Mozilla crashes when form is moved by JavaScript M096 & Trunk [@ nsGenericHTMLElement::GetPrimaryFrame]

RESOLVED DUPLICATE of bug 114220

Product: Core
Component: Layout: Form Controls
Importance: -- critical
Reported: 16 years ago
Modified: 16 years ago
Reporter: Stefan Seifert
Assignee: kinmoz
Version: Trunk
Target Milestone: mozilla0.9.8
Keywords: crash, qawanted, topcrash
Attachments: 1

(Reporter)

Description

16 years ago
If you go to http://www.detonation.org/mozilla-crash-testcase.html and hit 
the "quickpost" link Mozilla crashes. This happens on builds 2001110503 and 
2001110603 for me. #mozillazine reported that it works on 2001100303.

The testcase is a form consisting of at least two <input> inside a form. It is 
initially on position -300 -300 and should be moved to inside the screen when 
hitting the link. However if you remove one of the two <input> the crash goes 
away and everything works fine. The same happens when you remove the value 
attribute of the first input, but then both fields are initialized with the 
value of the second one.

Talkback of crash: TB37641687G
(Reporter)

Comment 1

16 years ago
Created attachment 56733 [details]
Testcase from URL
(Reporter)

Updated

16 years ago
Keywords: crash

Comment 2

confirming with win2k build 20011106..

Stack Trace:
CallQueryInterface(nsIFrame * 0x047dfa84, nsIFormControlFrame * * 0x0012ca84) 
line 270 + 19 bytes
nsGenericHTMLElement::GetPrimaryFrame(nsIHTMLContent * 0x03dea050, 
nsIFormControlFrame * & 0x00000000, int 0, int 0) line 3143 + 13 bytes
nsHTMLInputElement::SetValueSecure(nsHTMLInputElement * const 0x03dea050, const 
nsAString & {...}, int 1) line 520 + 17 bytes
nsHTMLInputElement::SetValue(nsHTMLInputElement * const 0x03dea07c, const 
nsAString & {...}) line 484
nsHTMLInputElement::RestoreState(nsHTMLInputElement * const 0x03dea074, 
nsIPresContext * 0x03b04848, nsIPresState * 0x03d732e0) line 2011
nsFormControlHelper::RestoreContentState(nsIFrame * 0x047e024c, nsIPresContext * 
0x03b04848, nsIPresState * 0x03d732e0) line 1077
nsGfxTextControlFrame2::RestoreState(nsGfxTextControlFrame2 * const 0x047e02d8, 
nsIPresContext * 0x03b04848, nsIPresState * 0x03d732e0) line 3511 + 23 bytes
FrameManager::RestoreFrameStateFor(FrameManager * const 0x03e7db70, 
nsIPresContext * 0x03b04848, nsIFrame * 0x047e024c, nsILayoutHistoryState * 
0x03ea5cd0, nsIStatefulFrame::SpecialStateID eNoID) line 2218 + 25 bytes
FrameManager::RestoreFrameState(FrameManager * const 0x03e7db70, nsIPresContext 
* 0x03b04848, nsIFrame * 0x047e024c, nsILayoutHistoryState * 0x03ea5cd0) line 
2232 + 29 bytes
nsCSSFrameConstructor::InitAndRestoreFrame(nsIPresContext * 0x03b04848, 
nsFrameConstructorState & {...}, nsIContent * 0x03dea050, nsIFrame * 0x047df828, 
nsIStyleContext * 0x047e0218, nsIFrame * 0x00000000, nsIFrame * 0x047e024c) line 
6517
nsCSSFrameConstructor::ConstructFrameByTag(nsIPresShell * 0x03df3520, 
nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 
0x03dea050, nsIFrame * 0x047df828, nsIAtom * 0x00f8b700, int 3, nsIStyleContext 
* 0x047e0218, nsFrameItems & {...}) line 4745
nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell * 0x03df3520, 
nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 
0x03dea050, nsIFrame * 0x047df828, nsIAtom * 0x00f8b700, int 3, nsIStyleContext 
* 0x047e0218, nsFrameItems & {...}, int 0) line 7031 + 49 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x03df3520, nsIPresContext 
* 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 0x03dea050, nsIFrame 
* 0x047df828, nsFrameItems & {...}) line 6945 + 56 bytes
nsCSSFrameConstructor::ProcessChildren(nsIPresShell * 0x03df3520, nsIPresContext 
* 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 0x03dd9980, nsIFrame 
* 0x047df828, int 1, nsFrameItems & {...}, int 0, nsTableCreator * 0x00000000) 
line 11572 + 66 bytes
nsCSSFrameConstructor::ConstructFrameByTag(nsIPresShell * 0x03df3520, 
nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 
0x03dd9980, nsIFrame * 0x047df600, nsIAtom * 0x00f8ce28, int 3, nsIStyleContext 
* 0x047df790, nsFrameItems & {...}) line 4779 + 41 bytes
nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell * 0x03df3520, 
nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 
0x03dd9980, nsIFrame * 0x047df600, nsIAtom * 0x00f8ce28, int 3, nsIStyleContext 
* 0x047df790, nsFrameItems & {...}, int 0) line 7031 + 49 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x03df3520, nsIPresContext 
* 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 0x03dd9980, nsIFrame 
* 0x047df600, nsFrameItems & {...}) line 6945 + 56 bytes
nsCSSFrameConstructor::ProcessChildren(nsIPresShell * 0x03df3520, nsIPresContext 
* 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 0x03adcf20, nsIFrame 
* 0x047df600, int 1, nsFrameItems & {...}, int 1, nsTableCreator * 0x00000000) 
line 11572 + 66 bytes
nsCSSFrameConstructor::ConstructFrameByDisplayType(nsIPresShell * 0x03df3520, 
nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, const 
nsStyleDisplay * 0x047df524, nsIContent * 0x03adcf20, nsIFrame * 0x047dda0c, 
nsIStyleContext * 0x047df4f0, nsFrameItems & {...}) line 6130
nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell * 0x03df3520, 
nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 
0x03adcf20, nsIFrame * 0x047dda0c, nsIAtom * 0x00f8c7c8, int 3, nsIStyleContext 
* 0x047df4f0, nsFrameItems & {...}, int 0) line 7074 + 45 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x03df3520, nsIPresContext 
* 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 0x03adcf20, nsIFrame 
* 0x047dda0c, nsFrameItems & {...}) line 6945 + 56 bytes
nsCSSFrameConstructor::ContentInserted(nsCSSFrameConstructor * const 0x03c19850, 
nsIPresContext * 0x03b04848, nsIContent * 0x03b58de0, nsIContent * 0x03adcf20, 
int 5, nsILayoutHistoryState * 0x03ea5cd0) line 8679
nsCSSFrameConstructor::RecreateFramesForContent(nsIPresContext * 0x03b04848, 
nsIContent * 0x03adcf20, int 1, nsIStyleRule * 0x03dd990c, nsIStyleContext * 
0x047df4f0) line 11430 + 45 bytes
nsCSSFrameConstructor::AttributeChanged(nsCSSFrameConstructor * const 
0x03c19850, nsIPresContext * 0x03b04848, nsIContent * 0x03adcf20, int 0, nsIAtom 
* 0x00f8f988, int 1, int 6) line 10057 + 38 bytes
StyleSetImpl::AttributeChanged(StyleSetImpl * const 0x03c052f0, nsIPresContext * 
0x03b04848, nsIContent * 0x03adcf20, int 0, nsIAtom * 0x00f8f988, int 1, int 6) 
line 1456
PresShell::AttributeChanged(PresShell * const 0x03df3528, nsIDocument * 
0x03dee058, nsIContent * 0x03adcf20, int 0, nsIAtom * 0x00f8f988, int 1, int 6) 
line 5094 + 61 bytes
nsDocument::AttributeChanged(nsDocument * const 0x03dee058, nsIContent * 
0x03adcf20, int 0, nsIAtom * 0x00f8f988, int 1, int 6) line 1785 + 36 bytes
nsHTMLDocument::AttributeChanged(nsHTMLDocument * const 0x03dee058, nsIContent * 
0x03adcf20, int 0, nsIAtom * 0x00f8f988, int 1, int 6) line 1252
nsDOMCSSAttributeDeclaration::RemoveProperty(nsDOMCSSAttributeDeclaration * 
const 0x03ae7550, const nsAString & {...}, nsAString & {...}) line 219
CallSetProperty(nsDOMCSSDeclaration * 0x03ae7550, const nsAString & {...}, const 
nsAString & {...}) line 225 + 23 bytes
nsDOMCSSDeclaration::SetTop(nsDOMCSSDeclaration * const 0x03ae7554, const 
nsAString & {...}) line 357 + 39 bytes
XPTC_InvokeByIndex(nsISupports * 0x03ae7554, unsigned int 226, unsigned int 1, 
nsXPTCVariant * 0x0012e218) line 154
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 
CALL_SETTER) line 2009 + 42 bytes
XPCWrappedNative::SetAttribute(XPCCallContext & {...}) line 1828 + 14 bytes
XPC_WN_GetterSetter(JSContext * 0x0378aaa0, JSObject * 0x03b87288, unsigned int 
1, long * 0x03d83878, long * 0x0012e500) line 1290 + 12 bytes
js_Invoke(JSContext * 0x0378aaa0, unsigned int 1, unsigned int 2) line 832 + 23 
bytes
js_InternalInvoke(JSContext * 0x0378aaa0, JSObject * 0x03b87288, long 62419664, 
unsigned int 0, unsigned int 1, long * 0x0012f32c, long * 0x0012f32c) line 924 + 
20 bytes
js_SetProperty(JSContext * 0x0378aaa0, JSObject * 0x03b87288, long 15826824, 
long * 0x0012f32c) line 2590 + 47 bytes
js_Interpret(JSContext * 0x0378aaa0, long * 0x0012f54c) line 2634 + 1939 bytes
js_Execute(JSContext * 0x0378aaa0, JSObject * 0x03ac78e8, JSScript * 0x03df6c58, 
JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012f54c) line 1012 + 13 
bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x0378aaa0, JSObject * 0x03ac78e8, 
JSPrincipals * 0x03df13d8, const unsigned short * 0x0012f688, unsigned int 16, 
const char * 0x00000000, unsigned int 0, long * 0x0012f54c) line 3368 + 25 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x03adab90, const nsAString & 
{...}, void * 0x03ac78e8, nsIPrincipal * 0x03df13d4, const char * 0x00000000, 
unsigned int 0, const char * 0x00000000, nsAString & {...}, int * 0x0012f74c) 
line 653 + 85 bytes
nsJSThunk::EvaluateScript() line 260 + 64 bytes
nsJSChannel::AsyncOpen(nsJSChannel * const 0x03e3f8e0, nsIStreamListener * 
0x03e3e538, nsISupports * 0x00000000) line 576 + 11 bytes
nsDocumentOpenInfo::Open(nsIChannel * 0x03e3f8e0, int 1, nsISupports * 
0x03ab4358) line 198 + 18 bytes
nsURILoader::OpenURIVia(nsURILoader * const 0x00fbd180, nsIChannel * 0x03e3f8e0, 
int 1, nsISupports * 0x03ab4358, unsigned int 0) line 548 + 20 bytes
nsURILoader::OpenURI(nsURILoader * const 0x00fbd180, nsIChannel * 0x03e3f8e0, 
int 1, nsISupports * 0x03ab4358) line 510
nsDocShell::DoChannelLoad(nsIChannel * 0x03e3f8e0, nsIURILoader * 0x00fbd180) 
line 4455 + 39 bytes
nsDocShell::DoURILoad(nsIURI * 0x03e87e20, nsIURI * 0x047c4200, nsISupports * 
0x03df13c8, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000) line 4239 
+ 38 bytes
nsDocShell::InternalLoad(nsDocShell * const 0x03ab4358, nsIURI * 0x03e87e20, 
nsIURI * 0x047c4200, nsISupports * 0x00000000, int 1, const unsigned short * 
0x0012fc10, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000, unsigned 
int 2097153, nsISHEntry * 0x00000000) line 4054 + 39 bytes
nsWebShell::HandleLinkClickEvent(nsIContent * 0x03b5b490, nsLinkVerb 
eLinkVerb_Replace, const unsigned short * 0x03e0d210, const unsigned short * 
0x100d1150 gCommonEmptyBuffer, nsIInputStream * 0x00000000, nsIInputStream * 
0x00000000) line 807 + 80 bytes
OnLinkClickEvent::HandleEvent() line 655
HandlePLEvent(OnLinkClickEvent * 0x03adc9e8) line 669
PL_HandleEvent(PLEvent * 0x03adc9e8) line 590 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00e59428) line 520 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x002203c8, unsigned int 49380, unsigned int 0, 
long 15045672) line 1071 + 9 bytes
USER32! 77e02e98()
USER32! 77e030e0()
USER32! 77e05824()
nsAppShellService::Run(nsAppShellService * const 0x00e56f10) line 303
main1(int 2, char * * 0x003526f0, nsISupports * 0x00000000) line 1304 + 32 bytes
main(int 2, char * * 0x003526f0) line 1630 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e87d08()
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 3

jkeiser, is this yours?  CallQueryInterface is not null-safe...

I see this on Linux too.
OS: Windows 98 → All
Hardware: PC → All

Comment 4

16 years ago
Yeah, I think that's me.  Didn't know it wasn't null-safe.  I'll go through the
code I changed and see if anything else does that.  Thanks!
Assignee: rods → jkeiser

Comment 5

16 years ago
Hmm.  Much like the Transformers, there's more than meets the eye here.

This is not a null problem at all.  The strange thing is, aSource looks like
this when I print it in GDB:

$2 = {<nsISupports> = {_vptr.nsISupports = 0x0},
  mRect = {x = 0, y = 0, width = 1406, height = 380},
  mContent = 0x0, mStyleContext = 0x0, mParent = 0x86fcd40,
  mNextSibling = 0x86dee90, mState = 2160345124}

Since CallQueryInterface() is doing aSource->QueryInterface(), I am thinking the
problem lies in the fact that the nsISupports vptr is null!  I am not sure how
to interpret this.  Could this mean the frame was deleted and someone hung on to
it?  The mParent and mNextSibling pointers seem to be valid (I can follow them
and they have vptrs and all that).

Given that this worked on the 3rd, I am unsure whether this was caused by my
checkin(s).  CC'ing people who might have an idea (or at least have an idea who
would have an idea).

Comment 6

Looks like nsIPresShell::GetPrimaryFrameFor() is handing back a pointer to a
deleted frame, we've seen that before, and I think there are open bugs on it
already. Typically if a vptr is bad (null or garbage) it means the underlying
object has been deleted. And since frames (nsIFrame's) aren't refcounted it's
kinda hard to say where this problem comes from.

John, did you change the destructor or any ::Destroy() methods? IIRC that's
where we make sure frames that are destroyed are removed from the
nsIContent->nsIFrame maps.

Comment 7

16 years ago
OK, for now I am thinking the problem just looks like it's 34297 breakage
because of where it shows up, but the real problem is when it's getting deleted.
 My changes haven't messed with that stuff (only added to Destroy() and ~, not
deleted).  I've heard there have been bug reports like this in the preceding
months too.

To rods with love.
Assignee: jkeiser → rods

Comment 8

16 years ago
this is probably what I'm getting as well.  This game, which plays fine in ie or
ns, crashes mz when opened.  http://www6.ewebcity.com/nakedchaos/keyboarder.html

Comment 9

16 years ago
I am going to send this over to kin.

Here is what I know by setting breakpoints in the constructor and destructor of 
GfxText. When they get removed and destroyed, in nsFrame::Destroy the 
ClearFrameRefs is NOT being called for either of the GfxText frames.

  if ((mState & NS_FRAME_EXTERNAL_REFERENCE) ||
      (mState & NS_FRAME_SELECTED_CONTENT)) {
    if (shell) {
      shell->ClearFrameRefs(this);
    }
  }

What is strange is that it doesn't crash until after the GfxText is created the 
second time (when it is being moved). It also doesn't crash with one text 
control and some other form control. It seems that it takes two text controls to 
crash.
Assignee: rods → kin
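
The failure mode discussed in comments 6 and 9, as an added toy model (not Mozilla code, and not the fix from bug 114220): a content-to-frame map keeps an entry for a destroyed frame when cleanup is guarded by state bits. `ToyShell`, the integer frame handles and the lookup-before-registration ordering are assumptions made for this illustration.

```cpp
// Added illustration: a toy model of a content -> primary-frame map.
// All names are hypothetical stand-ins, not Mozilla's classes. Frames are
// integer handles rather than raw pointers, so the demo never touches freed
// memory; a "stale" result marks where the real code would dereference one.
#include <cstdint>
#include <cstdio>
#include <unordered_map>

constexpr uint32_t kExternalReference = 1u << 0;  // stand-in for NS_FRAME_EXTERNAL_REFERENCE
constexpr uint32_t kSelectedContent   = 1u << 1;  // stand-in for NS_FRAME_SELECTED_CONTENT

using ContentId = int;
using FrameId   = int;

enum class Lookup { None, Live, Stale };

class ToyShell {
  struct Frame { ContentId content; uint32_t state; };
  std::unordered_map<FrameId, Frame> live_;         // frames that still exist
  std::unordered_map<ContentId, FrameId> primary_;  // content -> primary frame
  FrameId next_id_ = 1;

 public:
  // Allocates a frame; registering it as primary is a separate step.
  FrameId CreateFrame(ContentId content, uint32_t state) {
    FrameId id = next_id_++;
    live_[id] = Frame{content, state};
    return id;
  }

  void SetPrimaryFrameFor(ContentId content, FrameId frame) {
    primary_[content] = frame;
  }

  // Drops every map entry that still points at `frame`.
  void ClearFrameRefs(FrameId frame) {
    for (auto it = primary_.begin(); it != primary_.end();) {
      if (it->second == frame) it = primary_.erase(it);
      else ++it;
    }
  }

  // Mirrors the guarded call quoted in comment 9: the map is cleaned only
  // when one of the two state bits is set on the frame being destroyed.
  void DestroyGuarded(FrameId frame) {
    auto it = live_.find(frame);
    if (it == live_.end()) return;
    if (it->second.state & (kExternalReference | kSelectedContent)) {
      ClearFrameRefs(frame);
    }
    live_.erase(it);
  }

  // Hardened variant (an assumption for this model): always clean the map.
  void DestroyAlways(FrameId frame) {
    if (live_.erase(frame)) ClearFrameRefs(frame);
  }

  // Classifies what a caller would get back for `content`.
  Lookup GetPrimaryFrameFor(ContentId content) const {
    auto it = primary_.find(content);
    if (it == primary_.end()) return Lookup::None;
    return live_.count(it->second) ? Lookup::Live : Lookup::Stale;
  }
};

// Scenario modelled on the stack trace: a style change recreates the frame
// for an <input>, and restoring state on the replacement frame looks up the
// primary frame for the same content before the replacement is registered
// (that ordering is an assumption of this model).
Lookup LookupDuringRecreate(bool guarded_destroy, uint32_t old_frame_state) {
  ToyShell shell;
  const ContentId input = 42;  // constructed sample content id
  FrameId old_frame = shell.CreateFrame(input, old_frame_state);
  shell.SetPrimaryFrameFor(input, old_frame);

  if (guarded_destroy) shell.DestroyGuarded(old_frame);
  else shell.DestroyAlways(old_frame);

  FrameId replacement = shell.CreateFrame(input, 0);
  Lookup seen = shell.GetPrimaryFrameFor(input);  // lookup during state restore
  shell.SetPrimaryFrameFor(input, replacement);
  return seen;
}

static const char* Name(Lookup r) {
  switch (r) {
    case Lookup::None:  return "no frame (caller must handle null)";
    case Lookup::Live:  return "live frame";
    case Lookup::Stale: return "STALE handle to a destroyed frame";
  }
  return "?";
}

int main() {
  std::printf("guarded destroy, no flag set : %s\n", Name(LookupDuringRecreate(true, 0)));
  std::printf("guarded destroy, flag set    : %s\n", Name(LookupDuringRecreate(true, kExternalReference)));
  std::printf("unconditional cleanup        : %s\n", Name(LookupDuringRecreate(false, 0)));
  return 0;
}
```

In the unconditional variant the lookup yields no frame instead of a stale one, which is why the caller still needs a null check before querying the result.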
(Reporter)

Comment 10

16 years ago
this is what I said in the first comment. Repeat: if you remove the value
attribute of the first textfield the crash does not happen but both fields are
initialized with the value of the second field.

Comment 11

16 years ago
I'm seeing a similar crash with recent MozillaTrunk builds and Mozilla 0.9.6. 
Adding topcrash keyword and M096 & Trunk [@
nsGenericHTMLElement::GetPrimaryFrame] to summary. 

Here is the latest info from MozillaTrunk Talkback data:
nsGenericHTMLElement::GetPrimaryFrame   13 
BBID range: 38486432 - 38805101
Min/Max Seconds since last crash: 605 - 79756
Min/Max Runtime: 605 - 347005
Crash data range: 2001-11-25 to 2001-12-02
Build ID range: 2001112210 to 2001120211
Keyword List : 
Stack Trace: 

	 nsGenericHTMLElement::GetPrimaryFrame
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp 
line 2799]
	 nsHTMLInputElement::SetValueSecure
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp 
line 521]
	 nsHTMLInputElement::SetValue
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp 
line 476]
	 nsHTMLInputElement::RestoreState
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp 
line 2033]
	 nsFormControlHelper::RestoreContentState
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsFormControlHelper.cpp  line
1080]
	 nsGfxTextControlFrame2::RestoreState
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxTextControlFrame2.cpp 
line 3527]
	 FrameManager::RestoreFrameStateFor
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp  line 2220]
	 FrameManager::RestoreFrameState
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp  line 2236]
	 nsCSSFrameConstructor::InitAndRestoreFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 6480]
	 nsCSSFrameConstructor::ConstructFrameByTag
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 4722]
	 nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 7001]
	 nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 6911]
	 nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 11678]
	 nsCSSFrameConstructor::ConstructXULFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 5602]
	 nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 7005]
	 nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 6911]
	 nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 11678]
	 nsCSSFrameConstructor::ConstructXULFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 5602]
	 nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 7005]
	 nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 6911]
	 nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 11678]
	 nsCSSFrameConstructor::ConstructXULFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 5602]
	 nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 7005]
	 nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 6972]
	 nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 6911]
	 nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 11678]
	 nsCSSFrameConstructor::ConstructXULFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 5602]
	 nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 7005]
	 nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 6911]
	 nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 11678]
	 nsCSSFrameConstructor::ConstructXULFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 5602]
	 nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 7005]
	 nsCSSFrameConstructor::CreateTreeWidgetContent
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp 
line 12705]
	 nsXULTreeGroupFrame::GetFirstTreeBox
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsXULTreeGroupFrame.cpp  line 326]
	 nsTreeLayout::LazyRowCreator
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsTreeLayout.cpp  line 362]
	 nsTreeLayout::LazyRowCreator
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsTreeLayout.cpp  line 373]
	 nsXULTreeOuterGroupFrame::ReflowFinished
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsXULTreeOuterGroupFrame.cpp 
line 1351]
	 PresShell::HandlePostedReflowCallbacks
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp  line 4947]
	 PresShell::ProcessReflowCommands
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp  line 6185]
	 PresShell::FlushPendingNotifications
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp  line 5041]
	 nsXULTreeOuterGroupFrame::InternalPositionChanged
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsXULTreeOuterGroupFrame.cpp 
line 809]
	 nsXULTreeOuterGroupFrame::PositionChanged
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsXULTreeOuterGroupFrame.cpp 
line 669]
	 nsSliderFrame::SetCurrentPosition
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsSliderFrame.cpp  line 816]
	 nsSliderFrame::HandleEvent
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsSliderFrame.cpp  line 596]
	 PresShell::HandleEventInternal
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp  line 5871]
	 PresShell::HandleEvent
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp  line 5779]
	 nsView::HandleEvent
[d:\builds\seamonkey\mozilla\view\src\nsView.cpp  line 385]
	 nsViewManager::DispatchEvent
[d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp  line 1914]
	 HandleEvent
[d:\builds\seamonkey\mozilla\view\src\nsView.cpp  line 83]
	 nsWindow::DispatchEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp  line 849]
	 nsWindow::DispatchWindowEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp  line 866]
	 nsWindow::DispatchMouseEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp  line 4424]
	 ChildWindow::DispatchMouseEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp  line 4674]
	 nsWindow::ProcessMessage
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp  line 3390]
	 nsWindow::WindowProc
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp  line 1114]
	 USER32.DLL + 0x2e98 (0x77e12e98)
	 USER32.DLL + 0x30e0 (0x77e130e0)
	 USER32.DLL + 0x5824 (0x77e15824)
	 nsAppShellService::Run
[d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp  line 303]
	 main1
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp  line 1285]
	 main
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp  line 1602]
	 WinMain
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp  line 1620]
	 WinMainCRTStartup()
	 KERNEL32.DLL + 0x17d08 (0x77e97d08)
 
 	Source File :
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/html/content/src/nsGenericHTMLElement.cpp
line : 2799
     (38805101)	Comments: creating an address list
     (38673103)	Comments: working with addressing fields of mail/news  composition.   I've
always experienced random instability with this Mozilla component.  I sense it's
with LDAP auto-complete.
     (38660341)	URL:
http://www.detonation.org/cgi-bin/onit/forumclient.cgi?FORUMID=10&FID=56981#NEW
(38617494)
Comments: Composed a message in HTML format (with images) added several
recipients  started to change some of the recipients from "To:" to "Cc:"
     (38578773)	URL:
http://www.detonation.org/cgi-bin/onit/forumclient.cgi?FORUMID=10&FID=56981#NEW
(38578773)
Comments: http://bugzilla.mozilla.org/show_bug.cgi?id=108704
(38566916)
URL: http://www.detonation.org/cgi-bin/onit/forumclient.cgi?FORUMID=10&FID=56981#NEW
(38554498)
Comments: send a big email with attached file while writing another email
     (38522292)	Comments: aaargghhhh!!!
     (38487518)	Comments: Scrolling the recipient list in a message composition window...
THIS HAS HAPPENED REPEATEDLY

Here's the comments from M096 data as well:
Source File :
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/html/content/src/nsGenericHTMLElement.cpp
line : 2804
     (38777884)	Comments: I was editing message filtering rule.
     (38773860)	Comments: I was adding receipients to an email message
     (38716872)	Comments: cutting an email address from web page  and about to paste into
the email client
     (38638817)	Comments: Failed to create a mail filter
     (38627709)	Comments: composing an email - specifically  using my mouse wheel to scroll
up on the list of email recepiants for review after keying them in (To: and Cc:
area)
     (38610598)	Comments: composing email (addressing)
     (38598472)	Comments: trying to add more than one rule to a single message filter
     (38598435)	Comments: attempting to add more than one rule to a message filter
     (38583779)	Comments: clicked on the more button to add to a filter
     (38582138)	Comments: composing an email...
     (38578365)	Comments: Adding a new rule (first and only rule) to the mail client's
message filter.
     (38569467)	Comments: Composing an email.  At particular time of failure I was scrolling
through list of people that I planned sending the message to.  I had 5 addresses
in my distribution list.
     (38561245)	Comments: auto completion of e-mail addresses. Addresses were both LDAPand
local address book
     (38556409)	Comments: send EMAIL!
     (38554808)	Comments: Adding e-mail addresses to a mail. One e-mail address was suddenly
not display (the field was blank) and when I clicked on that field Mozilla crashed.
     (38543270)	Comments: I was scrolling in the address list of a mail message I was composing.
     (38530056)	URL: http://www.centrobank.com
(38530056)
Comments: dhtml
     (38508026)	Comments: mailnews. sending a message to several recipients. Got an error
message (dialog box) for one of them saying the recipients mailbox quota had
been exceeded (recipient on same ISP). Dismissed the dialog and then clicked on
message window and got a crash.
     (38501039)	Comments: Changing and adding email recipients
     (38498541)	Comments: clicking in mailfilters and an then twice the up arrow in the
criteriaselector
     (38488089)	URL: www.overture.com
(38474459)
Comments: Entering a Filter-Rule in the Mail-Client
     (38462627)	Comments: Creating a list in the address book.  It was a long list.  I was
dragging and dropping the addresses.  When I clicked OK  it died.
     (38405871)	Comments: I was generating an email-filter rule. after pressing the more
button I tried to scroll down -> mozilla died  [:(] 
(38367039)
Comments: Scrolling down the recipients list in a message compose window. Almost
reproducible. Cannot find the exact way to reproduce it.
     (38365867)	Comments: I renamed a mail folder (freshmeat to osdn)  then warning occured
that correspondent filter will be updated  then afterwards I wanted to edit the
filter  renamed it and wanted to add another criteria (MORE)  then strange date
has been displayed as
     (38365867)	Comments:  subject  then in 1 sec crash
Keywords: topcrash
Summary: Mozilla crashes when form is moved by JavaScript → Mozilla crashes when form is moved by JavaScript M096 & Trunk [@ nsGenericHTMLElement::GetPrimaryFrame]

Comment 12

*** Bug 114329 has been marked as a duplicate of this bug. ***

Comment 13

16 years ago
*** Bug 114403 has been marked as a duplicate of this bug. ***

Comment 14

16 years ago
Here's a recent incident on the MozillaTrunk if it helps:

Incident ID 272145   
Stack Signature  nsGenericHTMLElement::GetPrimaryFrame ed8e0c95
Trigger Time 2001-12-10 01:44:37
Email Address
URL visited
User Comments
Build ID 2001120509
Product ID MozillaTrunk
Platform
Operating System Win32
Module
Trigger Reason Access violation
Stack Trace
nsGenericHTMLElement::GetPrimaryFrame
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp,
line 2794]
nsHTMLInputElement::SetValueSecure
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp,
line 521]
nsHTMLInputElement::SetValue
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp,
line 476]
nsHTMLInputElement::RestoreState
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp,
line 2037]
nsFormControlHelper::RestoreContentState
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsFormControlHelper.cpp, line
1080]
nsGfxTextControlFrame2::RestoreState
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxTextControlFrame2.cpp,
line 3527]
FrameManager::RestoreFrameStateFor
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2220]
FrameManager::RestoreFrameState
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2236]
nsCSSFrameConstructor::InitAndRestoreFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6514]
nsCSSFrameConstructor::ConstructFrameByTag
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4723]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7035]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6945]
nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 11729]
nsCSSFrameConstructor::ConstructXULFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 5618]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7039]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6945]
nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 11729]
nsCSSFrameConstructor::ConstructXULFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 5618]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7039]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6945]
nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 11729]
nsCSSFrameConstructor::ConstructXULFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 5618]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7039]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7006]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6945]
nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 11729]
nsCSSFrameConstructor::ConstructXULFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 5618]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7039]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6945]
nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 11729]
nsCSSFrameConstructor::ConstructXULFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 5618]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7039]
nsCSSFrameConstructor::CreateTreeWidgetContent
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 12756]
nsXULTreeGroupFrame::GetFirstTreeBox
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsXULTreeGroupFrame.cpp, line 326]
nsTreeLayout::LazyRowCreator
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsTreeLayout.cpp, line 362]
nsTreeLayout::LazyRowCreator
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsTreeLayout.cpp, line 373]
nsXULTreeOuterGroupFrame::ReflowFinished
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsXULTreeOuterGroupFrame.cpp,
line 1351]
PresShell::HandlePostedReflowCallbacks
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 4947]
PresShell::ProcessReflowCommands
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 6185]
PresShell::FlushPendingNotifications
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5041]
nsXULTreeOuterGroupFrame::InternalPositionChanged
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsXULTreeOuterGroupFrame.cpp,
line 809]
nsXULTreeOuterGroupFrame::PositionChanged
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsXULTreeOuterGroupFrame.cpp,
line 669]
nsSliderFrame::SetCurrentPosition
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsSliderFrame.cpp, line 816]
nsSliderFrame::HandleEvent
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsSliderFrame.cpp, line 596]
PresShell::HandleEventInternal
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5871]
PresShell::HandleEvent
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5779]
nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 387]
nsViewManager::DispatchEvent
[d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp, line 1914]
HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 83]
nsWindow::DispatchEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 849]
nsWindow::DispatchWindowEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 866]
nsWindow::DispatchMouseEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 4424]
ChildWindow::DispatchMouseEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 4674]
nsWindow::ProcessMessage
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 3390]
nsWindow::WindowProc
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 1114]
KERNEL32.DLL + 0x363b (0xbff7363b)
KERNEL32.DLL + 0x245af (0xbff945af)
0x00688bfe 

This continues to be topcrasher for M096 and there are a few incidents with
recent MozillaTrunk builds as well.  Adding qawanted to see if we can reproduce
with any builds after 12/5 (which is the last build Talkback currently shows
this crashing with). 

This bug is also missing a target milestone...
Keywords: qawanted

Comment 15

I believe this was fixed by dbaron a week ago or so, can someone still reproduce
this?

Comment 16

16 years ago
madhur: see if you can reproduce this with any build after 12/5.  if not, we can
mark this fixed according to jst's comment #15.  

i'm not sure if i'm allowed to change the target milestone or not...but since
this was just fixed recently, i'm going to make it mozilla0.9.7.
Target Milestone: --- → mozilla0.9.7

Comment 17

Even if this isn't fixed yet, it most likely won't be fixed for mozilla0.9.7,
moving to mozilla0.9.8 to avoid having this hold mozilla0.9.7 from being released.
Target Milestone: mozilla0.9.7 → mozilla0.9.8
(Reporter)

Comment 18

16 years ago
from the testcase it seems like this bug is fixed. Does not crash anymore when
hitting "Quickpost". This is on a 2001121306 Linux.

Comment 19

The bug jst mentioned in comment 15 was bug 114220, fixed in 2001-12-11 builds
or later.

Comment 20

16 years ago
WFM on 
win2k build : 2001-12-17-06trunk 
redhatlinux 7.1 build : 2001-20-01-08trunk
macos9.1 build : 2001-20-01-06trunk

I do not get any crash. We can go ahead and mark this fixed.

Comment 21

ok

*** This bug has been marked as a duplicate of 114220 ***
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ nsGenericHTMLElement::GetPrimaryFrame]