Closed Bug 15769 Opened 25 years ago Closed 25 years ago

[BLOCKER][CRASHER][TESTCASE] Having <select></select> without options inside crash application.

Categories

(Core :: Layout: Form Controls, defect, P1)

x86
All
defect

VERIFIED FIXED

People

(Reporter: desale, Assigned: pollmann)

Attachments

(1 file)

Having <select></select> without options inside crashes the application real hard.

BUILDS: 10-06-19 [M10][Apprunner/Viewer]

STEPS TO REPRODUCE:
1] Please copy the code I'm providing. Save it as an HTML file.
2] Open this HTML file with apprunner as well as viewer.

EXPECTED RESULTS: Application should simply load the page.

ACTUAL RESULTS: Application crashes.

DESCRIPTION: Application is crashing because of having an empty select list in the HTML code. We can have an empty select list because we can expect cgi to fill this select depending on the data coming from cgi. Having <select> </select> in HTML code is crashing the application. On the other hand, if we put an option inside the select list then it does not crash. If we use <select> <option>opt1</option> </select> then it does not crash. So having an empty select is crashing the application.

CODE:
<html>
<head>
<title>Tester.html</title>
</head>
<body>
<form name="workform" >
<select>
</select>
</form>
</body>
</html>
END OF CODE:

STACK REPORT
Incident ID: 14133930
Trigger Type: Program Crash
Trigger Reason: Access violation
Call Stack: (Signature = nsListControlFrame::DisplaySelected 4708ac3c)
nsListControlFrame::DisplaySelected [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsListControlFrame.cpp, line 545]
nsListControlFrame::SetContentSelected [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsListControlFrame.cpp, line 1220]
nsListControlFrame::Reset [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsListControlFrame.cpp, line 1339]
nsListControlFrame::Init [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsListControlFrame.cpp, line 981]
nsCSSFrameConstructor::InitializeScrollFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 4038]
nsCSSFrameConstructor::ConstructSelectFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 2950]
nsCSSFrameConstructor::ConstructFrameByTag [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 3060]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 4869]
nsCSSFrameConstructor::ProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7987]
nsCSSFrameConstructor::ConstructFrameByTag [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 3153]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 4869]
nsCSSFrameConstructor::ContentAppended [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 5417]
StyleSetImpl::ContentAppended [d:\builds\seamonkey\mozilla\layout\base\src\nsStyleSet.cpp, line 864]
PresShell::ContentAppended [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 1724]
nsDocument::ContentAppended [d:\builds\seamonkey\mozilla\layout\base\src\nsDocument.cpp, line 1575]
nsHTMLDocument::ContentAppended [d:\builds\seamonkey\mozilla\layout\html\document\src\nsHTMLDocument.cpp, line 1044]
HTMLContentSink::NotifyBody [d:\builds\seamonkey\mozilla\layout\html\document\src\nsHTMLContentSink.cpp, line 276]
HTMLContentSink::WillInterrupt [d:\builds\seamonkey\mozilla\layout\html\document\src\nsHTMLContentSink.cpp, line 1770]
CNavDTD::WillInterruptParse [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 3116]
nsParser::ResumeParse [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 958]
nsParser::OnDataAvailable [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1340]
nsDocumentBindInfo::OnDataAvailable [d:\builds\seamonkey\mozilla\webshell\src\nsDocLoader.cpp, line 1372]
nsChannelListener::OnDataAvailable [d:\builds\seamonkey\mozilla\webshell\src\nsDocLoader.cpp, line 1613]
nsHTTPResponseListener::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHTTPResponseListener.cpp, line 195]
nsOnDataAvailableEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsAsyncStreamListener.cpp, line 359]
nsStreamListenerEvent::HandlePLEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsAsyncStreamListener.cpp, line 153]
PL_HandleEvent [plevent.c, line 542]
PL_ProcessPendingEvents [plevent.c, line 501]
_md_EventReceiverProc [plevent.c, line 974]
KERNEL32.DLL + 0x35d9 (0xbff735d9)
KERNEL32.DLL + 0x2222f (0xbff9222f)
0x00638bec
Priority: P3 → P1
QA Contact: cpratt → desale
Summary: [CRASHER][TESTCASE] Having <select></select> without options inside crash application. → [BLOCKER][CRASHER][TESTCASE] Having <select></select> without options inside crash application.
Changing priority to P1 and QA contact to myself. Pratt, is it okay if I keep QA contact?
Assignee: karnaze → rods
Severity: normal → blocker
Reassigning to Rod.
Target Milestone: M11
Setting to M11.
I fixed this a while ago. This works for me, although I was mucking about in the select code and just did a check in. This test is in test8 in the viewer and apprunner. test8 has been working for quite some time. Please repull or wait until tomorrow and test it then after verifications. Tomorrow I will mark as works for me.
I'm not seeing a "crash", but I see a couple of asserts because of this check:

  if (mSelectionCacheLength != length) {
    NS_ASSERTION(0,"nsListControlFrame: Cache sync'd with content!\n");

when adding items to a list in JavaScript. I notice that if there are no items added, there is an "X" that appears as a single list item -- so the above check fails since mSelectionCacheLength = 0 but length = 1 (for the "X").

Stack:
nsListControlFrame::UpdateSelection(nsListControlFrame * const 0x02e52524, int 0, nsIContent * 0x02e326d0) line 1724 + 35 bytes
nsComboboxControlFrame::UpdateSelection(nsComboboxControlFrame * const 0x02e52884, int 0, int 1, int -1) line 986
Assignee: rods → pollmann
The asserts are in Eric P.'s new code and this then needs to be assigned to him. The "X" shouldn't be appearing. If it is, it is because the visibility (shown below) is incorrectly set to collapse instead of hidden. It should be hidden now.

select:-moz-dummy-option {
  visibility: hidden;
  content: "X";
  /*display: block;*/
}

Assigning to Eric to check for the problem with the asserts.
*** Bug 16062 has been marked as a duplicate of this bug. ***
Status: NEW → ASSIGNED
This crash has been fixed in M11. I'll look into those asserts. Charlie, do you have a testcase that will reproduce them?
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
I'm now resizing the cache eagerly when an option is added or removed. This got rid of the assert I was able to reproduce. To verify, browse to the attachment I'm about to make. Click on the RemoveOption button. You should not see any warnings printed out to the terminal.
Attached file Test Case (deleted)
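Added illustration, not part of the bug thread and not Mozilla's code: a small model of a list control whose selection cache is resized in the same step as every option add or remove, as the fix comment above describes, and whose Reset path tolerates an empty option list. The class and member names are hypothetical, and the bounds check in SetSelected is an assumption about what an empty <select> needs, since the thread does not state the root cause of the access violation.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical model of a list control; not Mozilla's nsListControlFrame.
class ListControlModel {
 public:
  // Adding an option grows the selection cache in the same step.
  void AddOption(const std::string& label) {
    options_.push_back(label);
    selected_.push_back(false);
  }
  // Removing an option shrinks the cache in the same step.
  bool RemoveOption(std::size_t index) {
    if (index >= options_.size()) return false;
    const auto off = static_cast<std::ptrdiff_t>(index);
    options_.erase(options_.begin() + off);
    selected_.erase(selected_.begin() + off);
    return true;
  }
  // Bounds-checked write: on an empty list every index is rejected.
  bool SetSelected(std::size_t index, bool value) {
    if (index >= selected_.size()) return false;
    selected_[index] = value;
    return true;
  }
  // Reset selects the first option when there is one (assumed default).
  void Reset() {
    selected_.assign(options_.size(), false);
    SetSelected(0, true);
  }
  bool CacheInSync() const { return selected_.size() == options_.size(); }
  int SelectedIndex() const {
    for (std::size_t i = 0; i < selected_.size(); ++i)
      if (selected_[i]) return static_cast<int>(i);
    return -1;  // nothing selected, e.g. an empty <select>
  }
 private:
  std::vector<std::string> options_;
  std::vector<bool> selected_;
};

int main() {
  ListControlModel empty;  // models <select></select>
  empty.Reset();
  std::printf("in sync: %d, selected: %d\n", empty.CacheInSync(), empty.SelectedIndex());
  return 0;
}
```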
Status: RESOLVED → VERIFIED
Marking verified.
*** Bug 17355 has been marked as a duplicate of this bug. ***