Closed Bug 411896 Opened 17 years ago Closed 15 years ago

designMode + key events + print preview = virtual method or SEGV [@ nsIView::HasWidget]

Categories: Core :: DOM: Editor, defect
Version: 1.8 Branch
Platform: x86 Linux
Priority: Not set
Severity: normal
Status: RESOLVED WONTFIX
Reporter: guninski, Unassigned
Keywords: crash, testcase
Whiteboard: [sg:dos] 1.8 branch
Attachments: 3 files

Putting a document in designMode, then sending some synthetic key events to
it, then print preview (and possibly pressing a key) leads to "pure virtual
method called" or a random crash.

macosx seems not affected.

2 testcases for the 2 cases attached.
These assertions I see prior to the crash:
###!!! ASSERTION: no frame, see bug #188946: 'frame', file c:/mozilla181/mozilla/editor/libeditor/base/nsEditor.cpp, line 4425
###!!! ASSERTION: Must have view manager: '!isSafeToFlush || mViewManager', file c:/mozilla181/mozilla/layout/base/nsPresShell.cpp, line 5382
###!!! ASSERTION: Must have view!: 'aView', file c:/mozilla181/mozilla/view/src/nsViewManager.cpp, line 3222

And then it crashes here:
#0  0x04381c3a in nsIView::HasWidget (this=0x0)
    at ../../../../../../dist/include/view/nsIView.h:345
#1  0x041a8713 in nsViewManager::UpdateWidgetsForView (this=0x13312600,
    aView=0x0) at c:/mozilla181/mozilla/view/src/nsViewManager.cpp:3224
#2  0x041a9898 in nsViewManager::ForceUpdate (this=0x13312600)
    at c:/mozilla181/mozilla/view/src/nsViewManager.cpp:3663
#3  0x041a493e in nsViewManager::Composite (this=0x13312600)
    at c:/mozilla181/mozilla/view/src/nsViewManager.cpp:1631
#4  0x041a8e02 in nsViewManager::EnableRefresh (this=0x13312600,
    aUpdateFlags=2) at c:/mozilla181/mozilla/view/src/nsViewManager.cpp:3445

Print preview shows a blank page, and this doesn't seem correct.
Trunk correctly shows generated content.
Keywords: crash, testcase
I guess this might be related to bug 323740.
Component: General → Editor
Product: Firefox → Core
QA Contact: general → editor
Summary: designMode + key events + print preview = virtual method or SEGV → designMode + key events + print preview = virtual method or SEGV [@ nsIView::HasWidget]
Version: 2.0 Branch → 1.8 Branch
I suspect this may be race related - adding a waste of memory between the events stops the crash. This doesn't seem to be just a null deref - the virtual method is strange.
Hm, if the component is really editor, then js, xbl, document.open() and killing stuff in the editor probably can cause other crashes.
The content not showing up in print preview was fixed between 2006-02-22 and 2006-02-25, which is when Cairo was turned on on Windows.
Do you do the binary search for the regression by hand?

Probably a simple tool can do it automatically?
Yes, I do it by hand.
I think Mark Banner (db48x on IRC) has some kind of tool to automate regression ranges. Not sure how it works, but I have doubts it would work on windows (and doubts on how helpful it would be, in general).

There is also a fix range where the editor remained working after print preview. That was fixed between 2006-06-29 and 2006-06-30:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-06-29+04&maxdate=2006-06-30+09&cvsroot=%2Fcvsroot
No idea what fixed it.
(In reply to comment #10)
> There is also a fix range where the editor remained working after print
> preview. That was fixed between 2006-06-29 and 2006-06-30:

That turns out to be bug 377371.
I get the crash with or without the patch for bug 386561, so I don't think that has caused this.
Martijn / georgi, does this happen on trunk?

"Pure virtual method called" usually indicates that you are trying to call a virtual method from a base class destructor.  If that's what's happening here, it's not exploitable (just like null derefs are not exploitable).
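Comment 13's point, that a virtual call made while a base-class destructor is running can only reach the base implementation (and, if that implementation is pure, the C++ runtime's "pure virtual method called" handler), as an added C++ example. This is not code from the bug or from Gecko; the View/WidgetView names and the trace vector are invented for illustration.

```cpp
// Added example: why a virtual call during base-class destruction never
// reaches the derived override. Names here are illustrative, not Gecko's.
#include <iostream>
#include <string>
#include <vector>

// Records which implementation each call reached.
static std::vector<std::string> g_trace;

struct View {
    virtual ~View() {
        // By the time this body runs, the WidgetView part is already gone and
        // the object's vptr has been reset to View's own vtable, so name()
        // resolves to View::name(). Had View::name() been declared pure
        // ("= 0"), the vtable slot would hold the runtime's pure-virtual
        // handler and this call would abort with "pure virtual method called".
        g_trace.push_back("~View sees " + name());
    }
    virtual std::string name() const { return "View"; }
};

struct WidgetView : View {
    ~WidgetView() override {
        // Derived destructor runs first; the override is still live here.
        g_trace.push_back("~WidgetView sees " + name());
    }
    std::string name() const override { return "WidgetView"; }
};

// Normal dispatch through a base pointer on a fully constructed object.
std::string name_through_base_pointer() {
    WidgetView w;
    const View* v = &w;
    return v->name();
}

// Destroy a WidgetView through its base pointer and return what each
// destructor observed, in execution order.
std::vector<std::string> destroy_and_trace() {
    g_trace.clear();
    View* v = new WidgetView();
    delete v;
    return g_trace;
}

int main() {
    std::cout << "live object: " << name_through_base_pointer() << "\n";
    for (const std::string& line : destroy_and_trace())
        std::cout << line << "\n";
    return 0;
}
```

The trace shows the two halves of the mechanism: on the live object the call reaches WidgetView::name(), while inside ~View the same call reaches View::name(). Changing View::name() to `= 0` turns the second call into the abort that prints "pure virtual method called". The message therefore identifies a call into an object whose vptr is already the base vtable, which is what a destructor sees, and is also what a stale pointer sees when the freed memory still holds that vptr; the message on its own does not say which of the two happened.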
Trunk seems safe. This is on branch.
Whiteboard: 1.8 branch
Hm, if this is an editor bug, aren't editor interfaces expected to show up somewhere and be accessible from js?
Jesse, this seems [sg:nse?], right?
Whiteboard: 1.8 branch → 1.8 branch [sg:nse?]
Yes, see comment 13.
[sg:nse] [sg:dos] per comment 13
Whiteboard: 1.8 branch [sg:nse?] → 1.8 branch [sg:nse] [sg:dos]
wontfix (unmaintained branch)
Group: core-security
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
Whiteboard: 1.8 branch [sg:nse] [sg:dos] → [sg:dos] 1.8 branch
Crash Signature: [@ nsIView::HasWidget]