Closed
Bug 373586
Opened 18 years ago
Closed 18 years ago
Crash [@ nsTextInputSelectionImpl::ScrollSelectionIntoView] [@ nsTextControlFrame::SetValue] with XBL, textarea
Categories
(Core :: XBL, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: smaug)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:critical?] post 1.8 branch)
Crash Data
Attachments
(6 files, 1 obsolete file)
709 bytes,
application/xhtml+xml
|
Details | |
2.68 KB,
patch
|
Details | Diff | Splinter Review | |
5.28 KB,
text/plain
|
Details | |
15.43 KB,
patch
|
roc
:
review+
roc
:
superreview+
|
Details | Diff | Splinter Review |
16.03 KB,
patch
|
Details | Diff | Splinter Review | |
1.87 KB,
text/html
|
Details |
Loading this testcase makes a debug build of Firefox crash: * dereferencing 0xdddddddd from nsTextControlFrame::SetValue or * dereferencing something close to zero from nsTextInputSelectionImpl::ScrollSelectionIntoView
Flags: blocking1.9?
Reporter | ||
Updated•18 years ago
|
Whiteboard: [sg:critical?]
Comment 1•18 years ago
|
||
Any idea whether this is a regression, or just a bug?
Reporter | ||
Comment 2•18 years ago
|
||
Regressed between 2007-03-04_1651 and 2007-03-04_1750. Same regression range as bug 373122.
Blocks: 363253
Keywords: regression
Assignee | ||
Updated•18 years ago
|
OS: Mac OS X → All
Assignee | ||
Comment 3•18 years ago
|
||
hmm, keeping pointers to scrollable view in nsIFrame, nsFrameSelection objects etc. isn't that good idea.
Assignee: general → Olli.Pettay
Assignee | ||
Comment 4•18 years ago
|
||
Actually this bug can be fixed with a flush. (I'll file a new bug to clean up scrollable view usage.)
Attachment #258321 -
Flags: superreview?(roc)
Attachment #258321 -
Flags: review?(roc)
Comment 5•18 years ago
|
||
Uh... why is the flush needed? What goes wrong without it? We want to be _removing_ flushes except as needed for correctness, not adding them to fix glitches...
Assignee | ||
Comment 6•18 years ago
|
||
Without flush SetValue in nsTextContentFrame will call editor's InsertText, which may cause a flush, and then the nsTextContentFrame object gets possibly deleted...
Comment 7•18 years ago
|
||
> which may cause a flush
With what stack?
And isn't that a problem that the frame should handle? I don't think we want content to have to worry about when exactly frames perform unsafe operations... it's fragile.
Assignee | ||
Comment 8•18 years ago
|
||
Well, IMO, nsTextControlFrame shouldn't own the editor, which can do lots of unsafe operations. Will upload the stack asap...
Comment 9•18 years ago
|
||
> nsTextControlFrame shouldn't own the editor
Also possible, yes.
Assignee | ||
Comment 10•18 years ago
|
||
Assignee | ||
Comment 11•18 years ago
|
||
An uglier way to fix this is to remove nsIScrollableView members, have a kungfudeathgrip for editor and add few weakframe.IsAlive() tests to SetValue. So comparing to that the patch seems quite a bit nicer, but better ideas are of course very welcome :)
Comment 12•18 years ago
|
||
I'd prefer the weakframe and kungfudeathgrip to flushes... As for the stack, that's truly unfortunate. :( That's a problem for textcontrolframe init too, no?
Assignee | ||
Comment 13•18 years ago
|
||
Using strong refs, weakFrames and making sure that scroll view is always the right one (this includes the patch for bug 373674). That way the crash is fixed. Also to fix potential crashes related to InitEditor, instead of using nsIAnonymousContentCreator::PostCreateFrames nsIReflowCallback::ReflowFinished is used now. (We must not flush while creating frames for textcontrolframe.) ... hoping reflow callback works well enough here :)
Attachment #258344 -
Flags: review?(bzbarsky)
Comment 14•18 years ago
|
||
> instead of using nsIAnonymousContentCreator::PostCreateFrames
> nsIReflowCallback::ReflowFinished is used now.
I'm not sure you can do that, actually. Testcases that involve inserting the node and then setting its value (before reflow happens) worry me. As well as various permutations thereof.
In any case, for 1.9 I'm hoping to make editor init fully async so I wouldn't worry about it here too much... and for branches we need a heck of a lot of testing for that change.
Note that I won't be in a position to review anything until April, basically.
Assignee | ||
Comment 15•18 years ago
|
||
Before calling InitEditor nsHTMLTextArea/InputElements handles the |value|. So things should be ok, but this definitely needs testing. I don't really know what else could be used than reflow callback.
Assignee | ||
Comment 16•18 years ago
|
||
Comment on attachment 258321 [details] [diff] [review] possible patch So this wouldn't probably be enough for the potential crash in InitEditor().
Attachment #258321 -
Flags: superreview?(roc)
Attachment #258321 -
Flags: review?(roc)
Comment 17•18 years ago
|
||
Like I said, I'm happy to handle InitEditor in a separate bug.
Assignee | ||
Comment 18•18 years ago
|
||
Roc, maybe you have time to look at this. (InitEditor is still a hypothetical place for a crash anyway.)
Attachment #258344 -
Attachment is obsolete: true
Attachment #258360 -
Flags: review?(roc)
Attachment #258344 -
Flags: review?(bzbarsky)
Assignee | ||
Updated•18 years ago
|
Status: NEW → ASSIGNED
Comment on attachment 258360 [details] [diff] [review] no handling for InitEditor + nsCOMPtr<nsIPlaintextEditor> htmlEditor = do_QueryInterface(editor); Could you fix this misnamed variable while you're at it?
Attachment #258360 -
Flags: superreview+
Attachment #258360 -
Flags: review?(roc)
Attachment #258360 -
Flags: review+
Assignee | ||
Updated•18 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 20•18 years ago
|
||
This caused one chrome test to fail.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 21•18 years ago
|
||
I checked in this patch with the simple fix.
Assignee | ||
Updated•18 years ago
|
Status: REOPENED → RESOLVED
Closed: 18 years ago → 18 years ago
Resolution: --- → FIXED
Comment 22•18 years ago
|
||
Since this is fixed and doesn't affect shipping releases we should be able to unhide this bug now, right?
Whiteboard: [sg:critical?] → [sg:critical?] post 1.8 branch
Updated•18 years ago
|
Flags: blocking1.9?
Reporter | ||
Updated•18 years ago
|
Group: security
Updated•18 years ago
|
Flags: wanted1.8.1.x-
Comment 23•18 years ago
|
||
This crashes current branch builds when clicking on the button. You need to run the testcase from chrome. I get a [@ nsTextControlFrame::SetValue] (talkback ID: TB32917810X). It doesn't crash on trunk, I think it's because of this patch. I think this is currently nr. 29 of the hit list of crashes on branch: http://talkback-public.mozilla.org/reports/firefox/FF2004/FF2004-topcrashers.html
Comment 24•18 years ago
|
||
Martijn please file a separate bug on comment 23, marked dependent on this bug.
Updated•18 years ago
|
Attachment #267577 -
Attachment is private: true
Comment 25•18 years ago
|
||
Filed as bug 386254, sorry for the delay.
Comment 27•16 years ago
|
||
$ hg log layout/forms/crashtests/373586-1.xhtml changeset: 9399:825d223e8ce4 user: jruderman@hmc.edu date: Mon Dec 17 23:19:21 2007 -0800 summary: Add crashtest
Comment 28•16 years ago
|
||
martijn, is it necessary to keep testcase 2 private?
Comment 29•16 years ago
|
||
Comment on attachment 267577 [details]
testcase2
No, not necessary anymore.
Attachment #267577 -
Attachment is private: false
Comment 30•16 years ago
|
||
Do we want to land it as a crashtest too, then? Similarly, what about comment 23, comment 24, comment 25? Please unmark any relevant privacy flags, including the one on this comment if those are OK to open.
Comment 31•16 years ago
|
||
bz: I'm planning on landing it after I land a number of others I've been working on, but since it requires UniversalXPConnect, I'll set it to skip in the manifest. That is also what I'm planning on doing with several other tests which require elevated privileges. Does that sound ok?
Comment 32•16 years ago
|
||
Yes, if your manifest includes a comment pointing to the bug that would enable reenabling the test. Alternately, we could land these as mochitests....
Updated•13 years ago
|
Crash Signature: [@ nsTextInputSelectionImpl::ScrollSelectionIntoView]
[@ nsTextControlFrame::SetValue]
You need to log in
before you can comment on or make changes to this bug.
Description
•