Bug 309981 (Closed)
Opened 20 years ago; closed 20 years ago
Summary: When item is clicked and the offsetTop of iframe in editmode is accessed ff crashes [@ nsFrameManager::RestoreFrameStateFor]
Product / Component: Core :: Layout (defect, P2)
Status: VERIFIED FIXED
Target Milestone: mozilla1.8beta5
Reporter: cbaldwin; Assigned: bzbarsky
Attachments (3 files):
- 145 bytes, text/html
- 822 bytes, text/html
- 735 bytes, patch: dbaron: review+; dbaron: superreview+; asa: approval1.8b5+
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4
OK, there are two pages to the issue.
The first is the page that causes the crash.
The second is the page loaded in the frame via src.
page1:
<html>
<head>
<script type="text/javascript">
// initialize
function init() {
  // Attach the click handler to both the list item and the button
  document.getElementById("fittowin").onclick = testcrash;
  document.getElementById("testbut").onclick = testcrash;
  // Turn on design mode in the iframe's document (this creates the HTML editor)
  document.getElementById("editor").contentWindow.document.designMode = "on";
}
// Make it crash
function testcrash(e) {
  // Set the container position to absolute; this style change is what the
  // reporter found necessary to trigger the crash
  document.getElementById("container").style.position = "absolute";
  // Get the offsetTop of the iframe (forces layout to process the restyle)
  var cy = document.getElementById("editor").offsetTop;
  // Show the value of cy
  alert("cy = " + cy);
}
</script>
</head>
<body onload="init();">
<div id="container">
<ul style="position:absolute; display:block; width:175px; top:100px;
left:100px; background-color:#FF0000;">
<li id="fittowin">crash it!</li>
</ul>
<iframe id="editor" src="../index2.htm"></iframe>
<form action="" method="get"><input id="testbut" name="" type="button"
value="button" /></form>
</div>
</body>
</html>
Page2:
<html>
<head>
<title>test page</title>
</head>
<body>
<table>
<tr>
<td>Edit/Click here First</td>
</tr>
</table>
</body>
</html>
Reproducible: Always
Steps to Reproduce:
1. Set the pages up so that you can view them. Make sure that the second page
shows in the iframe.
2. Click on the text in the iframe "Edit/Click here First" and type anything.
3. Click the red "crash it!" item and you get a crash.
4. If it does not crash then you did not follow the steps exactly.
Actual Results:
Crash -- FF takes a dump and you have to restart every time.
Expected Results:
Get the offsetTop of the iframe.
I have tested this for about four hours and have found many ways to make it
crash on the offsetTop of the iframe. The code above is the simplest that I
could conjure up.
Note: for the error to occur the styles are important!
If you change the position to anything other than absolute, the error does
not occur.
Comment 1•20 years ago
talkbackid ?
Comment 2•20 years ago
I crash with 2005-09-24 trunk build, talkback ID: TB9724817K
Comment 3•20 years ago
Comment 4•20 years ago
Updated•20 years ago
Flags: blocking1.8b5?
Comment 5•20 years ago
Crash from José's testcase:
Incident ID: 9732775
Stack Signature nsFrameManager::RestoreFrameStateFor faa005a9
Product ID FirefoxTrunk
Build ID 2005092407
Trigger Time 2005-09-25 18:24:34.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module firefox.exe + (00221bfe)
URL visited
User Comments
Since Last Crash 10816 sec
Total Uptime 88794 sec
Trigger Reason Access violation
Source File, Line No.
c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsFrameManager.cpp,
line 1523
Stack Trace
nsFrameManager::RestoreFrameStateFor
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsFrameManager.cpp,
line 1523]
PresShell::GetLayoutObjectFor
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 5311]
nsHTMLEditor::CreateAnonymousElement
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/editor/libeditor/html/nsHTMLAnonymousUtils.cpp,
line 155]
nsHTMLEditor::ShowInlineTableEditingUI
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/editor/libeditor/html/nsHTMLInlineTableEditor.cpp,
line 96]
nsHTMLEditor::nsHTMLEditor
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/editor/libeditor/html/nsHTMLEditor.cpp,
line 167]
nsHTMLEditor::nsHTMLEditor
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/editor/libeditor/html/nsHTMLEditor.cpp,
line 167]
nsHTMLDocument::ConvertToMidasInternalCommand
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLDocument.cpp,
line 3733]
nsSubDocumentFrame::ShowDocShell
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameFrame.cpp,
line 666]
nsSubDocumentFrame::AddRef
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameFrame.cpp,
line 113]
nsCSSFrameConstructor::ConstructMathMLFrame
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 6919]
nsCSSFrameConstructor::ConstructHTMLFrame
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 5626]
nsCSSFrameConstructor::ConstructFrameInternal
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7778]
nsCSSFrameConstructor::ConstructFrameInternal
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7673]
nsCSSFrameConstructor::WrapFramesInFirstLineFrame
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 11655]
nsCSSFrameConstructor::ConstructInline
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 12707]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 6639]
nsCSSFrameConstructor::ReconstructDocElementHierarchy
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7882]
nsCSSFrameConstructor::ConstructFrameInternal
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7673]
nsCSSFrameConstructor::ContentInserted
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 9406]
nsCSSFrameConstructor::HaveSpecialBlockStyle
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 11540]
nsCSSFrameConstructor::ContentStatesChanged
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 10418]
nsCSSFrameConstructor::ProcessPendingRestyles
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 13201]
nsCSSFrameConstructor::PostRestyleEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 13229]
PresShell::ContentAppended
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 5123]
nsDocument::IsScriptEnabled
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsDocument.cpp,
line 4507]
nsHTMLDocument::CreateElement
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLDocument.cpp,
line 1263]
nsGenericHTMLElement::GetOffsetRect
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 734]
nsGenericHTMLElement::GetInnerHTML
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 867]
nsGenericHTMLElement::CopyInnerTo
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 277]
XPCWrappedNative::CallMethod
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2149]
$E35
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1551]
js_Invoke
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1163]
js_InternalInvoke
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1260]
js_InternalGetOrSet
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1303]
js_GetProperty
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2869]
js_Interpret
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3294]
js_Invoke
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1183]
js_InternalInvoke
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1260]
JS_CallFunctionValue
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4016]
nsJSContext::InitContext
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1554]
nsJSEventListener::HandleEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/events/nsJSEventListener.cpp,
line 195]
nsEventListenerManager::HandleEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1760]
nsEventListenerManager::CreateEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1876]
nsGenericElement::HandleDOMEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp,
line 2194]
PresShell::HandleEventInternal
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6068]
PresShell::HandleEventInternal
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 5973]
nsEventStateManager::SetClickCount
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 2924]
nsEventStateManager::PostHandleEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 1887]
PresShell::WillPaint
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6135]
PresShell::HandleEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 5738]
nsViewManager::InsertChild
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp,
line 2690]
nsViewManager::DispatchEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp,
line 2264]
nsIView::CreateWidget
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line
703]
nsWindow::DispatchAppCommandEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1111]
nsWindow::DispatchMouseEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 5850]
nsWindow::SetIcon
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 6071]
nsWindow::StandardWindowCreate
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1315]
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0x89cd (0x77d489cd)
USER32.dll + 0x8a10 (0x77d48a10)
$E63
nsAppStartup::Release
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp,
line 124]
main
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp,
line 61]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: When item is clicked and the offsetTop of iframe in editmode is accessed ff crashes → When item is clicked and the offsetTop of iframe in editmode is accessed ff crashes [ @ nsFrameManager::RestoreFrameStateFor]
Version: unspecified → 1.5 Branch
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
Version: 1.5 Branch → 1.8 Branch
Comment 6•20 years ago
There are only three crashes with RestoreFrameStateFor in the signature showing up
in talkback-public, and two are from people reproducing this bug (Martijn and Adam).
Flags: blocking1.8b5? → blocking1.8b5-
Comment 7•20 years ago
This crasher regressed between 2005-07-13 and 2005-07-14.
The fix for bug 297926 seems to me a likely candidate.
Blocks: 297926
Keywords: regression
Comment 8•20 years ago (Assignee)
Editor is coming down after Destroy() has been called on the frame manager...
So we end up trying to remove stuff from the undisplayed map after deleting it,
which causes us to jump to all sorts of fun memory locations.
The fix is to just null out the undisplayed map; frame manager has the
requisite null-checks.
Attachment #197621 - Flags: superreview?(dbaron)
Attachment #197621 - Flags: review?(dbaron)
Attachment #197621 - Flags: superreview?(dbaron) → superreview+
Attachment #197621 - Flags: review?(dbaron) → review+
Updated•20 years ago (Assignee)
Assignee: nobody → bzbarsky
OS: Windows XP → All
Priority: -- → P2
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta5
Version: 1.8 Branch → Trunk
Comment 9•20 years ago (Assignee)
Comment on attachment 197621 [details] [diff] [review]
Proposed patch
Requesting 1.8b5 approval. This is a very simple fix to keep us from accessing
deleted memory. Very safe.
Attachment #197621 -
Flags: approval1.8b5?
Comment 10•20 years ago (Assignee)
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Verified FIXED using SeaMonkey 1.1a: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051001 Mozilla/1.0
Status: RESOLVED → VERIFIED
Updated•20 years ago
Attachment #197621 -
Flags: approval1.8b5? → approval1.8b5+
Updated•20 years ago
Keywords: fixed1.8 → verified1.8
Summary: When item is clicked and the offsetTop of iframe in editmode is accessed ff crashes [ @ nsFrameManager::RestoreFrameStateFor] → When item is clicked and the offsetTop of iframe in editmode is accessed ff crashes [@ nsFrameManager::RestoreFrameStateFor]
Updated•14 years ago
Crash Signature: [@ nsFrameManager::RestoreFrameStateFor]