Closed
Bug 17852
Opened 25 years ago
Closed 25 years ago
Previous crasher in nsListControlFrame::GetSelect
Categories
(Core :: Layout: Form Controls, defect, P3)
Tracking
()
VERIFIED
FIXED
M12
People
(Reporter: jim_nance, Assigned: rods)
References
()
Details
Using a 7:00 PM EST Nov 2 pull running under Red Hat Linux 6.1, I get a reproducable crash when visiting the URL: http://www.newsalert.com/bin/story?StoryId=Cob0EubKbytaWmte&FQ=Linux&Nav=na-search-&StoryTitle=Linux The crash occurs on line 1061 of nsListControlFrame.cpp. Here is the gdb output: (gdb) frame 0 #0 0x40f2203a in nsListControlFrame::GetSelect (aContent=0x0) at /home/jlnance/src/19980429/mozilla/layout/html/forms/src/nsListControlFrame.cpp:1061 1061 nsresult result = aContent->QueryInterface(nsCOMTypeInfo<nsIDOMHTMLSelectElement>::GetIID(), (gdb) list 1056 //--------------------------------------------------------- 1057 nsIDOMHTMLSelectElement* 1058 nsListControlFrame::GetSelect(nsIContent * aContent) 1059 { 1060 nsIDOMHTMLSelectElement* selectElement = nsnull; 1061 nsresult result = aContent->QueryInterface(nsCOMTypeInfo<nsIDOMHTMLSelectElement>::GetIID(), 1062 (void**)&selectElement); 1063 if (NS_SUCCEEDED(result) && selectElement) { 1064 return selectElement; 1065 } else { (gdb) quit
Updated•25 years ago
|
Assignee: leger → rods
Severity: normal → critical
Assignee | ||
Updated•25 years ago
|
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → DUPLICATE
Updated•25 years ago
|
Status: RESOLVED → REOPENED
Target Milestone: M11
Updated•25 years ago
|
Resolution: DUPLICATE → ---
Comment 2•25 years ago
|
||
Bug 17315 is fixed but this one is not using Nov. 4 build, re-opening and putting on M11 radar. Looks similar to bug 17995
Comment 3•25 years ago
|
||
bug 17817 and bug 17900 are duplicates (I think) of this, the bugzilla query crashers
Updated•25 years ago
|
Summary: browser crash → browser crash in nsListControlFrame::GetSelect
Comment 6•25 years ago
|
||
updating summary a bit
Comment 7•25 years ago
|
||
OK, here's a very simply test case to demonstrate this crash: <html> <head> <script> function loadFrames(){ top.frames[1].document.open(); top.frames[1].document.write( "<form>" + "<table>" + "<tr>" + "<td>" + "<tr>" + "<td>" + "<select>" ) alert("program gets here successfully"); top.frames[1].document.write( "<option VALUE='first'>steve</option>" ) alert("but it never gets here"); }; </script> </head> <frameset rows = "15,25" onload="loadFrames();"> <frame src="about:blank"> <frame src="about:blank"> </frameset> <noframes> <body> <br/> </body> </noframes> </html> Furthermore, the crash that I am seeing is at line 1915 instead of 1061 as reported above.
Comment 8•25 years ago
|
||
Looking over the stack trace of bug 17817 (which shows the crash on line 1061) and of bug 17995 (which is the one I was tracking down when it got marked as a duplicate of this bug), they definitely are different. So we might have two different bugs here. The simplified example that I included above crashes with the stack trace of bug 17995.
Comment 9•25 years ago
|
||
I agree, they are probably two separate bugs. Here's a further reduction of the above testcase, to eliminate framesets and document.writing from the picture: <html> <body> <select> <script>dump('block parser to cause crash\n');</script> <option VALUE='first'>steve</option> </select> </body> </html>
Comment 10•25 years ago
|
||
Rod, I pulled and rebuilt with your fix for this bug (17852) and bug 17995 still exists, therefore implying it is not a dup. Bug 17900 and 17995 have the same stack trace and are probably a separate bug. I marked 17995 a dup of this bug so I'm going to undo my evil. :)
Comment 11•25 years ago
|
||
Oh, I see. The problem is that the html parser was interrupted in the middle of a select statement. That's obvious from Eric's example. From my example I couldn't figure out what it was about the second document.write that was causing the problem.
Assignee | ||
Comment 12•25 years ago
|
||
The problem here is that the combobox is calling "MakeSureSomethingIsSelected" something is selected and that is calling "UpdateSelection" which causes all the same baddness to happen that the Reset was doing. You can't initialize the list until all frames have been created for a final time. I can fix this by commenting out the UpdateSelection in MakeSureSomethingIsSelected
Assignee | ||
Comment 13•25 years ago
|
||
And I comment out the line (in nsListControlFrame) mComboboxFrame->UpdateSelection(PR_FALSE, PR_TRUE, selectedIndex);
Comment 14•25 years ago
|
||
This page is not crashing anymore, and neither is bugzilla. Was a fix checked in? I don't get a scrollbar on this page, though.
Comment 15•25 years ago
|
||
I take back the above comments. Both this page and bugzilla are still crashing, though somewhat intermittently. For example, bug 8673 seems to crash consistently, while some other bugs do not.
Assignee | ||
Updated•25 years ago
|
Depends on: 18183
Summary: browser crash in nsListControlFrame::GetSelect → Previous crasher in nsListControlFrame::GetSelect
Target Milestone: M11 → M12
Assignee | ||
Comment 16•25 years ago
|
||
Added bug dependency, moved to M12 because it no longer crashes, leaving as critical, changing Summary
Comment 17•25 years ago
|
||
Yes, based on Rods fix for the original bug here, I checked in a workaround for bug 17995 / bug 17900 / Steve Morse's test case. I commented out MakeSureSomethingIsSelected in nsComboboxControlFrame::AddOption. As a result, comboboxes will initialize correctly, but selection will not be updated if options are dynamically added to a combobox after init. Sounds like Rod has the right plan. Once bug 18183 is fixed, Reset can be called from nsListControlFrame::AddOption after the notification is received, and MSSIS can be called from nsComboboxControlFrame::AddOption after the notification is received. I'm not sure how bug 8673 is related?
*** Bug 18086 has been marked as a duplicate of this bug. ***
Component: Browser-General → HTML Form Controls
QA Contact: leger → cpratt
Comment 19•25 years ago
|
||
Updating component and QA contact.
Comment 20•25 years ago
|
||
It looks like this workaround didn't get checked into the M11 branch. Eric, can you get it into Seamonkey_M11_Branch? Bugzilla is still crashing on 111017 M11 branch build we got last night.
Assignee | ||
Updated•25 years ago
|
Status: REOPENED → RESOLVED
Closed: 25 years ago → 25 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 21•25 years ago
|
||
No longer crashes with new code - Fixed
Updated•25 years ago
|
QA Contact: cpratt → elig
Comment 22•25 years ago
|
||
cpratt is out of town; QA Assigning to self.
Updated•25 years ago
|
Status: RESOLVED → VERIFIED
Comment 23•25 years ago
|
||
Using the 1999111612 (Mac OS M11), 1999111218 (Win32) and 1999111208 (Linux) builds, confirmed that viewing all of the following: * the URL cited in bug report * the simplified test case provided by pollman on 11.04.99 at 15:44 PM * the test case from duplicate bug 18086 ...do not trigger a crash. If I've missed anything, please add your $.02 and re-open. Thanks!
Comment hidden (collapsed) |
You need to log in
before you can comment on or make changes to this bug.
Description
•