removeChild(): unexpected title tooltip after removing SVG element at mouse position

RESOLVED FIXED in Firefox 11

Status

()

Firefox
General
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: yvoschu, Assigned: Robert Longson)

Tracking

({regression})

Trunk
Firefox 11
regression
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox10-)

Details

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

6 years ago
Created attachment 566159 [details]
testcase

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Build ID: 20110928134238

Steps to reproduce:

Tested with Firefox 7.0.1 and current Nightly 10.0a1 on Windows:
1.) open a file (e.g. the attached one) containing code like this
<circle cx="100" cy="100" r="50" onclick="this.parentNode.removeChild(this);" />
2.) move mouse over circle and click left mouse button (don't stop moving before clicking!)


Actual results:

A title tooltip is shown that contains the text of the last tooltip, even from an other browser tab. If it is the first title tooltip after startup, the tooltip is shown without text.

AFAICS this doesn't happen with HTML elements or if the mouse was not moved right before clicking.

Comment 1

6 years ago
Confirmed on 
http://hg.mozilla.org/mozilla-central/rev/e9c620a5c85f
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0a1) Gecko/20111010 Firefox/10.0a1 ID:20111010031016

Regression window(cached m-c hourly),
Works:
http://hg.mozilla.org/mozilla-central/rev/7898841a922a
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0a1) Gecko/20110630 Firefox/7.0a1 ID:20110702004346
Fails:
http://hg.mozilla.org/mozilla-central/rev/7b44ed36faf3
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0a1) Gecko/20110702 Firefox/7.0a1 ID:20110702022656
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7898841a922a&tochange=7b44ed36faf3

Regression window(cached m-i hourly),
Works:
http://hg.mozilla.org/integration/mozilla-inbound/rev/4a7f8e181dd0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0a1) Gecko/20110630 Firefox/7.0a1 ID:20110701101456
Fails:
http://hg.mozilla.org/integration/mozilla-inbound/rev/eb5866601f88
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0a1) Gecko/20110701 Firefox/7.0a1 ID:20110701132816
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4a7f8e181dd0&tochange=eb5866601f88

Triggered by:
74635b831e9e	Robert Longson — Bug 639945 - tooltips are not displayed on inline svg elements. r=dao,bzbarsky
Blocks: 639945
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: regression
tracking-firefox10: --- → ?

Comment 2

5 years ago
I came across this bug using FF8 in the wild when viewing a svg chart in one tab -- the tooltip showed data from another tab, which looks a little scary from a security perspective.
Updating platform, as I can reproduce in current nightly on linux:
  Mozilla/5.0 (X11; Linux x86_64; rv:11.0a1) Gecko/20111212 Firefox/11.0a1
though I needed this additional step in comment 0's STR:
 0. Hover over any link with a tooltip (e.g. this one: attachment 566159 [details] )
OS: Windows 7 → All
Version: 10 Branch → Trunk
(Assignee)

Comment 4

5 years ago
(In reply to Adam Moore from comment #2)
> I came across this bug using FF8 in the wild when viewing a svg chart in one
> tab -- the tooltip showed data from another tab, which looks a little scary
> from a security perspective.

Not really, the page itself can't read the tooltip data.

Comment 5

5 years ago
But how does the typical user know this?
> which looks a little scary from a security perspective.

Agreed that it could look scary to a typical user, even if it's not actually dangerous.  (The appearance of insecurity is worth avoiding. :) )
(Assignee)

Comment 7

5 years ago
Created attachment 581618 [details] [diff] [review]
patch

I don't know how to write a testcase as the existing case relies on the content being removed as the tooltip appears. The c++ embedding tooltip code already has a null check so it doesn't need to change.
Attachment #581618 - Flags: review?(dao)
(Assignee)

Comment 8

5 years ago
Note the simplification in the first part of the patch is covered by the existing testcase.
Comment on attachment 581618 [details] [diff] [review]
patch

How about adding document.compareDocumentPosition(tipElement) == document.DOCUMENT_POSITION_DISCONNECTED right at the beginning of FillInHTMLTooltip? Could !tipElement.ownerDocument already be an (unsuccessful) attempt to do this?

Updated

5 years ago
Component: SVG → General
Product: Core → Firefox
QA Contact: general → general

Updated

5 years ago
Hardware: x86_64 → All
(Assignee)

Comment 10

5 years ago
(In reply to Dão Gottwald [:dao] from comment #9)
> 
> How about adding document.compareDocumentPosition(tipElement) ==
> document.DOCUMENT_POSITION_DISCONNECTED right at the beginning of
> FillInHTMLTooltip? Could !tipElement.ownerDocument already be an
> (unsuccessful) attempt to do this?

That comes from bug 520729
Ok, so that isn't broken. It would have helped if Ehsan had followed the "Maybe add a comment here that explains what cases this is handling (tipElement is a document)" suggestion.

My example code however is broken... document needs to be tipElement.ownerDocument.
(Assignee)

Comment 12

5 years ago
Ehsan did do that on the comment line above the code.
(Assignee)

Comment 13

5 years ago
Created attachment 581959 [details] [diff] [review]
address review comment
Attachment #581618 - Attachment is obsolete: true
Attachment #581618 - Flags: review?(dao)
Attachment #581959 - Flags: review?(dao)

Updated

5 years ago
Attachment #581959 - Flags: review?(dao) → review+
(Assignee)

Updated

5 years ago
Assignee: nobody → longsonr
(Assignee)

Comment 14

5 years ago
pushed https://hg.mozilla.org/integration/mozilla-inbound/rev/d9e8512aa9d4
Target Milestone: --- → Firefox 11
https://hg.mozilla.org/mozilla-central/rev/d9e8512aa9d4
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
This isn't a regression from 9, so unless we know of significant fallout, no need to uplift to FF10.
tracking-firefox10: ? → -
(Reporter)

Comment 17

5 years ago
(In reply to Matt Brubeck (:mbrubeck) from comment #15)
> https://hg.mozilla.org/mozilla-central/rev/d9e8512aa9d4

When does the fix show up in the nightly builds? The issue is not fixed in 12.0a1 (2012-01-05).

Comment 18

5 years ago
Confirmed, this does not fixed on 
http://hg.mozilla.org/mozilla-central/rev/5413ba3ed406
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20120105 Firefox/12.0a1 ID:20120105083933
and
http://hg.mozilla.org/releases/mozilla-aurora/rev/e03d758c3c08
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0a2) Gecko/20120105 Firefox/11.0a2 ID:20120105042010

REOPENED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Comment 19

5 years ago
I think this is related Bug 715882
Blocks: 664058

Comment 20

5 years ago
Sorry
s/I think this is related Bug 715882/I think this is related Bug 664058/
(Assignee)

Comment 21

5 years ago
Testcase in the bug works for me and the patch has not been backed out so the correct resolution is still fixed. If you still have issues raise another bug, this one is done.
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago5 years ago
Resolution: --- → FIXED

Comment 22

5 years ago
(In reply to Robert Longson from comment #21)
> Testcase in the bug works for me and the patch has not been backed out so
> the correct resolution is still fixed. If you still have issues raise
> another bug, this one is done.

filed Bug 715999
Blocks: 601091
You need to log in before you can comment on or make changes to this bug.