browser crash when input element type is changed

RESOLVED FIXED in mozilla22

Status: defect, critical, RESOLVED FIXED

People: Reporter: sheretov, Assigned: Ehsan

Tracking: keywords crash, regression, testcase; version 18 Branch; target milestone mozilla22

Firefox Tracking Flags: firefox18 affected, firefox19 affected, firefox20-, firefox21-, firefox22-

Attachments: 2 attachments
Reporter

Description

6 years ago
Posted file inputAttrMod.html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17

Steps to reproduce:

Load test file, click on the input element to put the cursor at the beginning of the text, hit the Delete key.


Actual results:

Browser crashes.


Expected results:

No crash
Here is a crash report: bp-237353d6-426d-4ec3-ad5e-21e7c2130220
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ nsTextEditRules::WillDeleteSelection(mozilla::Selection*, short, bool*, bool*) ] [@ nsTextEditRules::WillDeleteSelection]
Component: Untriaged → Editor
Ever confirmed: true
OS: Mac OS X → All
Product: Firefox → Core
Hardware: x86 → All
Version: 19 Branch → Trunk

Updated

6 years ago
Attachment #715837 - Attachment mime type: text/plain → text/html

Comment 2

6 years ago
Regression window(m-c)
Good:
http://hg.mozilla.org/mozilla-central/rev/c8e785e18be8
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20121206 Firefox/20.0 ID:20121206125552
Crash:
http://hg.mozilla.org/mozilla-central/rev/739f20de3c1e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20121206 Firefox/20.0 ID:20121206200151
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c8e785e18be8&tochange=739f20de3c1e

Suspected:
c6e99da8ea9d	Olli Pettay — Bug 803853, make sure to not leak mRules, r=ehsan
Version: Trunk → 18 Branch
We don't have evidence that this is critical for any major web properties, and this isn't a top crasher. No need to track for release.
Assignee

Comment 4

6 years ago
This is the stack under which DetachEditor is called:

#0  nsTextEditRules::DetachEditor (this=0x1231f7680) at /Users/ehsanakhgari/moz/tmp/editor/libeditor/text/nsTextEditRules.cpp:140
#1  0x0000000102949ddd in nsPlaintextEditor::Init (this=0x123f933c0, aDoc=0x122cf2a38, aRoot=0x113e32f80, aSelCon=0x11c5d06b0, aFlags=16643) at /Users/ehsanakhgari/moz/tmp/editor/libeditor/text/nsPlaintextEditor.cpp:123
#2  0x00000001021f857b in nsTextEditorState::PrepareEditor (this=0x122a37e00, aValue=0x112c7adb8) at /Users/ehsanakhgari/moz/tmp/content/html/content/src/nsTextEditorState.cpp:1246
#3  0x00000001021ffc91 in PrepareEditorEvent::Run (this=0x112c7ad90) at /Users/ehsanakhgari/moz/tmp/content/html/content/src/nsTextEditorState.cpp:1041
#4  0x0000000101e5a09f in nsContentUtils::RemoveScriptBlocker () at /Users/ehsanakhgari/moz/tmp/content/base/src/nsContentUtils.cpp:4982
#5  0x000000010197db39 in nsAutoScriptBlocker::~nsAutoScriptBlocker (this=0x7fff5fbfb188) at nsContentUtils.h:2236
#6  0x0000000101978de5 in nsAutoScriptBlocker::~nsAutoScriptBlocker (this=0x7fff5fbfb188) at nsContentUtils.h:2235
#7  0x0000000101a3abfd in PresShell::FlushPendingNotifications (this=0x121809800, aFlush={mFlushType = Flush_Layout, mFlushAnimations = true}) at /Users/ehsanakhgari/moz/tmp/layout/base/nsPresShell.cpp:3881
#8  0x0000000101a3a6ab in PresShell::FlushPendingNotifications (this=0x121809800, aType=Flush_Layout) at /Users/ehsanakhgari/moz/tmp/layout/base/nsPresShell.cpp:3765
#9  0x0000000101b5d91c in nsFrameSelection::MoveCaret (this=0x121d6fb00, aKeycode=46, aContinueSelection=true, aAmount=eSelectCluster, aVisualMovement=false) at /Users/ehsanakhgari/moz/tmp/layout/generic/nsSelection.cpp:749
#10 0x0000000101b5d84e in nsFrameSelection::MoveCaret (this=0x121d6fb00, aKeycode=46, aContinueSelection=true, aAmount=eSelectCluster) at /Users/ehsanakhgari/moz/tmp/layout/generic/nsSelection.cpp:737
#11 0x0000000101b64893 in nsFrameSelection::CharacterExtendForDelete (this=0x121d6fb00) at /Users/ehsanakhgari/moz/tmp/layout/generic/nsSelection.cpp:1842
#12 0x00000001021f454b in nsTextInputSelectionImpl::CharacterExtendForDelete (this=0x1233b79c0) at /Users/ehsanakhgari/moz/tmp/content/html/content/src/nsTextEditorState.cpp:429
#13 0x00000001021f458c in non-virtual thunk to nsTextInputSelectionImpl::CharacterExtendForDelete() () at /Users/ehsanakhgari/moz/tmp/content/html/content/src/nsTextEditorState.cpp:431
#14 0x000000010294ce96 in nsPlaintextEditor::ExtendSelectionForDelete (this=0x123f933c0, aSelection=0x122abff20, aAction=0x7fff5fbfb896) at /Users/ehsanakhgari/moz/tmp/editor/libeditor/text/nsPlaintextEditor.cpp:581
#15 0x0000000102959b9b in nsTextEditRules::WillDeleteSelection (this=0x1231f7680, aSelection=0x122abff20, aCollapsedAction=1, aCancel=0x7fff5fbfb9df, aHandled=0x7fff5fbfb9de) at /Users/ehsanakhgari/moz/tmp/editor/libeditor/text/nsTextEditRules.cpp:834
#16 0x00000001029580cb in nsTextEditRules::WillDoAction (this=0x1231f7680, aSelection=0x122abff20, aInfo=0x7fff5fbfb9e0, aCancel=0x7fff5fbfb9df, aHandled=0x7fff5fbfb9de) at /Users/ehsanakhgari/moz/tmp/editor/libeditor/text/nsTextEditRules.cpp:238
#17 0x000000010294d701 in nsPlaintextEditor::DeleteSelection (this=0x123f933c0, aAction=1, aStripWrappers=0) at /Users/ehsanakhgari/moz/tmp/editor/libeditor/text/nsPlaintextEditor.cpp:673
#18 0x0000000102979e0b in nsEditor::HandleKeyPressEvent (this=0x123f933c0, aKeyEvent=0x121811d30) at /Users/ehsanakhgari/moz/tmp/editor/libeditor/base/nsEditor.cpp:4925
#19 0x000000010294b74d in nsPlaintextEditor::HandleKeyPressEvent (this=0x123f933c0, aKeyEvent=0x121811d30) at /Users/ehsanakhgari/moz/tmp/editor/libeditor/text/nsPlaintextEditor.cpp:370
#20 0x000000010298a90a in nsEditorEventListener::KeyPress (this=0x123f39d00, aKeyEvent=0x121811ca0) at /Users/ehsanakhgari/moz/tmp/editor/libeditor/base/nsEditorEventListener.cpp:452
#21 0x0000000102989c63 in nsEditorEventListener::HandleEvent (this=0x123f39d00, aEvent=0x121811ca0) at /Users/ehsanakhgari/moz/tmp/editor/libeditor/base/nsEditorEventListener.cpp:291
#22 0x000000010213a569 in nsEventListenerManager::HandleEventSubType (this=0x122a37f00, aListenerStruct=0x111bf5680, aListener=0x123f39d00, aDOMEvent=0x121811ca0, aCurrentTarget=0x11fca2d50, aPusher=0x7fff5fbfc368) at /Users/ehsanakhgari/moz/tmp/content/events/src/nsEventListenerManager.cpp:923
#23 0x000000010213a8f3 in nsEventListenerManager::HandleEventInternal (this=0x122a37f00, aPresContext=0x121474400, aEvent=0x7fff5fbfd5f0, aDOMEvent=0x7fff5fbfc398, aCurrentTarget=0x11fca2d50, aEventStatus=0x7fff5fbfc3a0, aPusher=0x7fff5fbfc368) at /Users/ehsanakhgari/moz/tmp/content/events/src/nsEventListenerManager.cpp:990
#24 0x000000010218fb63 in nsEventListenerManager::HandleEvent (this=0x122a37f00, aPresContext=0x121474400, aEvent=0x7fff5fbfd5f0, aDOMEvent=0x7fff5fbfc398, aCurrentTarget=0x11fca2d50, aEventStatus=0x7fff5fbfc3a0, aPusher=0x7fff5fbfc368) at nsEventListenerManager.h:278
#25 0x000000010218ef6b in nsEventTargetChainItem::HandleEvent (this=0x1107f2188, aVisitor=@0x7fff5fbfc388, aMayHaveNewListenerManagers=false, aPusher=0x7fff5fbfc368) at /Users/ehsanakhgari/moz/tmp/content/events/src/nsEventDispatcher.cpp:181
#26 0x000000010218c3fb in nsEventTargetChainItem::HandleEventTargetChain (this=0x1107f2230, aVisitor=@0x7fff5fbfc388, aCallback=0x7fff5fbfc6f0, aMayHaveNewListenerManagers=false, aPusher=0x7fff5fbfc368) at /Users/ehsanakhgari/moz/tmp/content/events/src/nsEventDispatcher.cpp:310
#27 0x000000010218c69d in nsEventTargetChainItem::HandleEventTargetChain (this=0x1107f2230, aVisitor=@0x7fff5fbfc388, aCallback=0x7fff5fbfc6f0, aMayHaveNewListenerManagers=false, aPusher=0x7fff5fbfc368) at /Users/ehsanakhgari/moz/tmp/content/events/src/nsEventDispatcher.cpp:366
#28 0x000000010218dad0 in nsEventDispatcher::Dispatch (aTarget=0x11fca2d50, aPresContext=0x121474400, aEvent=0x7fff5fbfd5f0, aDOMEvent=0x0, aEventStatus=0x7fff5fbfd3a8, aCallback=0x7fff5fbfc6f0, aTargets=0x0) at /Users/ehsanakhgari/moz/tmp/content/events/src/nsEventDispatcher.cpp:678
#29 0x0000000101a45536 in PresShell::HandleEventInternal (this=0x121809800, aEvent=0x7fff5fbfd5f0, aStatus=0x7fff5fbfd3a8) at /Users/ehsanakhgari/moz/tmp/layout/base/nsPresShell.cpp:6625
#30 0x0000000101a43f33 in PresShell::HandleEvent (this=0x121809800, aFrame=0x122dba420, aEvent=0x7fff5fbfd5f0, aDontRetargetEvents=true, aEventStatus=0x7fff5fbfd3a8) at /Users/ehsanakhgari/moz/tmp/layout/base/nsPresShell.cpp:6253
#31 0x0000000101a42097 in PresShell::HandleEvent (this=0x113911a00, aFrame=0x113969420, aEvent=0x7fff5fbfd5f0, aDontRetargetEvents=false, aEventStatus=0x7fff5fbfd3a8) at /Users/ehsanakhgari/moz/tmp/layout/base/nsPresShell.cpp:5824
#32 0x000000010258d4b0 in nsViewManager::DispatchEvent (this=0x112efd580, aEvent=0x7fff5fbfd5f0, aView=0x112efb710, aStatus=0x7fff5fbfd3a8) at /Users/ehsanakhgari/moz/tmp/view/src/nsViewManager.cpp:716
#33 0x000000010258ac5f in nsView::HandleEvent (this=0x112efb710, aEvent=0x7fff5fbfd5f0, aUseAttachedEvents=false) at /Users/ehsanakhgari/moz/tmp/view/src/nsView.cpp:1013
#34 0x00000001036ab862 in nsChildView::DispatchEvent (this=0x10ff56720, event=0x7fff5fbfd5f0, aStatus=@0x7fff5fbfd51c) at /Users/ehsanakhgari/moz/tmp/widget/cocoa/nsChildView.mm:1485
#35 0x00000001036ab906 in nsChildView::DispatchWindowEvent (this=0x10ff56720, event=@0x7fff5fbfd5f0) at /Users/ehsanakhgari/moz/tmp/widget/cocoa/nsChildView.mm:1493
#36 0x00000001036ef89d in mozilla::widget::TextInputHandlerBase::DispatchEvent (this=0x112ec8430, aEvent=@0x7fff5fbfd5f0) at /Users/ehsanakhgari/moz/tmp/widget/cocoa/TextInputHandler.mm:3986
#37 0x00000001036f313d in mozilla::widget::TextInputHandler::DoCommandBySelector (this=0x112ec8430, aSelector=0x7fff893dbcfe "deleteForward:") at /Users/ehsanakhgari/moz/tmp/widget/cocoa/TextInputHandler.mm:2005
Assignee

Comment 5

6 years ago
Posted patch Patch (v1)
I tried writing a test for this, but for whatever reason I cannot reproduce this crash in our mochitest environment, not even with the original test case attached to the bug!
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Attachment #717227 - Flags: review?(bugs)
Comment on attachment 717227 [details] [diff] [review]
Patch (v1)

Would it make sense to have scriptblocker higher up, maybe in
nsPlaintextEditor::DeleteSelection ?
Comment on attachment 717227 [details] [diff] [review]
Patch (v1)

Hmm, maybe that is too high up.
Attachment #717227 - Flags: review?(bugs) → review+
Assignee

Comment 8

6 years ago
(In reply to comment #7)
> Comment on attachment 717227 [details] [diff] [review]
>   --> https://bugzilla.mozilla.org/attachment.cgi?id=717227
> Patch (v1)
> 
> Hmm, maybe that is too high up.

Yeah, I'd rather keep it here...
https://hg.mozilla.org/mozilla-central/rev/8ae71ffcc43d
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
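
A simplified C++ model of the re-entrancy shown in the comment 4 stack and of the script-blocker placement discussed in the review comments, added here as an illustration; it is not Gecko code and not the attached patch. `ScriptBlocker`, `Editor`, `Rules` and `PressDelete` are stand-ins, and the `holdBlocker` switch assumes the fix keeps a script blocker alive across the selection-extension call.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Model of a script blocker: work queued while any blocker is alive runs
// when the last blocker is destroyed.
struct ScriptBlocker {
    static int depth;
    static std::vector<std::function<void()>> pending;
    ScriptBlocker() { ++depth; }
    ~ScriptBlocker() {
        if (--depth != 0) return;
        std::vector<std::function<void()>> run;
        run.swap(pending);
        for (auto& r : run) r();
    }
};
int ScriptBlocker::depth = 0;
std::vector<std::function<void()>> ScriptBlocker::pending;

struct Editor;
struct Rules {
    Editor* editor = nullptr;
    void DetachEditor() { editor = nullptr; }
    bool WillDeleteSelection(bool holdBlocker);  // true if the editor stayed attached
};
struct Editor {
    std::shared_ptr<Rules> rules;
    void Init() {  // re-init detaches the old rules object (frames #0-#1)
        if (rules) rules->DetachEditor();
        rules = std::make_shared<Rules>();
        rules->editor = this;
    }
    void ExtendSelectionForDelete() {  // stands in for the layout flush (frames #7-#14)
        ScriptBlocker flush;
        ScriptBlocker::pending.push_back([this] { Init(); });  // queued editor re-init
    }  // last blocker released here => Init() runs now unless a caller holds one
};
bool Rules::WillDeleteSelection(bool holdBlocker) {
    // With the outer blocker, the queued Init() is deferred until this function returns.
    std::unique_ptr<ScriptBlocker> outer(holdBlocker ? new ScriptBlocker : nullptr);
    editor->ExtendSelectionForDelete();
    return editor != nullptr;  // the real code would dereference the pointer here
}
bool PressDelete(bool holdBlocker) {
    Editor ed;
    ed.Init();
    std::shared_ptr<Rules> inFlight = ed.rules;  // the object on the stack in frame #15
    return inFlight->WillDeleteSelection(holdBlocker);
}
// Exit code 0: detached without the blocker, still attached with it.
int main() { return PressDelete(false) || !PressDelete(true); }
```

The re-init is deferred rather than dropped: it still runs when the outer blocker goes out of scope, after the rules object has finished using its editor pointer.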