372676 - Crash [@nsTypedSelection::selectFrames] with testcase that triple clicks and uses designmode

Status: VERIFIED FIXED

(Core :: DOM: Selection, defect, P3)

Description

[Martijn Wargers (dead)]

Attachment: testcase

See testcase, you need to download the testcase to your computer, because of the use of enhanced privileges.

Talkback ID: TB29937925Q
0x65742074
nsTypedSelection::selectFrames  [mozilla/layout/generic/nsselection.cpp, line 4956]
nsTypedSelection::selectFrames  [mozilla/layout/generic/nsselection.cpp, line 5068]
nsTypedSelection::Repaint  [mozilla/layout/generic/nsselection.cpp, line 5216]
nsEventListenerManager::HandleEvent  [mozilla/content/events/src/nseventlistenermanager.cpp, line 1342]
nsEventTargetChainItem::HandleEvent  [mozilla/content/events/src/nseventdispatcher.cpp, line 206]
nsEventTargetChainItem::HandleEventTargetChain  [mozilla/content/events/src/nseventdispatcher.cpp, line 264]
nsEventDispatcher::Dispatch  [mozilla/content/events/src/nseventdispatcher.cpp, line 472]
nsEventStateManager::PreHandleEvent  [mozilla/content/events/src/nseventstatemanager.cpp, line 845]
0x0012eb50
0x8b550093

Mats, I guess this would be fixed by your fix from bug 368760?

Comment 1

[Johnny Stenback (:jst)]

FWIW, I don't see this crash on Linux trunk or Win32 branch.

Comment 2

[Martijn Wargers (dead)]

I'm still crashing with current trunk build, talkback ID: TB30501163X
The testcase won't work on branch, since it uses code that was checked in on trunk only.

Comment 3

[Johnny Stenback (:jst)]

Hmm. The stack in this bug seems to indicate a potentially exploitable crash, while the stack in the talkback you just submitted looks like a null pointer crash, which wouldn't be exploitable.

Comment 4

[Martijn Wargers (dead)]

Attachment: testcase

Another testcase, that crashes with this stacktrace, to reproduce:
- Click on the select drop down
- Click on the iframe
This testcase also crashes on branch.

Comment 5

[Jesse Ruderman]

Smaug, can you fix this, or do you know who might be able to?

Comment 6

[Olli Pettay [:smaug][bugs@pettay.fi]]

Can't reproduce on debug nor on non-debug build (Linux).
Mats will fix something similar in bug 368760.

Comment 7

[Olli Pettay [:smaug][bugs@pettay.fi]]

Martijn, do you get the same stack with both testcases?
What is that latest stack trace?

Comment 8

[Martijn Wargers (dead)]

With the second testcase, I get this stacktrace.
Talkback ID: TB31902931E
nsTypedSelection::selectFrames  [mozilla/layout/generic/nsselection.cpp, line 4954]
nsTypedSelection::selectFrames  [mozilla/layout/generic/nsselection.cpp, line 5068]
nsTypedSelection::AddRange  [mozilla/layout/generic/nsselection.cpp, line 5723]
nsEventStateManager::MoveCaretToFocus  [mozilla/content/events/src/nseventstatemanager.cpp, line 5023]
nsGenericHTMLElement::SetElementFocus  [mozilla/content/html/content/src/nsgenerichtmlelement.cpp, line 3103]
nsHTMLInputElement::Focus  [mozilla/content/html/content/src/nshtmlinputelement.cpp, line 1148]
XPCWrappedNative::CallMethod  [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2245]

Comment 9

[Samuel Sidler (old account; do not CC)]

roc, can you take a look at this?

Comment 10

[Martijn Wargers (dead)]

I think Mats has a patch in bug 368760 that might fix this.

Comment 11

[Damon Sicore (:damons)]

Poke.  

Roc, had a chance to look at this?

Comment 12

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Lets get 368760 fixed and see if that fixes this one.

Comment 13

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Yep this is fixed now that 368760 is fixed. Yay!

Comment 14

[Martijn Wargers (dead)]

Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b2pre) Gecko/2007112805 Minefield/3.0b2pre

Both testcases don't seem to crash anymore.