Closed Bug 359203 Opened 14 years ago Closed 14 years ago

Crash [@ nsHTMLFramesetFrame::MouseDrag]

Categories

(Core :: Layout: Images, Video, and HTML Frames, defect)

Hardware: x86, OS: All
Type: defect, Priority: Not set, Severity: critical

RESOLVED FIXED

People

(Reporter: smaug, Assigned: smaug)

Details

(Keywords: verified1.8.0.9, verified1.8.1.1, Whiteboard: [sg:critical?] freed memory use?)

Attachments

(3 files)

Happens in 1.8 and 1.9.
Testcase and patch coming.

#0  0x00ea5410 in __kernel_vsyscall ()
#1  0x00f58966 in __nanosleep_nocancel () from /lib/libc.so.6
#2  0x00f5878b in sleep () from /lib/libc.so.6
#3  0x00215472 in ah_crap_handler (signum=11) at nsSigHandlers.cpp:134
#4  0x0022bdc2 in nsProfileLock::FatalSignalHandler (signo=11)
    at nsProfileLock.cpp:210
#5  <signal handler called>
#6  0x0188857f in nsHTMLFramesetFrame::MouseDrag (this=0xa0b1958,
    aPresContext=0xa08e658, aEvent=0xbfbe6e8c)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/generic/nsFrameSetFrame.cpp:1547
#7  0x0188866c in nsHTMLFramesetFrame::HandleEvent (this=0xa0b1958,
    aPresContext=0xa08e658, aEvent=0xbfbe6e8c, aEventStatus=0xbfbe6b98)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/generic/nsFrameSetFrame.cpp:793
#8  0x01837ac2 in nsPresShellEventCB::HandleEvent (this=0xbfbe6bf4,
    aVisitor=@0xbfbe6b8c)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/base/nsPresShell.cpp:1500
#9  0x01b53039 in nsEventTargetChainItem::HandleEventTargetChain (
    this=0xa013ab0, aVisitor=@0xbfbe6b8c, aFlags=6, aCallback=0xbfbe6bf4)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/content/events/src/nsEventDispatcher.cpp:476
Attached file testcase
Attached patch proposed patch.
Attachment #244444 - Flags: superreview?(bzbarsky)
Attachment #244444 - Flags: review?(bzbarsky)
Flags: blocking1.9?
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Attachment #244444 - Flags: superreview?(bzbarsky)
Attachment #244444 - Flags: superreview+
Attachment #244444 - Flags: review?(bzbarsky)
Attachment #244444 - Flags: review+
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Attachment #244444 - Flags: approval1.8.1.1?
Attachment #244444 - Flags: approval1.8.0.9?
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
Whiteboard: [sg:critical?] freed memory use?
Fixed on trunk, clearing blocking1.9?
Flags: blocking1.9?
Comment on attachment 244444
proposed patch.

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #244444 - Flags: approval1.8.1.1?
Attachment #244444 - Flags: approval1.8.1.1+
Attachment #244444 - Flags: approval1.8.0.9?
Attachment #244444 - Flags: approval1.8.0.9+
Keywords: fixed1.8.0.9
fixed1.8.0.9, fixed1.8.1.1
Keywords: fixed1.8.1.1
v.fixed on 1.8.0 and 1.8.1 branches with 
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.9pre) Gecko/20061201 Firefox/1.5.0.9pre
and 
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.1pre) Gecko/20061201 BonEcho/2.0.0.1pre

No crash with testcase, but has a question.

Smaug: Attempting to drag the frame border doesn't crash, but it also does not move at all. I lose the "drag" mouse cursor after clicking on the border. Is that expected behavior? If so, we're good. If not, I need to revoke my v.fixed. Let me know. Thanks!
Sounds like some sort of repainting issue.
But the crash itself is related to dragging the border and once the dragging starts, the border is actually deleted.
But if there isn't a crash, this particular bug should be fixed, IMO.
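
The lifetime problem described in the comment above (the border is deleted once dragging has started, while the frameset's drag handler still uses it), modeled as an added example that is not the patch attached to this bug and not Gecko code. `Border`, `Frameset`, `StartDrag`, `dragger`, `dragging` and the use of `std::weak_ptr` as the liveness check are assumptions made for illustration.

```cpp
#include <cstdio>
#include <memory>

// Hypothetical stand-ins for a frameset and its draggable border;
// these are not Gecko's classes, and std::weak_ptr is this example's
// choice of liveness check, not the project's fix.
struct Border { int pos = 0; };

struct Frameset {
    // Unsafe form: `Border* dragger;` keeps pointing at freed memory
    // if the border is deleted after the drag has started.
    std::weak_ptr<Border> dragger;
    bool dragging = false;

    void StartDrag(const std::shared_ptr<Border>& b) {
        dragger = b;
        dragging = true;
    }

    // Returns true if the move was applied, false if it was dropped.
    bool MouseDrag(int newPos) {
        if (!dragging) return false;
        std::shared_ptr<Border> b = dragger.lock();  // empty once the border is gone
        if (!b) {                 // border deleted mid-drag: end the drag cleanly
            dragging = false;
            return false;
        }
        b->pos = newPos;
        return true;
    }
};

// Constructed scenario: the border is deleted between drag start and
// the next mouse-move event. Each passed check sets one bit.
int DragAcrossDeletion() {
    Frameset fs;
    auto border = std::make_shared<Border>();
    fs.StartDrag(border);
    int result = 0;
    if (fs.MouseDrag(10) && border->pos == 10) result |= 1;  // live border moves
    border.reset();                                          // border destroyed
    if (!fs.MouseDrag(20)) result |= 2;                      // stale drag ignored
    if (!fs.dragging) result |= 4;                           // drag state cleared
    return result;
}

int main() { std::printf("%d\n", DragAcrossDeletion()); return 0; }
```
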


Attached file testcase 1.7 branch
adapted testcase for 1.7 branch ... press any key before you drag to crash
Group: security
Product: Core → Core Graveyard
Component: Layout: HTML Frames → Layout: Images
Product: Core Graveyard → Core