Closed Bug 125437 Opened 23 years ago Closed 22 years ago

crash on changing style

Categories

(Core :: Layout: Form Controls, defect, P1)

x86
Windows 2000
defect

Tracking

()

VERIFIED FIXED
mozilla1.0

People

(Reporter: jlarsen, Assigned: john)

References

()

Details

(Keywords: crash, testcase)

Attachments

(2 files)

Go to www.bluesnews.com; on the left bar, select the check box for retro colors.
Crash.
It's not generating a talkback, sorry. :(  (Windows 2000 often doesn't; is there a
trick to that?)
Oops, sorry, build 2002021203
OK, got a Windows 98 system to crash on this too, and it generated a talkback
TB 2916281Q
Confirming for myself, making crasher and critical :)
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
From talkback: (dupe or related to bug 77441?)

nsReadingIterator::advance [..\..\dist\include\string\nsStringIterator.h, line 172]
copy_string [..\..\dist\include\string\nsAlgorithm.h, line 95]
CopyASCIItoUCS2 [d:\builds\seamonkey\mozilla\string\src\nsReadableUtils.cpp,
line 176]
nsGenericHTMLElement::EnumValueToString
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp,
line 2556]
nsHTMLInputElement::AttributeToString
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp,
line 1507]
nsGenericHTMLElement::GetAttr
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp,
line 2050]
nsHTMLInputElement::IsImage
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp,
line 242]
nsHTMLInputElement::StringToAttribute
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp,
line 1479]
nsGenericHTMLElement::SetAttr
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp,
line 1612]
nsGenericHTMLElement::SetFormControlAttribute
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp,
line 4193]
nsGenericHTMLLeafFormElement::SetAttr
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp,
line 4410]
nsHTMLInputElement::SetAttr
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp,
line 183]
nsHTMLInputElement::SetChecked
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp,
line 727]
nsGfxCheckboxControlFrame::SetCheckboxState
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxCheckboxControlFrame.cpp,
line 285]
nsGfxCheckboxControlFrame::SetCheckboxControlFrameState
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxCheckboxControlFrame.cpp,
line 304]
nsGfxCheckboxControlFrame::RestoreState
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxCheckboxControlFrame.cpp,
line 391]
FrameManager::RestoreFrameStateFor
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2346]
nsCSSFrameConstructor::InitAndRestoreFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6455]
nsCSSFrameConstructor::ConstructHTMLFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4653]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7024]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6919]
nsCSSFrameConstructor::ContentInserted
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 8764]
nsCSSFrameConstructor::RecreateFramesForContent
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 11879]
nsCSSFrameConstructor::AttributeChanged
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 10564]
StyleSetImpl::AttributeChanged
[d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp, line 1495]
PresShell::AttributeChanged
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5123]
nsDocument::AttributeChanged
[d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 1992]
nsHTMLDocument::AttributeChanged
[d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLDocument.cpp, line
1464]
nsGenericHTMLElement::SetHTMLAttribute
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp,
line 1887]
nsGenericHTMLElement::SetAttr
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp,
line 1615]
nsGenericHTMLElement::SetFormControlAttribute
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp,
line 4193]
nsGenericHTMLLeafFormElement::SetAttr
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp,
line 4410]
nsHTMLInputElement::SetAttr
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp,
line 183]
nsHTMLInputElement::SetChecked
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp,
line 727]
nsGfxCheckboxControlFrame::SetCheckboxState
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxCheckboxControlFrame.cpp,
line 285]
nsGfxCheckboxControlFrame::SetCheckboxControlFrameState
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxCheckboxControlFrame.cpp,
line 304]
nsGfxCheckboxControlFrame::RestoreState
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxCheckboxControlFrame.cpp,
line 391]
FrameManager::RestoreFrameStateFor
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2346]
nsCSSFrameConstructor::InitAndRestoreFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6455]
nsCSSFrameConstructor::ConstructHTMLFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4653]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7024]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6919]
nsCSSFrameConstructor::ContentInserted
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 8764]
nsCSSFrameConstructor::RecreateFramesForContent
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 11879]
nsCSSFrameConstructor::AttributeChanged
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 10564]
StyleSetImpl::AttributeChanged
[d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp, line 1495]
PresShell::AttributeChanged
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5123]
nsDocument::AttributeChanged
[d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 1992]
nsHTMLDocument::AttributeChanged
[d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLDocument.cpp, line
1464]
nsGenericHTMLElement::SetHTMLAttribute
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp,
line 1887]
nsGenericHTMLElement::SetAttr
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp,
line 1615]
nsGenericHTMLElement::SetFormControlAttribute
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp,
line 4193]
nsGenericHTMLLeafFormElement::SetAttr
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp,
line 4410]
nsHTMLInputElement::SetAttr
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp,
line 183]
nsHTMLInputElement::SetChecked
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp,
line 727]
nsGfxCheckboxControlFrame::SetCheckboxState
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxCheckboxControlFrame.cpp,
line 285]
nsGfxCheckboxControlFrame::SetCheckboxControlFrameState
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxCheckboxControlFrame.cpp,
line 304]
nsGfxCheckboxControlFrame::RestoreState
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxCheckboxControlFrame.cpp,
line 391]
FrameManager::RestoreFrameStateFor
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2346]
nsCSSFrameConstructor::InitAndRestoreFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6455]
nsCSSFrameConstructor::ConstructHTMLFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4653]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7024]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6919]
nsCSSFrameConstructor::ContentInserted
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 8764]
When I crash, it's because of a stack overflow in GKLAYOUT.DLL.
Some debugging shows the line that causes the problem:

First, here is the HTML for the "Retro Colors" checkbox:

document.write('<INPUT TYPE="checkbox" onClick="updateTargetCookie(this)"' + 
(bbgclr == "true" ? " CHECKED" : "") + '> Retro Colors ');


where the onClick handler is:


function updateTargetCookie (obj) {
   if (obj.checked) {
      SetCookie("bbgclr", "true");
   } else {
      SetCookie("bbgclr", "false");
   }

   location.reload();  // <<<<<<<<<<<<<<<<<<<<<<<<<<<<<< WE CRASH ON THIS LINE
}


Reassigning to Layout; I will attach my WinNT stack trace below - 
Assignee: rogerl → attinasi
Component: JavaScript Engine → Layout
QA Contact: pschwartau → petersen
Attached file WinNT stack trace
There is an infinite loop in the stack trace causing the stack overflow.
Just search for this string in the stack trace: "SetCheckboxState",
and you'll see the loop...
Note: if I simply load the site and do the following javascript: URL,
I do NOT crash:

                javascript: location.reload();

The problem only occurs if this is done in the onClick handler
of the checkbox. I'll bet that when we reload, somehow we are 
generating a click event, which triggers the reload again, 
hence apparently the click again, hence the reload again...
That's it. Will attach reduced testcase below -
Marking nsbeta1+.
Target Milestone: --- → mozilla1.0
+
Keywords: nsbeta1+
I crash on the www.bluesnews.com site and on the testcase.  --> P1, accepting,
investigating.
Status: NEW → ASSIGNED
Priority: -- → P1
Phil nailed this one in comment #7

Over to jkeiser to look at - form controls.
Assignee: attinasi → jkeiser
Status: ASSIGNED → NEW
Component: Layout → HTML Form Controls
Keywords: testcase
This works for me with build 20020308, Win2000 SP2
It sounds like this was setting an attribute in SetCheckboxState.  Baaaaad. 
That was fixed in bug 108308.  John, can you confirm?
Marking fixed by bug 108308.  Reopen if you still see this.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Verified fixed on Win2000, build ID: 2002-03-18-05trunk
Status: RESOLVED → VERIFIED
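The cycle visible in the talkback trace above (RestoreState, SetCheckboxState, SetChecked, SetAttr, AttributeChanged, RecreateFramesForContent, and back to RestoreState), reduced to a small model. This is an added example, not Mozilla code and not the patch from bug 108308; every name in it is hypothetical, the depth limit stands in for the real stack limit, and the non-recursing variant (keeping restored state out of the attribute path) is an assumption about one way to break the cycle.

```cpp
#include <cstdio>

// Reduced model of the re-entrancy in the trace. All names are hypothetical.
struct CheckboxModel {
    enum { kDepthLimit = 64 };           // stand-in for running out of stack
    bool restoreWritesAttribute = false; // true = pattern seen in the trace
    bool checkedAttr = false;            // content attribute: writes notify layout
    bool checkedState = false;           // internal state: writes notify nobody
    bool savedState = true;              // value saved before the frame was torn down
    int depth = 0;
    int maxDepth = 0;
    bool aborted = false;

    void SetAttr(bool v) {               // attribute write fires a change notification
        checkedAttr = v;
        AttributeChanged();
    }
    void AttributeChanged() {            // layout reacts by rebuilding the frame
        RecreateFrame();
    }
    void RecreateFrame() {               // a freshly built frame restores saved state
        if (++depth > maxDepth) maxDepth = depth;
        if (depth >= kDepthLimit) aborted = true;  // real code overflows the stack here
        else RestoreState();
        --depth;
    }
    void RestoreState() {
        if (restoreWritesAttribute) SetAttr(savedState); // re-enters layout
        else checkedState = savedState;                  // no notification, no rebuild
    }
};

// Returns the deepest nesting reached while restoring one checkbox frame.
int RunRestore(bool restoreWritesAttribute, bool* aborted) {
    CheckboxModel m;
    m.restoreWritesAttribute = restoreWritesAttribute;
    m.RecreateFrame();
    if (aborted) *aborted = m.aborted;
    return m.maxDepth;
}

int main() {
    bool aborted = false;
    int d = RunRestore(true, &aborted);
    std::printf("restore writes attribute: depth=%d aborted=%d\n", d, aborted);
    d = RunRestore(false, &aborted);
    std::printf("restore writes state:     depth=%d aborted=%d\n", d, aborted);
    return 0;
}
```
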