Closed Bug 175896 Opened 22 years ago Closed 21 years ago

crash when selecting data overflowing vertically in a textarea having the overflow = hidden property [@ nsSelection::GetFrameForNodeOffset ]

Categories: Core :: Layout: Form Controls, defect, P1
Status: VERIFIED FIXED
Target Milestone: mozilla1.5beta
People: Reporter: edouardh, Assigned: darin.moz
Attachments: 4 files, 2 obsolete files

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20021021
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20021021

Take a textarea having the css property "overflow: hidden;". When you enter lines so that a vertical overflow happens, the cursor comes back on top of the element and writes on top of in place data. When trying to select this data, the browser will crash. Happens in standard compliance mode and in quirks mode.

Reproducible: Always

Steps to Reproduce:
1. Give the overflow: hidden property (stylesheet, in line, as you want) to a textarea
2. fill in enough lines of data for it to overflow vertically
3. try to select the data

Actual Results: Browser crashed

Expected Results: Should have overlined the selected data viewable in the textarea element.

Crashes with Modern and Classic themes
Error signature (provided by WinXP) : AppName: mozilla.exe AppVer: 1.2.0.0 ModName: gkcontent.dll ModVer: 1.2.0.0 Offset: 000cbfe4
Attached file Testcase (deleted) —
Keywords: css2, testcase
Wow, fun. First I see:

###!!! ASSERTION: frame was not removed from primary frame map before destruction or was readded to map after being removed: '!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame', file /builds/trunk/mozilla/layout/html/base/src/nsFrameManager.cpp, line 1049
Break: at file /builds/trunk/mozilla/layout/html/base/src/nsFrameManager.cpp, line 1049

And then I see:

###!!! ASSERTION: existing overflow list: 'rv != NS_IFRAME_MGR_PROP_OVERWRITTEN', file /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 4725
Break: at file /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 4725

And then I crash at:

#6 <signal handler called>
#7 0x41651d6b in nsSelection::GetFrameForNodeOffset(nsIContent*, int, nsIFrameSelection::HINT, nsIFrame**, int*) (this=0x88f3560, aNode=0x8200930, aOffset=-1073752032, aHint=1124675407, aReturnFrame=0x1, aReturnOffset=0x8200930) at /builds/trunk/mozilla/content/base/src/nsSelection.cpp:3166
#8 0x43091a75 in nsCaret::SetupDrawingFrameAndOffset() (this=0x88f3560) at /builds/trunk/mozilla/layout/base/src/nsCaret.cpp:558
#9 0x43092f81 in nsCaret::DrawCaret() (this=0x88f3560) at /builds/trunk/mozilla/layout/base/src/nsCaret.cpp:948
#10 0x430914be in nsCaret::StartBlinking() (this=0x88f3560) at /builds/trunk/mozilla/layout/base/src/nsCaret.cpp:492
#11 0x43090397 in nsCaret::SetCaretVisible(int) (this=0x88f3560, inMakeVisible=1) at /builds/trunk/mozilla/layout/base/src/nsCaret.cpp:233
#12 0x42f3f730 in PresShell::SetCaretEnabled(int) (this=0x8907948, aInEnable=1) at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:3196
#13 0x42f4da10 in PresShellViewEventListener::RestoreCaretVisibility() (this=0x8957db8) at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:7332
#14 0x42f4dabe in PresShellViewEventListener::DidRefreshRegion(nsIViewManager*, nsIView*, nsIRenderingContext*, nsIRegion*, unsigned) (this=0x8957db8, aViewManager=0x88dbb30, aView=0x8956470, aContext=0x85e97c8, aRegion=0x86ce728, aUpdateFlags=1) at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:7367
#15 0x431e3ab0 in nsViewManager::Refresh(nsView*, nsIRenderingContext*, nsIRegion*, unsigned) (this=0x88dbb30, aView=0x8956470, aContext=0x85e97c8, aRegion=0x86ce728, aUpdateFlags=1) at /builds/trunk/mozilla/view/src/nsViewManager.cpp:797
#16 0x431e66f4 in nsViewManager::DispatchEvent(nsGUIEvent*, nsEventStatus*) (this=0x88dbb30, aEvent=0xbfffddc0, aStatus=0xbfffdc50) at /builds/trunk/mozilla/view/src/nsViewManager.cpp:1784
#17 0x431d66fe in HandleEvent (aEvent=0xbfffddc0) at /builds/trunk/mozilla/view/src/nsView.cpp:80
#18 0x419d6d2b in nsWidget::DispatchEvent(nsGUIEvent*, nsEventStatus&) (this=0x89564f8, aEvent=0xbfffddc0, aStatus=@0xbfffdd00) at /builds/trunk/mozilla/widget/src/gtk/nsWidget.cpp:1448
#19 0x419d697f in nsWidget::DispatchWindowEvent(nsGUIEvent*) (this=0x89564f8, event=0xbfffddc0) at /builds/trunk/mozilla/widget/src/gtk/nsWidget.cpp:1336
#20 0x419dca9e in nsWindow::DoPaint(int, int, int, int, nsIRegion*) (this=0x89564f8, aX=9, aY=10, aWidth=74, aHeight=17, aClipRegion=0x891feb8) at /builds/trunk/mozilla/widget/src/gtk/nsWindow.cpp:821
#21 0x419dcc1f in nsWindow::Update() (this=0x89564f8) at /builds/trunk/mozilla/widget/src/gtk/nsWindow.cpp:857
#22 0x419dce89 in nsWindow::Update() (this=0x89293d8) at /builds/trunk/mozilla/widget/src/gtk/nsWindow.cpp:891
#23 0x431e5a53 in nsViewManager::Composite() (this=0x88dbb30) at /builds/trunk/mozilla/view/src/nsViewManager.cpp:1462
#24 0x431e9d50 in nsViewManager::EnableRefresh(unsigned) (this=0x88dbb30, aUpdateFlags=2) at /builds/trunk/mozilla/view/src/nsViewManager.cpp:3204
#25 0x431e9e2d in nsViewManager::EndUpdateViewBatch(unsigned) (this=0x88dbb30, aUpdateFlags=2) at /builds/trunk/mozilla/view/src/nsViewManager.cpp:3238
#26 0x43a1c607 in nsEditor::EndUpdateViewBatch() (this=0x8958f48) at /builds/trunk/mozilla/editor/libeditor/base/nsEditor.cpp:4308
#27 0x43a0eb27 in nsEditor::EndPlaceHolderTransaction() (this=0x8958f48) at /builds/trunk/mozilla/editor/libeditor/base/nsEditor.cpp:746
#28 0x43974458 in ~nsAutoPlaceHolderBatch (this=0xbfffe1d0) at /builds/trunk/mozilla/editor/libeditor/base/nsEditorUtils.h:66
#29 0x439f371f in nsPlaintextEditor::TypedText(nsAString const&, int) (this=0x8958f48, aString=@0xbfffe2a0, aAction=2) at /builds/trunk/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:568
#30 0x439f3577 in nsPlaintextEditor::HandleKeyPress(nsIDOMKeyEvent*) (this=0x8958f48, aKeyEvent=0x86ce6c8) at /builds/trunk/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:530
#31 0x43a03f6e in nsTextEditorKeyListener::KeyPress(nsIDOMEvent*) (this=0x88e9560, aKeyEvent=0x86ce6d0) at /builds/trunk/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp:280
#32 0x412f57b7 in nsEventListenerManager::HandleEvent(nsIPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned, nsEventStatus*) (this=0x885e888, aPresContext=0x860c588, aEvent=0xbfffeff0, aDOMEvent=0xbfffe94c, aCurrentTarget=0x8876610, aFlags=7, aEventStatus=0xbfffed6c) at /builds/trunk/mozilla/content/events/src/nsEventListenerManager.cpp:1621
#33 0x4161d57d in nsGenericElement::HandleDOMEvent(nsIPresContext*, nsEvent*, nsIDOMEvent**, unsigned, nsEventStatus*) (this=0x8958360, aPresContext=0x860c588, aEvent=0xbfffeff0, aDOMEvent=0xbfffe94c, aFlags=1, aEventStatus=0xbfffed6c) at /builds/trunk/mozilla/content/base/src/nsGenericElement.cpp:2023
#34 0x413dddc7 in nsHTMLTextAreaElement::HandleDOMEvent(nsIPresContext*, nsEvent*, nsIDOMEvent**, unsigned, nsEventStatus*) (this=0x8958360, aPresContext=0x860c588, aEvent=0xbfffeff0, aDOMEvent=0x0, aFlags=1, aEventStatus=0xbfffed6c) at /builds/trunk/mozilla/content/html/content/src/nsHTMLTextAreaElement.cpp:729
#35 0x42f49b2f in PresShell::HandleEventInternal(nsEvent*, nsIView*, unsigned, nsEventStatus*) (this=0x8907948, aEvent=0xbfffeff0, aView=0x88ba390, aFlags=1, aStatus=0xbfffed6c) at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6233
#36 0x42f496bd in PresShell::HandleEvent(nsIView*, nsGUIEvent*, nsEventStatus*, int, int&) (this=0x8907948, aView=0x88ba390, aEvent=0xbfffeff0, aEventStatus=0xbfffed6c, aForceHandle=1, aHandled=@0xbfffed68) at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6155
#37 0x431e763a in nsViewManager::HandleEvent(nsView*, nsGUIEvent*, int) (this=0x88dbb30, aView=0x88ba390, aEvent=0xbfffeff0, aCaptured=0) at /builds/trunk/mozilla/view/src/nsViewManager.cpp:2161
#38 0x431d73f2 in nsView::HandleEvent(nsViewManager*, nsGUIEvent*, int) (this=0x88ba390, aVM=0x88dbb30, aEvent=0xbfffeff0, aCaptured=0) at /builds/trunk/mozilla/view/src/nsView.cpp:303
#39 0x431e6e46 in nsViewManager::DispatchEvent(nsGUIEvent*, nsEventStatus*) (this=0x88dbb30, aEvent=0xbfffeff0, aStatus=0xbfffee90) at /builds/trunk/mozilla/view/src/nsViewManager.cpp:1943
#40 0x431d66fe in HandleEvent (aEvent=0xbfffeff0) at /builds/trunk/mozilla/view/src/nsView.cpp:80
#41 0x419d6d2b in nsWidget::DispatchEvent(nsGUIEvent*, nsEventStatus&) (this=0x89293d8, aEvent=0xbfffeff0, aStatus=@0xbfffef40) at /builds/trunk/mozilla/widget/src/gtk/nsWidget.cpp:1448
#42 0x419d697f in nsWidget::DispatchWindowEvent(nsGUIEvent*) (this=0x89293d8, event=0xbfffeff0) at /builds/trunk/mozilla/widget/src/gtk/nsWidget.cpp:1336
#43 0x419d3dcd in nsWidget::OnKey(nsKeyEvent&) (this=0x89293d8, aEvent=@0xbfffeff0) at /builds/trunk/mozilla/widget/src/gtk/nsWidget.cpp:104
#44 0x419cacd5 in handle_key_press_event(_GtkObject*, _GdkEventKey*, void*) (w=0x0, event=0x8240988, p=0x89564f8) at /builds/trunk/mozilla/widget/src/gtk/nsGtkEventHandler.cpp:637
#45 0x419cb641 in dispatch_superwin_event (event=0x8240988, window=0x89564f8) at /builds/trunk/mozilla/widget/src/gtk/nsGtkEventHandler.cpp:955
#46 0x419cb24d in handle_gdk_event(_GdkEvent*, void*) (event=0x8240988, data=0x0) at /builds/trunk/mozilla/widget/src/gtk/nsGtkEventHandler.cpp:819
#47 0x407be2d5 in gdk_event_dispatch () from /usr/lib/libgdk-1.2.so.0
#48 0x407f397e in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#49 0x407f3e59 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#50 0x407f40f4 in g_main_run () from /usr/lib/libglib-1.2.so.0
#51 0x406f36df in ?? () from /usr/lib/libgtk-1.2.so.0
#52 0x419bbb04 in nsAppShell::Run() (this=0x8137490) at /builds/trunk/mozilla/widget/src/gtk/nsAppShell.cpp:332
#53 0x4196a7a3 in nsAppShellService::Run() (this=0x815e4e8) at /builds/trunk/mozilla/xpfe/appshell/src/nsAppShellService.cpp:471
#54 0x08060094 in main1 (argc=3, argv=0xbffff594, nativeApp=0x80b89f8) at /builds/trunk/mozilla/xpfe/bootstrap/nsAppRunner.cpp:1522
#55 0x08060d22 in main (argc=3, argv=0xbffff594) at /builds/trunk/mozilla/xpfe/bootstrap/nsAppRunner.cpp:1883
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
==> all platforms
tested on win2k, linux 7.2, macOS 10.1 -- today's trunk build

Incident ID :- 12922931
Stack Signature :- nsTypedSelection::selectFrames

bugs with the same stack signature :-
1. bug 129945 [verified - WFM]
2. bug 161444 [verified - Fixed]
3. bug 161517 [resolved - DDP of bug 161444]
4. bug 161538 [Reopened]

There are 2 distinct bugs over here :
1. Actual : When u keep typing in the same line, the cursor moves out of the textarea. [in macOS 10.1 , this leaves a trail of vertical lines]
Expected: The text should wrap automatically
2. Actual : Keep entering lines so that the vertical overflow happens, the cursor comes back on top of the element and starts entering text from the first line. If u hit enter key to go to the next line, the cursor goes back to the start of the first line, but the text is entered after the previous line.
Expected: hmmmm........
3. Actual : selecting text at this point results in a crash.

Good bug, Edouard :-)
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
from comment 4 :
>1. Actual : When u keep typing in the same line, the cursor moves out of the textarea. [in macOS 10.1 , this leaves a trail of vertical lines]
> Expected: The text should wrap automatically
This is bug 59018
->HTML Form Controls.
Assignee: dbaron → jkeiser
Component: Style System → HTML Form Controls
QA Contact: ian → tpreston
nsbeta1+
Keywords: nsbeta1+
Target Milestone: --- → mozilla1.3alpha
still crashing using build 20030112 on Win2k.
Keywords: assertion
Summary: crash when selecting data overflowing vertically in a textarea having the overflow = hidden property → crash when selecting data overflowing vertically in a textarea having the overflow = hidden property [@ nsSelection::GetFrameForNodeOffset ]
nsbeta1-. John is overloaded with higher priority issues.
Keywords: nsbeta1+nsbeta1-
Priority: P1 → P3
Target Milestone: mozilla1.3alpha → Future
*** Bug 202726 has been marked as a duplicate of this bug. ***
Attached file Minimized Testcase (deleted) —
Attached file Minimized Testcase (deleted) —
->mjudge
Assignee: jkeiser → mjudge
*** Bug 215238 has been marked as a duplicate of this bug. ***
*** Bug 215420 has been marked as a duplicate of this bug. ***
-> me
Assignee: mjudge → darin
Priority: P3 → P1
Target Milestone: Future → mozilla1.5beta
this patch prevents the crash, with no bad side-effects, but i really doubt it is the right fix. it could perhaps be used in a pinch if need be. the problem here is that we are blowing out the stack while recursively calling GetChildFrameContainingOffset. the first frame realizes that it does not contain the offset (the offset is greater than its rightmost edge), so it asks its "next frame in flow" to GetChildFrameContainingOffset. the next frame, however, realizes that it does not contain the given offset either (the offset is less than its leftmost edge). as a result, the frame asks its "prev frame in flow" to GetChildFrameContainingOffset, and that continues until the stack blows out. my hackish patch just sets a member variable to indicate that GetChildFrameContainingOffset was already called. in which case we just give up and return an error indicating that no such child frame exists. this seems to result in sane behavior, and it eliminates the crash. however, i strongly suspect that this situation should simply never occur. it is likely that something is incorrectly dropping a frame that should have appeared "in-flow" between the two previously mentioned frames. finding that frame is my next task.
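To make the failure mode described in the comment above concrete, here is an added example. It is not the patch from this bug and not Mozilla code: a toy C++ model of a next-in-flow/prev-in-flow frame chain with a lookup in the shape of GetChildFrameContainingOffset. The names Frame, Chain, naiveLookup and guardedLookup, and the depth limit that stands in for the thread stack, are assumptions of the model. With a frame missing from the chain, the naive lookup bounces between the two neighbours until the depth limit is hit; the guarded version notices that it is being asked to reverse direction and reports that no child frame contains the offset, which is the "give up and return an error" behaviour the workaround aims for, while the real defect is the frame dropped from the flow.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <utility>
#include <vector>

// Toy model (assumption, not Mozilla's nsIFrame): a continuation chain of text
// frames, each owning a half-open range of content offsets, linked as
// "prev in flow" / "next in flow".
struct Frame {
    int32_t start;          // first content offset rendered by this frame
    int32_t end;            // one past the last offset rendered by this frame
    Frame* prev = nullptr;  // prev-in-flow
    Frame* next = nullptr;  // next-in-flow
    Frame(int32_t s, int32_t e) : start(s), end(e) {}
};

// Owns a chain built from (start, end) ranges. Leaving a range out models the
// frame that the comment suspects has been dropped from the flow.
struct Chain {
    std::vector<Frame> frames;
    Chain(std::initializer_list<std::pair<int32_t, int32_t>> ranges) {
        frames.reserve(ranges.size());  // no reallocation after linking
        for (const auto& r : ranges) frames.emplace_back(r.first, r.second);
        for (size_t i = 0; i < frames.size(); ++i) {
            if (i > 0) frames[i].prev = &frames[i - 1];
            if (i + 1 < frames.size()) frames[i].next = &frames[i + 1];
        }
    }
    Chain(const Chain&) = delete;  // frames hold pointers into this vector
    Chain& operator=(const Chain&) = delete;
    Frame* head() { return frames.empty() ? nullptr : &frames[0]; }
};

enum class Lookup { Found, NotFound, Runaway };

// Naive lookup in the shape the comment describes: a frame that does not
// contain the offset defers to its next-in-flow (offset past its right edge)
// or its prev-in-flow (offset before its left edge). kDepthLimit stands in
// for the real stack so the runaway is reported rather than crashing.
Lookup naiveLookup(Frame* f, int32_t offset, Frame** out, int depth = 0) {
    const int kDepthLimit = 1000;
    if (f == nullptr) return Lookup::NotFound;
    if (depth > kDepthLimit) return Lookup::Runaway;
    if (offset >= f->end) return naiveLookup(f->next, offset, out, depth + 1);
    if (offset < f->start) return naiveLookup(f->prev, offset, out, depth + 1);
    *out = f;
    return Lookup::Found;
}

// Guarded lookup: walk iteratively and remember which way we are walking.
// Being asked to reverse direction means the offset lies in a gap between two
// neighbouring frames; report "no such child frame" instead of ping-ponging.
Lookup guardedLookup(Frame* f, int32_t offset, Frame** out) {
    int direction = 0;  // 0 = not moved yet, +1 = toward next, -1 = toward prev
    while (f != nullptr) {
        if (offset >= f->start && offset < f->end) {
            *out = f;
            return Lookup::Found;
        }
        int step = (offset >= f->end) ? +1 : -1;
        if (direction != 0 && step != direction) return Lookup::NotFound;  // gap
        direction = step;
        f = (step > 0) ? f->next : f->prev;
    }
    return Lookup::NotFound;  // ran off either end of the chain
}

int main() {
    Chain gapped{{0, 10}, {20, 30}};  // constructed: offsets 10..19 have no frame
    Frame* hit = nullptr;
    std::printf("naive:   %s\n",
                naiveLookup(gapped.head(), 15, &hit) == Lookup::Runaway ? "runaway" : "ok");
    std::printf("guarded: %s\n",
                guardedLookup(gapped.head(), 15, &hit) == Lookup::NotFound ? "not found" : "ok");
    return 0;
}
```

The guard is deliberately cheap: it adds no allocation or visited set, just one integer of state, and it only changes behaviour in the case that should never occur in a well-formed chain.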
nevermind, this patch only fixes one particular crash instance. i found two others...
Attached patch v0.1 patch : more workarounds... (obsolete) (deleted) — Splinter Review
this patch is more of the same... it blocks another crash, probably not in the best way. i'm just posting it here in case we need something in a pinch.
Attachment #130036 - Attachment is obsolete: true
ok, though this patch prevents the crash, it seems that lines of text can get lost.
i moved part of this patch into bug 216736 since it is not related to the crash.
Depends on: 216736
Attached patch v1 patch (deleted) — Splinter Review
thanks to dbaron for suggesting this patch! with the way overflow:hidden on a textarea was implemented, the text frame was getting a block frame as its parent. that is apparently not supposed to happen. the solution here is to replace overflow:hidden with overflow:-moz-scrollbars-none. as a result, we end up with the same frame hierarchy only the textarea has no scrollbars. in addition, our behavior ends up being consistent with the behavior of IE, which is probably not a bad thing. thanks dbaron!
Attachment #130072 - Attachment is obsolete: true
Attachment #130109 - Flags: superreview+
Attachment #130109 - Flags: review+
Attachment #130109 - Flags: approval1.4.x?
Comment on attachment 130109 [details] [diff] [review] v1 patch approved for 1.4.x. /be
Attachment #130109 - Flags: approval1.4.x? → approval1.4.x+
Need this in the 1.5b trunk too, right? If so, please nominate. /be
Attachment #130109 - Flags: approval1.5b?
Yeah, would be great to have this in 1.5
Attachment #130109 - Flags: approval1.5b? → approval1.5b+
darin, can you land today? trying to get 1.5b builds thursday or friday morning.
fixed-on-trunk
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
fixed1.4.1
Keywords: fixed1.4.1
verified on trunk
Status: RESOLVED → VERIFIED
Blocks: 224532
*** Bug 140256 has been marked as a duplicate of this bug. ***
Crash Signature: [@ nsSelection::GetFrameForNodeOffset ]