Closed Bug 238906 Opened 20 years ago Closed 20 years ago

M17rc2 Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript [@ nsCSSFrameConstructor::GetInsertionPoint] [@ nsCSSFrameConstructor::FindFrameWithContent]

Categories

(Core :: Layout: Form Controls, defect)

Product:
Core
Component:
Layout: Form Controls
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: mozilla, Unassigned)

References

(
URL
)

Details

(Keywords: crash, fixed1.7, topcrash+, Whiteboard: fixed-aviary1.0)

Crash Data

Attachments

(1 file)

testcase
317 bytes, text/html
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007

I copy '<span><input type="file" name="upload[]" /><br /></span>' into it's
container (div) element with JavaScript.

---[ sourcecode ]---
<html>
<head>
	<title>Causes mozilla 1.5 to crash</title>
	<script language="JavaScript" type="text/javascript">
	<!-- 
	function getHandle(myparam) {
		return(document.getElementById(myparam));
	}		
	function addToElement(target, source) {
		target.innerHTML+=source.innerHTML;
	}
	// (c) Gerben Versluis // 2004 - http://www.gerben.info --></script>
</head>

<body>
	<form enctype="multipart/form-data" method="POST" >
		<div id="form" style="position:relative; width:100%; border: 1px solid #000000;">
			<span id="repeat">
				<input type="file" name="upload[]" /><br />
			</span>
		</div>
		<input type="button" name="more" value="more"
onclick="addToElement(getHandle('form'), getHandle('repeat'));">
	</form>
</body>
</html>


Reproducible: Always
Steps to Reproduce:
1. Create a <div><span><input type="file" name="upload[]" /><br /></span></div>
with id's for the div and span.
2. With JavaScript add spanHandle.innerHTML to divHandle.innerHTML.
3. [crashes] Done

Actual Results:  
After the JavaScript is runned Mozilla crashes completely

Expected Results:  
Duplication of the input type file in the div tag.
Only occurs in conjunction with a <br /> tag!
<input type="file" name="upload[]" /><br />
Summary: Mozilla crashes if I copy a input type="file" with an linebreak into an div element with JavaScript → Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript
Maybe dupe of Bug 203041 (or Bug 216065) but not sure since in 1st frame in all
stacktraces i found on this bug nsIFrame wasn't null, but this might be just
some chance; someone who knows this code better can say something about this?

Stacktrace:

00000000()
nsCSSFrameConstructor::FindFrameWithContent(nsCSSFrameConstructor * const
0x08657504, nsIPresContext * 0x06f29760, nsFrameManager * 0x0491b048, nsIFrame *
0x00000000, nsIContent * 0x12536360, nsIContent * 0x123a6288, nsFindFrameHint *
0x00000000) line 10883 + 10 bytes
nsCSSFrameConstructor::FindPrimaryFrameFor(nsCSSFrameConstructor * const
0x08657504, nsIPresContext * 0x06f29760, nsFrameManager * 0x0491b048, nsIContent
* 0x123a6288, nsIFrame * * 0x12536360, nsFindFrameHint * 0x00000000) line 11024
nsFrameManager::GetPrimaryFrameFor(nsFrameManager * const 0x08657504, nsIContent
* 0x123a6288) line 460
PresShell::GetPrimaryFrameFor(const PresShell * const 0x0491b030, nsIContent *
0x123a6288, nsIFrame * * 0x0012e804) line 5374 + 16 bytes
nsGenericHTMLElement::GetPrimaryFrameFor(nsIContent * 0x123a6288, nsIDocument *
0x02bda298, int 0) line 2189
nsGenericHTMLElement::GetFormControlFrameFor(nsIContent * 0x123a6288,
nsIDocument * 0x02bda298, int 0) line 2198 + 14 bytes
nsHTMLInputElement::GetValue(nsHTMLInputElement * const 0x123a62c4, nsAString &
{...}) line 632 + 24 bytes
nsHTMLInputElement::SaveState(nsHTMLInputElement * const 0x123a62a4) line 2345
nsGenericHTMLFormElement::SetDocument(nsGenericHTMLFormElement * const
0x08657504, nsIDocument * 0x00000000, int 1, int 1) line 3274
nsHTMLInputElement::SetDocument(nsHTMLInputElement * const 0x08657504,
nsIDocument * 0x00000000, int 1, int 1) line 1640
nsGenericElement::SetDocumentInChildrenOf(nsIContent * 0x12536360, nsIDocument *
0x00000000, int 1) line 1703 + 17 bytes
nsGenericElement::SetDocument(nsGenericElement * const 0x08657504, nsIDocument *
0x1253637c, int 1, int 1) line 1756 + 10 bytes
nsGenericHTMLElement::SetDocument(nsGenericHTMLElement * const 0x08657504,
nsIDocument * 0x00000000, int 1, int 1) line 1279
nsGenericElement::RemoveChildAt(nsGenericElement * const 0x08657504, unsigned
int 1, int 1) line 2601
nsGenericElement::doRemoveChild(nsIContent * 0x12536310, nsIDOMNode *
0x12536360, nsIDOMNode * * 0x00000000) line 3090 + 10 bytes
nsHTMLBRElement::RemoveChild(nsHTMLBRElement * const 0x12536310, nsIDOMNode *
0x1253637c, nsIDOMNode * * 0x0012eb60) line 59 + 17 bytes
nsRange::DeleteContents(nsRange * const 0x125906d0) line 1601
nsGenericHTMLElement::SetInnerHTML(nsGenericHTMLElement * const 0x08657504,
const nsAString & {...}) line 878
nsGenericHTMLElementTearoff::SetInnerHTML(nsGenericHTMLElementTearoff * const
0x122e9480, const nsAString & {...}) line 211 + 19 bytes
XPTC_InvokeByIndex(nsISupports * 0x122e9480, unsigned int 9, unsigned int 1,
nsXPTCVariant * 0x0012ebf0) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
-1345035376) line 2027 + 22 bytes
XPC_WN_GetterSetter(JSContext * 0x1264d088, JSObject * 0x01f85410, unsigned int
1, long * 0x01f85464, long * 0x0012ee4c) line 1311 + 11 bytes
Structure of html file to replicate this error:
* Element need to bed nested (span, with the file-input tag and break tag, must
be a child of the div or span tag where the innerHTML is rewritten.
* A input type file is needed followed by a break <input type="file" /><br />

Workarround is not to nest the span tags or leave the break tag.
Example:
<form enctype="multipart/form-data" method="POST" >
	<span id="repeat">
		<input type="file" name="upload[]" /><br />
	</span>
	<span id="form">
	</span>
	<input type="button" name="more" value="more"
onclick="addToElement(getHandle('form'), getHandle('repeat'));">
</form>
TalkbackID TB6717K
crash Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7b) Gecko/20040316

After crashing with a current nightly, I started 1.7b to produce a talkback report. 
You are using the same testcase in bug 238904?
couldn´t test Bug 216065 as Mozilla didn´t show the table, Opera did.
Crashed on testcase of Bug 203041 producing Talkback TB6725E
Sorry, it is a duplicate. After entering my bugreport mozilla crashed again (I
decided to do some testing while filling in my report, not to smart). Than I
searched in bugzilla if my bug already existed but I couldn't find it so I
entered it again. Sorry again. I'll close the other bugreport (as a duplicated
of this one). This bug report has a little more detail like the <br />
conjunction and workarround.
*** Bug 238904 has been marked as a duplicate of this bug. ***
Severity: normal → critical
Keywords: crash
Keywords: talkbackid
Whiteboard: TB6717K, TB8849H
Confirming, w98, 1.7b

ID:TB9232E mail:alfonso-nospam@terra.es
Status: UNCONFIRMED → NEW
Ever confirmed: true
Stack Signature	 0x00000009 26fb4a9f
Email Address	alfonso-nospam@terra.es
Product ID	Mozilla1.7
Build ID	2004031615
Trigger Time	2004-03-31 10:05:46.0
Platform	Win32
Operating System	Windows 98 4.10 build 67766222
Module	null
URL visited	bug 238906
User Comments	
Since Last Crash	null sec
Total Uptime	null sec
Trigger Reason	Access violation
Source File Name	
Trigger Line No.	
Stack Trace 	
0x00000009
nsCSSFrameConstructor::GetInsertionPoint
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 11102]
nsFrameManager::GetPrimaryFrameFor
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsFrameManager.cpp,
line 460]
PresShell::GetPrimaryFrameFor
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5375]
nsGenericHTMLElement::GetPrimaryFrameFor
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 2189]
nsGenericHTMLElement::GetFormControlFrameFor
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 2199]
nsHTMLInputElement::GetValue
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp,
line 634]
nsHTMLInputElement::SaveState
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp,
line 2345]
nsGenericHTMLFormElement::SetDocument
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 3274]
nsHTMLInputElement::SetDocument
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp,
line 1640]
nsGenericElement::SetDocumentInChildrenOf
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 1706]
nsGenericElement::SetDocument
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 1758]
nsGenericHTMLElement::SetDocument
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 1279]
nsGenericElement::RemoveChildAt
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2601]
nsGenericElement::doRemoveChild
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 3092]
nsHTMLFieldSetElement::RemoveChild
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLFieldSetElement.cpp,
line 64]
nsRange::DeleteContents
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsRange.cpp,
line 1601]
nsGenericHTMLElement::SetInnerHTML
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 878]
nsGenericHTMLElementTearoff::SetInnerHTML
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 211]
XPTC_InvokeByIndex
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2029]
XPC_WN_GetterSetter
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1312]
js_Invoke
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 943]
js_InternalInvoke
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1036]
js_InternalGetOrSet
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1079]
js_SetProperty
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line
2768]
js_Interpret
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 2156]
js_Invoke
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 959]
js_InternalInvoke
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1036]
JS_CallFunctionValue
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line
3591]
nsJSContext::CallEventHandler
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1269]
nsJSEventListener::HandleEvent
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/dom/src/events/nsJSEventListener.cpp,
line 181]
nsEventListenerManager::HandleEventSubType
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1435]
nsEventListenerManager::HandleEvent
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1512]
nsGenericElement::HandleDOMEvent
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 1959]
nsHTMLInputElement::HandleDOMEvent
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp,
line 1399]
PresShell::HandleEventInternal
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6019]
PresShell::HandleEventWithTarget
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5973]
nsEventStateManager::CheckForAndDispatchClick
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 2860]
nsEventStateManager::PostHandleEvent
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 1871]
PresShell::HandleEventInternal
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6072]
PresShell::HandleEvent
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5942]
nsViewManager::HandleEvent
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2281]
nsViewManager::DispatchEvent
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2025]
HandleEvent
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp,
line 79]
nsWindow::DispatchEvent
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1068]
nsWindow::DispatchWindowEvent
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1085]
nsWindow::DispatchMouseEvent
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 5225]
ChildWindow::DispatchMouseEvent
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 5478]
nsWindow::ProcessMessage
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 4063]
nsWindow::WindowProc
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1347]
KERNEL32.DLL + 0x363b (0xbff7363b)
KERNEL32.DLL + 0x242e7 (0xbff942e7)
0x00648b5e
Keywords: topcrash+
Keywords: talkbackid
Summary: Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript → Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript [@ nsCSSFrameConstructor::GetInsertionPoint]
Whiteboard: TB6717K, TB8849H
dbaron/jst,  can you help sort this one out?
Blocks: 238446
It looks like the DeleteContents() on setting innerHTML removes the span child
of the div (fine), which sets the document to null on the subtree (fine), which
makes the file control call GetPrimaryFrameFor (to save its state).  The problem
is that the parent's frame (what FindPrimaryFrameFor gets as the primary frame
of the parent span node) is already deleted for some reason.  Not sure why
that's happening, since we're not really done removing the span from the DOM at
this point....
Crash Moz 1.7 Beta, Slackware Linux: Mozilla/5.0 (X11; U; Linux i686; en-US;
rv:1.7b) Gecko/20040316

OS -> All? Sorry for spam if this is already known.

Talkback ID is TB11343G
Captured at 04/03/04 at 02:00 PM
stack from report mentioned above..

Stack Signature	 0x00000000 5ef36868
Email Address	neilparis_2k1@hotmail.com
Product ID	Mozilla1.7
Build ID	2004031615
Trigger Time	2004-04-03 11:03:51.0
Platform	LinuxIntel
Operating System	Linux 2.4.22
Module	null
URL visited	
User Comments	Bug 238906
Since Last Crash	null sec
Total Uptime	null sec
Trigger Reason	SIGSEGV: Segmentation Fault: (signal 11)
Source File Name	
Trigger Line No.	
Stack Trace 	
0x00000000
_ZN21nsCSSFrameConstructor19FindPrimaryFrameForEP14nsIPresContextP14nsFrameManagerP10nsIContentPP8nsIFrameP15nsFindFrameHint()
_ZN14nsFrameManager18GetPrimaryFrameForEP10nsIContent()
_ZNK9PresShell18GetPrimaryFrameForEP10nsIContentPP8nsIFrame()
_ZN20nsGenericHTMLElement18GetPrimaryFrameForEP10nsIContentP11nsIDocumenti()
_ZN20nsGenericHTMLElement22GetFormControlFrameForEP10nsIContentP11nsIDocumenti()
_ZN18nsHTMLInputElement8GetValueER9nsAString()
_ZN18nsHTMLInputElement9SaveStateEv()
_ZN24nsGenericHTMLFormElement11SetDocumentEP11nsIDocumentii()
_ZN18nsHTMLInputElement11SetDocumentEP11nsIDocumentii()
_ZN16nsGenericElement23SetDocumentInChildrenOfEP10nsIContentP11nsIDocumenti()
_ZN16nsGenericElement11SetDocumentEP11nsIDocumentii()
_ZN20nsGenericHTMLElement11SetDocumentEP11nsIDocumentii()
_ZN16nsGenericElement13RemoveChildAtEji()
_ZN16nsGenericElement13doRemoveChildEP10nsIContentP10nsIDOMNodePS3_()
_ZN16nsHTMLDivElement11RemoveChildEP10nsIDOMNodePS1_()
_ZN7nsRange14DeleteContentsEv()
_ZN20nsGenericHTMLElement12SetInnerHTMLERK9nsAString()
_ZN27nsGenericHTMLElementTearoff12SetInnerHTMLERK9nsAString()
XPTC_InvokeByIndex()
_ZN16XPCWrappedNative10CallMethodER14XPCCallContextNS_8CallModeE()
_Z19XPC_WN_GetterSetterP9JSContextP8JSObjectjPlS3_()
js_Invoke()
js_InternalInvoke()
js_InternalGetOrSet()
js_SetProperty()
js_Interpret()
js_Invoke()
js_InternalInvoke()
JS_CallFunctionValue()
_ZN11nsJSContext16CallEventHandlerEP8JSObjectS1_jPlS2_()
_ZN17nsJSEventListener11HandleEventEP11nsIDOMEvent()
_ZN22nsEventListenerManager18HandleEventSubTypeEP16nsListenerStructP11nsIDOMEventP17nsIDOMEventTargetjj()
_ZN22nsEventListenerManager11HandleEventEP14nsIPresContextP7nsEventPP11nsIDOMEventP17nsIDOMEventTargetjP13nsEventStatus()
_ZN16nsGenericElement14HandleDOMEventEP14nsIPresContextP7nsEventPP11nsIDOMEventjP13nsEventStatus()
_ZN18nsHTMLInputElement14HandleDOMEventEP14nsIPresContextP7nsEventPP11nsIDOMEventjP13nsEventStatus()
_ZN9PresShell19HandleEventInternalEP7nsEventP7nsIViewjP13nsEventStatus()
_ZN9PresShell21HandleEventWithTargetEP7nsEventP8nsIFrameP10nsIContentjP13nsEventStatus()
_ZN19nsEventStateManager24CheckForAndDispatchClickEP14nsIPresContextP12nsMouseEventP13nsEventStatus()
_ZN19nsEventStateManager15PostHandleEventEP14nsIPresContextP7nsEventP8nsIFrameP13nsEventStatusP7nsIView()
_ZN9PresShell19HandleEventInternalEP7nsEventP7nsIViewjP13nsEventStatus()
_ZN9PresShell11HandleEventEP7nsIViewP10nsGUIEventP13nsEventStatusiRi()
_ZN13nsViewManager11HandleEventEP6nsViewP10nsGUIEventi()
_ZN13nsViewManager13DispatchEventEP10nsGUIEventP13nsEventStatus()
_Z11HandleEventP10nsGUIEvent()
_ZN8nsWidget13DispatchEventEP10nsGUIEventR13nsEventStatus()
_ZN8nsWidget19DispatchWindowEventEP10nsGUIEvent()
_ZN8nsWidget18DispatchMouseEventER12nsMouseEvent()
_ZN8nsWidget21OnButtonReleaseSignalEP15_GdkEventButton()
_ZN8nsWindow21OnButtonReleaseSignalEP15_GdkEventButton()
_ZN8nsWindow14HandleGDKEventEP9_GdkEvent()
_Z23dispatch_superwin_eventP9_GdkEventP8nsWindow()
_Z16handle_gdk_eventP9_GdkEventPv()
libgdk-1.2.so.0 + 0x16b44 (0x40276b44)
libglib-1.2.so.0 + 0xfe75 (0x402a3e75)
libglib-1.2.so.0 + 0x1032c (0x402a432c)
libglib-1.2.so.0 + 0x1055c (0x402a455c)
libgtk-1.2.so.0 + 0x8c083 (0x401ce083)
_ZN10nsAppShell3RunEv()
_ZN17nsAppShellService3RunEv()
_Z5main1iPPcP11nsISupports()
main()
libc.so.6 + 0x15936 (0x403cb936)
Note that Mozilla does NOT crash when entering the <br /> tag in front of the
input field!

--
<html>
<head>
	<title>Causes mozilla 1.5 to crash</title>
	<script language="JavaScript" type="text/javascript">
	<!-- 
	function getHandle(myparam) {
		return(document.getElementById(myparam));
	}		
	function addToElement(target, source) {
		target.innerHTML+=source.innerHTML;
	}
	// (c) Gerben Versluis // 2004 - http://www.gerben.info --></script>
</head>

<body>
	<form enctype="multipart/form-data" method="POST" >
		<div id="form" style="position:relative; width:100%; border: 1px solid #000000;">
			<span id="repeat">
				<br /><input type="file" name="upload[]" />
			</span>
		</div>
		<input type="button" name="more" value="more"
onclick="addToElement(getHandle('form'), getHandle('repeat'));">
	</form>
</body>
</html>
OS -> ALL since I crashed myself in Linux (comment #12)
OS: Windows 2000 → All
I can reproduce this at will by replying to certain e-mail messages. I can send
the e-mail to anyone that's interested...
jay, can you check talkback for ranking?
Flags: blocking1.7?
actually, edit message as new, or reply to, any message with 5 or more
recipients, and I crash - this makes it very hard to use mail. This is on the
trunk, so I believe this is worse on the trunk than on the 1.7 branch, unless
the branch has regressed as well.
Since the stack signature is 0x0000000, it's hard to tell where in the topcrash
list this crash is.  This looks similar to or even a dup of bug 203041 as
someone mentioned earlier (that bug has been a topcrasher since 1.7 beta).
Flags: blocking1.7? → blocking1.7+
Attached file testcase 
testcase crashes linux trunk 2004051305
Definitely not a regression - I can recreate this crash back to 1.4.
1.4 crash is in exactly the same place.

Two interesting assertions as we crash:

###!!! ASSERTION: Please remove this from the document properly: '!mDocument', f
ile D:/BUILDS/1.4/mozilla/content/base/src/nsGenericElement.cpp, line 741
Document http://versluis.nl.eu.org/samples/mozillacrash.html loaded successfully

###!!! ASSERTION: frame was not removed from primary frame map before destructio
n or was readded to map after being removed: '!PL_DHASH_ENTRY_IS_BUSY(entry) ||
entry->frame != aFrame', file D:/BUILDS/1.4/mozilla/layout/html/base/src/nsFrame
Manager.cpp, line 1028

Adding M17rc2 and [@ nsCSSFrameConstructor::FindFrameWithContent]to summary for
tracking since users are crashing there as well with this testcase using Mozilla
1.7 rc2.  Here's my crash:

Incident ID: 52728
Stack Signature	0x00000000 d3d9e6fb
Email Address	jay@mozilla.org
Product ID	Mozilla17
Build ID	2004051408
Trigger Time	2004-05-19 17:32:44.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	
URL visited	http://bugzilla.mozilla.org/attachment.cgi?id=148483&action=view
User Comments	bug 238906 - click on testcase
Since Last Crash	sec
Total Uptime	sec
Trigger Reason	Access violation
Source File Name	
Trigger Line No.	
Stack Trace 	
0x00000000
nsCSSFrameConstructor::FindFrameWithContent
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 10952]
nsCSSFrameConstructor::FindPrimaryFrameFor
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 11088]
nsFrameManager::GetPrimaryFrameFor
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsFrameManager.cpp,
line 460]
PresShell::GetPrimaryFrameFor
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5389]
nsGenericHTMLElement::GetPrimaryFrameFor
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 2189]
nsGenericHTMLElement::GetFormControlFrameFor
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 2199]
.
.
.
.
Summary: Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript [@ nsCSSFrameConstructor::GetInsertionPoint] → M17rc2 Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript [@ nsCSSFrameConstructor::GetInsertionPoint] [@ nsCSSFrameConstructor::FindFrameWithContent]
Depends on: 203041
This has the same cause as bug 203041; I have a fix over there.
fix (from bug 203041) checked into trunk, aviary branch, and 1.7 branch.
Status: NEW → RESOLVED
Closed: 20 years ago
Keywords: fixed1.7
Resolution: --- → FIXED
Whiteboard: fixed-aviary1.0
Crash Signature: [@ nsCSSFrameConstructor::GetInsertionPoint] [@ nsCSSFrameConstructor::FindFrameWithContent]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: