Closed Bug 270771 Opened 20 years ago Closed 20 years ago

crash inspecting content of IFRAME [@ inLayoutUtils::GetFrameFor ]

Categories

(Other Applications :: DOM Inspector, defect, P2)

Product:
Other Applications
Component:
DOM Inspector
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla1.8alpha6

People

(Reporter: aha, Assigned: bzbarsky)

References

(
URL
)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Patch
2.98 KB, patch
timeless
: review+
jst
: superreview+
Details | Diff | Splinter Review
2004111805/Seamonkey-trunk/W2K Repro: 1. open http://dir.seznam.cz/42/03/35.html with DOMI in sidebar 2. inspect tree until you find IFRAME, expand it Actual: When you'll expand HEAD or BODY of IFRAME, browser will crash (TB2049309M, TB2048338M) TB2049309: inLayoutUtils::GetFrameFor [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/extensions/inspector/base/src/inLayoutUtils.cpp, line 100] inFlasher::ScrollElementIntoView [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/extensions/inspector/base/src/inFlasher.cpp, line 215] XPTC_InvokeByIndex [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102] XPCWrappedNative::CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2036] XPC_WN_CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1288] js_Invoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1288] js_Interpret [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 3621] js_Invoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1307] js_InternalInvoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1384] js_InternalGetOrSet [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1427] js_SetProperty [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 2788] js_Interpret [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 2659] js_Invoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1307] js_InternalInvoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1384] JS_CallFunctionValue [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 3769] nsJSContext::CallEventHandler [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1346] nsJSEventListener::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/events/nsJSEventListener.cpp, line 181] nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1513] nsEventListenerManager::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1589] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp, line 2820] nsTreeSelection::FireOnSelectHandler [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp, line 760] nsTreeSelection::Select [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp, line 377] XPTC_InvokeByIndex [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102] XPCWrappedNative::CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2036] XPC_WN_CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1288] js_Invoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1288] js_Interpret [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 3621] js_Invoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1307] js_InternalInvoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1384] JS_CallFunctionValue [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 3769] nsJSContext::CallEventHandler [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1346] nsJSEventListener::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/events/nsJSEventListener.cpp, line 181] nsXBLPrototypeHandler::ExecuteHandler [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xbl/src/nsXBLPrototypeHandler.cpp, line 491] nsXBLEventHandler::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xbl/src/nsXBLEventHandler.cpp, line 85] nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1513] nsEventListenerManager::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1589] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp, line 2820] PresShell::HandleEventInternal [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5961] PresShell::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5846] nsViewManager::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2404] nsViewManager::DispatchEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2133] HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp, line 166] nsWindow::DispatchEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1078] nsWindow::DispatchWindowEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1095] nsWindow::DispatchMouseEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5329] ChildWindow::DispatchMouseEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5581] nsWindow::ProcessMessage [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4091] nsWindow::WindowProc [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1356] USER32.dll + 0x1ef0 (0x77e11ef0) USER32.dll + 0x204c (0x77e1204c) USER32.dll + 0x21af (0x77e121af) nsAppStartup::Run [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/components/startup/src/nsAppStartup.cpp, line 216] main1 [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1331] main [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1802] WinMain [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1828] WinMainCRTStartup() KERNEL32.DLL + 0x2893d (0x796f893d) M 1.7.2 doesn't crash on repro.
2004111805/Seamonkey-1.7branch/W2K is okay regression window is between 2004100605 (okay) and 2004100705 (crash, TB2049682M) builds.
that would correspond to http://tinyurl.com/4uyr8 and bug 262998 explicitely mentions iframes
Attached patch PatchSplinter Review
This code was assuming that having a window means having a presshell. That was true due to the silly way the window was gotten; with bug 262998 fixed this code started getting non-null windows and null presshells.
Attachment #166471 - Flags: superreview?(jst)
Attachment #166471 - Flags: review?(timeless)
Comment on attachment 166471 [details] [diff] [review] Patch Just a couple nits: > nsCOMPtr<nsIPresShell> presShell = inLayoutUtils::GetPresShellFor(window); >- >+ if (!presShell) return NS_OK; >+ > nsPresContext *presContext = presShell->GetPresContext(); Would it be appropriate to dump some sort of message to the terminal? There's no comment explaining why we're returning with an OK early. Of course, I don't fully understand this stuff, so... > nsCOMPtr<nsIDOMWindowInternal> window = inLayoutUtils::GetWindowFor(aElement); > if (!window) { > return NS_OK; > } Same file, but inconsistent brackets. Is that matching local code style?
> Would it be appropriate to dump some sort of message to the terminal? Why would you want a message? This happens any time you have a display:none iframe. > Same file, but inconsistent brackets. Is that matching local code style? Yes, as is clear from the context.
Attachment #166471 - Flags: review?(timeless) → review+
Bug with a crash stack, reproducible steps, a patch and reviews shouldn't be unconfirmed. Settings status to NEW.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment on attachment 166471 [details] [diff] [review] Patch sr=jst
Attachment #166471 - Flags: superreview?(jst) → superreview+
Product: Core → Other Applications
Assignee: dom-inspector → bzbarsky
OS: Windows 2000 → All
Priority: -- → P2
Hardware: PC → All
Target Milestone: --- → mozilla1.8alpha6
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
QA Contact: timeless → dom-inspector
Crash Signature: [@ inLayoutUtils::GetFrameFor ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: