Closed Bug 284024 Opened 20 years ago Closed 20 years ago

double click on "empty space" near INPUT and BR tags causes memory access crash [@ nsContentIterator::NextNode]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
1.7 Branch
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED EXPIRED

People

(Reporter: cj_little, Unassigned)

Details

(Keywords: crash)

Crash Data

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1 An HTML document similar to the following, when viewed on the windows platform (not Linux, I tried it out on there, no problem) - and double clicking the mouse on the same horizontal area as the input tag displayed text box causes a crash in the firefox 1.0.1 browser. ( in the sample, there's 3 cases, one fails, the other 2 do not fail, even wrapping the input tag avoided the crash ) HTML: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title> crash test page </title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head> <body> double click anywhere to the right of the input box 0x005beced referenced memory at 0x00000000 ... <input name="nothing" size="8" value="nothing" type="text"> <br> <pre> This one does not <input name="nothing" size="8" value="nothing" type="text"> <br> </pre> Neither does this one ... <input name="nothing" size="8" value="nothing" type="text"><br> </body></html> Reproducible: Always Steps to Reproduce: 1. load up the example (short) HTML doc into the browser 2. double click on the same line as the input field Actual Results: dialog box stating exception at 0x005beced referenced memory at 0x00000000 Expected Results: nothing at all, no actual content was being selected crash occurred in firefox.exe, but the stack appears to have gone throught the javascript code
Cj. Little: Could you provide Talkback incident id for your crash?
Severity: normal → critical
Keywords: crash
(In reply to comment #1) > Cj. Little: Could you provide Talkback incident id for your crash? Unfortunately the feedback agent is not trapping/listing anything for this crash. Stack dump from msvc any help?
I reinstalled, and QFA now captures it, Talkback ID : TB4045925X
Incident ID: 4045925 Stack Signature nsContentIterator::NextNode ef4f25cc Product ID Firefox10 Build ID 2005022304 Trigger Time 2005-03-01 15:35:37.0 Platform Win32 Operating System Windows NT 5.0 build 2195 Module firefox.exe + (001beced) URL visited re: bug id 284024 User Comments Since Last Crash 7 sec Total Uptime 24 sec Trigger Reason Access violation Source File, Line No. d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsContentIterator.cpp, line 834 Stack Trace nsContentIterator::NextNode [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsContentIterator.cpp, line 834] nsContentIterator::Next [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsContentIterator.cpp, line 1011] XPTC_InvokeByIndex [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102] XPCWrappedNative::CallMethod [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2034] XPC_WN_CallMethod [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1287] js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 949] js_Interpret [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 2993] js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 966] nsXPCWrappedJSClass::CallMethod [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 1339] nsXPCWrappedJS::CallMethod [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 450] SharedStub [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp, line 147] nsEventListenerManager::HandleEventSubType [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1436] nsEventListenerManager::HandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1516] GlobalWindowImpl::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 927] nsXULDocument::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp, line 1257] nsXULElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2823] nsXULElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2821] nsXULElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2821] nsXULElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2821] nsXULElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2821] nsXULElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2821] nsXULElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2821] nsXULElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2821] nsXULElement::HandleChromeEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 3988] GlobalWindowImpl::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 916] nsDocument::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsDocument.cpp, line 3742] nsGenericElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 1918] nsGenericElement::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 1915] PresShell::HandleEventInternal [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/layout/html/base/src/nsPresShell.cpp, line 6059] PresShell::HandleEventWithTarget [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/layout/html/base/src/nsPresShell.cpp, line 5984] nsEventStateManager::CheckForAndDispatchClick [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 3011] nsEventStateManager::PostHandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 1973] PresShell::HandleEventInternal [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/layout/html/base/src/nsPresShell.cpp, line 6111] PresShell::HandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/layout/html/base/src/nsPresShell.cpp, line 5921] nsViewManager::HandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp, line 2326] nsViewManager::DispatchEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp, line 2066] HandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp, line 77] nsWindow::DispatchEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1067] nsWindow::DispatchMouseEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5261] ChildWindow::DispatchMouseEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5511] nsWindow::WindowProc [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1349] USER32.DLL + 0x2ca8 (0x77e12ca8) USER32.DLL + 0x2dc5 (0x77e12dc5) USER32.DLL + 0x2f0f (0x77e12f0f) nsAppShellService::Run [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 495] main [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 58] KERNEL32.DLL + 0x87f5 (0x7c4e87f5)
Summary: double click on "empty space" near INPUT and BR tags causes memory access crash → double click on "empty space" near INPUT and BR tags causes memory access crash [@ nsContentIterator::NextNode]
Assignee: firefox → general
Component: General → DOM
Product: Firefox → Core
QA Contact: general → ian
Version: unspecified → 1.7 Branch
This is an automated message, with ID "auto-resolve01". This bug has had no comments for a long time. Statistically, we have found that bug reports that have not been confirmed by a second user after three months are highly unlikely to be the source of a fix to the code. While your input is very important to us, our resources are limited and so we are asking for your help in focussing our efforts. If you can still reproduce this problem in the latest version of the product (see below for how to obtain a copy) or, for feature requests, if it's not present in the latest version and you still believe we should implement it, please visit the URL of this bug (given at the top of this mail) and add a comment to that effect, giving more reproduction information if you have it. If it is not a problem any longer, you need take no action. If this bug is not changed in any way in the next two weeks, it will be automatically resolved. Thank you for your help in this matter. The latest beta releases can be obtained from: Firefox: http://www.mozilla.org/projects/firefox/ Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html Seamonkey: http://www.mozilla.org/projects/seamonkey/
This bug has been automatically resolved after a period of inactivity (see above comment). If anyone thinks this is incorrect, they should feel free to reopen it.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → EXPIRED
Crash Signature: [@ nsContentIterator::NextNode]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.