
Crash [@ nsHTMLFramesetFrame::MouseDrag]

RESOLVED FIXED

Status


Core
Layout: HTML Frames
--
critical
RESOLVED FIXED
11 years ago
10 years ago

People

(Reporter: smaug, Assigned: smaug)

Tracking

({verified1.8.0.9, verified1.8.1.1})

Trunk
x86
All
verified1.8.0.9, verified1.8.1.1
Points:
---
Bug Flags:
blocking1.8.1.1 +
blocking1.8.0.9 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] freed memory use?)

Attachments

(3 attachments)

Happens in 1.8 and 1.9.
Testcase and patch coming.

#0  0x00ea5410 in __kernel_vsyscall ()
#1  0x00f58966 in __nanosleep_nocancel () from /lib/libc.so.6
#2  0x00f5878b in sleep () from /lib/libc.so.6
#3  0x00215472 in ah_crap_handler (signum=11) at nsSigHandlers.cpp:134
#4  0x0022bdc2 in nsProfileLock::FatalSignalHandler (signo=11)
    at nsProfileLock.cpp:210
#5  <signal handler called>
#6  0x0188857f in nsHTMLFramesetFrame::MouseDrag (this=0xa0b1958,
    aPresContext=0xa08e658, aEvent=0xbfbe6e8c)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/generic/nsFrameSetFrame.cpp:1547
#7  0x0188866c in nsHTMLFramesetFrame::HandleEvent (this=0xa0b1958,
    aPresContext=0xa08e658, aEvent=0xbfbe6e8c, aEventStatus=0xbfbe6b98)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/generic/nsFrameSetFrame.cpp:793
#8  0x01837ac2 in nsPresShellEventCB::HandleEvent (this=0xbfbe6bf4,
    aVisitor=@0xbfbe6b8c)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/base/nsPresShell.cpp:1500
#9  0x01b53039 in nsEventTargetChainItem::HandleEventTargetChain (
    this=0xa013ab0, aVisitor=@0xbfbe6b8c, aFlags=6, aCallback=0xbfbe6bf4)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/content/events/src/nsEventDispatcher.cpp:476
Created attachment 244443 [details]
testcase
Created attachment 244444 [details] [diff] [review]
proposed patch.
Attachment #244444 - Flags: superreview?(bzbarsky)
Attachment #244444 - Flags: review?(bzbarsky)
Flags: blocking1.9?
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Attachment #244444 - Flags: superreview?(bzbarsky)
Attachment #244444 - Flags: superreview+
Attachment #244444 - Flags: review?(bzbarsky)
Attachment #244444 - Flags: review+
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Attachment #244444 - Flags: approval1.8.1.1?
Attachment #244444 - Flags: approval1.8.0.9?
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
Whiteboard: [sg:critical?] freed memory use?
Fixed on trunk, clearing blocking1.9?
Flags: blocking1.9?
Comment on attachment 244444 [details] [diff] [review]
proposed patch.

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #244444 - Flags: approval1.8.1.1?
Attachment #244444 - Flags: approval1.8.1.1+
Attachment #244444 - Flags: approval1.8.0.9?
Attachment #244444 - Flags: approval1.8.0.9+
Keywords: fixed1.8.0.9
fixed1.8.0.9, fixed1.8.1.1
Keywords: fixed1.8.1.1

Comment 6

11 years ago
v.fixed on 1.8.0 and 1.8.1 branches with 
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.9pre) Gecko/20061201 Firefox/1.5.0.9pre
and 
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.1pre) Gecko/20061201 BonEcho/2.0.0.1pre

No crash with testcase, but I have a question.

Smaug:  Attempting to drag the frame border doesn't crash, but it also does not move at all.  I lose the "drag" mouse cursor after clicking on the border.  Is that expected behavior?  If so, we're good.  If not, I need to revoke my v.fixed.  Let me know.  Thanks!
Keywords: fixed1.8.0.9, fixed1.8.1.1 → verified1.8.0.9, verified1.8.1.1
Sounds like some sort of repainting issue.
But the crash itself is related to dragging the border and once the dragging starts, the border is actually deleted.
But if there isn't a crash, this particular bug should be fixed, IMO.


Comment 8

10 years ago
Created attachment 249264 [details]
testcase 1.7 branch

adapted testcase for 1.7 branch ... press any key before you drag to crash
Group: security