Closed Bug 330367 Opened 14 years ago Closed 13 years ago

Firefox 1.5/2.0 crashes for onblur focusing an "overflow" div that also gets "diplay:none" set at the same time while checking other data [@ PresShell::ScrollFrameIntoView]

Categories: Core :: DOM: UI Events & Focus Handling, defect, critical
Version: 1.8 Branch
Priority: Not set
Status: VERIFIED FIXED
People: Reporter: mozilla, Assigned: mats
Details: 4 keywords
Attachments: 2 files

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

If I tab out of an input field, and the next element to be focused is a focusable div (as caused by "overflow:auto" in this case), and the onblur handler hides that div with "display:none", and I also check certain data or call certain functions (such as alert), then Firefox 1.5 crashes.

It doesn't affect Firefox 1.0 for me.

I've tested on multiple computers, but I frequently use similar extensions. Could be that there's an influence from the extensions.


Reproducible: Always

Steps to Reproduce:
Here's a sample HTML page. I don't see how to make an attachment on this form, but you may want to make it an attachment later. Anyway, just follow the instructions in the page after you load it up:

<html>
	<head>
		<title>Crashing Firefox 1.5</title>
		<script type="text/javascript">

			function buildCrasher() {
				var div = document.getElementById('crasherDiv');

				// The tabIndex fixes it, but I have another case where this causes clicking in the div to crash it.
				// I haven't isolated that case, though.
				// div.tabIndex = -1;

				var input = document.getElementById('crasherInput');
				input.onblur = function() {
					// Needed:
					div.style.display = 'none';

					// Non crashers:
					// this.offsetLeft;
					// input.id;

					// Crashers:
					input.offsetLeft;
					// alert('Hello, world!');
				};

				// Just for convenience. Not required:
				input.onfocus = function() {div.style.display = 'block'};
				input.focus();
			}

		</script>
	</head>

	<body onload="buildCrasher()">
		Tab out of here to crash Firefox 1.5: <input id="crasherInput"/>
		<div id="crasherDiv" style="margin-top: 1em; overflow: auto">
			This is a separate div that will get "display: none"'d when you tab out of the above input.
			This div has "overflow: auto" on it. This seems to cause it to be focusable by Firefox 1.5.
		</div>
	</body>
</html>

Actual Results:  
Firefox crashes.

Expected Results:  
The browser shouldn't crash. (It should also respond correctly to the other updates and function calls, such as un-displaying the div in question. This is probably already being done. I'm just mentioning this here to be detailed in my expectations.)

I originally put the crashing sample inline, but looks like I can add an attachment after all.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060313 Firefox/1.6a1 ID:2006031306
These are crashes in 1.5.0.1 and branch, but not in trunk.
In trunk it was repaired between 1.9a1_2005082407 and 1.9a1_2005082507.
Can't send talkbacks at the moment.
Keywords: crash

It looks like this got fixed on trunk by bug 303620.  Do we want to try to put part of that (presumably something that regets a frame ptr) on the branches?
Assignee: nobody → aaronleventhal
Status: UNCONFIRMED → NEW
Component: Keyboard Navigation → Keyboard: Navigation
Ever confirmed: true
Keywords: crash
OS: Windows XP → All
Product: Firefox → Core
QA Contact: keyboard.navigation → keyboard.navigation
Hardware: PC → All
Version: unspecified → 1.8 Branch
Talkback Records:
TB16345076E, TB16340823, TB16340819 PresShell::ScrollFrameIntoView
Keywords: testcase
Summary: Firefox 1.5 crashes for onblur focusing an "overflow" div that also gets "diplay:none" set at the same time while checking other data. → Firefox 1.5 crashes for onblur focusing an "overflow" div that also gets "diplay:none" set at the same time while checking other data [@ PresShell::ScrollFrameIntoView]
*** Bug 362124 has been marked as a duplicate of this bug. ***
Assignee: aaronleventhal → mats.palmgren
Summary: Firefox 1.5 crashes for onblur focusing an "overflow" div that also gets "diplay:none" set at the same time while checking other data [@ PresShell::ScrollFrameIntoView] → Firefox 1.5/2.0 crashes for onblur focusing an "overflow" div that also gets "diplay:none" set at the same time while checking other data [@ PresShell::ScrollFrameIntoView]
Attached patch: Patch rev. 1
Risk free crash fix. Also fixes bug 362124.
Attachment #246874 - Flags: superreview?(bzbarsky)
Attachment #246874 - Flags: review?(bzbarsky)
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Comment on attachment 246874
Patch rev. 1

Looks good.  r+sr=bzbarsky
Attachment #246874 - Flags: superreview?(bzbarsky)
Attachment #246874 - Flags: superreview+
Attachment #246874 - Flags: review?(bzbarsky)
Attachment #246874 - Flags: review+
Attachment #246874 - Flags: approval1.8.1.1?
Attachment #246874 - Flags: approval1.8.0.9?
Comment on attachment 246874
Patch rev. 1

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #246874 - Flags: approval1.8.1.1?
Attachment #246874 - Flags: approval1.8.1.1+
Attachment #246874 - Flags: approval1.8.0.9?
Attachment #246874 - Flags: approval1.8.0.9+
Won't hold the release for this, but if you get it in this week we'll take the patch.
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1-
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9-
Checked in to MOZILLA_1_8_BRANCH at 2006-11-30 05:19 PST
Checked in to MOZILLA_1_8_0_BRANCH at 2006-11-30 05:22 PST

-> FIXED
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Verified fixed for 1.8.0.9 and 1.8.1.1 with Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.1pre) Gecko/20061129 BonEcho/2.0.0.1pre
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.9pre) Gecko/20061130 Firefox/1.5.0.9pre

Also tested with Fedora FC 6
Status: RESOLVED → VERIFIED
Crash Signature: [@ PresShell::ScrollFrameIntoView]
Component: Keyboard: Navigation → User events and focus handling
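
The earlier comment about porting "something that regets a frame ptr" to the branches describes a general pattern; the C++ model below is an added illustration of it, not Gecko source and not the attached patch. It assumes, as that comment presumes, that the crash comes from a frame pointer obtained before the blur handler runs and used afterwards. Shell, Frame, MoveFocus and RunTestcase are hypothetical names.

```cpp
// Added illustration, not Gecko source: Shell, Frame and MoveFocus are hypothetical.
#include <cstdio>
#include <functional>
#include <map>
#include <memory>
#include <string>

struct Frame { bool scrolledIntoView = false; };
// Toy pres shell: owns one frame (layout object) per displayed element.
struct Shell {
    std::map<std::string, std::unique_ptr<Frame>> frames;
    void Show(const std::string& id) { frames[id].reset(new Frame()); }
    // Models display:none taking effect: the element's frame is destroyed.
    void Hide(const std::string& id) { frames.erase(id); }
    Frame* FrameFor(const std::string& id) {
        auto it = frames.find(id);
        return it == frames.end() ? nullptr : it->second.get();
    }
};

enum class Result { Scrolled, NotFocusable, FrameGone, StaleFrame };
Result MoveFocus(Shell& shell, const std::string& next,
                 const std::function<void()>& onblur, bool reget) {
    Frame* frame = shell.FrameFor(next);   // fetched before any script runs
    if (!frame) return Result::NotFocusable;
    onblur();                              // page script runs; frames may be destroyed
    if (reget) {
        frame = shell.FrameFor(next);      // hardened: discard the earlier pointer
        if (!frame) return Result::FrameGone;
    } else if (!shell.FrameFor(next)) {
        // Unhardened: `frame` dangles here; the model reports it instead of dereferencing.
        return Result::StaleFrame;
    }
    frame->scrolledIntoView = true;        // stands in for scrolling the frame into view
    return Result::Scrolled;
}

// Constructed scenario mirroring the testcase: the blur handler hides the next focus target.
Result RunTestcase(bool handlerHides, bool reget) {
    Shell shell;
    shell.Show("crasherDiv");
    return MoveFocus(shell, "crasherDiv",
                     [&] { if (handlerHides) shell.Hide("crasherDiv"); }, reget);
}

int main() {
    std::printf("unhardened=%d hardened=%d\n", static_cast<int>(RunTestcase(true, false)),
                static_cast<int>(RunTestcase(true, true)));
}
```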