Closed
Bug 231830
Opened 21 years ago
Closed 18 years ago
crash on style.display = 'none' for select element when event onchange occurs [@ nsStyleContext::GetRuleNode ][@ nsIFrame::Invalidate ]
Categories
(Core :: Layout, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: antonus, Assigned: smaug)
References
()
Details
(4 keywords)
Crash Data
Attachments
(11 files, 2 obsolete files)
(deleted),
text/plain
|
Details | |
(deleted),
text/plain
|
Details | |
(deleted),
text/html
|
Details | |
(deleted),
text/html
|
Details | |
(deleted),
text/html
|
Details | |
(deleted),
text/html
|
Details | |
(deleted),
text/html
|
Details | |
(deleted),
patch
|
Details | Diff | Splinter Review | |
(deleted),
patch
|
Details | Diff | Splinter Review | |
(deleted),
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
dveditz
:
approval1.8.0.7+
beltzner
:
approval1.8.1+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113
I've a select element filled in with some options.
I want to make it disappear when the selected value has changed.
It works fine when I do it with mouse, but crash if I do it with arrow keys.
3 conditions :
- must have 'onchange' (onblur works)
- must do style.display = 'none' (style.visibility = 'hidden' works)
- value must be changed with the keyboard (with the mouse, it... works)
The Bug is also reproductible on MozillaFirebird-0.7/Win32
Reproducible: Always
Steps to Reproduce:
1. select the select element (default value : 'A') with mouse or keyboard
2. press the down arrow key to select the value 'B"
3. press <TAB>
Actual Results:
Mozilla crashes
Expected Results:
select element disappear (display = 'none')
Comment 1•21 years ago
|
||
WFM Firebird 0.8 branch builds 20040120.
Reporter | ||
Comment 2•21 years ago
|
||
I tried Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7a) Gecko/20040120
Firebird/0.8.0+
it, crashes too.
If after selecting 'B', it works if you press enter, but crash if you lose focus
with TAB
Comment 3•21 years ago
|
||
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7a) Gecko/20040122
Confirming crash using Mozilla Nightly 2004012209 on Windows 2000.
Requesting Status: NEW, Keyword: Crash
Comment 4•21 years ago
|
||
Comment 5•21 years ago
|
||
confirmed with linux trunk 2004012109
==> layout
Status: UNCONFIRMED → NEW
Component: Browser-General → Layout
Ever confirmed: true
Keywords: testcase
OS: Windows 2000 → All
Comment 7•21 years ago
|
||
Comment on attachment 139715 [details]
stacktrace
The nsComboboxControlFrame in frame #8 of this stack is clearly deleted.
Reporter | ||
Comment 8•21 years ago
|
||
bug #230842 seems to be the same
Comment 9•21 years ago
|
||
The question is why GetPrimaryFrameFor is returning a deleted frame...
Blocks: 230842
Keywords: helpwanted
Comment 10•21 years ago
|
||
*** Bug 230842 has been marked as a duplicate of this bug. ***
Comment 11•21 years ago
|
||
The Mac-OS-X version is also reproduced.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7b) Gecko/20040404
Firefox/0.8.0+
Comment 12•21 years ago
|
||
mats, haven't you looked into similar things before?
Updated•21 years ago
|
Summary: crash on style.display = 'none' for select element when event onchange occurs → crash on style.display = 'none' for select element when event onchange occurs [@ nsStyleContext::GetRuleNode ]
Comment 13•20 years ago
|
||
Comment 14•20 years ago
|
||
Comment 15•20 years ago
|
||
OK, the problem here is that the onchange event is fired synchronously from
frame code (in nsComboboxControlFrame::SetFocus, when it calls FireOnChange() on
its mListControlFrame). When this FireOnChange() call returns, the list
combobox frame object is dead. Then it tries to access its members (and hence
crashes).
I looked in nsListControlFrame, and there are other codepaths that call
FireOnChange() and then access members (eg nsListControlFrame::KeyPress will
call UpdateSelection(), which calls FireOnChange(), and then do stuff with
mStartSelectionIndex and such).
Can we just not fire events from frames, somehow?
Updated•20 years ago
|
Summary: crash on style.display = 'none' for select element when event onchange occurs [@ nsStyleContext::GetRuleNode ] → crash on style.display = 'none' for select element when event onchange occurs [@ nsStyleContext::GetRuleNode ][@ nsIFrame::Invalidate ]
Updated•20 years ago
|
Maybe we could have a way to post a DOM event with a callback object that will
be invoked when the event has been processed. This callback would hold
references to content, not frames, and reacquire the frame before doing the rest
of the processing.
Comment 17•20 years ago
|
||
The problem in this case, I think, is that we need to somehow "synchronously"
dispatch the onchange (that is, we need to preserve existing ordering of
focus/blur/change events, whatever it is).
The more I think about it, the more I think what we need is a system for firing
things (DOM events, XBL constructors, HTML scripts) "when it's safe"....
Comment 18•20 years ago
|
||
*** Bug 288827 has been marked as a duplicate of this bug. ***
Comment 19•20 years ago
|
||
(In reply to comment #15)
Yep, that is indeed the problem. I changed it to post an event instead (in the
same way we did for RedisplayText) and it does not crash anymore.
The problem is that this reorders the sequence handlers are called, from
change-blur to blur-change which will probably break some sites.
I will have a look what IE6 does and then see if I can do the event posting
earlier, maybe directly on select?
Assignee: nobody → mats.palmgren
Keywords: helpwanted
Comment 20•19 years ago
|
||
I am experiencing this crash in my code, which sets style.display to "none" on a table row which contains a select which triggers the code. I have devised a workaround for this crash. The function that is called by the onchange handler simply creates a timeout on a global variable. This seems to avoid the browser crash completely.
Example:
...
<select name="foo" onchange="changeMe(event);">
...
<script type="JavaScript">
var theTO;
var theEvt;
function changeMe(evt) {
theEvt = evt;
theTO = window.setTimeout("realChangeMe(theEvt);",500);
}
function realChangeMe(evt) {
...
Your actual event handler here
...
)
I have not done extensive testing, but this seems to work.
Please keep me updated on your progress in fixing this bug, as I use style.display="none" quite often for dynamic web sites.
Comment 21•19 years ago
|
||
adding myself to the CC list
Comment 22•19 years ago
|
||
We should really fix this -- accessing deleted frames is bad juju.
Mats, please let me know if you won't be able to work on this in the near future; in that case I'll try to take a look...
Flags: blocking1.9a1?
Flags: blocking1.8.1?
Flags: blocking1.8.0.3?
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Updated•19 years ago
|
Flags: blocking1.8.0.3? → blocking1.8.0.3+
Whiteboard: reassign?
Comment 23•19 years ago
|
||
TB17145720K, TB17145584K
Comment 24•19 years ago
|
||
TB17145760Z, TB17145107K Seamonkey Trunk
Comment 25•19 years ago
|
||
Taking bz up on his comment 22 offer. Given the timeframe a 1.8.0.4 fix is unrealistic, moving nomination to a later release.
Assignee: mats.palmgren → bzbarsky
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.4-
Flags: blocking1.8.0.4+
Whiteboard: reassign?
Comment 26•19 years ago
|
||
OK, I tried poking at this for the last few days, and I've totally failed to do anything about it without regressing firing of onchange events, generally speaking. I can probably fix the testcase in this bug, but not the various of UpdateSelection() callers...
roc, this seems like a place where your safe script thing would be really nice. :(
I guess I'll try again next time I have a chance, but that's looking like it'll be sometime after May 29 at this point.
Assignee: bzbarsky → nobody
Keywords: helpwanted
Comment 27•19 years ago
|
||
Back to Mats, since apparently he'll be around again before the next chance I'll have to look at this.
Assignee: nobody → mats.palmgren
This is a situation where delaying event firing to a safe time will likely break things, even if we do it "automatically". Changes to the timing of onchange firing have traditionally been very fragile with respect to breaking Web content. This is why I'm not satisfied that my run-at-same-times patch is a good solution to these problems.
The solution here could be to move a lot of this stuff to content. Not very branch-friendly but we could do it on trunk and see how invasive it is.
Updated•19 years ago
|
Flags: blocking1.9a1?
Flags: blocking1.9a1+
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.5+
Comment 29•19 years ago
|
||
Doesn't look like it's being worked on (no comment in 6 weeks), can't see how it can make 1.8.0.5
Flags: blocking1.8.0.6?
Flags: blocking1.8.0.5-
Flags: blocking1.8.0.5+
Comment 30•19 years ago
|
||
Mats - will you have a chance to take a look?
Flags: blocking1.8.1+ → blocking1.8.1-
Comment 31•19 years ago
|
||
Comment 32•19 years ago
|
||
(In reply to comment #30)
> Mats - will you have a chance to take a look?
It seems the order of events in a current trunk build is blur-change,
so the problem I mentioned in comment 19 is not an issue anymore.
(See Testcase #2 - it does not crash, just logs the order of events)
I have a patch that fixes the crash coming up...
I think the way we fire DOM events from comboboxes in general is a bit
strange though. All the other browsers I tested fire Change then Blur
for Testcase #2, in fact they fire Change immediately (and each time) a new
value is selected using the arrow keys, which makes sense to me and I think
we should do it like that too eventually (currently we fire Change on blur,
from nsComboboxControlFrame::SetFocus()). But I'll handle that in a different
bug, let's fix the crash first.
Keywords: helpwanted
Comment 33•19 years ago
|
||
> It seems the order of events in a current trunk build is blur-change,
Er... so it changed and is not compatible with other browsers? When did that happen? That sounds bad.
> in fact they fire Change immediately (and each time)
We don't do that on purpose, for accessibility reasons; see bugs on it... Doing that makes it pretty painful to use the thing with a keyboard.
Comment 34•19 years ago
|
||
Comment 35•19 years ago
|
||
Attachment #227543 -
Attachment is obsolete: true
Comment 36•19 years ago
|
||
(In reply to comment #33)
> > in fact they fire Change immediately (and each time)
>
> We don't do that on purpose, for accessibility reasons; see bugs on it...
One being bug 126379? My thoughts on that: bug 126379 comment 83
Are there other bugs on it?
Comment 37•19 years ago
|
||
This fixes the crash and bug 126379.
Attachment #227736 -
Flags: superreview?(bzbarsky)
Attachment #227736 -
Flags: review?(bzbarsky)
Comment 38•19 years ago
|
||
Comment on attachment 227736 [details] [diff] [review]
Patch rev. 2
> One being bug 126379?
That's the one. Let's put discussion on that issue in that bug, where it belongs.
I'm really not happy making that change in the context of this bug. Is there really absolutely no other way to fix this?
Comment 39•19 years ago
|
||
This patch fixes the crash only, but the order of events is still wrong...
Comment 40•19 years ago
|
||
Filed bug 343303 on the event order regression.
Comment 41•19 years ago
|
||
Did you want to request review for that third patch?
Comment 42•18 years ago
|
||
*** Bug 299867 has been marked as a duplicate of this bug. ***
Updated•18 years ago
|
Flags: blocking1.9+
Assignee | ||
Comment 43•18 years ago
|
||
Bit ugly, but doesn't change event ordering.
The fix for this bug is in nsComboboxControlFrame.cpp, but
changed also nsListControlFrame to avoid other similar crashes.
Attachment #232102 -
Flags: superreview?(bzbarsky)
Attachment #232102 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 44•18 years ago
|
||
Comment on attachment 232102 [details] [diff] [review]
making sure that deleted objects aren't used
I know this is not perfect, especially the changes to nsListControlFrame.cpp, but those crashes must be prevented and changing the order of the events is not an option, IMO.
Comment 45•18 years ago
|
||
(In reply to comment #41)
> Did you want to request review for that third patch?
I was waiting for Boris reply to bug 126379 comment 92 before I did anything
further with this bug. I still think "Patch rev. 2" is the way to go.
Comment 46•18 years ago
|
||
> I was waiting for Boris reply to bug 126379 comment 92
Er... I'm not cced on that bug, apparently, so that would have been a really long wait, esp. since you didn't tell me you were waiting. ;)
I've commented there.
Comment 47•18 years ago
|
||
Comment on attachment 232102 [details] [diff] [review]
making sure that deleted objects aren't used
This generally works, yes. You could also put an nsWeakFrame thisPtr(this); on the stack and null-check that, right? That would handle the case of a new frame object being allocated in the memory slot freed by |this| when it's deallocated...
Assignee | ||
Comment 48•18 years ago
|
||
Attachment #232102 -
Attachment is obsolete: true
Attachment #232889 -
Flags: superreview?(bzbarsky)
Attachment #232889 -
Flags: review?(bzbarsky)
Attachment #232102 -
Flags: superreview?(bzbarsky)
Attachment #232102 -
Flags: review?(bzbarsky)
Updated•18 years ago
|
Attachment #227736 -
Flags: superreview?(bzbarsky)
Attachment #227736 -
Flags: review?(bzbarsky)
Comment 49•18 years ago
|
||
Comment on attachment 232889 [details] [diff] [review]
using weakframe
Yeah, I like this.
Attachment #232889 -
Flags: superreview?(bzbarsky)
Attachment #232889 -
Flags: superreview+
Attachment #232889 -
Flags: review?(bzbarsky)
Attachment #232889 -
Flags: review+
Updated•18 years ago
|
Assignee: mats.palmgren → Olli.Pettay
Assignee | ||
Updated•18 years ago
|
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 50•18 years ago
|
||
I'll make patches for branches asap.
Comment 51•18 years ago
|
||
I would think that we want this fixed in 1.8.1, renominating.
Flags: blocking1.8.1- → blocking1.8.1?
Comment 52•18 years ago
|
||
Comment on attachment 232889 [details] [diff] [review]
using weakframe
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #232889 -
Flags: approval1.8.1?
Attachment #232889 -
Flags: approval1.8.0.7+
Updated•18 years ago
|
Flags: blocking1.8.0.7? → blocking1.8.0.7+
Updated•18 years ago
|
Flags: blocking1.8.1? → blocking1.8.1+
Comment 53•18 years ago
|
||
Comment on attachment 232889 [details] [diff] [review]
using weakframe
a=drivers, please land on MOZILLA_1_8_BRANCH
Attachment #232889 -
Flags: approval1.8.1? → approval1.8.1+
Assignee | ||
Comment 54•18 years ago
|
||
Assignee | ||
Updated•18 years ago
|
Keywords: fixed1.8.0.7,
fixed1.8.1
Comment 55•18 years ago
|
||
Verified FIXED using latest 1.8 and 1.8.0 on Linux (X11; U; Linux i686; en-US;).
I no longer crash with the testcase in attachment 227652 [details].
Status: RESOLVED → VERIFIED
Comment 56•18 years ago
|
||
*** Bug 350593 has been marked as a duplicate of this bug. ***
Comment 57•18 years ago
|
||
*** Bug 279867 has been marked as a duplicate of this bug. ***
No longer blocks: 279867
Updated•14 years ago
|
Crash Signature: [@ nsStyleContext::GetRuleNode ]
[@ nsIFrame::Invalidate ]
You need to log in
before you can comment on or make changes to this bug.
Description
•