Closed Bug 315859 Opened 19 years ago Closed 18 years ago

Crash when using any arrow key on a radio input enclosed in a fieldset, and radio name is the same than fieldset id [@ nsHTMLFormElement::GetNextRadioButton]

Categories

(Core :: DOM: UI Events & Focus Handling, defect)

Product:
Core
Component:
DOM: UI Events & Focus Handling
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: moz, Assigned: alfred.peng)

References

Details

(5 keywords)

Crash Data

Attachments

(5 files, 2 obsolete files)

Test case to illustrate the crash
754 bytes, text/html
Details
backtrace from debug build
13.91 KB, text/plain
Details
Patch v2
3.56 KB, patch
MatsPalmgren_bugz
: review+
neil
: superreview+
Details | Diff | Splinter Review
Patch v4
3.58 KB, patch
neil
: superreview+
Details | Diff | Splinter Review
Patch v1 for mozilla 1.8.1
3.58 KB, patch
dveditz
: approval1.8.0.7+
dbaron
: approval1.8.1+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; fr; rv:1.8) Gecko/20051025 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; fr; rv:1.8) Gecko/20051025 Firefox/1.5

Crash when pressing any arrow key on a radio input who is having the focus, and whose name is the same than the id of a fieldset enclosing that radio input.

Reproducible: Always

Steps to Reproduce:
1.Open the test page
2.Click on the radio with the mouse in order to give the focus to it
3.Push any of the four arrow key on your keyboard

Actual Results:  
Crash (null address)

Expected Results:  
No crash :)

    
    

    
  
Additional information to reproduce the crash :

The fieldset element must be enclosed in a form element, otherwise the crash does not occur.

Crashes Firefox 1.5 rc2, and also the latest nightly build of Deer Park :

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051109 Firefox/1.6a1

    
    

    
  
Confirmed, using: 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051109 Firefox/1.6a1

Talkback ID: TB11676318W
Assignee: nobody → events
Status: UNCONFIRMED → NEW
Component: General → Event Handling
Ever confirmed: true
Keywords: crash, 
          
            regression, 
          
            testcase
Product: Firefox → Core
QA Contact: general → ian
Version: unspecified → Trunk

    
    

    
  


  
This is a backtrace from the assertions I get before the crash and from the sigsegv itself.

Assertions:
###!!! ASSERTION: mRadioButtons holding a non-radio button: 'radio', file c:/moz
illa/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 1647

###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRa
wPtr != 0', file ../../dist/include/xpcom/nsCOMPtr.h, line 849

Sigsegv:
Program received signal SIGSEGV, Segmentation fault.
0x0549ee23 in nsHTMLFormElement::GetNextRadioButton(nsAString_internal const&, i
nt, nsIDOMHTMLInputElement*, nsIDOMHTMLInputElement**) (this=0xfaef890,

    
  
Summary: Crash when using any arrow key on a radio input enclosed in a fieldset, and radio name is the same than fieldset id → Crash when using any arrow key on a radio input enclosed in a fieldset, and radio name is the same than fieldset id [@ nsHTMLFormElement::GetNextRadioButton]
Blocks: 17602
Flags: blocking1.9a1?

    
    

    
  
nsHTMLFormElement's idea of what a radio group is buggy - it includes all form controls with the same name, whether or not they are radio elements, and then GetNextRadioButton assumes that they're at least all <INPUT> elements.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v1 (obsolete)
        — Splinter Review
      

    


  
aaron, is this a proper way to go?

        Attachment #226647 -
        Flags: review?(aaronleventhal)
Flags: blocking1.8.1?
Flags: blocking1.8.0.6?

    
  

        Attachment #226647 -
        Flags: review?(aaronleventhal) → review?(mats.palmgren)

    
  
Flags: blocking1.8.1? → blocking1.8.1+

    
    

    
  
Comment on attachment 226647 [details] [diff] [review]
Patch v1

Since the GetDisabled() call is now conditional you also need this change:
-  PRBool disabled;
+  PRBool disabled = PR_TRUE;

With that, r=mats

The first comment line inside GetNextRadioButton() is wrong, I think you
should just remove that line while we're here...

        Attachment #226647 -
        Flags: review?(mats.palmgren) → review+
OS: Windows 2000 → All

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v2Splinter Review
      

    


  
Update the patch to address the last comments.

mats, thanks for your review.
Assignee: events → alfred.peng
Status: NEW → ASSIGNED

        Attachment #226755 -
        Flags: superreview?(neil)

        Attachment #226755 -
        Flags: review?(mats.palmgren)

        Attachment #226755 -
        Flags: review?(mats.palmgren) → review+

    
    

    
  
Comment on attachment 226755 [details] [diff] [review]
Patch v2

>-  PRBool disabled;
>+  PRBool disabled = PR_TRUE;
Actually you shouldn't need this change because we only use disabled immediately after the call to GetDisabled.

>     radioGroup->Item(index, getter_AddRefs(radioDOMNode));
>     radio = do_QueryInterface(radioDOMNode);
>-    NS_ASSERTION(radio, "mRadioButtons holding a non-radio button");
>+    if (!radio)
>+      continue;
>+
>+    formControl = do_QueryInterface(radio);
>+    if (formControl->GetType() != NS_FORM_INPUT_RADIO)
>+      continue;
>+
>     radio->GetDisabled(&disabled);
>   } while (disabled && radio != currentRadio);
Should we do the check for a form control first?

        Attachment #226755 -
        Flags: superreview?(neil) → superreview+

    
    

    
  
(In reply to comment #10)
> (From update of attachment 226755 [details] [diff] [review] [edit])
> >-  PRBool disabled;
> >+  PRBool disabled = PR_TRUE;
> Actually you shouldn't need this change because we only use disabled
> immediately after the call to GetDisabled.
> 

If either of the "continue" is executed the first time through the loop
we do need it, otherwise we use an uninitialized "disabled".
Not that it matters much, but I was thinking that tools like Coverity
will probably complain about it...

    
    

    
  
(In reply to comment #11)
> If either of the "continue" is executed the first time through the loop
> we do need it, otherwise we use an uninitialized "disabled".
> Not that it matters much, but I was thinking that tools like Coverity
> will probably complain about it...
> 

I think neil's point is that the statement "radio->GetDisabled(&disabled);" will initialize "disabled" before the check.

    
    

    
  
But you won't reach that statement if you execute a "continue".
(A "continue" inside a do-while jumps to the "while", not the "do".)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v3 (obsolete)
        — Splinter Review
      

    


  
Updated patch to address neil's review.

> >+    formControl = do_QueryInterface(radio);
> >+    if (formControl->GetType() != NS_FORM_INPUT_RADIO)
> >+      continue;
> >+
> >     radio->GetDisabled(&disabled);
> >   } while (disabled && radio != currentRadio);
> Should we do the check for a form control first?

Since the radio has been checked, can we deem formControl to be not null? Or it's still a necessary sanity check?

        Attachment #226647 -
        Attachment is obsolete: true

        Attachment #227094 -
        Flags: superreview?(neil)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v4Splinter Review
      

    


  
(In reply to comment #13)
> But you won't reach that statement if you execute a "continue".
> (A "continue" inside a do-while jumps to the "while", not the "do".)
> 

oops, that's right. New patch for neil.

        Attachment #227094 -
        Attachment is obsolete: true

        Attachment #227101 -
        Flags: superreview?(neil)

        Attachment #227094 -
        Flags: superreview?(neil)

    
    

    
  
(In reply to comment #13)
>But you won't reach that statement if you execute a "continue".
Ah, so it's a badly written loop, or at least it's not obvious enough :-P
Maybe it should be written as a for (;;) loop:
for (;;) {
  // update index
  // get next item
  // continue if it's not an input
  // break if it's the starting radio
  // continue if it's not a radio
  // break if it's not disabled
}

    
  

        Attachment #227101 -
        Flags: superreview?(neil) → superreview+

    
    

    
  


  
Firefox 2.0 also crashes by the testcase. Make a corresponding patch for it.

        Attachment #227410 -
        Flags: approval1.8.1?

    
    

    
  
Please land on trunk and let it bake a day or so before we approve for 1.8.1
Whiteboard: [checkin needed]

        Attachment #227410 -
        Flags: approval1.8.1?

    
    

    
  
Checking in public/nsIRadioGroupContainer.h;
/cvsroot/mozilla/content/html/content/public/nsIRadioGroupContainer.h,v  <--  nsIRadioGroupContainer.h
new revision: 1.8; previous revision: 1.7
done
Checking in src/nsHTMLFormElement.cpp;
/cvsroot/mozilla/content/html/content/src/nsHTMLFormElement.cpp,v  <--  nsHTMLFormElement.cpp
new revision: 1.203; previous revision: 1.202
done
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: blocking1.9a1?

    
    

    
  
=> Land to trunk

    
    

    
  
The crash is verified FIXED using https://bugzilla.mozilla.org/attachment.cgi?id=202507 as the testcase with trunk SeaMonkey 1.5a;Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060630 SeaMonkey/1.5a
Status: RESOLVED → VERIFIED

    
  

        Attachment #227410 -
        Flags: approval1.8.1?

    
    

    
  
Comment on attachment 227410 [details] [diff] [review]
Patch v1 for mozilla 1.8.1

a=dbaron on behalf of drivers.  Please land on MOZILLA_1_8_BRANCH and mark fixed 1.8.1 when you have.

Also, please make sure there's a bug filed on comment 6.

        Attachment #227410 -
        Flags: approval1.8.1? → approval1.8.1+

    
    

    
  
Checking in public/nsIRadioGroupContainer.h;
/cvsroot/mozilla/content/html/content/public/nsIRadioGroupContainer.h,v  <--  nsIRadioGroupContainer.h
new revision: 1.5.8.1; previous revision: 1.5
done
Checking in src/nsHTMLFormElement.cpp;
/cvsroot/mozilla/content/html/content/src/nsHTMLFormElement.cpp,v  <--  nsHTMLFormElement.cpp
new revision: 1.186.4.2; previous revision: 1.186.4.1
done
Keywords: fixed1.8.1

    
    

    
  
=> Land on MOZILLA_1_8_BRANCH

New bug 343444 filed to address comment 6.
Whiteboard: [checkin needed]
Flags: blocking1.8.0.7? → blocking1.8.0.7+

    
    

    
  
Comment on attachment 227410 [details] [diff] [review]
Patch v1 for mozilla 1.8.1

approved for 1.8.0 branch, a=dveditz for drivers

        Attachment #227410 -
        Flags: approval1.8.0.7+

    
    

    
  
Checking in content/html/content/src/nsHTMLFormElement.cpp;
/cvsroot/mozilla/content/html/content/src/nsHTMLFormElement.cpp,v  <--  nsHTMLFormElement.cpp
new revision: 1.186.10.1; previous revision: 1.186
done
Checking in content/html/content/public/nsIRadioGroupContainer.h;
/cvsroot/mozilla/content/html/content/public/nsIRadioGroupContainer.h,v  <--  nsIRadioGroupContainer.h
new revision: 1.5.16.1; previous revision: 1.5
done


=> Land on 1.8.0 branch.

    
  
Keywords: fixed1.8.0.7

    
    

    
  
Verified FIXED using 1.8 and 1.8.0 on Linux (X11; U; Linux i686; en-US;). I no longer crash using the testcase in attachment 202507 [details].
Keywords: fixed1.8.0.7, 
          
            fixed1.8.1verified1.8.0.7, 
          
            verified1.8.1
Crash Signature: [@ nsHTMLFormElement::GetNextRadioButton]

    
    

    
  
(In reply to Adam Guthrie from comment #27)
> Verified FIXED using 1.8 and 1.8.0 on Linux (X11; U; Linux i686; en-US;). I
> no longer crash using the testcase in attachment 202507 [details].

I encounter this bug with Firefox 31.3.0 (ESR) on Linux. The testcase crashes my browser. I am prepared to provide further details if given clear instructions.

    
    

    
  
(In reply to Erik Quaeghebeur from comment #28)
> I encounter this bug with Firefox 31.3.0 (ESR) on Linux. The testcase
> crashes my browser. I am prepared to provide further details if given clear
> instructions.

Erik, could you please file a new bug on this and mention the bug number here? Thanks.
Flags: needinfo?(mozillabugzilla)

    
    

    
  
(In reply to Martijn Wargers [:mwargers] (QA) from comment #29)
>
> Erik, could you please file a new bug on this and mention the bug number
> here? Thanks.

Bug 1115981 (But why make me do the seemlessly unnecessary extra administrative effort and not just reopen this bug?)
Flags: needinfo?(mozillabugzilla)

    
    

    
  
(In reply to Erik Quaeghebeur from comment #30)
> (In reply to Martijn Wargers [:mwargers] (QA) from comment #29)
> >
> > Erik, could you please file a new bug on this and mention the bug number
> > here? Thanks.
> 
> Bug 1115981 (But why make me do the seemlessly unnecessary extra
> administrative effort and not just reopen this bug?)

Because it's a different bug. This was fixed a long time ago, already.

    
    

    
      
  
Component: Event Handling → User events and focus handling

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: