Last Comment Bug 405783 - Midas crashes [@ GetNearestCapturingView] when iframe style is changed during editing
: Midas crashes [@ GetNearestCapturingView] when iframe style is changed during...
[sg:critical?] 1.8 branch
: crash, testcase, verified1.8.1.13
Product: Core
Classification: Components
Component: Event Handling (show other bugs)
: 1.8 Branch
: All All
-- critical (vote)
: ---
Assigned To: Olli Pettay [:smaug] (pto-ish for couple of days)
: Andrew Overholt [:overholt]
Depends on:
  Show dependency treegraph
Reported: 2007-11-28 06:11 PST by tgirmann
Modified: 2011-06-13 10:01 PDT (History)
10 users (show)
dveditz: blocking1.8.1.13+
dveditz: wanted1.8.1.x+
jwalden+bmo: in‑testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Test case (666 bytes, text/html)
2007-11-28 06:11 PST, tgirmann
no flags Details
possible patch (3.70 KB, patch)
2008-02-29 06:27 PST, Olli Pettay [:smaug] (pto-ish for couple of days)
roc: review+
roc: superreview+
dveditz: approval1.8.1.13+
Details | Diff | Splinter Review

Description User image tgirmann 2007-11-28 06:11:23 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv: Gecko/20071115 Firefox/
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv: Gecko/20071115 Firefox/

An iframe's document has an event handler attached that changes the iframe's position style to "relative" when the user tries to select some text with the mouse. When Midas (designMode="on") is enabled on that iframe the browser crashes.

Reproducible: Always

Steps to Reproduce:
Select some text.
Actual Results:  
Firefox crashes.

Expected Results:  
Firefox shouldn't crash.

On bug 373344 I was told the following after posting the test case (because I thought it belongs there due to its similarity):

"Doesn't seem to crash on trunk and on branch the stack trace looks quite
different to this bug.
But the trace does look familiar. Could you perhaps file a new (security
sensitive) bug and attach the testcase there."
Comment 1 User image tgirmann 2007-11-28 06:11:59 PST
Created attachment 290525 [details]
Test case
Comment 2 User image Martijn Wargers [:mwargers] 2007-11-28 13:40:08 PST
I get this stacktrace in a debug build:
#0  0x05a73b37 in GetNearestCapturingView (aFrame=0x1037295c)
    at c:/mozilla181/mozilla/layout/generic/nsFrame.cpp:1713
#1  0x05a73e9d in nsFrame::HandleDrag (this=0x1037295c,
    aPresContext=0x1010ed70, aEvent=0x22f504, aEventStatus=0x22f24c)
    at c:/mozilla181/mozilla/layout/generic/nsFrame.cpp:1769
#2  0x05a71d0b in nsFrame::HandleEvent (this=0x1037295c,
    aPresContext=0x1010ed70, aEvent=0x22f504, aEventStatus=0x22f24c)
    at c:/mozilla181/mozilla/layout/generic/nsFrame.cpp:985
#3  0x05a42596 in PresShell::HandleEventInternal (this=0x4da2a48,
    aEvent=0x22f504, aView=0x101773c0, aFlags=1, aStatus=0x22f24c)
    at c:/mozilla181/mozilla/layout/base/nsPresShell.cpp:6472
#4  0x05a41d3c in PresShell::HandleEvent (this=0x4da2a48, aView=0x101773c0,
    aEvent=0x22f504, aEventStatus=0x22f24c, aForceHandle=1,
    at c:/mozilla181/mozilla/layout/base/nsPresShell.cpp:6267
#5  0x05d96ec8 in nsViewManager::HandleEvent (this=0x1fe9048,
    aView=0x101773c0, aEvent=0x22f504, aCaptured=1)
    at c:/mozilla181/mozilla/view/src/nsViewManager.cpp:2564
#6  0x05d9630c in nsViewManager::DispatchEvent (this=0x1fe9048,
    aEvent=0x22f504, aStatus=0x22f358)
    at c:/mozilla181/mozilla/view/src/nsViewManager.cpp:2253
#7  0x05d8babf in HandleEvent (aEvent=0x22f504)
    at c:/mozilla181/mozilla/view/src/nsView.cpp:171
#8  0x6434403b in nsWindow::DispatchEvent (this=0x101fb818, event=0x22f504,
---Type <return> to continue, or q <return> to quit---
    at c:/mozilla181/mozilla/widget/src/windows/nsWindow.cpp:1319
#9  0x643440f5 in nsWindow::DispatchWindowEvent (this=0x101fb818,
    at c:/mozilla181/mozilla/widget/src/windows/nsWindow.cpp:1339
#10 0x6434e883 in nsWindow::DispatchMouseEvent (this=0x101fb818,
    aEventType=300, wParam=1, aPoint=0x0)
    at c:/mozilla181/mozilla/widget/src/windows/nsWindow.cpp:6323
#11 0x6434ef01 in ChildWindow::DispatchMouseEvent (this=0x101fb818,
    aEventType=300, wParam=1, aPoint=0x0)
    at c:/mozilla181/mozilla/widget/src/windows/nsWindow.cpp:6572
#12 0x6434bb0c in nsWindow::ProcessMessage (this=0x101fb818, msg=512,
    wParam=1, lParam=983054, aRetValue=0x22f95c)
    at c:/mozilla181/mozilla/widget/src/windows/nsWindow.cpp:4829
#13 0x643446a1 in nsWindow::WindowProc (hWnd=0x230800, msg=512, wParam=1,
    at c:/mozilla181/mozilla/widget/src/windows/nsWindow.cpp:1507
#14 0x7e398734 in USER32!GetDC ()
#15 0x00230800 in ?? ()
Comment 4 User image Jesse Ruderman 2008-01-16 15:43:15 PST
Using a branch debug build on Mac, I get:

* ###!!! ASSERTION: Must have view manager: '!isSafeToFlush || mViewManager', file /Users/jruderman/branch/mozilla/layout/base/nsPresShell.cpp, line 5432

* ###!!! ASSERTION: index out of range: '0 <= aIndex && aIndex < Count()', file ../../dist/include/xpcom/nsVoidArray.h, line 71

* Crash [@ GetNearestCapturingView] dereferencing 0x000000fc.

Line 71 is in nsVoidArray::FastElementAt (in contrast to ElementAt/SafeElementAt) so this could easily be bad.
Comment 5 User image Daniel Veditz [:dveditz] 2008-01-17 11:15:51 PST
-> Smaug since he wrote the likely trunk-fixing patch (bug 349931). Given other blockers this isn't likely to be done in time for the release.
Comment 6 User image Daniel Veditz [:dveditz] 2008-02-22 13:33:29 PST
On a windows debug branch build I get shut down with a DEP exception (thus likely exploitable since DEP is not supported in branch release builds) with the following stack:

> 	fdfdfdfd	
	nsDocument::QueryInterface() Line 984	C++
 	nsHTMLDocument::QueryInterface() Line 313	C++
 	nsWeakReference::QueryReferent() Line 115	C++
 	nsQueryReferent::operator()() Line 52	C++
 	nsCOMPtr<nsIDOMDocument>::assign_from_helper() Line 1292	C++
 	nsCOMPtr<nsIDOMDocument>::nsCOMPtr<nsIDOMDocument>() Line 695	C++
 	nsEditor::GetDocument() Line 612	C++
 	mozInlineSpellWordUtil::Init() Line 97	C++
 	mozInlineSpellChecker::ResumeCheck() Line 1457	C++
 	HandleSpellCheckResumePLEvent() Line 496	C++
 	PL_HandleEvent() Line 688	C
 	PL_ProcessPendingEvents() Line 623	C
Comment 7 User image Olli Pettay [:smaug] (pto-ish for couple of days) 2008-02-29 06:27:20 PST
Created attachment 306512 [details] [diff] [review]
possible patch

Can't reproduce this on linux. The patch is basically the same as for bug 349931.
Someone should test whether the patch fixes this. (It should, I think, at least if the stack trace on this bug is right.)
Comment 8 User image Daniel Veditz [:dveditz] 2008-03-04 14:33:38 PST
This patch seems to fix the problem on branch. Immediately after loading the first attempt to select something fails (The console says "GetPrimaryFrameFor() called while nsFrameManager is being destroyed!" twice), but doesn't crash and selecting works fine after that.
Comment 9 User image Olli Pettay [:smaug] (pto-ish for couple of days) 2008-03-05 14:50:35 PST
Comment on attachment 306512 [details] [diff] [review]
possible patch

>   frameselection->StopAutoScrollTimer();
>+  // If we have capturing view, it must be ensured that |this| doesn't 
>+  // get deleted during HandleDrag.
>+  nsWeakFrame weakFrame = GetNearestCapturingView(this) ? this : nsnull;

and for reviewer, frameselection is a strong ref here.
Comment 10 User image Daniel Veditz [:dveditz] 2008-03-06 11:09:19 PST
Comment on attachment 306512 [details] [diff] [review]
possible patch

approved for, a=dveditz for release-drivers
Comment 11 User image Stephen Donner [:stephend] 2008-03-16 03:24:54 PDT
I can reproduce the crash in Firefox (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2008020121 Firefox/, using the testcase in comment 1 but NOT in:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2008031114 Firefox/

Replacing fixed1.8.1.13 keyword with verified1.8.1.13
Comment 12 User image Alexander Sack 2008-03-22 15:38:57 PDT
Comment on attachment 306512 [details] [diff] [review]
possible patch

applies cleanly on 1.8.0
Comment 13 User image Daniel Veditz [:dveditz] 2008-05-29 13:52:52 PDT
-> FIXED in, branch-only bug.

Note You need to log in before you can comment on or make changes to this bug.