Closed Bug 363960 Opened 18 years ago Closed 18 years ago

Crash when clicking on the image inside a designMode-enabled IFRAME [@ nsHTMLEditor::SetShadowPosition]

Categories: Core :: DOM: Editor, defect
Platform: x86, All
Type: defect
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
Reporter: bugzilla.mozilla.org
Assigned: martijn.martijn
Details: 5 keywords
Attachments: 2 files

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)

I initialized the IFRAME contentDocument by replaceNode() the contentDocument.documentElement.

At first: when there is an image in the content, clicking it crashes Firefox (tested with FF2.0 on Windows/Gentoo/Ubuntu).

When the content is bigger than the IFRAME, the scrollbars do not work. (I'm not sure if it is related or not.)

Reproducible: Always

Steps to Reproduce:
1. Visit the page: http://crash.webdevelopers.cz/index.xul
2. Click twice on the image in the IFRAME


Actual Results:  
Crash, sometimes with a slight delay, but it crashes 100% of the time.

Expected Results:  
Don't crash.
Yeah, I see it crash in latest branch, also in trunk, but the problem is that your test case is not displayed anymore after the fix of Bug 300030.
Branch talkback: TB27369243M
Incident ID: 27369243
Stack Signature	nsHTMLEditor::SetShadowPosition 3460106f
Product ID	Firefox2
Build ID	2006121303
Trigger Time	2006-12-15 10:01:28.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (003e2913)
URL visited	
User Comments	
Since Last Crash	3258 sec
Total Uptime	3258 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/editor/libeditor/html/nsHTMLObjectResizer.cpp, line 809
Stack Trace 	
nsHTMLEditor::SetShadowPosition  [mozilla/editor/libeditor/html/nsHTMLObjectResizer.cpp, line 809]
nsHTMLEditor::RefreshResizers  [mozilla/editor/libeditor/html/nsHTMLObjectResizer.cpp, line 329]
nsHTMLEditor::`vftable'
nsHTMLEditor::AddRef  [mozilla/editor/libeditor/html/nsHTMLEditor.cpp, line 250]
0x558b0c4d
Summary: Crash when clicking on the image inside a designMode-enabled IFRAME → Crash when clicking on the image inside a designMode-enabled IFRAME [@ nsHTMLEditor::SetShadowPosition]
Regression range 1.8b2_2005040506 - 1.8b2_2005040606:

http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2005-04-05+05%3A00&maxdate=2005-04-06+07%3A00
Blocks: 283897
Status: UNCONFIRMED → NEW
Component: General → Editor
Ever confirmed: true
Product: Firefox → Core
QA Contact: general
Version: unspecified → Trunk
Attached patch: patch
Well, this fixes the crash, but there is something more fundamental wrong.
The Backspace key and cut/copy commands, for example, are not working in the designMode iframe.
(In reply to comment #1)
> Yeah, I see it crash in latest branch, also in trunk, but the problem is that
> your test case is not displayed anymore after the fix of Bug 300030.

I filed bug 364014 for it.
Flags: blocking1.8.1.2?
Attachment #248795 - Flags: review?(jst)
Comment on attachment 248795 (patch)

r+sr=jst, but I think this should simply return NS_OK, not an error code.
Attachment #248795 - Flags: superreview+
Attachment #248795 - Flags: review?(jst)
Attachment #248795 - Flags: review+
Well, if it would return NS_OK, the crash would still occur.
(In reply to comment #7)
> Well, if it would return NS_OK, the crash would still occur.

Ok, fair enough.
Assignee: nobody → martijn.martijn
Flags: blocking1.8.1.2? → blocking1.8.1.2+
There is a bug (already filed) on trunk that makes the URL testcase not show the iframe; this testcase shows up on trunk.
Checking in nsHTMLObjectResizer.cpp;
/cvsroot/mozilla/editor/libeditor/html/nsHTMLObjectResizer.cpp,v  <--  nsHTMLObjectResizer.cpp
new revision: 1.25; previous revision: 1.24
done

Fixed on trunk.
Probably a new bug should be filed on the fact that certain things aren't working correctly for the testcase, that normally work in designMode iframes.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Martijn: Is this something we need to fix on both branches? I know we want this for 1.8, but have you seen this on the 1.8.0 branch? Please ask for patch approval on the branches we need this on. Thanks!
Happens in 1.5.0.x too, should we take the fix there?
Flags: blocking1.8.0.10?
Comment on attachment 248795 (patch)

Sorry, asking approval for the patch now.
Attachment #248795 - Flags: approval1.8.1.2?
Attachment #248795 - Flags: approval1.8.0.10?
Comment on attachment 248795 (patch)

Approved for both branches, a=jay for drivers.
Attachment #248795 - Flags: approval1.8.1.2?
Attachment #248795 - Flags: approval1.8.1.2+
Attachment #248795 - Flags: approval1.8.0.10?
Attachment #248795 - Flags: approval1.8.0.10+
Checking in nsHTMLObjectResizer.cpp;
/cvsroot/mozilla/editor/libeditor/html/nsHTMLObjectResizer.cpp,v  <--  nsHTMLObjectResizer.cpp
new revision: 1.22.16.2; previous revision: 1.22.16.1
done

Checked in on the 1.8.0.10 branch.

Checking in nsHTMLObjectResizer.cpp;
/cvsroot/mozilla/editor/libeditor/html/nsHTMLObjectResizer.cpp,v  <--  nsHTMLObjectResizer.cpp
new revision: 1.22.8.2; previous revision: 1.22.8.1
done

Checked in on the 1.8.1 branch.
I filed bug 367125 for the issue that all kinds of editor stuff is not working with the testcase.
Flags: blocking1.8.0.10?
Verified fixed for 1.8.1.2 and 1.8.0.10. Tested with Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.2pre) Gecko/20070125 BonEcho/2.0.0.2pre ID:2007012503 and Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.10pre) Gecko/20070124 Firefox/1.5.0.10pre ID:2007012405

On XP x64 SP1 and Linux Fedora FC 6
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsHTMLEditor::SetShadowPosition]