Closed
Bug 368627
Opened 18 years ago
Closed 18 years ago
Problem with XForms using itemsets across models
Categories
(Core Graveyard :: XForms, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: alexbleasdale, Assigned: smaug)
References
Details
(Keywords: fixed1.8.0.12, fixed1.8.1.4)
Attachments
(2 files, 1 obsolete file)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1 The code below - on adding an item to an XForms itemset - causes firefox to exit. Can be reproduced on both FF1.5 and FF2.0 using the latest versions of the XForms addon (0.7x). We suspect this is because the referent and the itemset appear in different models. Error offset: 000059d2 Example code pasted below: -------------------------------- <html xmlns="http://www.w3.org/1999/xhtml" xmlns:xf="http://www.w3.org/2002/xforms" xmlns:ev="http://www.w3.org/2001/xml-events" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <head> <xf:model id="default"> <xf:instance xmlns="" id="CRV-data"> <data> <items> <item>item 1</item> <item>item 2</item> <item>item 3</item> </items> </data> </xf:instance> </xf:model> <xf:model id="code-tables"> <xf:instance xmlns="" id="ColorCode"> <CodeTable> <DataElementName>ColorCode</DataElementName> <EnumeratedValues> <Item> <Label>Red</Label> <Value>red</Value> </Item> <Item> <Label>Green</Label> <Value>green</Value> </Item> <Item> <Label>Blue</Label> <Value>blue</Value> </Item> </EnumeratedValues> </CodeTable> </xf:instance> </xf:model> </head> <body> <xf:group model="default" ref="/data/items"> <xf:label>Group Label for item: </xf:label> <xf:repeat model="default" nodeset="/data/items"> <xf:input ref="item"> <xf:label>Item:</xf:label> </xf:input> <xf:select1 ref="item"> <xf:label>Item Code:</xf:label> <xf:itemset model="code-tables" nodeset="instance('ColorCode')/EnumeratedValues/Item"> <xf:label ref="Label" /> <xf:value ref="Value" /> </xf:itemset> </xf:select1> </xf:repeat> <xf:trigger> <xf:label>Add Item</xf:label> <xf:action ev:event="DOMActivate"> <xf:insert nodeset="/data/items[last()]" position="after" at="last()" /> </xf:action> </xf:trigger> </xf:group> </body> </html> Reproducible: Always Steps to Reproduce: 1. Paste code into xml document and run locally 2. Click "Add Item" 3. Firefox xforms.dll should crash Actual Results: Firefox exits. Expected Results: Another item should have been added to the itemlist. <html xmlns="http://www.w3.org/1999/xhtml" xmlns:xf="http://www.w3.org/2002/xforms" xmlns:ev="http://www.w3.org/2001/xml-events" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <head> <xf:model id="default"> <xf:instance xmlns="" id="CRV-data"> <data> <items> <item>item 1</item> <item>item 2</item> <item>item 3</item> </items> </data> </xf:instance> </xf:model> <xf:model id="code-tables"> <xf:instance xmlns="" id="ColorCode"> <CodeTable> <DataElementName>ColorCode</DataElementName> <EnumeratedValues> <Item> <Label>Red</Label> <Value>red</Value> </Item> <Item> <Label>Green</Label> <Value>green</Value> </Item> <Item> <Label>Blue</Label> <Value>blue</Value> </Item> </EnumeratedValues> </CodeTable> </xf:instance> </xf:model> </head> <body> <xf:group model="default" ref="/data/items"> <xf:label>Group Label for item: </xf:label> <xf:repeat model="default" nodeset="/data/items"> <xf:input ref="item"> <xf:label>Item:</xf:label> </xf:input> <xf:select1 ref="item"> <xf:label>Item Code:</xf:label> <xf:itemset model="code-tables" nodeset="instance('ColorCode')/EnumeratedValues/Item"> <xf:label ref="Label" /> <xf:value ref="Value" /> </xf:itemset> </xf:select1> </xf:repeat> <xf:trigger> <xf:label>Add Item</xf:label> <xf:action ev:event="DOMActivate"> <xf:insert nodeset="/data/items[last()]" position="after" at="last()" /> </xf:action> </xf:trigger> </xf:group> </body> </html>
|
||
Updated•18 years ago
|
Assignee: nobody → xforms
Component: General → XForms
Product: Firefox → Core
QA Contact: general → spride
Version: unspecified → 1.8 Branch
|
||
Comment 1•18 years ago
|
||
|
|
||
Updated•18 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: 1.8 Branch → Trunk
well, we shouldn't crash, that is for sure :-). Looks like we are finding some 'bad' nodes (probably already freed nodes) on the model's control list. We are going through the model refreshing the controls (post rebuild since this was due to an insert) and we reach a controlListItem whose mNode is bad. The whole controlListItem looks questionable for that matter. Lots of junk data in it.
|
Assignee | |
Comment 3•18 years ago
|
||
Couldn't reproduce using Linux/Trunk and the testcase.
|
|
Assignee | |
Comment 4•18 years ago
|
||
Using 1.8 does crash.
|
|
Assignee | |
Comment 5•18 years ago
|
||
So my guess is that nsXFormsControlListItem object gets deleted while it is used in nsXFormsModelElement::RefreshSubTree. We could probably use refcounting for nsXFormsControlListItems.
|
|
Assignee | |
Comment 6•18 years ago
|
||
Aaron, what do you think about this approach. I don't quite like manually AddReffing/Releasing, but that was the easiest way to do it, or at least to test that it fixes the crash.
Attachment #253327 -
Flags: review?(aaronr)
|
Reporter | |
Comment 7•18 years ago
|
||
For a workaround (and for anyone who has a similar problem) - if you merge the referent and the itemset into the same model, the xform will work without crashing.
|
|
Assignee | |
Comment 8•18 years ago
|
||
Comment on attachment 253327 [details] [diff] [review] refcounting (for 1.8) I'll use this approach but just clean up the patch a bit.
Attachment #253327 -
Attachment is obsolete: true
Attachment #253327 -
Flags: review?(aaronr)
|
|
Assignee | |
Comment 9•18 years ago
|
||
Can you test whether this fixes the bug in Windows too, just to make sure.
|
|
Assignee | |
Comment 10•18 years ago
|
||
Comment on attachment 253359 [details] [diff] [review] proposed patch The patch was made using 1.8, but should apply to trunk too (with some fuzz)
|
||
Comment 11•18 years ago
|
||
(In reply to comment #9) > Created an attachment (id=253359) [details] > proposed patch > > Can you test whether this fixes the bug in Windows too, just to make sure. > This patch fixes my Windows trunk crash.
|
|
||
Comment 12•18 years ago
|
||
Comment on attachment 253359 [details] [diff] [review] proposed patch not a huge fan of the addref stuff myself, but I think in this case this approach will save us from having to debug other control list management problems in the future.
Attachment #253359 -
Flags: review?(aaronr) → review+
|
|
Assignee | |
Updated•18 years ago
|
Attachment #253359 -
Flags: review?(surkov.alexander)
|
|
||
Comment 13•18 years ago
|
||
Comment on attachment 253359 [details] [diff] [review] proposed patch Looks ok
Attachment #253359 -
Flags: review?(surkov.alexander) → review+
|
|
Assignee | |
Updated•18 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Whiteboard: xf-to-branch
|
|
||
Comment 14•17 years ago
|
||
checked into 1.8 branch on 2007-04-12 checked into 1.8.0 branch on 2007-04-16
Keywords: fixed1.8.0.12,
fixed1.8.1.4
Whiteboard: xf-to-branch
|
||
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•