Closed
Bug 372676
Opened 17 years ago
Closed 17 years ago
Crash [@nsTypedSelection::selectFrames] with testcase that triple clicks and uses designmode
Categories
(Core :: DOM: Selection, defect, P3)
Tracking
()
VERIFIED
FIXED
People
(Reporter: martijn.martijn, Assigned: roc)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical][dbaron-1.9:Rs])
Crash Data
Attachments
(2 files)
See testcase, you need to download the testcase to your computer, because of the use of enhanced privileges. Talkback ID: TB29937925Q 0x65742074 nsTypedSelection::selectFrames [mozilla/layout/generic/nsselection.cpp, line 4956] nsTypedSelection::selectFrames [mozilla/layout/generic/nsselection.cpp, line 5068] nsTypedSelection::Repaint [mozilla/layout/generic/nsselection.cpp, line 5216] nsEventListenerManager::HandleEvent [mozilla/content/events/src/nseventlistenermanager.cpp, line 1342] nsEventTargetChainItem::HandleEvent [mozilla/content/events/src/nseventdispatcher.cpp, line 206] nsEventTargetChainItem::HandleEventTargetChain [mozilla/content/events/src/nseventdispatcher.cpp, line 264] nsEventDispatcher::Dispatch [mozilla/content/events/src/nseventdispatcher.cpp, line 472] nsEventStateManager::PreHandleEvent [mozilla/content/events/src/nseventstatemanager.cpp, line 845] 0x0012eb50 0x8b550093 Mats, I guess this would be fixed by your fix from bug 368760?
Comment 1•17 years ago
|
||
FWIW, I don't see this crash on Linux trunk or Win32 branch.
Reporter | ||
Comment 2•17 years ago
|
||
I'm still crashing with current trunk build, talkback ID: TB30501163X The testcase won't work on branch, since it uses code that was checked in on trunk only.
Comment 3•17 years ago
|
||
Hmm. The stack in this bug seems to indicate a potentially exploitable crash, while the stack in the talkback you just submitted looks like a null pointer crash, which wouldn't be exploitable.
Reporter | ||
Comment 4•17 years ago
|
||
Another testcase, that crashes with this stacktrace, to reproduce: - Click on the select drop down - Click on the iframe This testcase also crashes on branch.
Comment 5•17 years ago
|
||
Smaug, can you fix this, or do you know who might be able to?
Whiteboard: [sg:critical]
Comment 6•17 years ago
|
||
Can't reproduce on debug nor on non-debug build (Linux). Mats will fix something similar in bug 368760.
Comment 7•17 years ago
|
||
Martijn, do you get the same stack with both testcases? What is that latest stack trace?
Reporter | ||
Comment 8•17 years ago
|
||
With the second testcase, I get this stacktrace. Talkback ID: TB31902931E nsTypedSelection::selectFrames [mozilla/layout/generic/nsselection.cpp, line 4954] nsTypedSelection::selectFrames [mozilla/layout/generic/nsselection.cpp, line 5068] nsTypedSelection::AddRange [mozilla/layout/generic/nsselection.cpp, line 5723] nsEventStateManager::MoveCaretToFocus [mozilla/content/events/src/nseventstatemanager.cpp, line 5023] nsGenericHTMLElement::SetElementFocus [mozilla/content/html/content/src/nsgenerichtmlelement.cpp, line 3103] nsHTMLInputElement::Focus [mozilla/content/html/content/src/nshtmlinputelement.cpp, line 1148] XPCWrappedNative::CallMethod [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2245]
Comment 9•17 years ago
|
||
roc, can you take a look at this?
Assignee: selection → roc
QA Contact: selection
Reporter | ||
Comment 10•17 years ago
|
||
I think Mats has a patch in bug 368760 that might fix this.
Updated•17 years ago
|
Flags: blocking1.9+
Comment 11•17 years ago
|
||
Poke. Roc, had a chance to look at this?
Assignee | ||
Comment 12•17 years ago
|
||
Lets get 368760 fixed and see if that fixes this one.
Assignee | ||
Updated•17 years ago
|
Whiteboard: [sg:critical] → [sg:critical] [depends on 386760]
Whiteboard: [sg:critical] [depends on 386760] → [sg:critical] [depends on 386760][dbaron-1.9:Rs]
Assignee | ||
Updated•17 years ago
|
Priority: -- → P3
Assignee | ||
Comment 13•17 years ago
|
||
Yep this is fixed now that 368760 is fixed. Yay!
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical] [depends on 386760][dbaron-1.9:Rs] → [sg:critical][dbaron-1.9:Rs]
Reporter | ||
Comment 14•17 years ago
|
||
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b2pre) Gecko/2007112805 Minefield/3.0b2pre Both testcases don't seem to crash anymore.
Status: RESOLVED → VERIFIED
Updated•15 years ago
|
Group: core-security
Flags: wanted1.8.1.x-
Updated•13 years ago
|
Crash Signature: [@nsTypedSelection::selectFrames]
You need to log in
before you can comment on or make changes to this bug.
Description
•