
$3 = (nsIFrame *) 0x88829a4
(gdb) p **aReturnFrame
$4 = {<nsISupports> = {_vptr.nsISupports = 0x0}, mRect = {x = -572662307, 
    y = -572662307, width = -572662307, height = -572662307}, mContent =
0xdddddddd, 
  mStyleContext = 0xdddddddd, mParent = 0xdddddddd, mNextSibling = 0xdddddddd, 
  mState = 3722304989}

after the following assertions:

###!!! ASSERTION: non-root frame's desired size changed during an incremental
reflow: 'first == root || (aDesiredSize.width == size.width &&
aDesiredSize.height == size.height)', file
/home/bzbarsky/mozilla/xlib/mozilla/layout/html/base/src/nsPresShell.cpp, line 898
###!!! ASSERTION: frame was not removed from primary frame map before
destruction or was readded to map after being removed:
'!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame', file
/home/bzbarsky/mozilla/xlib/mozilla/layout/html/base/src/nsFrameManager.cpp,
line 1006
###!!! ASSERTION: existing overflow list: 'rv !=
NS_IFRAME_MGR_PROP_OVERWRITTEN', file
/home/bzbarsky/mozilla/xlib/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 4356

So the fact that the styles are not getting set is causing issues somewhere in
frame construction or editor, looks like.

Really, we should guarantee that inline style on anonymous content is set as
css, no?
Comment 2 Jonas Sicking (:sicking) No longer reading bugmail consistently 2004-02-18 16:09:24 PST
Yeah, on anonymous content that we create ourselves I agree. On XBL-created
content I'm not so sure though. I.e. XBL that comes with the webpage.
Comment 3 Boris Zbarsky [:bz] (TPAC) 2004-02-18 18:19:57 PST
Sure.  But the upshot is that we need to have a way of setting the style attr
that does _not_ do that check that ParseStyleAttribute does....
Comment 4 Hermann Schwab 2004-02-19 14:36:00 PST
Crashed on Win98 using Mozilla 1.4.1, Mozilla 1.5 and current nightly BuildID
20040216.
Talkbacks from 1.5: TB30484909M, TB30484793H

Testcase of Bug 234624 also crashed submitting some Enters only, but the
DocWatson Files are about double the size.
Comment 5 Boris Zbarsky [:bz] (TPAC) 2004-02-25 17:28:30 PST
sicking, can you add such a method?
Comment 6 Irmen de Jong 2004-02-28 09:39:53 PST
(also occurs in Firefox 0.8, see
http://forums.mozillazine.org/viewtopic.php?t=49646&highlight=contentstyletype)

I also observe that sometimes the cursor isn't rendered in form fields, and that
when you type a lot of letters the text is drawn outside the form field.

Notice that the Postbank site mentioned in the forum topic above has made a
mistake and had to use Content-Type instead of Content-Style-Type.
Unfortunately, their mistake crashes our browser...
Comment 7 Boris Zbarsky [:bz] (TPAC) 2004-04-10 23:57:20 PDT
sicking?  ping?
Comment 8 Boris Zbarsky [:bz] (TPAC) 2004-04-12 17:39:02 PDT
Created attachment 145961 [details] [diff] [review]
Fix
Comment 9 Boris Zbarsky [:bz] (TPAC) 2004-04-12 17:39:30 PDT
Comment on attachment 145961 [details] [diff] [review]
Fix

sicking, this is what we talked about.
Comment 10 Jonas Sicking (:sicking) No longer reading bugmail consistently 2004-04-13 11:38:24 PDT
Comment on attachment 145961 [details] [diff] [review]
Fix

looks good to me. Though why wasn't the div already native-anonymous? Are we
only setting that on the top native-anonymous and it doesn't get cascaded down
into the children?
Comment 11 Boris Zbarsky [:bz] (TPAC) 2004-04-13 12:06:14 PDT
> Though why wasn't the div already native-anonymous?

It's not _yet_ native anonymous.  It gets set so later, when it's returned to
the frame constructor from this method.
Comment 12 Johnny Stenback (:jst, jst@mozilla.com) 2004-04-13 15:49:52 PDT
Comment on attachment 145961 [details] [diff] [review]
Fix

sr=jst
Comment 13 Boris Zbarsky [:bz] (TPAC) 2004-04-13 19:06:09 PDT
Checked in for 1.8a.  I think we should take this for 1.7, so leaving open.
Comment 14 Boris Zbarsky [:bz] (TPAC) 2004-04-13 19:06:50 PDT
Comment on attachment 145961 [details] [diff] [review]
Fix

Could this please be approved for 1.7?  This is a very safe patch that fixes a
crash that pages can trigger by simply including a meta element other browsers
ignore...
Comment 15 Brendan Eich [:brendan] 2004-04-13 19:20:22 PDT
Comment on attachment 145961 [details] [diff] [review]
Fix

a=brendan@mozilla.org for 1.7final.

/be
Comment 16 Boris Zbarsky [:bz] (TPAC) 2004-04-13 22:55:56 PDT
Checked in to 1.7 branch.
Comment 17 David Epstein 2004-07-01 18:04:03 PDT
Verified on Mozilla 1.7 branch (Win & Mac). Test case doesn't crash. Verified
patch checkin on the branch (nsGenericHTMLElement.cpp and nsTextControlFrame.cpp)