Closed Bug 666225 Opened 14 years ago Closed 13 years ago

[@ nsFrame::HandlePress ] Browser crash on changing <input type=text> to type=file

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: tomer, Assigned: smontagu)

References

(
URL
)

Details

Crash Data

Attachments

(2 files, 1 obsolete file)

nullcheck patch
1.12 KB, patch
roc
: review+
Details | Diff | Splinter Review
mochitest
2.22 KB, patch
roc
: review+
Details | Diff | Splinter Review
Reported on a forum we are monitoring, and affects stable and development branches. Steps to reproduce: Type the following into Firefox location bar and hit enter: data:text/html,<input type="text" onmousedown="this.type='file';" /> Click on the input field. Current result: Browser crash. https://crash-stats.mozilla.com/report/index/bp-784a0be1-69ad-43c9-be27-d64142110622 https://crash-stats.mozilla.com/report/index/bp-5b778da6-e8d8-435d-8bbd-0f9832110622 http://crash-stats.mozilla.com/report/index/dab2cd06-c5e2-4d9d-b035-5bb992110622 http://crash-stats.mozilla.com/report/index/0afb8160-0df3-4f6c-a702-465992110622
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
Attached patch nullcheck patch (obsolete) — Splinter Review
With this there is no crash, but there is an assertion: ###!!! ASSERTION: Unexpected document: 'capturingContent->GetCurrentDoc() == GetDocument()', ... layout/base/nsPresShell.cpp, line 6656 That looks the same as bug 560764.
Assignee: nobody → smontagu
Attachment #541034 - Flags: review?(roc)
Attached patch nullcheck patchSplinter Review
Attachment #541034 - Attachment is obsolete: true
Attachment #541035 - Flags: review?(roc)
Attachment #541034 - Flags: review?(roc)
Comment on attachment 541035 [details] [diff] [review] nullcheck patch Review of attachment 541035 [details] [diff] [review]: -----------------------------------------------------------------
Attachment #541035 - Flags: review?(roc) → review+
Is there a way to synthesize a mousepress in a crashtest? I was thinking it would have to be a mochitest.
Crash Signature: [@ nsFrame::HandlePress ]
Attached patch mochitestSplinter Review
Attachment #541660 - Flags: review?(roc)
http://hg.mozilla.org/mozilla-central/rev/b93c0c4cb84a http://hg.mozilla.org/mozilla-central/rev/cfd2af15e1c3 Checked in with a tweak to the test: for some reason on OSX synthesizeMouseAtCenter($("i"), { }); never triggers the mouseup event listener, but synthesizeMouseAtCenter($("i"), { type: "mousedown" }); synthesizeMouseAtCenter($("i"), { type: "mouseup" }); does.
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: