Closed Bug 432025 Opened 14 years ago Closed 14 years ago

Crash [@ CallQueryInterface<nsIDOMElement, nsIContent>] with contenteditable and execCommand contentReadOnly

Categories

(Core :: DOM: Editor, defect)

Product:
Core
Component:
DOM: Editor
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: smaug)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(3 files)

testcase
374 bytes, application/xhtml+xml
Details
proposed patch
914 bytes, patch
peterv
: review+
peterv
: superreview+
Details | Diff | Splinter Review
with newlines
914 bytes, patch
Details | Diff | Splinter Review
Attached file testcase 
See testcase, which crashes current trunk build within 100ms. This regressed between 2007-11-13 and 2007-11-14:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-11-13+04&maxdate=2007-11-14+09&cvsroot=%2Fcvsroot
so I think a regression from bug 207531.

http://crash-stats.mozilla.com/report/index/19aa9ea6-1927-11dd-8373-001cc45a2ce4?p=1
0  	xul.dll  	CallQueryInterface<nsIDOMElement, nsIContent>  	 nsCOMPtr.h:1691
1 	xul.dll 	FindSelectionRoot 	mozilla/editor/libeditor/text/nsEditorEventListeners.cpp:1084
2 	xul.dll 	nsTextEditorFocusListener::Focus 	mozilla/editor/libeditor/text/nsEditorEventListeners.cpp:1142
3 	xul.dll 	nsEventListenerManager::HandleEvent 	mozilla/content/events/src/nsEventListenerManager.cpp:1181
4 	xul.dll 	nsEventTargetChainItem::HandleEventTargetChain 	mozilla/content/events/src/nsEventDispatcher.cpp:241
5 	xul.dll 	nsEventDispatcher::Dispatch 	mozilla/content/events/src/nsEventDispatcher.cpp:483
6 	xul.dll 	nsEventStateManager::SendFocusBlur 	mozilla/content/events/src/nsEventStateManager.cpp:4687
7 	xul.dll 	nsEventStateManager::SetContentState 	mozilla/content/events/src/nsEventStateManager.cpp:4243
8 	xul.dll 	nsGenericElement::SetFocus 	mozilla/content/base/src/nsGenericElement.cpp:2539
9 	xul.dll 	nsGenericHTMLElement::SetElementFocus 	mozilla/content/html/content/src/nsGenericHTMLElement.cpp:3074
10 	xul.dll 	nsHTMLInputElement::Focus 	mozilla/content/html/content/src/nsHTMLSelectElement.cpp:1247
11 	xul.dll 	nsGenericHTMLElementTearoff::Focus 	mozilla/content/html/content/src/nsGenericHTMLElement.cpp:197
12 	xul.dll 	NS_InvokeByIndex_P 	mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
13 	xul.dll 	XPCWrappedNative::CallMethod 	mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2369

The stacktrace looks rather similar to the one in bug 403965, so perhaps this is a security problem too? Marking security sensitive too.
this triggers first:

###!!! ASSERTION: bad action nesting!: 'mActionNesting>0', file d:/moz_src/mozil
la/editor/libeditor/html/nsHTMLEditRules.cpp, line 387

and then 

###!!! ASSERTION: Someone forgot to block scripts: 'aIsSafeToFlush == nsContentU
tils::IsSafeToRunScript()', file d:/moz_src/mozilla/layout/base/nsPresShell.cpp,
 line 4505
(In reply to comment #1)

> ###!!! ASSERTION: Someone forgot to block scripts: 'aIsSafeToFlush ==
> nsContentU
> tils::IsSafeToRunScript()', file

The stack to this is similar to that in bug 434790 

Still crashes using current trunk build.
Flags: blocking1.9.1?
Flags: blocking1.9.1? → wanted1.9.1+
The last assertion I see is: ASSERTION: null parameter: 'aSource', file ../../../../dist/include/xpcom/

Because, indeed, aSource == 0x0.

Exception by nsISupportsUtils.h:202: return aSource->QueryInterface(....), so it looks like a null deref to me. 

Further up the stack it looks like we are getting a null rootElement around nsEditorEventListeners.cpp:1044

But I'd feel better if someone who knows the code could take a closer look to make sure rootElement couldn't be a bogus address than 0.
Whiteboard: [sg:critical?]
Assignee: nobody → Olli.Pettay
this is null pointer crash. patch coming
Whiteboard: [sg:critical?]
Attached patch proposed patchSplinter Review 
Adds a null check and removes code which could never be executed (because CallQueryInterface would have crashed before that code).
Attachment #353245 - Flags: superreview?(peterv)
Attachment #353245 - Flags: review?(peterv)
Blocks: 386838
Comment on attachment 353245 [details] [diff] [review]
proposed patch

>diff --git a/editor/libeditor/text/nsEditorEventListeners.cpp b/editor/libeditor/text/nsEditorEventListeners.cpp

>+    }

New line.

>     CallQueryInterface(rootElement, &root);

New line.

>     return root;
Attachment #353245 - Flags: superreview?(peterv)
Attachment #353245 - Flags: superreview+
Attachment #353245 - Flags: review?(peterv)
Attachment #353245 - Flags: review+
Attached patch with newlinesSplinter Review
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20081229 Minefield/3.2a1pre
Status: RESOLVED → VERIFIED
Crash Signature: [@ CallQueryInterface<nsIDOMElement, nsIContent>]
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.