Trunk FF crashes while using keyboard and click in document to trigger "onchange" to redirect after parentnode was changed [@ nsIFrame::Invalidate ]

RESOLVED DUPLICATE of bug 231830

Status

()

Core
Layout
--
critical
RESOLVED DUPLICATE of bug 231830
13 years ago
7 years ago

People

(Reporter: Tim, Unassigned)

Tracking

({crash, testcase})

Trunk
crash, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Win98; nl-NL; rv:1.7.5) Gecko/20041202 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Win98; nl-NL; rv:1.7.5) Gecko/20041202 Firefox/1.0

While clicking in the document to trigger an onchange-event on a dropdownmenu
after selecting an item from that dropdownmenu using the keyboard which has
javascript underneat will result in a crash. The onchange-event causing the
crash is a content change of the parent node, immediately followed by a document
redirect.
Selecting an item with the mouse only will perform the programmed actions and
wont crash FF.


Reproducible: Always

Steps to Reproduce:
1. Hit Tab to put focus on the dropdown
2. Use the keyboard to select a dropdown item by using the arrows or first
letter/numer of the desired item (testcase: enter 1-5)
3. click, after the item is displayed as active, into the document to trigger
the event


Actual Results:  
FF will crash once the click has been registered.

Expected Results:  
The parentnode will have changed (this.parentNode.innerHTML=this.value) and will
have overwritten the dropdown after which the browser will be directed to a new
URI. (document.location.href='http://google.com')
(Reporter)

Comment 1

13 years ago
Created attachment 172422 [details]
HTML file,will repro the problem when the steps from the report are followed.

Updated

13 years ago
Severity: normal → critical
Keywords: crash
Summary: FF crashes while using keyboard and click in document to trigger "onchange" to redirect after parentnode was changed → FF crashes while using keyboard and click in document to trigger "onchange" to redirect after parentnode was changed

Comment 2

13 years ago
The testcase gives a crash if you tab out of the dropdown once you've altered it
with the keyboard.  I guess that is an alternative way of triggering the event.

Comment 3

13 years ago
Crashed using FF 1.0 on WinXP: TB330079E.

nsIFrame::Invalidate 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsFrame.cpp,
line 2506]
nsComboboxControlFrame::SetFocus 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/forms/src/nsComboboxControlFrame.cpp,
line 539]
nsHTMLSelectElement::HandleDOMEvent 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLSelectElement.cpp,
line 1891]
nsEventStateManager::SendFocusBlur 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 4256]
nsEventStateManager::SetContentState 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 4040]
nsEventStateManager::ShiftFocusInternal 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 3367]
nsEventStateManager::ShiftFocus 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 3103]
PresShell::HandleEventInternal 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6111]
PresShell::HandleEvent 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5921]
nsViewManager::HandleEvent 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2280]
nsViewManager::DispatchEvent 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2066]
HandleEvent 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp,
line 77]
nsWindow::DispatchEvent 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1067]
nsWindow::DispatchKeyEvent 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 2978]
nsWindow::OnChar 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 3162]
nsWindow::ProcessMessage 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 3878]
nsWindow::WindowProc 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1349]
USER32.dll + 0x86cb (0x77d486cb)
USER32.dll + 0x879f (0x77d4879f)
USER32.dll + 0x8a31 (0x77d48a31)
USER32.dll + 0x8ab4 (0x77d48ab4)
nsAppShellService::Run 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp,
line 495]
main 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/browser/app/nsBrowserApp.cpp,
line 58]
kernel32.dll + 0x2141a (0x77e8141a)
Keywords: testcase
Summary: FF crashes while using keyboard and click in document to trigger "onchange" to redirect after parentnode was changed → FF crashes while using keyboard and click in document to trigger "onchange" to redirect after parentnode was changed [@ nsIFrame::Invalidate ]

Updated

13 years ago
Version: unspecified → 1.0 Branch

Comment 4

13 years ago
Crash also on GNU/Linux with Mozilla 1.8a6 
TB3833182K

Comment 5

13 years ago
TB3833182K has same stack.

If crashing also Suite -> Core / Layout (or better Events?)
Assignee: firefox → nobody
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
Summary: FF crashes while using keyboard and click in document to trigger "onchange" to redirect after parentnode was changed [@ nsIFrame::Invalidate ] → Trunk FF crashes while using keyboard and click in document to trigger "onchange" to redirect after parentnode was changed [@ nsIFrame::Invalidate ]
Version: 1.0 Branch → Trunk
Depends on: 231830

Updated

13 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 6

11 years ago
This was fixed by bug 231830.

*** This bug has been marked as a duplicate of 231830 ***
Status: NEW → RESOLVED
Last Resolved: 11 years ago
No longer depends on: 231830
OS: Windows 98 → All
Hardware: PC → All
Resolution: --- → DUPLICATE
(Assignee)

Updated

7 years ago
Crash Signature: [@ nsIFrame::Invalidate ]
You need to log in before you can comment on or make changes to this bug.