Closed Bug 421294 Opened 17 years ago Closed 17 years ago

Crash [@ DocumentViewerImpl::GetCopyable] with testcase that toggles iframe and sends focus event

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Unassigned)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(2 files)

possible patch
848 bytes, patch
jst
: review+
jst
: superreview+
beltzner
: approval1.9+
Details | Diff | Splinter Review
testcase
1.01 KB, text/html
Details
See testcase that crashes current trunk build for me when right-clicking on the toggling iframe. You need to download the testcase to your computer because of the use of enhanced privileges. http://crash-stats.mozilla.com/report/index/ca64ac8a-eb93-11dc-98bd-001a4bd43ef6 0 DocumentViewerImpl::GetCopyable(int*) mozilla/layout/base/nsDocumentViewer.cpp:2455 1 nsClipboardCopyCommand::IsClipboardCommandEnabled(char const*, nsIContentViewerEdit*, int*) mozilla/dom/src/base/nsGlobalWindowCommands.cpp:553 2 nsClipboardBaseCommand::IsCommandEnabled(char const*, nsISupports*, int*) mozilla/dom/src/base/nsGlobalWindowCommands.cpp:448 3 nsControllerCommandTable::IsCommandEnabled(char const*, nsISupports*, int*) mozilla/embedding/components/commandhandler/src/nsControllerCommandTable.cpp:138 4 nsBaseCommandController::IsCommandEnabled(char const*, int*) mozilla/embedding/components/commandhandler/src/nsBaseCommandController.cpp:138 5 NS_InvokeByIndex_P mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101 6 XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2369 Regression range: http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=1203847680&maxdate=1203851699 --> bug 418457. The iframe source consists of this: <script> function doEvent() { netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserWrite"); var ev = document.createEvent ('HTMLEvents'); ev.initEvent('focus', true,true, window, 1,5, 5, 400, 400, 0, 0, 0,0,0,null); document.documentElement.dispatchEvent(ev); var x=top.document.getElementById('content'); x.style.display == 'none' ? x.style.display = '' : x.style.display = 'none'; setTimeout(doEvent, 50); } setTimeout(doEvent, 50); </script>
Attached patch possible patchSplinter Review
Which testcase? Anyway, there used to be mPresShell null check, it was just inside FireClipboardEvent, which was removed when before* events were removed, so this patch is needed.
Attachment #307765 - Flags: superreview?(jst)
Attachment #307765 - Flags: review?(jst)
Attached file testcase
Ugh, sorry about that, I blame bugzilla of course.
The patch seems to fix the crash here.
Attachment #307765 - Flags: superreview?(jst)
Attachment #307765 - Flags: superreview+
Attachment #307765 - Flags: review?(jst)
Attachment #307765 - Flags: review+
Comment on attachment 307765 [details] [diff] [review] possible patch a1.9=beltzner
Attachment #307765 - Flags: approval1.9? → approval1.9+
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
verified fixed using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5pre) Gecko/2008030706 Minefield/3.0b5pre. No crash with test case.
Status: RESOLVED → VERIFIED
Crash Signature: [@ DocumentViewerImpl::GetCopyable]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: