Closed Bug 372676 Opened 17 years ago Closed 17 years ago

Crash [@nsTypedSelection::selectFrames] with testcase that triple clicks and uses designmode

Categories

(Core :: DOM: Selection, defect, P3)

x86
Windows XP
defect

Tracking

()

VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: roc)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical][dbaron-1.9:Rs])

Crash Data

Attachments

(2 files)

Attached file testcase
See testcase, you need to download the testcase to your computer, because of the use of enhanced privileges.

Talkback ID: TB29937925Q
0x65742074
nsTypedSelection::selectFrames  [mozilla/layout/generic/nsselection.cpp, line 4956]
nsTypedSelection::selectFrames  [mozilla/layout/generic/nsselection.cpp, line 5068]
nsTypedSelection::Repaint  [mozilla/layout/generic/nsselection.cpp, line 5216]
nsEventListenerManager::HandleEvent  [mozilla/content/events/src/nseventlistenermanager.cpp, line 1342]
nsEventTargetChainItem::HandleEvent  [mozilla/content/events/src/nseventdispatcher.cpp, line 206]
nsEventTargetChainItem::HandleEventTargetChain  [mozilla/content/events/src/nseventdispatcher.cpp, line 264]
nsEventDispatcher::Dispatch  [mozilla/content/events/src/nseventdispatcher.cpp, line 472]
nsEventStateManager::PreHandleEvent  [mozilla/content/events/src/nseventstatemanager.cpp, line 845]
0x0012eb50
0x8b550093

Mats, I guess this would be fixed by your fix from bug 368760?
FWIW, I don't see this crash on Linux trunk or Win32 branch.
I'm still crashing with current trunk build, talkback ID: TB30501163X
The testcase won't work on branch, since it uses code that was checked in on trunk only.
Hmm. The stack in this bug seems to indicate a potentially exploitable crash, while the stack in the talkback you just submitted looks like a null pointer crash, which wouldn't be exploitable.
Attached file testcase
Another testcase, that crashes with this stacktrace, to reproduce:
- Click on the select drop down
- Click on the iframe
This testcase also crashes on branch.
Smaug, can you fix this, or do you know who might be able to?
Whiteboard: [sg:critical]
Can't reproduce on debug nor on non-debug build (Linux).
Mats will fix something similar in bug 368760.
Depends on: 368760
Martijn, do you get the same stack with both testcases?
What is that latest stack trace?
With the second testcase, I get this stacktrace.
Talkback ID: TB31902931E
nsTypedSelection::selectFrames  [mozilla/layout/generic/nsselection.cpp, line 4954]
nsTypedSelection::selectFrames  [mozilla/layout/generic/nsselection.cpp, line 5068]
nsTypedSelection::AddRange  [mozilla/layout/generic/nsselection.cpp, line 5723]
nsEventStateManager::MoveCaretToFocus  [mozilla/content/events/src/nseventstatemanager.cpp, line 5023]
nsGenericHTMLElement::SetElementFocus  [mozilla/content/html/content/src/nsgenerichtmlelement.cpp, line 3103]
nsHTMLInputElement::Focus  [mozilla/content/html/content/src/nshtmlinputelement.cpp, line 1148]
XPCWrappedNative::CallMethod  [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2245]
roc, can you take a look at this?
Assignee: selection → roc
QA Contact: selection
I think Mats has a patch in bug 368760 that might fix this.
Flags: blocking1.9+
Poke.  

Roc, had a chance to look at this?
Lets get 368760 fixed and see if that fixes this one.
Whiteboard: [sg:critical] → [sg:critical] [depends on 386760]
Whiteboard: [sg:critical] [depends on 386760] → [sg:critical] [depends on 386760][dbaron-1.9:Rs]
Yep this is fixed now that 368760 is fixed. Yay!
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical] [depends on 386760][dbaron-1.9:Rs] → [sg:critical][dbaron-1.9:Rs]
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b2pre) Gecko/2007112805 Minefield/3.0b2pre

Both testcases don't seem to crash anymore.
Status: RESOLVED → VERIFIED
Group: core-security
Flags: wanted1.8.1.x-
Crash Signature: [@nsTypedSelection::selectFrames]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: