Closed Bug 51772 Opened 25 years ago Closed 25 years ago

Crash in nsTextInputListener::Blur if an onchange handler does document.writeln

Categories

(Core :: Layout: Form Controls, defect, P1)

Product:
Core
Component:
Layout: Form Controls
Platform:
All
Mac System 8.5
Type:
defect

Tracking

()

Status:
VERIFIED DUPLICATE of bug 48064

People

(Reporter: sfraser_bugs, Assigned: mjudge)

Details

(Keywords: crash, Whiteboard: [nsbeta3-][rtm need info])

Attachments

(2 files)

Test case that shows the crasher
552 bytes, text/html
Details
patch to make sure the frame hasnt been removed
1.24 KB, patch
Details | Diff | Splinter Review
We crash in nsTextInputListener::Blur in the following situation: 1. Page has a form with an onchange handler that: a) does a document.writeln b) tries to set the value of another text input See attached test case.
The problem here is that the onchange handler does a document.writeln, which blows away all frames. Thus the nsTextInputListener's mFrame member points to garbage when it tries to get the editor.
Keywords: crash
Severity: normal → critical
Keywords: nsbeta3
Priority: P3 → P1
Whiteboard: [nsbeta3+]
Target Milestone: --- → M19
Updating QA contact.
QA Contact: ckritzer → bsharma
What sort of sites would have this problem? I'm marking this nsbeta3- as we are due to complete engineering in two days. Nominating for rtm
Keywords: rtm
Whiteboard: [nsbeta3+] → [nsbeta3-]
Mike, please include the required information per the rtm checkin rules
Whiteboard: [nsbeta3-] → [nsbeta3-][rtm+ NEED INFO]
got fix in tree will add patch soon. simple null check after updating nsTextListener's frame member variable.
Status: NEW → ASSIGNED
need to find module owner for layout i guess. getting super review from layout too.
adding buster to CC for super-review.
a=buster, looks good mike
removing + per pdt sw rules
Whiteboard: [nsbeta3-][rtm+ NEED INFO] → [nsbeta3-][rtm NEED INFO]
r=kin@netscape.com with one change ... > if (mFrame) > mFrame->CallOnChange(); > if (mFrame) > mFrame->SubmitAttempt(); changed to if (mFrame) { mFrame->CallOnChange(); mFrame->SubmitAttempt(); }
kin: you miss the point ;) The issue is that mFrame->CallOnChange(); can null out mFrame, so the two tests are required.
ah ok, my appologies. :-)
ok r=kin then a= buster please rtm++
low risk low risk. please rtm++ removing NEED INFO. i think thats what i do now.
Whiteboard: [nsbeta3-][rtm NEED INFO] → [nsbeta3-][rtm]
Mike, actually PDT turns [rtm+] into [rtm++]. Making it [rtm+] so PDT will get to it on our next sweep.
Whiteboard: [nsbeta3-][rtm] → [nsbeta3-][rtm+]
Cool comment by frazer, explaining why Kin's suggestion wouldn't cut it. This had me fooled too... Clearly a comment is called for (before someone else is tricked, and "fixes" the code!). The patch is also really hard to read in this form (I had a terrible time with the rest of it). Please use a diff -u patch, and add the comment that there is a possible side-effect that mframe can be modified to null during the call. (...yes... pdt folks often review this stuff too at this late point! ;-) ).
Whiteboard: [nsbeta3-][rtm+] → [nsbeta3-][rtm need info]
ok then could we make this rtm++ with the caveat that i will add a comment to those lines? I will make a new patch with -u.
*** This bug has been marked as a duplicate of 48064 ***
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → DUPLICATE
Verifyed dupe
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: