Closed
Bug 913292
Opened 11 years ago
Closed 11 years ago
Assertion failure: value >= minimum && value <= maximum (Unsanitized value), at layout/forms/nsRangeFrame.cpp:450
Categories
(Core :: Layout: Form Controls, defect)
Core
Layout: Form Controls
Tracking
()
RESOLVED
FIXED
mozilla26
People
(Reporter: kinetik, Assigned: jwatt)
References
()
Details
Attachments
(2 files)
125 bytes,
text/html
|
Details | |
1.32 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
The assertion in the summary is triggered by the page linked in the URL field. It's easily reproduced with the following code: <input type=range> onload = function() { document.getElementsByTagName("input")[0].max = 9; }
Reporter | ||
Comment 1•11 years ago
|
||
Jonathan, can you look into this?
Flags: needinfo?(jwatt)
Assignee | ||
Comment 3•11 years ago
|
||
So the issue is that under nsRangeFrame::AttributeChanged we look at the HTMLInputElement's value in order to update the anonymous frames. Unfortunately it isn't until HTMLInputElement::AfterSetAttr is called that we sanitize the element's value (for the change to @max) and HTMLInputElement::GetValueAsDecimal will return the value that should have been returned to nsRangeFrame::AttributeChanged. In other words we first get here: mozilla::dom::HTMLInputElement::GetValueInternal mozilla::dom::HTMLInputElement::GetValueAsDecimal nsRangeFrame::GetValueAsFractionOfRange nsRangeFrame::DoUpdateRangeProgressFrame nsRangeFrame::UpdateForValueChange nsRangeFrame::AttributeChanged mozilla::RestyleManager::AttributeChanged PresShell::AttributeChanged non-virtual thunk to PresShell::AttributeChanged nsNodeUtils::AttributeChanged * mozilla::dom::Element::SetAttrAndNotify mozilla::dom::Element::SetAttr nsGenericHTMLElement::SetAttr nsGenericHTMLElement::SetAttr nsGenericHTMLElement::SetHTMLAttr mozilla::dom::HTMLInputElement::SetMax and then here: mozilla::dom::HTMLInputElement::SanitizeValue mozilla::dom::HTMLInputElement::SetValueInternal mozilla::dom::HTMLInputElement::AfterSetAttr * mozilla::dom::Element::SetAttrAndNotify mozilla::dom::Element::SetAttr nsGenericHTMLElement::SetAttr nsGenericHTMLElement::SetAttr nsGenericHTMLElement::SetHTMLAttr mozilla::dom::HTMLInputElement::SetMax It's really unfortunate that we don't have a better place to do the sanitization than in AfterSetAttr. :/
Flags: needinfo?(jwatt)
Assignee | ||
Updated•11 years ago
|
OS: Linux → All
Hardware: x86_64 → All
Assignee | ||
Comment 4•11 years ago
|
||
It seems like probably we should call AfterSetAttr on elements before calling AttributeChanged on their frames in order to let elements finish doing whatever they might want to do. What do you think, Boris? This seems to pass Try FWIW: https://tbpl.mozilla.org/?tree=Try&rev=4f258bc82561
Assignee: nobody → jwatt
Attachment #802412 -
Flags: review?(bzbarsky)
Comment 5•11 years ago
|
||
Comment on attachment 802412 [details] [diff] [review] possible patch Hmm. The ordering here is _very_ finicky. In particular, if AfterSetAttr can trigger any intrinsic state changes this will lead to incorrect restyling. Can it? If so, that just means we don't have good enough tests.
Comment 6•11 years ago
|
||
Comment on attachment 802412 [details] [diff] [review] possible patch I was wrong. This should be fine. r=me
Attachment #802412 -
Flags: review?(bzbarsky) → review+
Assignee | ||
Comment 7•11 years ago
|
||
Okay, great. https://hg.mozilla.org/integration/mozilla-inbound/rev/ae560f8f4c78 I added a reftest.
Comment 8•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/ae560f8f4c78
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
You need to log in
before you can comment on or make changes to this bug.
Description
•