Closed Bug 258101 Opened 20 years ago Closed 20 years ago

Crash in 1.8a3 on changing form element type to "file"

Categories: Core :: DOM: Core & HTML, defect
Platform: x86, All
Type: defect
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
People: Reporter: wasti.redl, Unassigned
Keywords: crash, testcase
Attachments: 1 file

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040817
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040817

I discovered this when probing for a possible security hole. When I have an <input type="text"> and change its type to "file" via JS, the browser crashes (and interestingly enough, doesn't launch the Feedback Agent).

Reproducible: Always

Steps to Reproduce:
1. Open testcase.
2. Hit the "Hit Me" button.

Actual Results: Browser crashes

Expected Results: Considering what I tried to do, it should probably throw a security exception.
Attached file Testcase
There is a circular loop of:

nsHTMLDocument::FlushPendingNotifications
nsGenericHTMLElement::GetPrimaryFrameFor          stack
nsGenericHTMLElement::GetFormControlFrameFor        ^
nsGenericHTMLElement::GetFormControlFrame           |
nsHTMLInputElement::GetValue                        |
nsFileControlFrame::CreateAnonymousContent
nsCSSFrameConstructor::CreateAnonymousFrames
nsCSSFrameConstructor::CreateAnonymousFrames
nsCSSFrameConstructor::ConstructHTMLFrame
nsCSSFrameConstructor::ConstructFrame
nsCSSFrameConstructor::ContentInserted
nsCSSFrameConstructor::RecreateFramesForContent
nsCSSFrameConstructor::RestyleElement
ProcessRestyle
nsCSSFrameConstructor::ProcessPendingRestyles
PresShell::FlushPendingNotifications

until we run out of stack space...
Severity: normal → critical
Status: UNCONFIRMED → NEW
Depends on: 256242
Ever confirmed: true
Keywords: crash
OS: Windows XP → All
Keywords: testcase
This launched Talkback for me on crash, Sebastian. Perhaps you need to delete compreg.dat and have it regenerate. http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB743798G
(In reply to comment #3)
> This launched Talkback for me on crash, Sebastian. Perhaps you need to delete
> compreg.dat and have it regenerate.

Still no Talkback after regenerating. I doubt it would be a different trace than the existing one, though.
Note: patch in bug 257694 fixes this.
Fixed by patch in bug 257694
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Verified FIXED using the testcase at http://bugzilla.mozilla.org/attachment.cgi?id=157946&action=view on Seamonkey trunk builds of 2004-09-15-12 on Windows XP.
Status: RESOLVED → VERIFIED
Component: DOM: HTML → DOM: Core & HTML
QA Contact: ian → general
layout/forms/crashtests/258101-1.html http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+