Closed
Bug 806364
Opened 13 years ago
Closed 13 years ago
Setting SELECT's innerHTML with empty OPTGROUPs with @label will cause Firefox hangs
Categories
(Core :: Layout: Form Controls, defect)
Tracking
()
RESOLVED
FIXED
mozilla19
People
(Reporter: borisov.gleb, Assigned: MatsPalmgren_bugz)
References
Details
(Keywords: regression, Whiteboard: Regressed by Bug 575294)
Attachments
(2 files, 1 obsolete file)
|
175 bytes,
text/html
|
Details | |
|
4.50 KB,
patch
|
roc
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta-
|
Details | Diff | Splinter Review |
someSelect.innerHTML = '<select><optgroup label="124"></optgroup><optgroup label="123"></optgroup></select>';
will cause firefox hang. Tested on Mac OS X 10.8 with Firefox 16.0.1. Activity Monitor shows 100% cpu load.
If we remove label attribute from optgroup all seems good.
I've attached minimal test case.
|
||
Comment 1•13 years ago
|
||
Does this issue reproduce with a clean profile or in safe mode?
http://support.mozilla.com/kb/Basic+Troubleshooting#w_8-make-a-new-profile
http://support.mozilla.com/kb/Safe+Mode
Flags: needinfo?(borisov.gleb)
|
|
||
Comment 2•13 years ago
|
||
I can reproduce in windows7.
God build: Optgrpup labels are drawn in pull down list.
Bad build: 100% CPU core usage. And no upll down list pops up
Regresseion window(m-c)
Good:
http://hg.mozilla.org/mozilla-central/rev/bf37951c1104
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/16.0 Firefox/16.0a1 ID:20120623031143
Bad:
http://hg.mozilla.org/mozilla-central/rev/e21173ed2c38
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/16.0 Firefox/16.0 ID:20120623053647
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=bf37951c1104&tochange=e21173ed2c38
Regresseion window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/80b8680bda1c
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/16.0 Firefox/16.0 ID:20120622175046
Bad:
http://hg.mozilla.org/integration/mozilla-inbound/rev/c35d2d3071ac
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/16.0 Firefox/16.0 ID:20120622182843
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=80b8680bda1c&tochange=c35d2d3071ac
In local build
Last Good: 23f5c88adb8f
First Bad: 612ee5c6300d
Triggered by
612ee5c6300d Mats Palmgren — Bug 575294. part=3/5 r=roc
Status: UNCONFIRMED → NEW
Component: General → Layout: Form Controls
Ever confirmed: true
Keywords: regression
OS: Mac OS X → All
Product: Firefox → Core
Whiteboard: Regressed by Bug 575294
|
|
||
Updated•13 years ago
|
|
|
||
Updated•13 years ago
|
Attachment #676152 -
Attachment mime type: text/plain → text/html
|
|
Reporter | |
Comment 3•13 years ago
|
||
This issue reproduces in clean profile and in safe mode too.
Do you need more technical information or bug is confirmed?
(In reply to Ioana Budnar [QA] from comment #1)
> Does this issue reproduce with a clean profile or in safe mode?
> http://support.mozilla.com/kb/Basic+Troubleshooting#w_8-make-a-new-profile
> http://support.mozilla.com/kb/Safe+Mode
Flags: needinfo?(borisov.gleb)
|
|
||
Updated•13 years ago
|
Blocks: CVE-2012-3984
|
Assignee | |
Comment 4•13 years ago
|
||
Oops, sorry about that. I guess you can work around the problem by adding
a <option style='display:none'> to innerHTML.
Assignee: nobody → matspal
|
|
Reporter | |
Comment 5•13 years ago
|
||
Thanks for prompt investigation!
|
|
Assignee | |
Comment 6•13 years ago
|
||
Attachment #676271 -
Flags: review?(roc)
|
|
||
Comment 7•13 years ago
|
||
We'll try to get this fixed for FF17, but if it carries any risk, it'd likely need to land tomorrow on mozilla-beta to skip up the trains (we'd uplift to FF18 instead).
status-firefox16:
--- → affected
status-firefox17:
--- → affected
Doesn't PrincipalChildList potentially include text nodes between <option>s? We don't want to count those, do we?
|
|
Assignee | |
Comment 9•13 years ago
|
||
We only create frames for <option> and <optgroup> in <select>:
http://mxr.mozilla.org/mozilla-central/source/layout/base/nsCSSFrameConstructor.cpp#5209
Comment on attachment 676271 [details] [diff] [review]
Calculate dropdown height based on number of principal child frames instead of GetNumberOfOptions() which only included <option> nodes, not <optgroup>s.
Review of attachment 676271 [details] [diff] [review]:
-----------------------------------------------------------------
I'm not totally comfortable with hard-coding the requirement that there's exactly one frame per row. How about creating a helper method GetNumberOfRows(), which calls PrincipalChildList().Length(), and calling that, so that requirement is at least confined to one place. r+ with that.
Attachment #676271 -
Flags: review?(roc) → review+
|
|
Assignee | |
Comment 11•13 years ago
|
||
Comment on attachment 676271 [details] [diff] [review]
Calculate dropdown height based on number of principal child frames instead of GetNumberOfOptions() which only included <option> nodes, not <optgroup>s.
Yeah, this is pretty wrong actually, since we should use the
GetOptionsContainer() frame. I'll write up something better...
Attachment #676271 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 12•13 years ago
|
||
Attachment #677015 -
Flags: review?(roc)
Attachment #677015 -
Flags: review?(roc) → review+
|
|
Assignee | |
Comment 13•13 years ago
|
||
|
|
||
Comment 14•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
status-firefox19:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
|
|
Assignee | |
Updated•13 years ago
|
status-firefox18:
--- → affected
|
|
Assignee | |
Comment 15•13 years ago
|
||
Comment on attachment 677015 [details] [diff] [review]
fix
[Approval Request Comment]
Bug caused by (feature/regressing bug #):
User impact if declined: hang with 100% CPU load when clicking on a combobox with no <option> but at least one <optgroup> in it
Testing completed (on m-c, etc.): on m-c since 2012-11-01
Risk to taking this patch (and alternatives if risky): low risk
String or UUID changes made by this patch: none
Attachment #677015 -
Flags: approval-mozilla-beta?
Attachment #677015 -
Flags: approval-mozilla-aurora?
|
|
||
Comment 16•13 years ago
|
||
Although the fix is low risk, the user scenario described in comment 15 is so uncommon that we'll get this first fixed in FF18.
|
|
||
Updated•13 years ago
|
Attachment #677015 -
Flags: approval-mozilla-beta?
Attachment #677015 -
Flags: approval-mozilla-beta-
Attachment #677015 -
Flags: approval-mozilla-aurora?
Attachment #677015 -
Flags: approval-mozilla-aurora+
|
||
Comment 17•13 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/7a5944fe8a0e
Should this have a test?
Flags: in-testsuite?
|
||
Comment 19•12 years ago
|
||
(In reply to Mats Palmgren [:mats] from comment #15)
> Comment on attachment 677015 [details] [diff] [review]
> User impact if declined: hang with 100% CPU load when clicking on a combobox
> with no <option> but at least one <optgroup> in it
This is actually wrong. It hangs as soon as the page loads. User doesn't need to click on the combobox and it doesn't happen when there is only one <optgroup>. This is a serious problem and I'm really surprised this wasn't fixed ASAP in Fx 16 and even 17.
|
|
||
Comment 20•12 years ago
|
||
Verified as fixed on Firefox 18 beta 4:
Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/18.0 Firefox/18.0
Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/18.0 Firefox/18.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:18.0) Gecko/20100101 Firefox/18.0
You need to log in
before you can comment on or make changes to this bug.
Description
•