Closed Bug 1386418 Opened 7 years ago Closed 4 years ago

Removing an element in a callback for said element crashes the tab

Categories

(Core :: Layout, defect, P3)

Product:
Core
Component:
Layout
Version:
55 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
81 Branch
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox-esr78 --- wontfix
firefox79 --- wontfix
firefox80 --- wontfix
firefox81 --- fixed

People

(Reporter: dogescript, Assigned: emilio)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(2 files)

testcase 1
330 bytes, text/html
Details
Bug 1386418 - Fix two issues in nsIFrame::HandleRelease. r=dholbert
47 bytes, text/x-phabricator-request
Details | Review 
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170727114534

Steps to reproduce:

Create an `<input type="text">` element
Register an event handler for the `select` event
In the event handler, remove the input element from the DOM

JSFiddle Example: https://jsfiddle.net/13kpvogc/2/


Actual results:

The tab crashes


Expected results:

The input element gets removed, nothing else happens
Oops forgot to add to the reproduction steps that the tab crashes when you highlight text entered in the input box
Component: Untriaged → DOM: Events
Keywords: crash
Product: Firefox → Core
Based on crashing frame, moving to Layout.
Component: DOM: Events → Layout
Crash Signature: [@ nsLayoutUtils::GetNearestScrollableFrame ]
This crashed for me, too. It looks like a null deref.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Sample crash report (from me, with today's nightly): bp-575b9079-014e-4b13-9145-616d00171023
Attached file testcase 1 β€” 
Here's a standalone testcase, based on the jsfiddle.

This is still crashing for me as of today's nightly :)

Flags: needinfo?(emilio)
Assignee: nobody → emilio
Flags: needinfo?(emilio)
Regressed by: 945584

The frame selection changes can run script, so we need to check for the
frame itself getting destroyed. This fixes the crash as reported.

Additionally, the document check it does for pointer capture is
incorrect, it should use the composed, not uncomposed doc, so that it
works in shadow dom.

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e140c6cd2eb9
Fix two issues in nsIFrame::HandleRelease. r=dholbert
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/25019 for changes under testing/web-platform/tests

https://hg.mozilla.org/mozilla-central/rev/e140c6cd2eb9

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox81: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch
Upstream PR merged by moz-wptsync-bot
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: