Bug 411896 - designMode + key events + print preview = virtual method or SEGV [@ nsIView::HasWidget]
Status: RESOLVED WONTFIX (Closed)
Opened 17 years ago; closed 15 years ago
Categories: Core :: DOM: Editor, defect
Reporter: guninski; Unassigned
Keywords: crash, testcase
Whiteboard: [sg:dos] 1.8 branch
Attachments: 3 files
Putting a document in designMode, then sending some synthetic key events to it, then print preview (and possibly pressing a key) leads to "pure virtual method called" or a random crash.
macosx seems not affected.
2 testcases for the 2 cases attached.
Comment 1•17 years ago
Comment 2•17 years ago
These assertions I see prior to the crash:
###!!! ASSERTION: no frame, see bug #188946: 'frame', file c:/mozilla181/mozilla/editor/libeditor/base/nsEditor.cpp, line 4425
###!!! ASSERTION: Must have view manager: '!isSafeToFlush || mViewManager', file c:/mozilla181/mozilla/layout/base/nsPresShell.cpp, line 5382
###!!! ASSERTION: Must have view!: 'aView', file c:/mozilla181/mozilla/view/src/nsViewManager.cpp, line 3222
And then it crashes here:
#0 0x04381c3a in nsIView::HasWidget (this=0x0)
at ../../../../../../dist/include/view/nsIView.h:345
#1 0x041a8713 in nsViewManager::UpdateWidgetsForView (this=0x13312600,
aView=0x0) at c:/mozilla181/mozilla/view/src/nsViewManager.cpp:3224
#2 0x041a9898 in nsViewManager::ForceUpdate (this=0x13312600)
at c:/mozilla181/mozilla/view/src/nsViewManager.cpp:3663
#3 0x041a493e in nsViewManager::Composite (this=0x13312600)
at c:/mozilla181/mozilla/view/src/nsViewManager.cpp:1631
#4 0x041a8e02 in nsViewManager::EnableRefresh (this=0x13312600,
aUpdateFlags=2) at c:/mozilla181/mozilla/view/src/nsViewManager.cpp:3445
Comment 3•17 years ago
Print preview shows a blank page, and this doesn't seem correct.
Trunk correctly shows generated content.
Comment 4•17 years ago
I guess this might be related to bug 323740.
Comment 5•17 years ago
I suspect this may be race related - adding a waste of memory between the events stops the crash. This doesn't seem to be just a null deref - the virtual method is strange.
Comment 6•17 years ago
This regressed on branch somehow between 2007-07-06 and 2007-07-07:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=MOZILLA_1_8_BRANCH&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-07-06+04&maxdate=2007-07-07+09&cvsroot=%2Fcvsroot
So it seems to me a regression from bug 386561.
Blocks: 386561
Comment 7•17 years ago
Hm, if the component is really editor, then js, xbl, document.open() and killing stuff in the editor can probably cause other crashes.
Comment 8•17 years ago
The content not showing up on print preview was fixed between 2006-02-22 and 2006-02-25, which is when Cairo was turned on on windows.
Comment 9•17 years ago
Do you do the binary search for the regression by hand?
Probably a simple tool could do it automatically?
Comment 10•17 years ago
Yes, I do it by hand.
I think Mark Banner (db48x on IRC) has some kind of tool to automate regression ranges. Not sure how it works, but I have doubts it would work on windows (and doubts on how helpful it would be, in general).
There is also a fix range where the editor remained working after print preview. That was fixed between 2006-06-29 and 2006-06-30:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-06-29+04&maxdate=2006-06-30+09&cvsroot=%2Fcvsroot
No idea what fixed it.
Comment 11•17 years ago
(In reply to comment #10)
> There is also a fix range where the editor remained working after print
> preview. That was fixed between 2006-06-29 and 2006-06-30:
That turns out to be bug 377371.
Comment 12•17 years ago
I get the crash with or without the patch for bug 386561, so I don't think that has caused this.
Comment 13•17 years ago
Martijn / georgi, does this happen on trunk?
"Pure virtual method called" usually indicates that you are trying to call a virtual method from a base class destructor. If that's what's happening here, it's not exploitable (just like null derefs are not exploitable).
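As an added illustration of the mechanism comment 13 refers to (a constructed example, not Gecko code): while a base-class destructor runs, the object's dynamic type has already been reduced to the base, so a virtual call from there resolves to the base's own implementation. If that slot is pure virtual there is nothing to run and the C++ runtime aborts with "pure virtual method called", a deterministic abort rather than a controllable memory write.

```cpp
#include <string>
#include <vector>

// Constructed example: records which override is reached when a
// base-class destructor calls a virtual method.
struct Base {
    std::vector<std::string>* log;
    explicit Base(std::vector<std::string>* l) : log(l) {}
    virtual std::string name() const { return "Base"; }
    // Inside ~Base the Derived part is already gone, so this call
    // dispatches to Base::name(), never Derived::name(). Had name()
    // been declared pure (= 0) with no body, this same call would land
    // on the runtime's pure-virtual stub and abort the process.
    virtual ~Base() { log->push_back(name()); }
};

struct Derived : Base {
    explicit Derived(std::vector<std::string>* l) : Base(l) {}
    std::string name() const override { return "Derived"; }
    ~Derived() override { log->push_back(name()); }
};

// Destroys a Derived and returns the sequence of names observed
// during destruction: first from ~Derived, then from ~Base.
std::vector<std::string> destroy_and_observe() {
    std::vector<std::string> log;
    {
        Derived d(&log);
    }  // ~Derived runs, then ~Base
    return log;  // {"Derived", "Base"}
}
```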
Comment 14•17 years ago
Trunk seems safe. This is on branch.
Updated•17 years ago
Whiteboard: 1.8 branch
Comment 15•17 years ago
Hm, if this is an editor bug, aren't editor interfaces expected to show up somewhere and be accessible from js?
Comment 16•17 years ago
Jesse, this seems [sg:nse?], right?
Whiteboard: 1.8 branch → 1.8 branch [sg:nse?]
Comment 17•17 years ago
Yes, see comment 13.
Comment 18•17 years ago
[sg:nse] [sg:dos] per comment 13
Whiteboard: 1.8 branch [sg:nse?] → 1.8 branch [sg:nse] [sg:dos]
Comment 19•15 years ago
wontfix (unmaintained branch)
Group: core-security
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
Whiteboard: 1.8 branch [sg:nse] [sg:dos] → [sg:dos] 1.8 branch
Updated•14 years ago
Crash Signature: [@ nsIView::HasWidget]