Closed
Bug 175896
Opened 22 years ago
Closed 21 years ago
crash when selecting data overflowing vertically in a textarea having the overflow = hidden property [@ nsSelection::GetFrameForNodeOffset ]
Categories: Core :: Layout: Form Controls, defect, P1
Tracking: VERIFIED FIXED, mozilla1.5beta
People: Reporter: edouardh, Assigned: darin.moz
References: 5 keywords
Attachments: 4 files, 2 obsolete files
(deleted), text/html
(deleted), text/html
(deleted), text/html
(deleted), patch | dbaron: review+ | dbaron: superreview+ | brendan: approval1.4.1+ | dbaron: approval1.5b+
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20021021
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20021021
Take a textarea having the css property "overflow: hidden;". When you enter
lines so that a vertical overflow happens, the cursor comes back on top of the
element and writes on top of in place data. When trying to select this data, the
browser will crash. Happens in standard compliance mode and in quirks mode.
Reproducible: Always
Steps to Reproduce:
1. Give the overflow: hidden property (stylesheet, in line, as you want) to a
textarea
2. fill in enough lines of data for it to overflow vertically
3. try to select the data
Actual Results:
Browser crashed
Expected Results:
Should have overlined the selected data viewable in the textarea element.
Crashes with Modern and Classic themes
Comment 1 • 22 years ago (Reporter)
Error signature (provided by WinXP) :
AppName: mozilla.exe
AppVer: 1.2.0.0
ModName: gkcontent.dll
ModVer: 1.2.0.0
Offset: 000cbfe4
Comment 2 • 22 years ago (Reporter)
Updated • 22 years ago (Reporter)
Comment 3 • 22 years ago
Wow, fun.
First I see:
###!!! ASSERTION: frame was not removed from primary frame map before
destruction or was readded to map after being removed:
'!PL_DHASH_ENTRY_IS_BUSY(entry) ||
entry->frame != aFrame', file
/builds/trunk/mozilla/layout/html/base/src/nsFrameManager.cpp, line 1049
Break: at file /builds/trunk/mozilla/layout/html/base/src/nsFrameManager.cpp,
line 1049
And then I see:
###!!! ASSERTION: existing overflow list: 'rv !=
NS_IFRAME_MGR_PROP_OVERWRITTEN', file
/builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 4725
Break: at file /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp, line
4725
And then I crash at:
#6 <signal handler called>
#7 0x41651d6b in nsSelection::GetFrameForNodeOffset(nsIContent*, int,
nsIFrameSelection::HINT, nsIFrame**, int*) (this=0x88f3560, aNode=0x8200930,
aOffset=-1073752032, aHint=1124675407, aReturnFrame=0x1,
aReturnOffset=0x8200930)
at /builds/trunk/mozilla/content/base/src/nsSelection.cpp:3166
#8 0x43091a75 in nsCaret::SetupDrawingFrameAndOffset() (this=0x88f3560)
at /builds/trunk/mozilla/layout/base/src/nsCaret.cpp:558
#9 0x43092f81 in nsCaret::DrawCaret() (this=0x88f3560)
at /builds/trunk/mozilla/layout/base/src/nsCaret.cpp:948
#10 0x430914be in nsCaret::StartBlinking() (this=0x88f3560)
at /builds/trunk/mozilla/layout/base/src/nsCaret.cpp:492
#11 0x43090397 in nsCaret::SetCaretVisible(int) (this=0x88f3560,
inMakeVisible=1) at /builds/trunk/mozilla/layout/base/src/nsCaret.cpp:233
#12 0x42f3f730 in PresShell::SetCaretEnabled(int) (this=0x8907948, aInEnable=1)
at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:3196
#13 0x42f4da10 in PresShellViewEventListener::RestoreCaretVisibility() (
this=0x8957db8)
at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:7332
#14 0x42f4dabe in PresShellViewEventListener::DidRefreshRegion(nsIViewManager*,
nsIView*, nsIRenderingContext*, nsIRegion*, unsigned) (this=0x8957db8,
aViewManager=0x88dbb30, aView=0x8956470, aContext=0x85e97c8,
aRegion=0x86ce728, aUpdateFlags=1)
at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:7367
#15 0x431e3ab0 in nsViewManager::Refresh(nsView*, nsIRenderingContext*,
nsIRegion*, unsigned) (this=0x88dbb30, aView=0x8956470, aContext=0x85e97c8,
aRegion=0x86ce728, aUpdateFlags=1)
at /builds/trunk/mozilla/view/src/nsViewManager.cpp:797
#16 0x431e66f4 in nsViewManager::DispatchEvent(nsGUIEvent*, nsEventStatus*) (
this=0x88dbb30, aEvent=0xbfffddc0, aStatus=0xbfffdc50)
at /builds/trunk/mozilla/view/src/nsViewManager.cpp:1784
#17 0x431d66fe in HandleEvent (aEvent=0xbfffddc0)
at /builds/trunk/mozilla/view/src/nsView.cpp:80
#18 0x419d6d2b in nsWidget::DispatchEvent(nsGUIEvent*, nsEventStatus&) (
this=0x89564f8, aEvent=0xbfffddc0, aStatus=@0xbfffdd00)
at /builds/trunk/mozilla/widget/src/gtk/nsWidget.cpp:1448
#19 0x419d697f in nsWidget::DispatchWindowEvent(nsGUIEvent*) (this=0x89564f8,
event=0xbfffddc0) at /builds/trunk/mozilla/widget/src/gtk/nsWidget.cpp:1336
#20 0x419dca9e in nsWindow::DoPaint(int, int, int, int, nsIRegion*) (
this=0x89564f8, aX=9, aY=10, aWidth=74, aHeight=17, aClipRegion=0x891feb8)
at /builds/trunk/mozilla/widget/src/gtk/nsWindow.cpp:821
#21 0x419dcc1f in nsWindow::Update() (this=0x89564f8)
at /builds/trunk/mozilla/widget/src/gtk/nsWindow.cpp:857
#22 0x419dce89 in nsWindow::Update() (this=0x89293d8)
at /builds/trunk/mozilla/widget/src/gtk/nsWindow.cpp:891
#23 0x431e5a53 in nsViewManager::Composite() (this=0x88dbb30)
at /builds/trunk/mozilla/view/src/nsViewManager.cpp:1462
#24 0x431e9d50 in nsViewManager::EnableRefresh(unsigned) (this=0x88dbb30,
aUpdateFlags=2) at /builds/trunk/mozilla/view/src/nsViewManager.cpp:3204
#25 0x431e9e2d in nsViewManager::EndUpdateViewBatch(unsigned) (this=0x88dbb30,
aUpdateFlags=2) at /builds/trunk/mozilla/view/src/nsViewManager.cpp:3238
#26 0x43a1c607 in nsEditor::EndUpdateViewBatch() (this=0x8958f48)
at /builds/trunk/mozilla/editor/libeditor/base/nsEditor.cpp:4308
#27 0x43a0eb27 in nsEditor::EndPlaceHolderTransaction() (this=0x8958f48)
at /builds/trunk/mozilla/editor/libeditor/base/nsEditor.cpp:746
#28 0x43974458 in ~nsAutoPlaceHolderBatch (this=0xbfffe1d0)
at /builds/trunk/mozilla/editor/libeditor/base/nsEditorUtils.h:66
#29 0x439f371f in nsPlaintextEditor::TypedText(nsAString const&, int) (
this=0x8958f48, aString=@0xbfffe2a0, aAction=2)
at /builds/trunk/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:568
#30 0x439f3577 in nsPlaintextEditor::HandleKeyPress(nsIDOMKeyEvent*) (
this=0x8958f48, aKeyEvent=0x86ce6c8)
at /builds/trunk/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:530
#31 0x43a03f6e in nsTextEditorKeyListener::KeyPress(nsIDOMEvent*) (
this=0x88e9560, aKeyEvent=0x86ce6d0)
at /builds/trunk/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp:280
#32 0x412f57b7 in nsEventListenerManager::HandleEvent(nsIPresContext*, nsEvent*,
nsIDOMEvent**, nsIDOMEventTarget*, unsigned, nsEventStatus*) (this=0x885e888,
aPresContext=0x860c588, aEvent=0xbfffeff0, aDOMEvent=0xbfffe94c,
aCurrentTarget=0x8876610, aFlags=7, aEventStatus=0xbfffed6c)
at /builds/trunk/mozilla/content/events/src/nsEventListenerManager.cpp:1621
#33 0x4161d57d in nsGenericElement::HandleDOMEvent(nsIPresContext*, nsEvent*,
nsIDOMEvent**, unsigned, nsEventStatus*) (this=0x8958360,
aPresContext=0x860c588, aEvent=0xbfffeff0, aDOMEvent=0xbfffe94c, aFlags=1,
aEventStatus=0xbfffed6c)
at /builds/trunk/mozilla/content/base/src/nsGenericElement.cpp:2023
#34 0x413dddc7 in nsHTMLTextAreaElement::HandleDOMEvent(nsIPresContext*,
nsEvent*, nsIDOMEvent**, unsigned, nsEventStatus*) (this=0x8958360,
aPresContext=0x860c588, aEvent=0xbfffeff0, aDOMEvent=0x0, aFlags=1,
aEventStatus=0xbfffed6c)
at /builds/trunk/mozilla/content/html/content/src/nsHTMLTextAreaElement.cpp:729
#35 0x42f49b2f in PresShell::HandleEventInternal(nsEvent*, nsIView*, unsigned,
nsEventStatus*) (this=0x8907948, aEvent=0xbfffeff0, aView=0x88ba390, aFlags=1,
aStatus=0xbfffed6c)
at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6233
#36 0x42f496bd in PresShell::HandleEvent(nsIView*, nsGUIEvent*, nsEventStatus*,
int, int&) (this=0x8907948, aView=0x88ba390, aEvent=0xbfffeff0,
aEventStatus=0xbfffed6c, aForceHandle=1, aHandled=@0xbfffed68)
at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6155
#37 0x431e763a in nsViewManager::HandleEvent(nsView*, nsGUIEvent*, int) (
this=0x88dbb30, aView=0x88ba390, aEvent=0xbfffeff0, aCaptured=0)
at /builds/trunk/mozilla/view/src/nsViewManager.cpp:2161
#38 0x431d73f2 in nsView::HandleEvent(nsViewManager*, nsGUIEvent*, int) (
this=0x88ba390, aVM=0x88dbb30, aEvent=0xbfffeff0, aCaptured=0)
at /builds/trunk/mozilla/view/src/nsView.cpp:303
#39 0x431e6e46 in nsViewManager::DispatchEvent(nsGUIEvent*, nsEventStatus*) (
this=0x88dbb30, aEvent=0xbfffeff0, aStatus=0xbfffee90)
at /builds/trunk/mozilla/view/src/nsViewManager.cpp:1943
#40 0x431d66fe in HandleEvent (aEvent=0xbfffeff0)
at /builds/trunk/mozilla/view/src/nsView.cpp:80
#41 0x419d6d2b in nsWidget::DispatchEvent(nsGUIEvent*, nsEventStatus&) (
this=0x89293d8, aEvent=0xbfffeff0, aStatus=@0xbfffef40)
at /builds/trunk/mozilla/widget/src/gtk/nsWidget.cpp:1448
#42 0x419d697f in nsWidget::DispatchWindowEvent(nsGUIEvent*) (this=0x89293d8,
event=0xbfffeff0) at /builds/trunk/mozilla/widget/src/gtk/nsWidget.cpp:1336
#43 0x419d3dcd in nsWidget::OnKey(nsKeyEvent&) (this=0x89293d8,
aEvent=@0xbfffeff0)
at /builds/trunk/mozilla/widget/src/gtk/nsWidget.cpp:104
#44 0x419cacd5 in handle_key_press_event(_GtkObject*, _GdkEventKey*, void*) (
w=0x0, event=0x8240988, p=0x89564f8)
at /builds/trunk/mozilla/widget/src/gtk/nsGtkEventHandler.cpp:637
#45 0x419cb641 in dispatch_superwin_event (event=0x8240988, window=0x89564f8)
at /builds/trunk/mozilla/widget/src/gtk/nsGtkEventHandler.cpp:955
#46 0x419cb24d in handle_gdk_event(_GdkEvent*, void*) (event=0x8240988,
data=0x0) at /builds/trunk/mozilla/widget/src/gtk/nsGtkEventHandler.cpp:819
#47 0x407be2d5 in gdk_event_dispatch () from /usr/lib/libgdk-1.2.so.0
#48 0x407f397e in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#49 0x407f3e59 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#50 0x407f40f4 in g_main_run () from /usr/lib/libglib-1.2.so.0
#51 0x406f36df in ?? () from /usr/lib/libgtk-1.2.so.0
#52 0x419bbb04 in nsAppShell::Run() (this=0x8137490)
at /builds/trunk/mozilla/widget/src/gtk/nsAppShell.cpp:332
#53 0x4196a7a3 in nsAppShellService::Run() (this=0x815e4e8)
at /builds/trunk/mozilla/xpfe/appshell/src/nsAppShellService.cpp:471
#54 0x08060094 in main1 (argc=3, argv=0xbffff594, nativeApp=0x80b89f8)
at /builds/trunk/mozilla/xpfe/bootstrap/nsAppRunner.cpp:1522
#55 0x08060d22 in main (argc=3, argv=0xbffff594)
at /builds/trunk/mozilla/xpfe/bootstrap/nsAppRunner.cpp:1883
Updated • 22 years ago
Comment 4 • 22 years ago
==> all platforms
tested on win2k, linux 7.2, macOS 10.1 -- today's trunk build
Incident ID :- 12922931
Stack Signature :- nsTypedSelection::selectFrames
bugs with the same stack signature :-
1. bug 129945 [verified - WFM]
2. bug 161444 [verified - Fixed]
3. bug 161517 [resolved - DDP of bug 161444]
4. bug 161538 [Reopened]
There are 2 distinct bugs over here :
1. Actual : When you keep typing in the same line, the cursor moves out of the
textarea. [in macOS 10.1 , this leaves a trail of vertical lines]
Expected: The text should wrap automatically
2. Actual : Keep entering lines so that the vertical overflow happens, the
cursor comes back on top of the element and starts entering text from the first
line. If you hit enter key to go to the next line, the cursor goes back to the
start of the first line, but the text is entered after the previous line.
Expected: hmmmm........
3. Actual : selecting text at this point results in a crash.
Good bug, Edouard :-)
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Comment 5 • 22 years ago
Comment 6 • 22 years ago
->HTML Form Controls.
Assignee: dbaron → jkeiser
Component: Style System → HTML Form Controls
QA Contact: ian → tpreston
Comment 8 • 22 years ago
still crashing using build 20030112 on Win2k.
Keywords: assertion
Summary: crash when selecting data overflowing vertically in a textarea having the overflow = hidden property → crash when selecting data overflowing vertically in a textarea having the overflow = hidden property [@ nsSelection::GetFrameForNodeOffset ]
Comment 9 • 22 years ago
nsbeta1-. John is overloaded with higher priority issues.
Comment 10 • 22 years ago
*** Bug 202726 has been marked as a duplicate of this bug. ***
Comment 11 • 22 years ago
Comment 12 • 22 years ago
Comment 14 • 21 years ago
*** Bug 215238 has been marked as a duplicate of this bug. ***
Comment 15 • 21 years ago
*** Bug 215420 has been marked as a duplicate of this bug. ***
Comment 16 • 21 years ago (Assignee)
-> me
Assignee: mjudge → darin
Priority: P3 → P1
Target Milestone: Future → mozilla1.5beta
Comment 17 • 21 years ago (Assignee)
this patch prevents the crash, with no bad side-effects, but i really doubt it
is the right fix. it could perhaps be used in a pinch if need be.
the problem here is that we are blowing out the stack while recursively calling
GetChildFrameContainingOffset. the first frame realizes that it does not
contain the offset (the offset is greater than its rightmost edge), so it asks
its "next frame in flow" to GetChildFrameContainingOffset. the next frame,
however, realizes that it does not contain the given offset either (the offset
is less than its leftmost edge). as a result, the frame asks its "prev frame
in flow" to GetChildFrameContainingOffset, and that continues until the stack
blows out. my hackish patch just sets a member variable to indicate that
GetChildFrameContainingOffset was already called. in which case we just give
up and return an error indicating that no such child frame exists. this seems
to result in sane behavior, and it eliminates the crash.
however, i strongly suspect that this situation should simply never occur. it
is likely that something is incorrectly dropping a frame that should have
appeared "in-flow" between the two previously mentioned frames. finding that
frame is my next task.
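The mutual recursion described in comment 17 and the re-entrancy guard of its "hackish patch", as an added toy model (not Gecko code and not the attached patch). `TextFrame`, `FindUnguarded`, `FindGuarded`, `Lookup`, the offsets and the call limit are all assumptions made for illustration:

```cpp
// Added toy model, not Gecko code: all names here are hypothetical.
#include <cstdio>
struct TextFrame {
    int start, end;             // content offsets covered: [start, end)
    TextFrame* prev = nullptr;  // "prev frame in flow"
    TextFrame* next = nullptr;  // "next frame in flow"
    bool inLookup = false;      // guard flag, like the member variable in comment 17
    TextFrame(int s, int e) : start(s), end(e) {}

    // Unguarded: each frame hands the offset to its neighbour. `limit`
    // stands in for the finite stack so the demo stops instead of crashing.
    TextFrame* FindUnguarded(int offset, int& calls, int limit) {
        if (++calls > limit) return nullptr;  // real code: stack exhaustion
        if (offset >= end && next) return next->FindUnguarded(offset, calls, limit);
        if (offset < start && prev) return prev->FindUnguarded(offset, calls, limit);
        return (offset >= start && offset < end) ? this : nullptr;
    }

    // Guarded: a frame re-entered during its own lookup gives up and
    // reports that no frame contains the offset.
    TextFrame* FindGuarded(int offset, int& calls) {
        ++calls;
        if (inLookup) return nullptr;
        inLookup = true;
        TextFrame* hit = nullptr;
        if (offset >= end && next) hit = next->FindGuarded(offset, calls);
        else if (offset < start && prev) hit = prev->FindGuarded(offset, calls);
        else if (offset >= start && offset < end) hit = this;
        inLookup = false;
        return hit;
    }
};
struct Result { bool found; int calls; };

// Two frames in flow; with `gap` set, offsets 10..14 belong to neither
// (constructed input modelling the dropped in-flow frame).
Result Lookup(bool gap, int offset, bool guarded, int limit = 1000) {
    TextFrame a(0, 10), b(gap ? 15 : 10, 25);
    a.next = &b; b.prev = &a;
    int calls = 0;
    TextFrame* f = guarded ? a.FindGuarded(offset, calls)
                           : a.FindUnguarded(offset, calls, limit);
    return { f != nullptr, calls };
}

int main() {
    Result u = Lookup(true, 12, false), g = Lookup(true, 12, true);
    std::printf("unguarded: found=%d calls=%d\n", u.found, u.calls);
    std::printf("guarded:   found=%d calls=%d\n", g.found, g.calls);
}
```

The guard turns unbounded ping-pong into a clean "not found" after three calls, but the offset still maps to no frame, which matches the comment's suspicion that the real defect is the missing in-flow frame.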
Comment 18 • 21 years ago (Assignee)
nevermind, this patch only fixes one particular crash instance. i found two
others...
Comment 19 • 21 years ago (Assignee)
this patch is more of the same... it blocks another crash, probably not in the
best way. i'm just posting it here in case we need something in a pinch.
Attachment #130036 - Attachment is obsolete: true
Comment 20 • 21 years ago (Assignee)
ok, though this patch prevents the crash, it seems that lines of text can get lost.
Comment 21 • 21 years ago (Assignee)
i moved part of this patch into bug 216736 since it is not related to the crash.
Depends on: 216736
Comment 22 • 21 years ago (Assignee)
thanks to dbaron for suggesting this patch! with the way overflow:hidden on a
textarea was implemented, the text frame was getting a block frame as its
parent. that is apparently not supposed to happen. the solution here is to
replace overflow:hidden with overflow:-moz-scrollbars-none. as a result, we
end up with the same frame hierarchy only the textarea has no scrollbars. in
addition, our behavior ends up being consistent with the behavior of IE, which
is probably not a bad thing. thanks dbaron!
Attachment #130072 - Attachment is obsolete: true
Updated • 21 years ago
Attachment #130109 - Flags: superreview+
Attachment #130109 - Flags: review+
Updated • 21 years ago
Attachment #130109 - Flags: approval1.4.x?
Comment 23 • 21 years ago
Comment on attachment 130109
v1 patch
approved for 1.4.x.
/be
Attachment #130109 - Flags: approval1.4.x? → approval1.4.x+
Comment 24 • 21 years ago
Need this in the 1.5b trunk too, right? If so, please nominate.
/be
Updated • 21 years ago
Attachment #130109 - Flags: approval1.5b?
Comment 25 • 21 years ago
Yeah, would be great to have this in 1.5
Updated • 21 years ago
Attachment #130109 - Flags: approval1.5b? → approval1.5b+
Comment 26 • 21 years ago
darin, can you land today? trying to get 1.5b builds thursday or friday morning.
Comment 27 • 21 years ago (Assignee)
fixed-on-trunk
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment 30 • 21 years ago
*** Bug 140256 has been marked as a duplicate of this bug. ***
Updated • 14 years ago
Crash Signature: [@ nsSelection::GetFrameForNodeOffset ]