359203 - Crash [@ nsHTMLFramesetFrame::MouseDrag]

Status: RESOLVED FIXED

(Core :: Layout: Images, Video, and HTML Frames, defect)

Description

[Olli Pettay [:smaug][bugs@pettay.fi]]

Happens in 1.8 and 1.9.
Testcase and patch coming.

#0  0x00ea5410 in __kernel_vsyscall ()
#1  0x00f58966 in __nanosleep_nocancel () from /lib/libc.so.6
#2  0x00f5878b in sleep () from /lib/libc.so.6
#3  0x00215472 in ah_crap_handler (signum=11) at nsSigHandlers.cpp:134
#4  0x0022bdc2 in nsProfileLock::FatalSignalHandler (signo=11)
    at nsProfileLock.cpp:210
#5  <signal handler called>
#6  0x0188857f in nsHTMLFramesetFrame::MouseDrag (this=0xa0b1958,
    aPresContext=0xa08e658, aEvent=0xbfbe6e8c)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/generic/nsFrameSetFrame.cpp:1547
#7  0x0188866c in nsHTMLFramesetFrame::HandleEvent (this=0xa0b1958,
    aPresContext=0xa08e658, aEvent=0xbfbe6e8c, aEventStatus=0xbfbe6b98)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/generic/nsFrameSetFrame.cpp:793
#8  0x01837ac2 in nsPresShellEventCB::HandleEvent (this=0xbfbe6bf4,
    aVisitor=@0xbfbe6b8c)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/base/nsPresShell.cpp:1500
#9  0x01b53039 in nsEventTargetChainItem::HandleEventTargetChain (
    this=0xa013ab0, aVisitor=@0xbfbe6b8c, aFlags=6, aCallback=0xbfbe6bf4)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/content/events/src/nsEventDispatcher.cpp:476

Comment 1

[Olli Pettay [:smaug][bugs@pettay.fi]]

Attachment: testcase

Comment 2

[Olli Pettay [:smaug][bugs@pettay.fi]]

Attachment: proposed patch.

Comment 3

[Olli Pettay [:smaug][bugs@pettay.fi]]

Fixed on trunk, clearing blocking1.9?

Comment 4

[Daniel Veditz [:dveditz]]

Comment on attachment 244444 [details] [diff] [review]
proposed patch.

approved for 1.8/1.8.0 branches, a=dveditz for drivers

Comment 5

[Olli Pettay [:smaug][bugs@pettay.fi]]

fixed1.8.0.9, fixed1.8.1.1

Comment 6

[Jay Patel [:jay]]

v.fixed on 1.8.0 and 1.8.1 branches with 
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.9pre) Gecko/20061201 Firefox/1.5.0.9pre
and 
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.1pre) Gecko/20061201 BonEcho/2.0.0.1pre

No crash with testcase, but has a question.

Smaug:  Attempting to drag the frame border doesn't crash, but it also does not move at all.  I lose the "drag" mouse cursor after clicking on the border.  Is that expected behavior?  If so, we're good.  It not, I need to revoke my v.fixed.  Let me know.  Thanks!

Comment 7

[Olli Pettay [:smaug][bugs@pettay.fi]]

Sounds like a some sort of repainting issue.
But the crash itself is related to dragging the border and once the dragging starts, the border is actually deleted.
But if there isn't a crash, this particular bug should be fixed, IMO.

Comment 8

[Alexander Sack]

Attachment: testcase 1.7 branch

adapted testcase for 1.7 branch ... press any key before you drag to crash