Closed
Bug 432025
Opened 17 years ago
Closed 16 years ago
Crash [@ CallQueryInterface<nsIDOMElement, nsIContent>] with contenteditable and execCommand contentReadOnly
Categories
(Core :: DOM: Editor, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: martijn.martijn, Assigned: smaug)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(3 files)
|
374 bytes,
application/xhtml+xml
|
Details | |
|
914 bytes,
patch
|
peterv
:
review+
peterv
:
superreview+
|
Details | Diff | Splinter Review |
|
914 bytes,
patch
|
Details | Diff | Splinter Review |
See testcase, which crashes current trunk build within 100ms. This regressed between 2007-11-13 and 2007-11-14:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-11-13+04&maxdate=2007-11-14+09&cvsroot=%2Fcvsroot
so I think a regression from bug 207531.
http://crash-stats.mozilla.com/report/index/19aa9ea6-1927-11dd-8373-001cc45a2ce4?p=1
0 xul.dll CallQueryInterface<nsIDOMElement, nsIContent> nsCOMPtr.h:1691
1 xul.dll FindSelectionRoot mozilla/editor/libeditor/text/nsEditorEventListeners.cpp:1084
2 xul.dll nsTextEditorFocusListener::Focus mozilla/editor/libeditor/text/nsEditorEventListeners.cpp:1142
3 xul.dll nsEventListenerManager::HandleEvent mozilla/content/events/src/nsEventListenerManager.cpp:1181
4 xul.dll nsEventTargetChainItem::HandleEventTargetChain mozilla/content/events/src/nsEventDispatcher.cpp:241
5 xul.dll nsEventDispatcher::Dispatch mozilla/content/events/src/nsEventDispatcher.cpp:483
6 xul.dll nsEventStateManager::SendFocusBlur mozilla/content/events/src/nsEventStateManager.cpp:4687
7 xul.dll nsEventStateManager::SetContentState mozilla/content/events/src/nsEventStateManager.cpp:4243
8 xul.dll nsGenericElement::SetFocus mozilla/content/base/src/nsGenericElement.cpp:2539
9 xul.dll nsGenericHTMLElement::SetElementFocus mozilla/content/html/content/src/nsGenericHTMLElement.cpp:3074
10 xul.dll nsHTMLInputElement::Focus mozilla/content/html/content/src/nsHTMLSelectElement.cpp:1247
11 xul.dll nsGenericHTMLElementTearoff::Focus mozilla/content/html/content/src/nsGenericHTMLElement.cpp:197
12 xul.dll NS_InvokeByIndex_P mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
13 xul.dll XPCWrappedNative::CallMethod mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2369
The stacktrace looks rather similar to the one in bug 403965, so perhaps this is a security problem too? Marking security sensitive too.
this triggers first:
###!!! ASSERTION: bad action nesting!: 'mActionNesting>0', file d:/moz_src/mozil
la/editor/libeditor/html/nsHTMLEditRules.cpp, line 387
and then
###!!! ASSERTION: Someone forgot to block scripts: 'aIsSafeToFlush == nsContentU
tils::IsSafeToRunScript()', file d:/moz_src/mozilla/layout/base/nsPresShell.cpp,
line 4505
|
||
Comment 2•17 years ago
|
||
(In reply to comment #1)
> ###!!! ASSERTION: Someone forgot to block scripts: 'aIsSafeToFlush ==
> nsContentU
> tils::IsSafeToRunScript()', file
The stack to this is similar to that in bug 434790
|
Reporter | |
Comment 3•16 years ago
|
||
Still crashes using current trunk build.
|
|
Reporter | |
Updated•16 years ago
|
Flags: blocking1.9.1?
Flags: blocking1.9.1? → wanted1.9.1+
|
||
Comment 4•16 years ago
|
||
The last assertion I see is: ASSERTION: null parameter: 'aSource', file ../../../../dist/include/xpcom/
Because, indeed, aSource == 0x0.
Exception by nsISupportsUtils.h:202: return aSource->QueryInterface(....), so it looks like a null deref to me.
Further up the stack it looks like we are getting a null rootElement around nsEditorEventListeners.cpp:1044
But I'd feel better if someone who knows the code could take a closer look to make sure rootElement couldn't be a bogus address than 0.
|
|
||
Updated•16 years ago
|
Whiteboard: [sg:critical?]
|
Assignee | |
Updated•16 years ago
|
Assignee: nobody → Olli.Pettay
|
|
Assignee | |
Comment 5•16 years ago
|
||
this is null pointer crash. patch coming
Whiteboard: [sg:critical?]
|
|
Assignee | |
Comment 6•16 years ago
|
||
Adds a null check and removes code which could never be executed (because CallQueryInterface would have crashed before that code).
Attachment #353245 -
Flags: superreview?(peterv)
Attachment #353245 -
Flags: review?(peterv)
|
||
Comment 7•16 years ago
|
||
Comment on attachment 353245 [details] [diff] [review]
proposed patch
>diff --git a/editor/libeditor/text/nsEditorEventListeners.cpp b/editor/libeditor/text/nsEditorEventListeners.cpp
>+ }
New line.
> CallQueryInterface(rootElement, &root);
New line.
> return root;
Attachment #353245 -
Flags: superreview?(peterv)
Attachment #353245 -
Flags: superreview+
Attachment #353245 -
Flags: review?(peterv)
Attachment #353245 -
Flags: review+
|
|
Assignee | |
Comment 8•16 years ago
|
||
|
|
Assignee | |
Updated•16 years ago
|
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 9•16 years ago
|
||
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20081229 Minefield/3.2a1pre
Status: RESOLVED → VERIFIED
|
||
Updated•14 years ago
|
Crash Signature: [@ CallQueryInterface<nsIDOMElement, nsIContent>]
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
||
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•