Closed Bug 295519 Opened 19 years ago Closed 19 years ago

Inserting iframe crashes Editor [@ nsVoidArray::FastElementAt] [@ nsHTMLEditor::InsertHTMLWithContext]

Categories

(Core :: DOM: HTML Parser, defect)

x86
Windows 2000
defect
Not set
critical

Tracking


VERIFIED FIXED

People

(Reporter: mcsmurf, Assigned: mrbkap)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

To reproduce:
1. Open Composer or HTML Mail Editor
2. Insert->HTML: <iframe src="http://www.google.de">
3. Press OK
4. Crash

This regressed between 2005-02-18-06 and 2005-02-19-06.
Stacktrace:
nsVoidArray::FastElementAt(const nsVoidArray * const 0x00000000, int 0x00000000)
line 72 + 7 bytes
nsHTMLEditor::InsertHTMLWithContext(nsHTMLEditor * const 0x043ec544, const
nsAString & {...}, const nsAString & {...}, const nsAString & {...}, const
nsAString & {...}, nsIDOMDocument * 0x00000000, nsIDOMNode * 0x00000000, int
0x00000000, int 0x00000001) line 458 + 18 bytes
nsHTMLEditor::InsertHTML(nsHTMLEditor * const 0x043ec544, const nsAString &
{...}) line 253 + 24 bytes
XPTC_InvokeByIndex(nsISupports * 0x043ec544, unsigned int 0x00000012, unsigned
int 0x00000001, nsXPTCVariant * 0x0012ca80) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
0xb9179de8) line 2097 + 22 bytes
XPC_WN_CallMethod(JSContext * 0x048f67e8, JSObject * 0x04179de8, unsigned int
0x00000001, long * 0x0450c334, long * 0x0450c268) line 1330 + 10 bytes
js_Invoke(JSContext * 0x00000001, unsigned int 0x00000001, unsigned int
0x00000000) line 1182 + 17 bytes
js_Interpret(JSContext * 0x048f67e8, unsigned char * 0x03f12c81, long *
0x0012cf60) line 3473
js_Invoke(JSContext * 0x00000001, unsigned int 0x00000001, unsigned int
0x00000002) line 1202 + 12 bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x024ce058,
nsXPCWrappedJS * 0x018b7590, unsigned short 0x0003, const nsXPTMethodInfo *
0x00fa9538, nsXPTCMiniVariant * 0x0012d108) line 1339 + 16 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x048b7590, unsigned short
0x0003, const nsXPTMethodInfo * 0x00fa9538, nsXPTCMiniVariant * 0x0012d108) line 450
PrepareAndDispatch(nsXPTCStubBase * 0x00000000, unsigned int 0x00000003,
unsigned int * 0x0012d1c0, unsigned int * 0x0012d1b0) line 117 + 18 bytes
SharedStub() line 147
nsEventListenerManager::HandleEventSubType(nsEventListenerManager * const
0x00000000, nsListenerStruct * 0x048bb3e8, nsIDOMEvent * 0x04465400,
nsIDOMEventTarget * 0x044c2208, unsigned int 0x04465408, unsigned int
0x00000007) line 1568 + 11 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x048b75f0,
nsPresContext * 0x00000000, nsEvent * 0x00000001, nsIDOMEvent * * 0x0012d4f0,
nsIDOMEventTarget * 0x044c2208, unsigned int 0x00000007, nsEventStatus *
0x0012d640) line 1669 + 32 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x00000000, nsPresContext *
0x04983d30, nsEvent * 0x0498cb58, nsIDOMEvent * * 0x0012d4f0, unsigned int
0x00000007, nsEventStatus * 0x0012d640) line 2194
PresShell::HandleDOMEventWithTarget(PresShell * const 0x048e7324, nsIContent *
0x048e7324, nsEvent * 0x0012d5f4, nsEventStatus * 0x0012d640) line 6422
nsButtonBoxFrame::DoMouseClick(nsButtonBoxFrame * const 0x00000000, nsGUIEvent *
0x0012d750, int 0x00000000) line 178
Attached patch patch v1
There were two bugs here (I've only fixed one):
* The scanner's mIncremental was not getting set correctly, so that the
<iframe> was getting lost in the tokenizer. This patch corrects that, and tells
the scanner that there's definitely no more data coming so we should use what
we have.

* The editor code that's calling the parser is assuming that there's going to
be something coming back from the parser. I note that I crash if I try to
insert a couple of spaces. I've left this problem alone, since I haven't
investigated it (and don't know the editor code as well).
Assignee: mozeditor → mrbkap
Status: NEW → ASSIGNED
Attachment #184540 - Flags: superreview?(jst)
Attachment #184540 - Flags: review?(jst)
Component: Editor → HTML: Parser
QA Contact: bugzilla → mrbkap
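A toy model of the two behaviours described in the comment above, added here as an illustration and not the patch itself or Mozilla's nsScanner/nsHTMLEditor code: a raw-text scanner that holds an unfinished <iframe> back while incremental and uses what it has once told that no more data is coming, and an editor-side caller that rejects an empty parse result instead of indexing it. Token, ScanIframe and InsertFragment are assumed names; the inputs are constructed from the bug's reproduction step.

```cpp
#include <cassert>
#include <string>
#include <vector>

// Toy scanner/tokenizer model (assumed, not Mozilla's code). An <iframe> is a
// raw-text element: its content runs until </iframe>. In incremental mode a
// fragment that ends before </iframe> means "wait for more data", so the token
// is held back; when the caller says no more data is coming (mIncremental
// false), the scanner emits what it has.
struct Token { std::string tag; std::string rawText; };

enum class ScanResult { kOk, kNeedMoreData };

// Scan one `<iframe ...>[content][</iframe>]` fragment. `incremental`
// mirrors the scanner's mIncremental flag from the comment.
static ScanResult ScanIframe(const std::string& html, bool incremental,
                             std::vector<Token>& out) {
    size_t start = html.find("<iframe");
    if (start == std::string::npos) return ScanResult::kOk;  // nothing to do
    size_t gt = html.find('>', start);
    if (gt == std::string::npos) return ScanResult::kNeedMoreData;  // tag unfinished
    size_t close = html.find("</iframe>", gt + 1);
    if (close == std::string::npos && incremental)
        return ScanResult::kNeedMoreData;  // hold the token back: more data may come
    size_t end = (close == std::string::npos) ? html.size() : close;
    out.push_back({html.substr(start, gt + 1 - start),
                   html.substr(gt + 1, end - gt - 1)});
    return ScanResult::kOk;
}

// Editor-side caller (assumed). Returns false instead of dereferencing an
// empty result, which is the second bug the comment leaves to the editor.
static bool InsertFragment(const std::string& html, bool incremental,
                           std::string& firstTag) {
    std::vector<Token> tokens;
    if (ScanIframe(html, incremental, tokens) != ScanResult::kOk || tokens.empty())
        return false;  // parser produced nothing: never index tokens[0]
    firstTag = tokens[0].tag;
    return true;
}
```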
Comment on attachment 184540 [details] [diff] [review]
patch v1

r+sr=jst
Attachment #184540 - Flags: superreview?(jst)
Attachment #184540 - Flags: superreview+
Attachment #184540 - Flags: review?(jst)
Attachment #184540 - Flags: review+
Comment on attachment 184540 [details] [diff] [review]
patch v1

This might be something that we want in for 1.8b2. It fixes a crash in editor
and a problem with handling malformed innerHTML assignments.
Attachment #184540 - Flags: approval1.8b2?
I've filed bug 295531 on the editor problem.
Attachment #184540 - Flags: approval1.8b2? → approval1.8b3?
Comment on attachment 184540 [details] [diff] [review]
patch v1

a=shaver
Attachment #184540 - Flags: approval1.8b3? → approval1.8b3+
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Verified FIXED using build 2005-06-02-06 on Windows XP Seamonkey trunk.

Using the testcase in comment 0, I see Google.de successfully load in an iframe.
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsVoidArray::FastElementAt] [@ nsHTMLEditor::InsertHTMLWithContext]
