Closed Bug 338129 Opened 19 years ago Closed 19 years ago

Crash [@ nsQueryInterface::operator()] with designMode and window gets removed on mousedown/click of resizer

Categories

(Core :: DOM: Editor, defect)

Product:
Core
Component:
DOM: Editor
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: martijn.martijn, Assigned: smaug)

Details

(4 keywords, Whiteboard: [sg:critical] dead pointer, sometimes null)

Crash Data

Attachments

(3 files, 2 obsolete files)

testcase
717 bytes, text/html
Details
just make sure that event listeners are removed on time
14.19 KB, patch
glazou
: review+
neil
: superreview+
glazou
: approval-branch-1.8.1+
dveditz
: approval1.8.0.5+
Details | Diff | Splinter Review
1st aviary backport with regressions.
11.42 KB, patch
Details | Diff | Splinter Review
Filing this under core->editor, but it might also be Event handling, don't know. Filing it as security sensitive just to be sure (although it seems to be a null dereference crash?). Talkback ID: TB18747259H 0x00000000 nsQueryInterface::operator() nsCOMPtr<nsIHTMLEditor>::nsCOMPtr<nsIHTMLEditor> nsEventListenerManager::HandleEvent nsEventTargetChainItem::HandleEvent nsEventTargetChainItem::HandleEventTargetChain nsEventTargetChainItem::CreateChainAndHandleEvent nsEventTargetChainItem::CreateChainAndHandleEvent nsEventTargetChainItem::CreateChainAndHandleEvent nsEventTargetChainItem::CreateChainAndHandleEvent nsEventTargetChainItem::CreateChainAndHandleEvent nsEventTargetChainItem::CreateChainAndHandleEvent nsEventTargetChainItem::CreateChainAndHandleEvent nsEventTargetChainItem::CreateChainAndHandleEvent nsEventTargetChainItem::CreateChainAndHandleEvent nsEventTargetChainItem::CreateChainAndHandleEvent nsEventTargetChainItem::CreateChainAndHandleEvent nsEventTargetChainItem::CreateChainAndHandleEvent nsEventTargetChainItem::CreateChainAndHandleEvent nsEventTargetChainItem::CreateChainAndHandleEvent nsEventTargetChainItem::CreateChainAndHandleEvent nsEventTargetChainItem::CreateChainAndHandleEvent nsEventDispatcher::Dispatch PresShell::HandleEventInternal PresShell::HandlePositionedEvent PresShell::HandleEvent nsViewManager::HandleEvent nsViewManager::DispatchEvent HandleEvent nsWindow::DispatchEvent nsWindow::DispatchMouseEvent Also crashes in Mozilla1.7.
Attached file testcase
this triggers the assert ###!!! ASSERTION: Unexpected ContentRemoved: '!mIsDocumentGone', file d:/moz_src/mozilla/layout/base/nsPresShell.cpp, line 5258 http://lxr.mozilla.org/seamonkey/source/layout/base/nsPresShell.cpp#5263
And the crash happens in editor since there are few event listeners which have a pointer to the editor and that pointer is not set to null when editor is deleted.
Attached patch Use weak reference to nsEditor (obsolete) — Splinter Review
nsEditor is deleted before some event listeners. So better to use weak reference and check whether the editor is still alive before trying to use it. The change to DeleteRefToAnonymousNode is needed to remove the assertions Bernd mentioned.
Assignee: mozeditor → Olli.Pettay
Status: NEW → ASSIGNED
Attachment #222858 - Flags: review?(daniel)
Or should I ask someone else to review, Daniel?
Btw, this is not a null dereference crash, but reference to a dead pointer. Should this block 1.8.0.5 ?
Flags: blocking1.9a1?
Flags: blocking1.8.1?
Flags: blocking1.8.0.5?
any other editor reviewers?
Flags: blocking1.9a1? → blocking1.9a1+
Comment on attachment 222858 [details] [diff] [review] Use weak reference to nsEditor yes, everything seems to be ok but unfortunately I have no time to test this patch. I suggest you ask Neil for sr. r=daniel@glazman.org
Attachment #222858 - Flags: review?(daniel) → review+
Comment on attachment 222858 [details] [diff] [review] Use weak reference to nsEditor btw, I tried to keep the changes as simple as possible so that the functionality shouldn't change at all. That way this could be taken also to branches - I hope.
Attachment #222858 - Flags: superreview?(neil)
Sorry Daniel, but Neil complained something about nsEditor::RemoveEventListeners and I started to re-debug this and noticed a simpler way to fix the crash. Patch size 1/4 of the previous one :) So the problem is just that mMouseListenerP is used for many things and it must be removed from all event targets it is listening.
Attachment #222858 - Attachment is obsolete: true
Attachment #224888 - Flags: superreview?(neil)
Attachment #224888 - Flags: review?(daniel)
Attachment #222858 - Flags: superreview?(neil)
Attachment #224888 - Flags: superreview?(neil) → superreview+
Please land on trunk and 1.8 branch before requesting 1.8.0.5 approval on the patch. Thanks!
Flags: blocking1.8.0.5? → blocking1.8.0.5+
Attached patch v3 (obsolete) — Splinter Review
Got some comments from Daniel on IRC. Does this look safer and better now?
Attachment #224888 - Attachment is obsolete: true
Attachment #225402 - Flags: review?(daniel)
Attachment #224888 - Flags: review?(daniel)
Comment on attachment 225402 [details] [diff] [review] v3 Neil, is this still ok to you?
Attachment #225402 - Flags: superreview?(neil)
Comment on attachment 224888 [details] [diff] [review] just make sure that event listeners are removed on time r=daniel@glazman.org
Attachment #224888 - Flags: review+
Comment on attachment 224888 [details] [diff] [review] just make sure that event listeners are removed on time so this should be ok, after all
Attachment #224888 - Attachment is obsolete: false
Attachment #225402 - Flags: superreview?(neil)
Attachment #225402 - Flags: review?(daniel)
Attachment #224888 - Flags: approval-branch-1.8.1?(bugmail)
Attachment #224888 - Flags: approval1.8.0.5?
Comment on attachment 224888 [details] [diff] [review] just make sure that event listeners are removed on time Actually, I think Daniel should approve this, as it's the module owner that does that.
Attachment #224888 - Flags: approval-branch-1.8.1?(bugmail) → approval-branch-1.8.1?(daniel)
Whiteboard: needs trunk landing, need 1.8.1 approval (glazman)
Checked in to trunk
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Whiteboard: needs trunk landing, need 1.8.1 approval (glazman) → needs 1.8.1 approval (glazman)
The existence of the apparently blessed "v3" patch different from the one glazman actually reviewed later is confusing us. Waiting for an explicit approval for 1.8.1 from glazman on which one we want for the 1.8 and 1.8.0 branches
Attachment #225402 - Attachment is obsolete: true
Comment on attachment 224888 [details] [diff] [review] just make sure that event listeners are removed on time yeah, go on.
Attachment #224888 - Flags: approval-branch-1.8.1?(daniel) → approval-branch-1.8.1+
Keywords: fixed1.8.1
Whiteboard: needs 1.8.1 approval (glazman)
Comment on attachment 224888 [details] [diff] [review] just make sure that event listeners are removed on time approved for 1.8.0 branch, a=dveditz for drivers
Attachment #224888 - Flags: approval1.8.0.5? → approval1.8.0.5+
Flags: blocking1.8.1?
Keywords: fixed1.8.0.5
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.5) Gecko/20060626 Firefox/1.5.0.5, no crash with testcase. BUT the iframe disappears on click... is that acceptable behavior? From the bug summary, it looks like that was half of this bug? Crash is gone, but iframe still goes away. :-(
Keywords: fixed1.8.0.5verified1.8.0.5
No, the iframe should go away with the testcase, so that's not a bug.
Whiteboard: [sg:critical] dead pointer, sometimes null
This patch makes the crash go away. On the first click, it shows the same behaviour as described in bug: frame + resizer go away. However, when reloading, the resizer is never drawn again. Instead there is some activity under the hood (looks like HideResizer and ShowResizer are called in an infinite loop). I see the following assertions on console: ###!!! ASSERTION: Please remove this from the document properly: '!mDocument', file nsGenericElement.cpp, line 839 Break: at file nsGenericElement.cpp, line 839 Any ideas?
https://bugzilla.mozilla.org/attachment.cgi?id=222170 ff2b2 windows, linux no crash; macppc no resizer to click ff2b2 debug windows, linux no crash
Keywords: fixed1.8.1verified1.8.1
Group: security
Flags: in-testsuite?
Crash Signature: [@ nsQueryInterface::operator()]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: