Closed Bug 403148 Opened 17 years ago Closed 15 years ago

Crash [@ nsTextControlFrame::SetValue] with <input type=file> and contentEditable

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jruderman, Assigned: peterv)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(1 file)

testcase (crashes Firefox when loaded)
329 bytes, text/html
Details 
Loading the testcase crashes Firefox.

Setting contentEditable on the span causes the file upload control to disappear (!).  Then, turning the file upload control into a normal input crashes:

Thread 0 Crashed:
0   nsTextControlFrame::SetValue (nsTextControlFrame.cpp:2675)
1   nsFileControlFrame::SetFormProperty (nsFileControlFrame.cpp:546)
2   nsHTMLInputElement::SetFileName (nsHTMLInputElement.cpp:849)
3   nsHTMLInputElement::ParseAttribute (nsHTMLInputElement.cpp:2009)
4   nsGenericElement::SetAttr (nsGenericElement.cpp:3569)
5   nsGenericHTMLElement::SetAttr (nsGenericHTMLElement.cpp:1400)
6   nsGenericHTMLElement::SetAttribute (nsGenericHTMLElement.cpp:330)
7   nsHTMLInputElement::SetAttribute (nsHTMLInputElement.cpp:167)
8   NS_InvokeByIndex_P + 98 (xptcinvoke_unixish_x86.cpp:179)
...
So the problem here is that setting that contentEditable=true loads contenteditable.css, and one of the rules in there changes the style on the anonymous inputs inside the file input from "-moz-user-modify: disabled" to "-moz-user-modify: none".  Which triggers a reframe, so we try to reframe anonymous content. Not only does that fail miserably, but we end up with a dangling pointer to the (now dead) text control frame in the file control frame, so we crash when we try to use that pointer (as here).

Is contenteditable.css really supposed to apply to native anonymous content?
Flags: blocking1.9?
Keywords: regression
Marking blocking and setting p2 (since it is a crash).  Bz if you think differently please adjust...
Assignee: nobody → peterv
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
My patch for Bug 389324 – "[contenteditable="true"] does a bad job in contenteditable.css" prevents this crash, so I'm marking Bug 389324 as blocking this one, and raising it to P2.
Depends on: 389324
We should not be relying on !important rules in "extra" UA stylesheets such as contenteditable.css to prevent crashes.  See bug 347355 comment 15 for some reasons.
(In reply to comment #3)
> My patch for Bug 389324 – "[contenteditable="true"] does a bad job in
> contenteditable.css" prevents this crash, so I'm marking Bug 389324 as blocking
> this one, and raising it to P2.
> 

Ok, removing dependency and returning priority of bug 389324 to its previous P4 value.
No longer depends on: 389324
The patch in bug 389324 still affects the testcase in this bug, so I think the dependancy is justified, fwiw.
Flags: tracking1.9+ → blocking1.9+
Not going to block on this, but we're likely to take a fix if one shows up (before or after release).
Flags: wanted1.9.0.x+
Flags: blocking1.9-
Flags: blocking1.9+
The testcase no longer causes a crash for me.  Boris, do the problems you explained in comment 1 still exist?
I would think so, yes.  I don't have time to dig to make sure right now.
ok, well, i filed bug 505619 for that.

*this* bug is WFM and will soon be in-testsuite+
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Flags: in-testsuite?
Test added: http://hg.mozilla.org/mozilla-central/rev/91cb26be77bc
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsTextControlFrame::SetValue]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: