Closed
Bug 375093
Opened 18 years ago
Closed 18 years ago
Crash [@ nsTypedSelection::ScrollIntoView] when right-clicking paste in input which then gets destroyed oninput
Categories
(Core :: DOM: UI Events & Focus Handling, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: martijn.martijn, Assigned: smaug)
References
Details
(4 keywords)
Crash Data
Attachments
(3 files)
|
594 bytes,
text/html
|
Details | |
|
1.04 KB,
patch
|
dbaron
:
review+
dbaron
:
superreview+
dveditz
:
approval1.8.1.5+
dveditz
:
approval1.8.0.13+
|
Details | Diff | Splinter Review |
|
1.15 KB,
patch
|
Details | Diff | Splinter Review |
See testcase, when pasting something in the text input with the context menu, the surrounding iframe gets destroyed.
This crashes Mozilla, it also crashes current branch builds, so I'm marking this security sensitive for now.
Talkback ID: TB30519454E
nsTypedSelection::ScrollIntoView [mozilla/layout/generic/nsselection.cpp, line 7293]
nsFrameSelection::ScrollSelectionIntoView [mozilla/layout/generic/nsselection.cpp, line 2535]
nsEditor::ScrollSelectionIntoView [mozilla/editor/libeditor/base/nseditor.cpp, line 2492]
nsPlaintextEditor::InsertTextFromTransferable [mozilla/editor/libeditor/text/nsplaintextdatatransfer.cpp, line 142]
I also got this talkback 2 times, talkback ID: TB30519322Z
MSVCR80.dll + 0x1520a (0x7814520a)
nsVoidArray::RemoveElementsAt [mozilla/xpcom/build/nsvoidarray.cpp, line 591]
nsTextControlFrame::FireOnInput [mozilla/layout/forms/nstextcontrolframe.cpp, line 2472]
nsTextInputListener::EditAction [mozilla/layout/forms/nstextcontrolframe.cpp, line 517]
nsEditor::NotifyEditorObservers [mozilla/editor/libeditor/base/nseditor.cpp, line 1795]
nsAutoPlaceHolderBatch::~nsAutoPlaceHolderBatch [mozilla/editor/libeditor/base/nseditorutils.h, line 66]
|
Assignee | |
Updated•18 years ago
|
Assignee: events → Olli.Pettay
|
|
Assignee | |
Comment 2•18 years ago
|
||
This is what the code does elsewhere in nsSelection.cpp;
checking both return value and presshell.
Attachment #259419 -
Flags: superreview?(dbaron)
Attachment #259419 -
Flags: review?(dbaron)
Comment on attachment 259419 [details] [diff] [review]
proposed patch
r+sr=dbaron, although it would be nice to deCOMtaminate these getters at some point.
Attachment #259419 -
Flags: superreview?(dbaron)
Attachment #259419 -
Flags: superreview+
Attachment #259419 -
Flags: review?(dbaron)
Attachment #259419 -
Flags: review+
|
|
Assignee | |
Updated•18 years ago
|
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
|
Reporter | |
Comment 4•18 years ago
|
||
I'm still crashing sometimes (let's say in 20% of the times) with the testcase, talkback ID: TB30548433Z
MSVCR80.dll + 0x1520a (0x7814520a)
nsVoidArray::RemoveElementsAt [mozilla/xpcom/build/nsvoidarray.cpp, line 591]
nsTextControlFrame::FireOnInput [mozilla/layout/forms/nstextcontrolframe.cpp, line 2472]
nsTextInputListener::EditAction [mozilla/layout/forms/nstextcontrolframe.cpp, line 517]
nsEditor::NotifyEditorObservers [mozilla/editor/libeditor/base/nseditor.cpp, line 1795]
nsAutoPlaceHolderBatch::~nsAutoPlaceHolderBatch [mozilla/editor/libeditor/base/nseditorutils.h, line 66]
(this is the same as the second backtrace in comment 0)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Reporter | |
Comment 5•18 years ago
|
||
I tested with a 2007-03-24 04 build.
|
|
Assignee | |
Comment 6•18 years ago
|
||
hmm, I never got that stack trace. Is that somehow windows only :/
|
|
Assignee | |
Comment 7•18 years ago
|
||
Martijn, could you test this?
|
|
Reporter | |
Comment 8•18 years ago
|
||
(In reply to comment #7)
> Martijn, could you test this?
Sorry, I haven't been able to reproduce this crash at all in my debug build (tried 20 times or so).
|
|
Assignee | |
Comment 9•18 years ago
|
||
I tried this with non-debug-linux-build, but couldn't get it to crash.
Could there be a new bug to handle the other crash. The stack trace is
anyway quite different.
|
|
Assignee | |
Comment 10•18 years ago
|
||
I opened bug 375196. Closing this one.
Status: REOPENED → RESOLVED
Closed: 18 years ago → 18 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 11•18 years ago
|
||
Is this useful for branch? The patch seems safe.
|
|
Reporter | |
Comment 12•18 years ago
|
||
Olli, is the patch useful for branches?
|
|
Assignee | |
Updated•18 years ago
|
Attachment #259419 -
Flags: approval1.8.1.5?
Attachment #259419 -
Flags: approval1.8.0.13?
|
||
Comment 13•18 years ago
|
||
Comment on attachment 259419 [details] [diff] [review]
proposed patch
approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers
Attachment #259419 -
Flags: approval1.8.1.5?
Attachment #259419 -
Flags: approval1.8.1.5+
Attachment #259419 -
Flags: approval1.8.0.13?
Attachment #259419 -
Flags: approval1.8.0.13+
|
|
Assignee | |
Updated•18 years ago
|
Keywords: fixed1.8.0.13,
fixed1.8.1.5
|
||
Comment 14•18 years ago
|
||
verified fixed 1.8.1.5 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.5pre) Gecko/20070704 BonEcho/2.0.0.5pre ID:2007070403 and the testcase from this bug - no crash -> adding verified keyword
Keywords: fixed1.8.1.5 → verified1.8.1.5
|
|
||
Comment 15•17 years ago
|
||
verified fixed 1.8.0.13 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.13pre) Gecko/20070822 Firefox/1.5.0.13pre - no crash on testcase
Adding verified keyword
Keywords: fixed1.8.0.13 → verified1.8.0.13
|
||
Updated•14 years ago
|
Crash Signature: [@ nsTypedSelection::ScrollIntoView]
|
||
Updated•11 years ago
|
Flags: in-testsuite?
|
|
||
Updated•6 years ago
|
Component: Event Handling → User events and focus handling
You need to log in
before you can comment on or make changes to this bug.
Description
•