Closed
Bug 432025
Opened 14 years ago
Closed 14 years ago
Crash [@ CallQueryInterface<nsIDOMElement, nsIContent>] with contenteditable and execCommand contentReadOnly
Categories
(Core :: DOM: Editor, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: martijn.martijn, Assigned: smaug)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(3 files)
374 bytes,
application/xhtml+xml
|
Details | |
914 bytes,
patch
|
peterv
:
review+
peterv
:
superreview+
|
Details | Diff | Splinter Review |
914 bytes,
patch
|
Details | Diff | Splinter Review |
See testcase, which crashes current trunk build within 100ms. This regressed between 2007-11-13 and 2007-11-14: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-11-13+04&maxdate=2007-11-14+09&cvsroot=%2Fcvsroot so I think a regression from bug 207531. http://crash-stats.mozilla.com/report/index/19aa9ea6-1927-11dd-8373-001cc45a2ce4?p=1 0 xul.dll CallQueryInterface<nsIDOMElement, nsIContent> nsCOMPtr.h:1691 1 xul.dll FindSelectionRoot mozilla/editor/libeditor/text/nsEditorEventListeners.cpp:1084 2 xul.dll nsTextEditorFocusListener::Focus mozilla/editor/libeditor/text/nsEditorEventListeners.cpp:1142 3 xul.dll nsEventListenerManager::HandleEvent mozilla/content/events/src/nsEventListenerManager.cpp:1181 4 xul.dll nsEventTargetChainItem::HandleEventTargetChain mozilla/content/events/src/nsEventDispatcher.cpp:241 5 xul.dll nsEventDispatcher::Dispatch mozilla/content/events/src/nsEventDispatcher.cpp:483 6 xul.dll nsEventStateManager::SendFocusBlur mozilla/content/events/src/nsEventStateManager.cpp:4687 7 xul.dll nsEventStateManager::SetContentState mozilla/content/events/src/nsEventStateManager.cpp:4243 8 xul.dll nsGenericElement::SetFocus mozilla/content/base/src/nsGenericElement.cpp:2539 9 xul.dll nsGenericHTMLElement::SetElementFocus mozilla/content/html/content/src/nsGenericHTMLElement.cpp:3074 10 xul.dll nsHTMLInputElement::Focus mozilla/content/html/content/src/nsHTMLSelectElement.cpp:1247 11 xul.dll nsGenericHTMLElementTearoff::Focus mozilla/content/html/content/src/nsGenericHTMLElement.cpp:197 12 xul.dll NS_InvokeByIndex_P mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101 13 xul.dll XPCWrappedNative::CallMethod mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2369 The stacktrace looks rather similar to the one in bug 403965, so perhaps this is a security problem too? Marking security sensitive too.
this triggers first: ###!!! ASSERTION: bad action nesting!: 'mActionNesting>0', file d:/moz_src/mozil la/editor/libeditor/html/nsHTMLEditRules.cpp, line 387 and then ###!!! ASSERTION: Someone forgot to block scripts: 'aIsSafeToFlush == nsContentU tils::IsSafeToRunScript()', file d:/moz_src/mozilla/layout/base/nsPresShell.cpp, line 4505
Comment 2•14 years ago
|
||
(In reply to comment #1) > ###!!! ASSERTION: Someone forgot to block scripts: 'aIsSafeToFlush == > nsContentU > tils::IsSafeToRunScript()', file The stack to this is similar to that in bug 434790
Reporter | ||
Comment 3•14 years ago
|
||
Still crashes using current trunk build.
Reporter | ||
Updated•14 years ago
|
Flags: blocking1.9.1?
Flags: blocking1.9.1? → wanted1.9.1+
Comment 4•14 years ago
|
||
The last assertion I see is: ASSERTION: null parameter: 'aSource', file ../../../../dist/include/xpcom/ Because, indeed, aSource == 0x0. Exception by nsISupportsUtils.h:202: return aSource->QueryInterface(....), so it looks like a null deref to me. Further up the stack it looks like we are getting a null rootElement around nsEditorEventListeners.cpp:1044 But I'd feel better if someone who knows the code could take a closer look to make sure rootElement couldn't be a bogus address than 0.
Updated•14 years ago
|
Whiteboard: [sg:critical?]
Assignee | ||
Updated•14 years ago
|
Assignee: nobody → Olli.Pettay
Assignee | ||
Comment 5•14 years ago
|
||
this is null pointer crash. patch coming
Whiteboard: [sg:critical?]
Assignee | ||
Comment 6•14 years ago
|
||
Adds a null check and removes code which could never be executed (because CallQueryInterface would have crashed before that code).
Attachment #353245 -
Flags: superreview?(peterv)
Attachment #353245 -
Flags: review?(peterv)
Comment 7•14 years ago
|
||
Comment on attachment 353245 [details] [diff] [review] proposed patch >diff --git a/editor/libeditor/text/nsEditorEventListeners.cpp b/editor/libeditor/text/nsEditorEventListeners.cpp >+ } New line. > CallQueryInterface(rootElement, &root); New line. > return root;
Attachment #353245 -
Flags: superreview?(peterv)
Attachment #353245 -
Flags: superreview+
Attachment #353245 -
Flags: review?(peterv)
Attachment #353245 -
Flags: review+
Assignee | ||
Comment 8•14 years ago
|
||
Assignee | ||
Updated•14 years ago
|
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 9•14 years ago
|
||
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20081229 Minefield/3.2a1pre
Status: RESOLVED → VERIFIED
Updated•11 years ago
|
Crash Signature: [@ CallQueryInterface<nsIDOMElement, nsIContent>]
Updated•7 years ago
|
Group: core-security → core-security-release
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•