Crash in khtml::ComboBoxWidget selection event

Koos Vriezen koos.vriezen at xs4all.nl
Mon Aug 12 21:20:32 BST 2002


On Sun, 11 Aug 2002, Koos Vriezen wrote:

> >   <HTML><HEAD><SCRIPT>
> >     function selected(option) {
> >       loaded();
> >     }
> >     function loaded() {
> >       myframe.document.open();
> >       myframe.document.write("<html><body><form><select onChange=
> >         'javascript:top.selected(this.options[this.selectedIndex].text)'>
> >         <option selected>one</option><option>two</option>
> >         <option>three</option></select></form></body></html>");
> >       myframe.document.close();
> >     }
> >   </SCRIPT> </HEAD>
> >   <FRAMESET onLoad="loaded()">
> >     <FRAME NAME="myframe" SRC="about:blank">
> >   </FRAMESET></HTML>
> >
> > (Don't forget to join the myframe.document.write line)
>
> Obviously QComboBox doesn't like to be deleted while emit'ing a signal.

Using ref/deref while doing element()->onChange() prevents it too (see
attached patch).

Next case is a bit harder to find.

  <HTML> <HEAD> <SCRIPT>
    function focus() {
      loaded();
    }
    function loaded() {
      myframe.document.open();
      myframe.document.write("<html><body><form><input type='text'
                              onFocus='top.focus()'><form></body></html>");
      myframe.document.close();
    }
  </SCRIPT> </HEAD>
  <FRAMESET onLoad="loaded()">
    <FRAME NAME="myframe" SRC="about:blank">
  </FRAMESET></HTML>

This one will crash when you click on the text box.

Regards,

Koos


-------------- next part --------------
Index: rendering/render_form.cpp
===================================================================
RCS file: /home/kde/kdelibs/khtml/rendering/render_form.cpp,v
retrieving revision 1.186
diff -u -3 -p -r1.186 render_form.cpp
--- rendering/render_form.cpp	2002/08/10 08:43:17	1.186
+++ rendering/render_form.cpp	2002/08/12 20:18:13
@@ -1092,10 +1092,11 @@ void RenderSelect::slotSelected(int inde
         }
     }
 
+    ref();
     element()->onChange();
+    deref();
 }
 
-
 void RenderSelect::slotSelectionChanged()
 {
     if ( m_ignoreSelectEvents ) return;
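Review bot: In slotSelected(), ref() keeps the RenderSelect alive across element()->onChange(), but nothing in this hunk holds the element itself, and the handler in the test case rewrites the document that element lives in. It is worth checking that element() stays valid for the whole onChange() call, or taking a reference on it as well. deref() can now free this object, so it has to remain the last statement; a one-line comment saying so would stop code being added after it later. The blank line removed before slotSelectionChanged() is an unrelated whitespace change and is better left out of the fix.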
@@ -1110,7 +1111,9 @@ void RenderSelect::slotSelectionChanged(
             static_cast<HTMLOptionElementImpl*>( listItems[i] )
                 ->m_selected = static_cast<KListBox*>( m_widget )->isSelected( i );
 
+    ref();
     element()->onChange();
+    deref();
 }
 
 
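Review bot: slotSelectionChanged() repeats the ref(); element()->onChange(); deref(); sequence by hand, and the second test case in this mail (onFocus) shows that other event paths need the same protection. A small scoped guard that calls ref() in its constructor and deref() in its destructor would keep the pair balanced if a return is ever added between the two calls, and could be reused in the focus path instead of copying the three lines again.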


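The lifetime problem described in this mail and the ref()/deref() guard from the attached patch, modeled as an added example (not khtml code and not part of the original mail). Render, run and the event log are constructed names, and the handler that drops the owner's reference is an assumption standing in for the test page's loaded() call replacing the frame content.

```cpp
#include <functional>
#include <iostream>
#include <string>
#include <vector>

// Constructed model, not khtml code. The log is global so it outlives the object.
static std::vector<std::string> events;

class Render {
public:
    void ref()   { ++m_refs; }
    void deref() { if (--m_refs == 0) delete this; }

    // guarded=false models the code before the patch, guarded=true the patched code.
    // onChange stands in for element()->onChange() and is owned by the caller.
    void slotSelected(bool guarded, const std::function<void()>& onChange) {
        if (guarded) ref();          // pin this object while the handler runs
        events.push_back("handler-enter");
        onChange();                  // may release the owner's reference
        events.push_back("handler-leave");
        // Unguarded, this object may already be freed here, so the code
        // above and below touches only the parameter and the global log.
        if (guarded) deref();        // may delete this: must stay the last statement
    }

private:
    ~Render() { events.push_back("destroyed"); }
    int m_refs = 1;                  // the owner's reference (assumed: the document)
};

// Fires one selection event whose handler tears down the owner; returns the log.
std::vector<std::string> run(bool guarded) {
    events.clear();
    Render* r = new Render;
    r->slotSelected(guarded, [r] { r->deref(); });
    return events;
}

int main() {
    for (bool guarded : {false, true}) {
        std::cout << (guarded ? "patched:  " : "original: ");
        for (const std::string& e : run(guarded)) std::cout << e << ' ';
        std::cout << '\n';
    }
}
```

Without the guard, "destroyed" is logged between "handler-enter" and "handler-leave", so any member access after the handler returns would hit freed memory; with the guard, destruction is deferred until the final deref().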