Closed
Bug 238906
Opened 20 years ago
Closed 20 years ago
M17rc2 Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript [@ nsCSSFrameConstructor::GetInsertionPoint] [@ nsCSSFrameConstructor::FindFrameWithContent]
Categories
(Core :: Layout: Form Controls, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: mozilla, Unassigned)
References
()
Details
(Keywords: crash, fixed1.7, topcrash+, Whiteboard: fixed-aviary1.0)
Crash Data
Attachments
(1 file)
317 bytes,
text/html
|
Details |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 I copy '<span><input type="file" name="upload[]" /><br /></span>' into it's container (div) element with JavaScript. ---[ sourcecode ]--- <html> <head> <title>Causes mozilla 1.5 to crash</title> <script language="JavaScript" type="text/javascript"> <!-- function getHandle(myparam) { return(document.getElementById(myparam)); } function addToElement(target, source) { target.innerHTML+=source.innerHTML; } // (c) Gerben Versluis // 2004 - http://www.gerben.info --></script> </head> <body> <form enctype="multipart/form-data" method="POST" > <div id="form" style="position:relative; width:100%; border: 1px solid #000000;"> <span id="repeat"> <input type="file" name="upload[]" /><br /> </span> </div> <input type="button" name="more" value="more" onclick="addToElement(getHandle('form'), getHandle('repeat'));"> </form> </body> </html> Reproducible: Always Steps to Reproduce: 1. Create a <div><span><input type="file" name="upload[]" /><br /></span></div> with id's for the div and span. 2. With JavaScript add spanHandle.innerHTML to divHandle.innerHTML. 3. [crashes] Done Actual Results: After the JavaScript is runned Mozilla crashes completely Expected Results: Duplication of the input type file in the div tag.
Only occurs in conjunction with a <br /> tag! <input type="file" name="upload[]" /><br />
Summary: Mozilla crashes if I copy a input type="file" with an linebreak into an div element with JavaScript → Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript
Comment 2•20 years ago
|
||
Maybe dupe of Bug 203041 (or Bug 216065) but not sure since in 1st frame in all stacktraces i found on this bug nsIFrame wasn't null, but this might be just some chance; someone who knows this code better can say something about this? Stacktrace: 00000000() nsCSSFrameConstructor::FindFrameWithContent(nsCSSFrameConstructor * const 0x08657504, nsIPresContext * 0x06f29760, nsFrameManager * 0x0491b048, nsIFrame * 0x00000000, nsIContent * 0x12536360, nsIContent * 0x123a6288, nsFindFrameHint * 0x00000000) line 10883 + 10 bytes nsCSSFrameConstructor::FindPrimaryFrameFor(nsCSSFrameConstructor * const 0x08657504, nsIPresContext * 0x06f29760, nsFrameManager * 0x0491b048, nsIContent * 0x123a6288, nsIFrame * * 0x12536360, nsFindFrameHint * 0x00000000) line 11024 nsFrameManager::GetPrimaryFrameFor(nsFrameManager * const 0x08657504, nsIContent * 0x123a6288) line 460 PresShell::GetPrimaryFrameFor(const PresShell * const 0x0491b030, nsIContent * 0x123a6288, nsIFrame * * 0x0012e804) line 5374 + 16 bytes nsGenericHTMLElement::GetPrimaryFrameFor(nsIContent * 0x123a6288, nsIDocument * 0x02bda298, int 0) line 2189 nsGenericHTMLElement::GetFormControlFrameFor(nsIContent * 0x123a6288, nsIDocument * 0x02bda298, int 0) line 2198 + 14 bytes nsHTMLInputElement::GetValue(nsHTMLInputElement * const 0x123a62c4, nsAString & {...}) line 632 + 24 bytes nsHTMLInputElement::SaveState(nsHTMLInputElement * const 0x123a62a4) line 2345 nsGenericHTMLFormElement::SetDocument(nsGenericHTMLFormElement * const 0x08657504, nsIDocument * 0x00000000, int 1, int 1) line 3274 nsHTMLInputElement::SetDocument(nsHTMLInputElement * const 0x08657504, nsIDocument * 0x00000000, int 1, int 1) line 1640 nsGenericElement::SetDocumentInChildrenOf(nsIContent * 0x12536360, nsIDocument * 0x00000000, int 1) line 1703 + 17 bytes nsGenericElement::SetDocument(nsGenericElement * const 0x08657504, nsIDocument * 0x1253637c, int 1, int 1) line 1756 + 10 bytes nsGenericHTMLElement::SetDocument(nsGenericHTMLElement * const 0x08657504, nsIDocument * 0x00000000, int 1, int 1) line 1279 nsGenericElement::RemoveChildAt(nsGenericElement * const 0x08657504, unsigned int 1, int 1) line 2601 nsGenericElement::doRemoveChild(nsIContent * 0x12536310, nsIDOMNode * 0x12536360, nsIDOMNode * * 0x00000000) line 3090 + 10 bytes nsHTMLBRElement::RemoveChild(nsHTMLBRElement * const 0x12536310, nsIDOMNode * 0x1253637c, nsIDOMNode * * 0x0012eb60) line 59 + 17 bytes nsRange::DeleteContents(nsRange * const 0x125906d0) line 1601 nsGenericHTMLElement::SetInnerHTML(nsGenericHTMLElement * const 0x08657504, const nsAString & {...}) line 878 nsGenericHTMLElementTearoff::SetInnerHTML(nsGenericHTMLElementTearoff * const 0x122e9480, const nsAString & {...}) line 211 + 19 bytes XPTC_InvokeByIndex(nsISupports * 0x122e9480, unsigned int 9, unsigned int 1, nsXPTCVariant * 0x0012ebf0) line 102 XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode -1345035376) line 2027 + 22 bytes XPC_WN_GetterSetter(JSContext * 0x1264d088, JSObject * 0x01f85410, unsigned int 1, long * 0x01f85464, long * 0x0012ee4c) line 1311 + 11 bytes
Structure of html file to replicate this error: * Element need to bed nested (span, with the file-input tag and break tag, must be a child of the div or span tag where the innerHTML is rewritten. * A input type file is needed followed by a break <input type="file" /><br /> Workarround is not to nest the span tags or leave the break tag. Example: <form enctype="multipart/form-data" method="POST" > <span id="repeat"> <input type="file" name="upload[]" /><br /> </span> <span id="form"> </span> <input type="button" name="more" value="more" onclick="addToElement(getHandle('form'), getHandle('repeat'));"> </form>
Comment 4•20 years ago
|
||
TalkbackID TB6717K crash Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7b) Gecko/20040316 After crashing with a current nightly, I started 1.7b to produce a talkback report. You are using the same testcase in bug 238904?
Comment 5•20 years ago
|
||
couldn´t test Bug 216065 as Mozilla didn´t show the table, Opera did. Crashed on testcase of Bug 203041 producing Talkback TB6725E
Sorry, it is a duplicate. After entering my bugreport mozilla crashed again (I decided to do some testing while filling in my report, not to smart). Than I searched in bugzilla if my bug already existed but I couldn't find it so I entered it again. Sorry again. I'll close the other bugreport (as a duplicated of this one). This bug report has a little more detail like the <br /> conjunction and workarround.
*** Bug 238904 has been marked as a duplicate of this bug. ***
Updated•20 years ago
|
Keywords: talkbackid
Whiteboard: TB6717K, TB8849H
Comment 8•20 years ago
|
||
Confirming, w98, 1.7b ID:TB9232E mail:alfonso-nospam@terra.es
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 9•20 years ago
|
||
Stack Signature 0x00000009 26fb4a9f Email Address alfonso-nospam@terra.es Product ID Mozilla1.7 Build ID 2004031615 Trigger Time 2004-03-31 10:05:46.0 Platform Win32 Operating System Windows 98 4.10 build 67766222 Module null URL visited bug 238906 User Comments Since Last Crash null sec Total Uptime null sec Trigger Reason Access violation Source File Name Trigger Line No. Stack Trace 0x00000009 nsCSSFrameConstructor::GetInsertionPoint [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 11102] nsFrameManager::GetPrimaryFrameFor [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsFrameManager.cpp, line 460] PresShell::GetPrimaryFrameFor [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5375] nsGenericHTMLElement::GetPrimaryFrameFor [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 2189] nsGenericHTMLElement::GetFormControlFrameFor [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 2199] nsHTMLInputElement::GetValue [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 634] nsHTMLInputElement::SaveState [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 2345] nsGenericHTMLFormElement::SetDocument [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 3274] nsHTMLInputElement::SetDocument [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1640] nsGenericElement::SetDocumentInChildrenOf [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 1706] nsGenericElement::SetDocument [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 1758] nsGenericHTMLElement::SetDocument [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 1279] nsGenericElement::RemoveChildAt [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2601] nsGenericElement::doRemoveChild [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 3092] nsHTMLFieldSetElement::RemoveChild [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLFieldSetElement.cpp, line 64] nsRange::DeleteContents [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsRange.cpp, line 1601] nsGenericHTMLElement::SetInnerHTML [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 878] nsGenericHTMLElementTearoff::SetInnerHTML [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 211] XPTC_InvokeByIndex [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102] XPCWrappedNative::CallMethod [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2029] XPC_WN_GetterSetter [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1312] js_Invoke [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 943] js_InternalInvoke [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1036] js_InternalGetOrSet [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1079] js_SetProperty [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 2768] js_Interpret [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 2156] js_Invoke [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 959] js_InternalInvoke [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1036] JS_CallFunctionValue [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 3591] nsJSContext::CallEventHandler [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1269] nsJSEventListener::HandleEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/dom/src/events/nsJSEventListener.cpp, line 181] nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1435] nsEventListenerManager::HandleEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1512] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 1959] nsHTMLInputElement::HandleDOMEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1399] PresShell::HandleEventInternal [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6019] PresShell::HandleEventWithTarget [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5973] nsEventStateManager::CheckForAndDispatchClick [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 2860] nsEventStateManager::PostHandleEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 1871] PresShell::HandleEventInternal [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6072] PresShell::HandleEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5942] nsViewManager::HandleEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2281] nsViewManager::DispatchEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2025] HandleEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp, line 79] nsWindow::DispatchEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1068] nsWindow::DispatchWindowEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1085] nsWindow::DispatchMouseEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5225] ChildWindow::DispatchMouseEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5478] nsWindow::ProcessMessage [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4063] nsWindow::WindowProc [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1347] KERNEL32.DLL + 0x363b (0xbff7363b) KERNEL32.DLL + 0x242e7 (0xbff942e7) 0x00648b5e
Keywords: topcrash+
Updated•20 years ago
|
Keywords: talkbackid
Summary: Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript → Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript [@ nsCSSFrameConstructor::GetInsertionPoint]
Whiteboard: TB6717K, TB8849H
Comment 11•20 years ago
|
||
It looks like the DeleteContents() on setting innerHTML removes the span child of the div (fine), which sets the document to null on the subtree (fine), which makes the file control call GetPrimaryFrameFor (to save its state). The problem is that the parent's frame (what FindPrimaryFrameFor gets as the primary frame of the parent span node) is already deleted for some reason. Not sure why that's happening, since we're not really done removing the span from the DOM at this point....
Comment 12•20 years ago
|
||
Crash Moz 1.7 Beta, Slackware Linux: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040316 OS -> All? Sorry for spam if this is already known. Talkback ID is TB11343G Captured at 04/03/04 at 02:00 PM
Comment 13•20 years ago
|
||
stack from report mentioned above.. Stack Signature 0x00000000 5ef36868 Email Address neilparis_2k1@hotmail.com Product ID Mozilla1.7 Build ID 2004031615 Trigger Time 2004-04-03 11:03:51.0 Platform LinuxIntel Operating System Linux 2.4.22 Module null URL visited User Comments Bug 238906 Since Last Crash null sec Total Uptime null sec Trigger Reason SIGSEGV: Segmentation Fault: (signal 11) Source File Name Trigger Line No. Stack Trace 0x00000000 _ZN21nsCSSFrameConstructor19FindPrimaryFrameForEP14nsIPresContextP14nsFrameManagerP10nsIContentPP8nsIFrameP15nsFindFrameHint() _ZN14nsFrameManager18GetPrimaryFrameForEP10nsIContent() _ZNK9PresShell18GetPrimaryFrameForEP10nsIContentPP8nsIFrame() _ZN20nsGenericHTMLElement18GetPrimaryFrameForEP10nsIContentP11nsIDocumenti() _ZN20nsGenericHTMLElement22GetFormControlFrameForEP10nsIContentP11nsIDocumenti() _ZN18nsHTMLInputElement8GetValueER9nsAString() _ZN18nsHTMLInputElement9SaveStateEv() _ZN24nsGenericHTMLFormElement11SetDocumentEP11nsIDocumentii() _ZN18nsHTMLInputElement11SetDocumentEP11nsIDocumentii() _ZN16nsGenericElement23SetDocumentInChildrenOfEP10nsIContentP11nsIDocumenti() _ZN16nsGenericElement11SetDocumentEP11nsIDocumentii() _ZN20nsGenericHTMLElement11SetDocumentEP11nsIDocumentii() _ZN16nsGenericElement13RemoveChildAtEji() _ZN16nsGenericElement13doRemoveChildEP10nsIContentP10nsIDOMNodePS3_() _ZN16nsHTMLDivElement11RemoveChildEP10nsIDOMNodePS1_() _ZN7nsRange14DeleteContentsEv() _ZN20nsGenericHTMLElement12SetInnerHTMLERK9nsAString() _ZN27nsGenericHTMLElementTearoff12SetInnerHTMLERK9nsAString() XPTC_InvokeByIndex() _ZN16XPCWrappedNative10CallMethodER14XPCCallContextNS_8CallModeE() _Z19XPC_WN_GetterSetterP9JSContextP8JSObjectjPlS3_() js_Invoke() js_InternalInvoke() js_InternalGetOrSet() js_SetProperty() js_Interpret() js_Invoke() js_InternalInvoke() JS_CallFunctionValue() _ZN11nsJSContext16CallEventHandlerEP8JSObjectS1_jPlS2_() _ZN17nsJSEventListener11HandleEventEP11nsIDOMEvent() _ZN22nsEventListenerManager18HandleEventSubTypeEP16nsListenerStructP11nsIDOMEventP17nsIDOMEventTargetjj() _ZN22nsEventListenerManager11HandleEventEP14nsIPresContextP7nsEventPP11nsIDOMEventP17nsIDOMEventTargetjP13nsEventStatus() _ZN16nsGenericElement14HandleDOMEventEP14nsIPresContextP7nsEventPP11nsIDOMEventjP13nsEventStatus() _ZN18nsHTMLInputElement14HandleDOMEventEP14nsIPresContextP7nsEventPP11nsIDOMEventjP13nsEventStatus() _ZN9PresShell19HandleEventInternalEP7nsEventP7nsIViewjP13nsEventStatus() _ZN9PresShell21HandleEventWithTargetEP7nsEventP8nsIFrameP10nsIContentjP13nsEventStatus() _ZN19nsEventStateManager24CheckForAndDispatchClickEP14nsIPresContextP12nsMouseEventP13nsEventStatus() _ZN19nsEventStateManager15PostHandleEventEP14nsIPresContextP7nsEventP8nsIFrameP13nsEventStatusP7nsIView() _ZN9PresShell19HandleEventInternalEP7nsEventP7nsIViewjP13nsEventStatus() _ZN9PresShell11HandleEventEP7nsIViewP10nsGUIEventP13nsEventStatusiRi() _ZN13nsViewManager11HandleEventEP6nsViewP10nsGUIEventi() _ZN13nsViewManager13DispatchEventEP10nsGUIEventP13nsEventStatus() _Z11HandleEventP10nsGUIEvent() _ZN8nsWidget13DispatchEventEP10nsGUIEventR13nsEventStatus() _ZN8nsWidget19DispatchWindowEventEP10nsGUIEvent() _ZN8nsWidget18DispatchMouseEventER12nsMouseEvent() _ZN8nsWidget21OnButtonReleaseSignalEP15_GdkEventButton() _ZN8nsWindow21OnButtonReleaseSignalEP15_GdkEventButton() _ZN8nsWindow14HandleGDKEventEP9_GdkEvent() _Z23dispatch_superwin_eventP9_GdkEventP8nsWindow() _Z16handle_gdk_eventP9_GdkEventPv() libgdk-1.2.so.0 + 0x16b44 (0x40276b44) libglib-1.2.so.0 + 0xfe75 (0x402a3e75) libglib-1.2.so.0 + 0x1032c (0x402a432c) libglib-1.2.so.0 + 0x1055c (0x402a455c) libgtk-1.2.so.0 + 0x8c083 (0x401ce083) _ZN10nsAppShell3RunEv() _ZN17nsAppShellService3RunEv() _Z5main1iPPcP11nsISupports() main() libc.so.6 + 0x15936 (0x403cb936)
Reporter | ||
Comment 14•20 years ago
|
||
Note that Mozilla does NOT crash when entering the <br /> tag in front of the input field! -- <html> <head> <title>Causes mozilla 1.5 to crash</title> <script language="JavaScript" type="text/javascript"> <!-- function getHandle(myparam) { return(document.getElementById(myparam)); } function addToElement(target, source) { target.innerHTML+=source.innerHTML; } // (c) Gerben Versluis // 2004 - http://www.gerben.info --></script> </head> <body> <form enctype="multipart/form-data" method="POST" > <div id="form" style="position:relative; width:100%; border: 1px solid #000000;"> <span id="repeat"> <br /><input type="file" name="upload[]" /> </span> </div> <input type="button" name="more" value="more" onclick="addToElement(getHandle('form'), getHandle('repeat'));"> </form> </body> </html>
Comment 15•20 years ago
|
||
OS -> ALL since I crashed myself in Linux (comment #12)
OS: Windows 2000 → All
Comment 16•20 years ago
|
||
I can reproduce this at will by replying to certain e-mail messages. I can send the e-mail to anyone that's interested...
Comment 18•20 years ago
|
||
actually, edit message as new, or reply to, any message with 5 or more recipients, and I crash - this makes it very hard to use mail. This is on the trunk, so I believe this is worse on the trunk than on the 1.7 branch, unless the branch has regressed as well.
Comment 19•20 years ago
|
||
Since the stack signature is 0x0000000, it's hard to tell where in the topcrash list this crash is. This looks similar to or even a dup of bug 203041 as someone mentioned earlier (that bug has been a topcrasher since 1.7 beta).
Updated•20 years ago
|
Flags: blocking1.7? → blocking1.7+
Comment 20•20 years ago
|
||
testcase crashes linux trunk 2004051305
Comment 21•20 years ago
|
||
Definitely not a regression - I can recreate this crash back to 1.4.
Comment 22•20 years ago
|
||
1.4 crash is in exactly the same place. Two interesting assertions as we crash: ###!!! ASSERTION: Please remove this from the document properly: '!mDocument', f ile D:/BUILDS/1.4/mozilla/content/base/src/nsGenericElement.cpp, line 741 Document http://versluis.nl.eu.org/samples/mozillacrash.html loaded successfully ###!!! ASSERTION: frame was not removed from primary frame map before destructio n or was readded to map after being removed: '!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame', file D:/BUILDS/1.4/mozilla/layout/html/base/src/nsFrame Manager.cpp, line 1028
Comment 23•20 years ago
|
||
Adding M17rc2 and [@ nsCSSFrameConstructor::FindFrameWithContent]to summary for tracking since users are crashing there as well with this testcase using Mozilla 1.7 rc2. Here's my crash: Incident ID: 52728 Stack Signature 0x00000000 d3d9e6fb Email Address jay@mozilla.org Product ID Mozilla17 Build ID 2004051408 Trigger Time 2004-05-19 17:32:44.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module URL visited http://bugzilla.mozilla.org/attachment.cgi?id=148483&action=view User Comments bug 238906 - click on testcase Since Last Crash sec Total Uptime sec Trigger Reason Access violation Source File Name Trigger Line No. Stack Trace 0x00000000 nsCSSFrameConstructor::FindFrameWithContent [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 10952] nsCSSFrameConstructor::FindPrimaryFrameFor [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 11088] nsFrameManager::GetPrimaryFrameFor [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsFrameManager.cpp, line 460] PresShell::GetPrimaryFrameFor [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5389] nsGenericHTMLElement::GetPrimaryFrameFor [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 2189] nsGenericHTMLElement::GetFormControlFrameFor [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 2199] . . . .
Summary: Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript [@ nsCSSFrameConstructor::GetInsertionPoint] → M17rc2 Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript [@ nsCSSFrameConstructor::GetInsertionPoint] [@ nsCSSFrameConstructor::FindFrameWithContent]
Comment 24•20 years ago
|
||
This has the same cause as bug 203041; I have a fix over there.
Comment 25•20 years ago
|
||
fix (from bug 203041) checked into trunk, aviary branch, and 1.7 branch.
Updated•20 years ago
|
Whiteboard: fixed-aviary1.0
Assignee | ||
Updated•13 years ago
|
Crash Signature: [@ nsCSSFrameConstructor::GetInsertionPoint]
[@ nsCSSFrameConstructor::FindFrameWithContent]
You need to log in
before you can comment on or make changes to this bug.
Description
•