crash when select has onChange that removes that select element from the parent form [@ nsIFrame::Invalidate]

RESOLVED DUPLICATE of bug 231830

Status

()

Core
DOM: Events
--
critical
RESOLVED DUPLICATE of bug 231830
14 years ago
14 years ago

People

(Reporter: nick eby, Unassigned)

Tracking

({crash})

Trunk
x86
All
crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(2 attachments)

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

will paste example HTML/javascript page below.  the crash occurs when you tab
into the select element, pick the "Redirect" option, then mouse-click outside
the select element.  the crash does not occur if you use the mouse to select the
"Redirect" option.  the crash does not occur if the string assigned to the
form's innerHTML contains a select element with the same name as the original
select element.

sorry if the formatting gets all fouled up.

<html>
<head>
	<script language="Javascript">
	function maybe_redirect(selectEl)
	{
		if (selectEl.options[selectEl.selectedIndex].value == '1')
		{
			var theForm = selectEl.form;
			
			theForm.innerHTML = 
			'<p align="center">' + 
			'Please wait while we redirect you.' + 
			'</p><input type="hidden" name="redirected" value="1">';
			
			//theForm.action = 'test.html';
			//theForm.onsubmit = '';
			
			
			window.setTimeout("document.forms[0].submit()", 2000);
			
			//selectEl.form.submit();
			
			//window.setTimeout("document.location =
'/account/orderstatus/disco.xea?layout=fullscreen&oms_id="+oms+"'", 2000);
		}
	}
	</script>
</head>
<body>
<form name="myForm" action="test.html" method="get">
<select name="mySelect" onChange="maybe_redirect(this)">
<option value=""></option>
<option value="0">Don't Redirect</option>
<option value="1">Redirect</option>
</select>
</form>
</body>
</html>

Reproducible: Always

Steps to Reproduce:
1. tab into the dropdown list
2. arrow-down to the option "Redirect"
3. mouse-click outside or do something to lose focus on the dropdown.

Actual Results:  
mozilla crash, reproduced in Firebird and in Mozilla 1.4.

Expected Results:  
for expected results, don't tab into the dropdown; instead use the mouse to pick
the Redirect option from the dropdown.
Depends on: 231830

Comment 1

14 years ago
WFM, Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040316

Reporter, can you still duplicate this with a recent build?
(Reporter)

Comment 2

14 years ago
Just duplicated with Firefox 0.8 on win2k; and mozilla 1.6 on debian-unstable.

Comment 3

14 years ago
Created attachment 145105 [details]
Reporter's testcase

WFM, Mozilla 1.7b WinXP.
(Reporter)

Comment 4

14 years ago
Created attachment 145110 [details]
Test case with correct JavaScript

Removed commented lines from javascript that became wrapped when I pasted the
source in my original comment.

Comment 5

14 years ago
OK, I can now crash it with this testcase, using the steps of the reporter.
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040316.

I've got a talkback ID: TB8922X

Comment 6

14 years ago
from talkback:

nsIFrame::Invalidate [/mozilla/layout/html/base/src/nsFrame.cpp, line 2498]
nsComboboxControlFrame::SetFocus
[/mozilla/layout/html/forms/src/nsComboboxControlFrame.cpp, line 539]
nsHTMLSelectElement::HandleDOMEvent
[/mozilla/content/html/content/src/nsHTMLSelectElement.cpp, line 1888]
nsEventStateManager::SendFocusBlur
[/mozilla/content/events/src/nsEventStateManager.cpp, line 4111]
nsEventStateManager::SetContentState
[/mozilla/content/events/src/nsEventStateManager.cpp, line 3894]
nsEventStateManager::PostHandleEvent
[/mozilla/content/events/src/nsEventStateManager.cpp, line 1835]
PresShell::HandleEventInternal [/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6072]
PresShell::HandleEvent [/mozilla/layout/html/base/src/nsPresShell.cpp, line 5942]
nsViewManager::HandleEvent [/mozilla/view/src/nsViewManager.cpp, line 2281]
nsViewManager::DispatchEvent [/mozilla/view/src/nsViewManager.cpp, line 2025]
HandleEvent [/mozilla/view/src/nsView.cpp, line 79]
nsWindow::DispatchEvent [/mozilla/widget/src/windows/nsWindow.cpp, line 1068]
nsWindow::DispatchWindowEvent [/mozilla/widget/src/windows/nsWindow.cpp, line 1085]
nsWindow::DispatchMouseEvent [/mozilla/widget/src/windows/nsWindow.cpp, line 5225]
ChildWindow::DispatchMouseEvent [/mozilla/widget/src/windows/nsWindow.cpp, line
5478]
nsWindow::ProcessMessage [/mozilla/widget/src/windows/nsWindow.cpp, line 4063]
nsWindow::WindowProc [/mozilla/widget/src/windows/nsWindow.cpp, line 1347]
USER32.dll + 0x2a2d0 (0x77e3a2d0)
USER32.dll + 0x45e5 (0x77e145e5)
USER32.dll + 0xa816 (0x77e1a816)
nsAppShellService::Run [/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 524]
main1 [/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1308]
main [/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1712]
WinMain [/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1734]
WinMainCRTStartup()
KERNEL32.DLL + 0x287e7 (0x7c5987e7)

impacted by bug 235264?
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 7

14 years ago
> impacted by bug 235264?

no, the testcase here crashes with linux Mozilla 1.0

stack from my debug build is the same as comment 6, except at the top, where I see:

(gdb) frame 8
#8  0x0776c50b in nsComboboxControlFrame::SetFocus (this=0x94f1f60, aOn=0,
aRepaint=1)
    at nsComboboxControlFrame.cpp:539
(gdb) p *this
[lots of 0xdddddddd pointers]

resolving as dupe.

*** This bug has been marked as a duplicate of 231830 ***
Status: NEW → RESOLVED
Last Resolved: 14 years ago
No longer depends on: 231830
Keywords: crash
OS: Windows 2000 → All
Resolution: --- → DUPLICATE
Summary: crash when select has onChange that removes that select element from the parent form → crash when select has onChange that removes that select element from the parent form [@ nsIFrame::Invalidate]
Crash Signature: [@ nsIFrame::Invalidate]
You need to log in before you can comment on or make changes to this bug.