If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

[FIXr]Crashes when extending html:textarea

VERIFIED FIXED in mozilla1.8alpha5

Status

()

Core
XBL
P1
critical
VERIFIED FIXED
13 years ago
13 years ago

People

(Reporter: Wladimir Palant, Assigned: bz)

Tracking

({crash})

Trunk
mozilla1.8alpha5
crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(4 attachments)

(Reporter)

Description

13 years ago
nsFormControlHelper seems to assume that any text field element will always
implement the nsIFormControl interface. However, this is not the case if you
bind XBL extending html:textarea to a custom HTML tag. The result is a crash,
stack trace:

gklayout!nsFormControlHelper__GetType+0x40
gklayout!nsTextControlFrame__GetFormControlType+0xc (FPO: [1,0,0])
gklayout!nsTextControlFrame__IsSingleLineTextControl+0xc (FPO: [0,0,0])
gklayout!nsTextControlFrame__CreateAnonymousContent+0x195
gklayout!nsCSSFrameConstructor__CreateAnonymousFrames+0x95
gklayout!nsCSSFrameConstructor__CreateAnonymousFrames+0x55
gklayout!nsCSSFrameConstructor__ConstructHTMLFrame+0x7a2
gklayout!nsCSSFrameConstructor__ConstructFrameInternal+0x23e
gklayout!nsCSSFrameConstructor__ConstructFrameInternal+0x19b
gklayout!nsCSSFrameConstructor__ConstructFrame+0xce
gklayout!nsCSSFrameConstructor__ContentInserted+0x4a9
gklayout!PresShell__ContentInserted+0x31 (FPO: [4,0,2])
xpcom!nsDebug__Assertion
gklayout!nsXBLStreamListener__Load+0x268
gklayout!DispatchToInterface+0x30
gklayout!nsEventListenerManager__HandleEvent+0x1d9
gklayout!nsDocument__HandleDOMEvent+0xcd
gklayout!nsXMLDocument__EndLoad+0x97
gklayout!nsXMLContentSink__DidBuildModel+0x1fe (FPO: [EBP 0x00000000] [1,2,4])
gkparser!nsExpatDriver__DidBuildModel+0x19 (FPO: [5,0,2])
gkparser!nsParser__DidBuildModel+0x34 (FPO: [1,0,2])
gkparser!nsParser__ResumeParse+0x168
gkparser!nsParser__OnStopRequest+0x66 (FPO: [EBP 0x02820978] [4,0,4])
xpcom!nsDebug__Assertion
gklayout!nsXBLStreamListener__`vftable'
gklayout!getter_AddRefs+0xa (FPO: [2,0,0])
gklayout!nsXBLStreamListener__~nsXBLStreamListener+0x5f (FPO: [0,0,1])
gklayout!nsXBLService__Release

I'm not sure whether nsFormControlHelper is wrong here or XBL-extended tags
should implement the necessary interfaces instead.
(Reporter)

Comment 1

13 years ago
Created attachment 159706 [details]
XBL for the testcase
(Reporter)

Comment 2

13 years ago
Created attachment 159707 [details]
Testcase

Talkback ID is TB928016Q.
Keywords: crash
> I'm not sure whether nsFormControlHelper is wrong here

Yes, it's wrong.  It should null-check (and probably assert and return
NS_FORM_INPUT_TEXT when nsIFormControl is not implemented).

> or XBL-extended tags should implement the necessary interfaces instead.

They need to do that if they want to work anything resembling right, yes.
Created attachment 160521 [details] [diff] [review]
Patch
Attachment #160521 - Flags: superreview?(jst)
Attachment #160521 - Flags: review?(jst)
Comment on attachment 160521 [details] [diff] [review]
Patch

r+sr=jst

Note though that an XBL binding can not implement the nsIFormControl interface
to get this to work right, as that interface is not scriptable.
Attachment #160521 - Flags: superreview?(jst)
Attachment #160521 - Flags: superreview+
Attachment #160521 - Flags: review?(jst)
Attachment #160521 - Flags: review+
True.  So you simply can't synthesize HTML form controls in XBL like this in a
reasonable way.  nsIFormControl is used all over the place in the form control
code...
Assignee: hyatt → bzbarsky
Priority: -- → P1
Summary: Crashes when extending html:textarea → [FIX]Crashes when extending html:textarea
Target Milestone: --- → mozilla1.8alpha5
Summary: [FIX]Crashes when extending html:textarea → [FIXr]Crashes when extending html:textarea
(Reporter)

Comment 7

13 years ago
I actually meant that extended HTML controls should inherit the necessary
interfaces - at least in theory. But at least the crash is fixed now...
Fix checked in for 1.8a5.
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
Created attachment 160761 [details] [diff] [review]
Actually, we crash on closing that page too...
Attachment #160761 - Flags: superreview?(jst)
Attachment #160761 - Flags: review?(jst)
Comment on attachment 160761 [details] [diff] [review]
Actually, we crash on closing that page too...

r+sr=jst
Attachment #160761 - Flags: superreview?(jst)
Attachment #160761 - Flags: superreview+
Attachment #160761 - Flags: review?(jst)
Attachment #160761 - Flags: review+
Checked in the second patch too.
Verified FIXED using the 2004-10-04-06 build on Windows XP (Seamonkey trunk).
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.