Closed Bug 15189 Opened 25 years ago Closed 25 years ago

EventStateManager crashes when document is changed during the processing of a DOM event

Categories

(Core :: Layout, defect, P3)

Product:
Core
Component:
Layout
Platform:
x86
Windows NT
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: morse, Assigned: joki)

Details

(Keywords: crash, Whiteboard: [nsbeta2+][dogfood-]) 

Following content displays a list.  Change the selected item (i.e., select
the second item) in the list.  The browser will crash with the stacktrace shown
below.

This bug is not blocking anything right now, but it will cause the wallet editor
to crash after bug 15170 is fixed.

<HTML>
  <HEAD>
    <SCRIPT>

      function Changed() {
        dump("Got a change\n");
        loadMain();
      }

      function loadMain() {
        top.frames[0].document.open();
        top.frames[0].document.write(
          "<FORM>" +
            "<TABLE>" +
              "<TR>" +
                "<TD>" +
//                "<SELECT ONCHANGE=\"setTimeout('top.Changed();',0)\">" +
                  "<SELECT ONCHANGE=top.Changed();>" +
                    "<option>first</option>" +
                    "<option>second</option>" +
                  "</SELECT>" +
                "</TD>" +
              "</TR>" +
            "</TABLE>" +
          "</FORM>"
        );
        top.frames[0].document.close();
      }
    </SCRIPT>
  </HEAD>

<FRAMESET ROWS=*,1
         BORDER=0
         FRAMESPACING=0
         onLoad=loadMain()>
  <FRAME SRC=about:blank
        NAME=main_frame
        SCROLLING=AUTO
        MARGINWIDTH=0
        MARGINHEIGHT=0
        NORESIZE>
  <FRAME SRC=about:blank
        NAME=dummy_frame
        SCROLLING=AUTO
        MARGINWIDTH=0
        MARGINHEIGHT=0
        NORESIZE>
</FRAMESET>

  <NOFRAMES>
    <BODY> <P> </BODY>
  </NOFRAMES>
</HTML>

stacktrace:

RAPTORHTML! const  nsTextNode::`vftable'{for `nsIContent'} + 1 byte
nsHTMLSelectElement::HandleDOMEvent(nsHTMLSelectElement * const 0x029eab90,
nsIPresContext & {...}, nsEvent * 0x0012f6a8, nsIDOMEvent * * 0x00000000,
unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 789
nsEventStateManager::SendFocusBlur(nsEventStateManager * const 0x029fa9b0,
nsIContent * 0x029ff60c) line 1450
nsEventStateManager::SetContentState(nsEventStateManager * const 0x029fa9b0,
nsIContent * 0x029ff60c, int 2) line 1339
nsHTMLInputElement::SetFocus(nsHTMLInputElement * const 0x029ff614,
nsIPresContext * 0x0288bae0) line 477
nsEventStateManager::ChangeFocus(nsIContent * 0x029ff60c, int 1) line 996
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x029fa9b0,
nsIPresContext & {...}, nsGUIEvent * 0x0012fbc8, nsIFrame * 0x02a16450,
nsEventStatus & nsEventStatus_eIgnore, nsIView * 0x02959140) line 392 + 19 bytes
PresShell::HandleEvent(PresShell * const 0x02958f64, nsIView * 0x02959140,
nsGUIEvent * 0x0012fbc8, nsEventStatus & nsEventStatus_eIgnore) line 2091 + 43
bytes
nsView::HandleEvent(nsView * const 0x02959140, nsGUIEvent * 0x0012fbc8, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 828
nsView::HandleEvent(nsView * const 0x0295f3d0, nsGUIEvent * 0x0012fbc8, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 813
nsView::HandleEvent(nsView * const 0x0295f460, nsGUIEvent * 0x0012fbc8, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 813
nsView::HandleEvent(nsView * const 0x0289c4a0, nsGUIEvent * 0x0012fbc8, unsigned
int 28, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 813
nsViewManager::DispatchEvent(nsViewManager * const 0x0289c530, nsGUIEvent *
0x0012fbc8, nsEventStatus & nsEventStatus_eIgnore) line 1664
HandleEvent(nsGUIEvent * 0x0012fbc8) line 63
nsWindow::DispatchEvent(nsWindow * const 0x0295f244, nsGUIEvent * 0x0012fbc8,
nsEventStatus & nsEventStatus_eIgnore) line 340 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fbc8) line 361
nsWindow::DispatchMouseEvent(unsigned int 302, nsPoint * 0x00000000) line 3226 +
21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 302, nsPoint * 0x00000000) line
3444
nsWindow::ProcessMessage(unsigned int 513, unsigned int 1, long 917559, long *
0x0012fde8) line 2448 + 24 bytes
nsWindow::WindowProc(HWND__ * 0x00150496, unsigned int 513, unsigned int 1, long
917559) line 449 + 27 bytes
USER32! 77e71268()
I should add that this is a regression that just started in the past week
probably.  It used to work before that.
Assignee: harishd → rods
Here is a new trace:

nsComboboxControlFrame::SelectionChanged(nsComboboxControlFrame * const
0x011cbba0, int 1) line 1087 + 12 bytes
nsComboboxControlFrame::UpdateSelection(nsComboboxControlFrame * const
0x011cbc18, int 1, int 0, int 1) line 996 + 23 bytes
nsComboboxControlFrame::ListWasSelected(nsComboboxControlFrame * const
0x011cbc18, nsIPresContext * 0x011331d0) line 969
nsListControlFrame::MouseUp(nsIDOMEvent * 0x011cf330) line 1979
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent *
0x0012fcbc, nsIDOMEvent * * 0x0012f9d0, unsigned int 2, nsEventStatus &
nsEventStatus_eIgnore) line 578 + 17 bytes
nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012fcbc,
nsIDOMEvent * * 0x0012f9d0, unsigned int 2, nsEventStatus &
nsEventStatus_eIgnore) line 794
nsHTMLSelectElement::HandleDOMEvent(nsHTMLSelectElement * const 0x011baa90,
nsIPresContext & {...}, nsEvent * 0x0012fcbc, nsIDOMEvent * * 0x0012f9d0,
unsigned int 2, nsEventStatus & nsEventStatus_eIgnore) line 789
nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012fcbc,
nsIDOMEvent * * 0x0012f9d0, unsigned int 1, nsEventStatus &
nsEventStatus_eIgnore) line 796 + 39 bytes
nsHTMLOptionElement::HandleDOMEvent(nsHTMLOptionElement * const 0x011ca29c,
nsIPresContext & {...}, nsEvent * 0x0012fcbc, nsIDOMEvent * * 0x00000000,
unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 437
PresShell::HandleEvent(PresShell * const 0x01185dc4, nsIView * 0x011cd680,
nsGUIEvent * 0x0012fcbc, nsEventStatus & nsEventStatus_eIgnore) line 2077 + 39
bytes
nsView::HandleEvent(nsView * const 0x011cd680, nsGUIEvent * 0x0012fcbc, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 828
nsView::HandleEvent(nsView * const 0x011cc6c0, nsGUIEvent * 0x0012fcbc, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 813
nsView::HandleEvent(nsView * const 0x011cc370, nsGUIEvent * 0x0012fcbc, unsigned
int 28, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 813
nsViewManager::DispatchEvent(nsViewManager * const 0x011857c0, nsGUIEvent *
0x0012fcbc, nsEventStatus & nsEventStatus_eIgnore) line 1664
HandleEvent(nsGUIEvent * 0x0012fcbc) line 63
nsWindow::DispatchEvent(nsWindow * const 0x011cc754, nsGUIEvent * 0x0012fcbc,
nsEventStatus & nsEventStatus_eIgnore) line 340 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fcbc) line 361
nsWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 3226 +
21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line
3444
nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 1507373, long *
0x0012fec8) line 2453 + 24 bytes
nsWindow::WindowProc(void * 0x01c4088a, unsigned int 514, unsigned int 0, long
1507373) line 449 + 27 bytes
USER32! 77e71250()


Assigning bug to rods@netscape.com
I was surprised at the regression, I am not sure why this statred to fail. This
may be the same bug I found today and have a fix for.
This should be fixed, could you test it and let me know? Thanks.
I'm pulling a new tree right now.  Will let you know shortly if it is fixed.
Nope, still not fixed.  Now I'm getting the same stack that harishd reported
(yesterday I reported a different stack trace but I was using a build from a
couple of days ago).  Also if I use the alternate select statement (by changing
the line that is commented out) I get the stack trace shown below.  The
alternate select statement was a work-around that pollmann gave me a while ago
as a work-around for a related bug.

nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012f6fc,
nsIDOMEvent * * 0x0012f5d4, unsigned int 1, nsEventStatus &
nsEventStatus_eIgnore) line 776 + 33 bytes
nsHTMLSelectElement::HandleDOMEvent(nsHTMLSelectElement * const 0x029c4b90,
nsIPresContext & {...}, nsEvent * 0x0012f6fc, nsIDOMEvent * * 0x00000000,
unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 789
nsEventStateManager::SendFocusBlur(nsEventStateManager * const 0x029cee70,
nsIContent * 0x029edb80) line 1506
nsEventStateManager::SetContentState(nsEventStateManager * const 0x029cee70,
nsIContent * 0x029edb80, int 2) line 1395
nsHTMLSelectElement::SetFocus(nsHTMLSelectElement * const 0x029edb88,
nsIPresContext * 0x02648b60) line 594
nsEventStateManager::ChangeFocus(nsIContent * 0x029edb80, int 1) line 1052
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x029cee70,
nsIPresContext & {...}, nsGUIEvent * 0x0012fbc8, nsIFrame * 0x029e0200,
nsEventStatus & nsEventStatus_eIgnore, nsIView * 0x02703cb0) line 449 + 19 bytes
PresShell::HandleEvent(PresShell * const 0x026fd124, nsIView * 0x02703cb0,
nsGUIEvent * 0x0012fbc8, nsEventStatus & nsEventStatus_eIgnore) line 2091 + 43
bytes
nsView::HandleEvent(nsView * const 0x02703cb0, nsGUIEvent * 0x0012fbc8, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 828
nsView::HandleEvent(nsView * const 0x02703440, nsGUIEvent * 0x0012fbc8, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 813
nsView::HandleEvent(nsView * const 0x027002b0, nsGUIEvent * 0x0012fbc8, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 813
nsView::HandleEvent(nsView * const 0x026fd540, nsGUIEvent * 0x0012fbc8, unsigned
int 28, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 813
nsViewManager::DispatchEvent(nsViewManager * const 0x026fd7f0, nsGUIEvent *
0x0012fbc8, nsEventStatus & nsEventStatus_eIgnore) line 1664
HandleEvent(nsGUIEvent * 0x0012fbc8) line 63
nsWindow::DispatchEvent(nsWindow * const 0x02702174, nsGUIEvent * 0x0012fbc8,
nsEventStatus & nsEventStatus_eIgnore) line 340 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fbc8) line 361
nsWindow::DispatchMouseEvent(unsigned int 302, nsPoint * 0x00000000) line 3226 +
21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 302, nsPoint * 0x00000000) line
3444
nsWindow::ProcessMessage(unsigned int 513, unsigned int 1, long 983100, long *
0x0012fde8) line 2448 + 24 bytes
nsWindow::WindowProc(HWND__ * 0x00060564, unsigned int 513, unsigned int 1, long
983100) line 449 + 27 bytes
USER32! 77e71268()
Assignee: rods → joki
Severity: normal → critical
Summary: Browser crashes when item is selected → EventStateManager crashes when document is changed during the processing of a DOM event
Facinating bug. I have a minor fix in my tree that pushes the crash off into
the EventStatemanager (I will check that in soon). If the document changes while
you are processing a DOMEvent what should happen? Basically, now a listener is
processing the event but the eventstatemanager and document and everything has
changed so when it comes out of the listener call it crashes.

I am going to reassign this to Tom, this is significant and he may already have
a bug filed on this. Changing description and status and reassigning.
Summary: EventStateManager crashes when document is changed during the processing of a DOM event → [DOGFOOD]EventStateManager crashes when document is changed during the processing of a DOM event
This is still not working.  And now that bug 15170 is fixed, this is preventing
the wallet editor from working.

With a current build, the stack trace is now different.  Below are three stack
traces.  The first is for an assertion failure that appears when the item is
selected.  If the execution is resumed from that assertion failure, a hard crash
occurs.  That crash is different depending on whether or not the setTimeout is
included on the select statement.  These are the second and third stack traces.

I. Debug Assertion:

NTDLL! 77f76274()
nsDebug::PreCondition(const char * 0x01951c54, const char * 0x01951c48, const
char * 0x01951c14, int 424) line 262 + 13 bytes
FrameManager::SetPrimaryFrameFor(FrameManager * const 0x024148b0, nsIContent *
0x00000000, nsIFrame * 0x00000000) line 424 + 32 bytes
DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90,
nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x02933cb0) line
6734
DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90,
nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x029321f0) line
6787 + 25 bytes
DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90,
nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x029322d0) line
6787 + 25 bytes
DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90,
nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x02932cc0) line
6787 + 25 bytes
DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90,
nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x02931090) line
6787 + 25 bytes
DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90,
nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x029312f0) line
6787 + 25 bytes
DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90,
nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x02931850) line
6787 + 25 bytes
DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90,
nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x02931e20) line
6787 + 25 bytes
DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90,
nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x02930040) line
6787 + 25 bytes
DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90,
nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x029303f0) line
6787 + 25 bytes
DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90,
nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x024250b0) line
6787 + 25 bytes
DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90,
nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x02425b00) line
6787 + 25 bytes
nsCSSFrameConstructor::ContentRemoved(nsCSSFrameConstructor * const 0x02414da0,
nsIPresContext * 0x028edf10, nsIContent * 0x00000000, nsIContent * 0x0292cdac,
int 0) line 6997 + 35 bytes
StyleSetImpl::ContentRemoved(StyleSetImpl * const 0x02414e40, nsIPresContext *
0x028edf10, nsIContent * 0x00000000, nsIContent * 0x0292cdac, int 0) line 963
PresShell::ContentRemoved(PresShell * const 0x02414c98, nsIDocument *
0x028ef3f0, nsIContent * 0x00000000, nsIContent * 0x0292cdac, int 0) line 1863 +
50 bytes
nsDocument::ContentRemoved(nsDocument * const 0x028ef3f0, nsIContent *
0x00000000, nsIContent * 0x0292cdac, int 0) line 1589
nsHTMLDocument::ContentRemoved(nsHTMLDocument * const 0x028ef3f0, nsIContent *
0x00000000, nsIContent * 0x0292cdac, int 0) line 1094
nsDocument::Reset(nsIChannel * 0x02941a90, nsILoadGroup * 0x028ee7f0) line 799
nsHTMLDocument::Reset(nsIChannel * 0x02941a90, nsILoadGroup * 0x028ee7f0) line
322 + 16 bytes
nsHTMLDocument::OpenCommon(nsIURI * 0x02941a20) line 1691 + 32 bytes
nsHTMLDocument::Open(nsHTMLDocument * const 0x028ef4d0, JSContext * 0x028edbb0,
long * 0x01f0af90, unsigned int 0) line 1781 + 18 bytes
NSHTMLDocumentOpen(JSContext * 0x028edbb0, JSObject * 0x01f0d408, unsigned int
0, long * 0x01f0af90, long * 0x0012d9e0) line 1115 + 24 bytes
js_Invoke(JSContext * 0x028edbb0, unsigned int 0, unsigned int 0) line 672 + 26
bytes
js_Interpret(JSContext * 0x028edbb0, long * 0x0012e258) line 2247 + 15 bytes
js_Invoke(JSContext * 0x028edbb0, unsigned int 0, unsigned int 0) line 688 + 13
bytes
js_Interpret(JSContext * 0x028edbb0, long * 0x0012ea8c) line 2247 + 15 bytes
js_Invoke(JSContext * 0x028edbb0, unsigned int 0, unsigned int 0) line 688 + 13
bytes
js_Interpret(JSContext * 0x028edbb0, long * 0x0012f2c0) line 2247 + 15 bytes
js_Invoke(JSContext * 0x028edbb0, unsigned int 1, unsigned int 2) line 688 + 13
bytes
js_InternalCall(JSContext * 0x028edbb0, JSObject * 0x01f0d478, long 32560264,
unsigned int 1, long * 0x0012f440, long * 0x0012f3f8) line 765 + 15 bytes
JS_CallFunction(JSContext * 0x028edbb0, JSObject * 0x01f0d478, JSFunction *
0x02424280, unsigned int 1, long * 0x0012f440, long * 0x0012f3f8) line 2653 + 32
bytes
nsJSContext::CallFunction(nsJSContext * const 0x028edd20, void * 0x01f0d478,
void * 0x02424280, unsigned int 1, void * 0x0012f440, int * 0x0012f43c) line 231
+ 39 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x0292d970) line 103 + 48 bytes
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent *
0x0012f698, nsIDOMEvent * * 0x0012f6c4, unsigned int 2, nsEventStatus &
nsEventStatus_eIgnore) line 971 + 21 bytes
nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012f698,
nsIDOMEvent * * 0x0012f6c4, unsigned int 2, nsEventStatus &
nsEventStatus_eIgnore) line 794
nsHTMLSelectElement::HandleDOMEvent(nsHTMLSelectElement * const 0x02422fa0,
nsIPresContext & {...}, nsEvent * 0x0012f698, nsIDOMEvent * * 0x0012f6c4,
unsigned int 2, nsEventStatus & nsEventStatus_eIgnore) line 793
nsListControlFrame::SelectionChanged(nsIContent * 0x02422fa0) line 1780 + 45
bytes
nsListControlFrame::UpdateSelection(nsListControlFrame * const 0x02932234, int
1, int 0, nsIContent * 0x02422fa0) line 1745 + 15 bytes
nsComboboxControlFrame::UpdateSelection(nsComboboxControlFrame * const
0x02932344, int 1, int 0, int 1) line 996
nsComboboxControlFrame::ListWasSelected(nsComboboxControlFrame * const
0x02932344, nsIPresContext * 0x028edf10) line 974
nsListControlFrame::MouseUp(nsIDOMEvent * 0x0293ec40) line 2151
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent *
0x0012fbcc, nsIDOMEvent * * 0x0012f8e4, unsigned int 2, nsEventStatus &
nsEventStatus_eIgnore) line 578 + 17 bytes
nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012fbcc,
nsIDOMEvent * * 0x0012f8e4, unsigned int 2, nsEventStatus &
nsEventStatus_eIgnore) line 794
nsHTMLSelectElement::HandleDOMEvent(nsHTMLSelectElement * const 0x02422fa0,
nsIPresContext & {...}, nsEvent * 0x0012fbcc, nsIDOMEvent * * 0x0012f8e4,
unsigned int 2, nsEventStatus & nsEventStatus_eIgnore) line 793
nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012fbcc,
nsIDOMEvent * * 0x0012f8e4, unsigned int 1, nsEventStatus &
nsEventStatus_eIgnore) line 796 + 39 bytes
nsHTMLOptionElement::HandleDOMEvent(nsHTMLOptionElement * const 0x02930afc,
nsIPresContext & {...}, nsEvent * 0x0012fbcc, nsIDOMEvent * * 0x00000000,
unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 429
PresShell::HandleEvent(PresShell * const 0x02414c94, nsIView * 0x02934560,
nsGUIEvent * 0x0012fbcc, nsEventStatus & nsEventStatus_eIgnore) line 2164 + 39
bytes
nsView::HandleEvent(nsView * const 0x02934560, nsGUIEvent * 0x0012fbcc, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 834
nsView::HandleEvent(nsView * const 0x02933440, nsGUIEvent * 0x0012fbcc, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819
nsView::HandleEvent(nsView * const 0x02933750, nsGUIEvent * 0x0012fbcc, unsigned
int 28, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819
nsViewManager::DispatchEvent(nsViewManager * const 0x02415260, nsGUIEvent *
0x0012fbcc, nsEventStatus & nsEventStatus_eIgnore) line 1739
HandleEvent(nsGUIEvent * 0x0012fbcc) line 63
nsWindow::DispatchEvent(nsWindow * const 0x02933304, nsGUIEvent * 0x0012fbcc,
nsEventStatus & nsEventStatus_eIgnore) line 401 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fbcc) line 422
nsWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 3394 +
21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line
3612
nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 1900578, long *
0x0012fdf4) line 2626 + 24 bytes
nsWindow::WindowProc(HWND__ * 0x01810406, unsigned int 514, unsigned int 0, long
1900578) line 579 + 27 bytes
US

II. Crash without setTimeout:

nsListControlFrame::SelectionChanged(nsIContent * 0x02422fa0) line 1793 + 18
bytes
nsListControlFrame::UpdateSelection(nsListControlFrame * const 0x02932234, int
1, int 0, nsIContent * 0x02422fa0) line 1745 + 15 bytes
nsComboboxControlFrame::UpdateSelection(nsComboboxControlFrame * const
0x02932344, int 1, int 0, int 1) line 996
nsComboboxControlFrame::ListWasSelected(nsComboboxControlFrame * const
0x02932344, nsIPresContext * 0x028edf10) line 974
nsListControlFrame::MouseUp(nsIDOMEvent * 0x0293ec40) line 2151
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent *
0x0012fbcc, nsIDOMEvent * * 0x0012f8e4, unsigned int 2, nsEventStatus &
nsEventStatus_eIgnore) line 578 + 17 bytes
nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012fbcc,
nsIDOMEvent * * 0x0012f8e4, unsigned int 2, nsEventStatus &
nsEventStatus_eIgnore) line 794
nsHTMLSelectElement::HandleDOMEvent(nsHTMLSelectElement * const 0x02422fa0,
nsIPresContext & {...}, nsEvent * 0x0012fbcc, nsIDOMEvent * * 0x0012f8e4,
unsigned int 2, nsEventStatus & nsEventStatus_eIgnore) line 793
nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012fbcc,
nsIDOMEvent * * 0x0012f8e4, unsigned int 1, nsEventStatus &
nsEventStatus_eIgnore) line 796 + 39 bytes
nsHTMLOptionElement::HandleDOMEvent(nsHTMLOptionElement * const 0x02930afc,
nsIPresContext & {...}, nsEvent * 0x0012fbcc, nsIDOMEvent * * 0x00000000,
unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 429
PresShell::HandleEvent(PresShell * const 0x02414c94, nsIView * 0x02934560,
nsGUIEvent * 0x0012fbcc, nsEventStatus & nsEventStatus_eIgnore) line 2164 + 39
bytes
nsView::HandleEvent(nsView * const 0x02934560, nsGUIEvent * 0x0012fbcc, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 834
nsView::HandleEvent(nsView * const 0x02933440, nsGUIEvent * 0x0012fbcc, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819
nsView::HandleEvent(nsView * const 0x02933750, nsGUIEvent * 0x0012fbcc, unsigned
int 28, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819
nsViewManager::DispatchEvent(nsViewManager * const 0x02415260, nsGUIEvent *
0x0012fbcc, nsEventStatus & nsEventStatus_eIgnore) line 1739
HandleEvent(nsGUIEvent * 0x0012fbcc) line 63
nsWindow::DispatchEvent(nsWindow * const 0x02933304, nsGUIEvent * 0x0012fbcc,
nsEventStatus & nsEventStatus_eIgnore) line 401 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fbcc) line 422
nsWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 3394 +
21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line
3612
nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 1900578, long *
0x0012fdf4) line 2626 + 24 bytes
nsWindow::WindowProc(HWND__ * 0x01810406, unsigned int 514, unsigned int 0, long
1900578) line 579 + 27 bytes
USER32! 77e71268()

III. Crash with setTimeout:

nsGenericElement::GetParent(nsIContent * & 0x00000000) line 723 + 24 bytes
nsHTMLSelectElement::GetParent(const nsHTMLSelectElement * const 0x0242b920,
nsIContent * & 0x00000000) line 165 + 18 bytes
nsCSSFrameConstructor::FindPrimaryFrameFor(nsCSSFrameConstructor * const
0x023c3bf0, nsIPresContext * 0x028cb0d0, nsIFrameManager * 0x023c4e40,
nsIContent * 0x0242b920, nsIFrame * * 0x023c3668) line 8468
StyleSetImpl::FindPrimaryFrameFor(StyleSetImpl * const 0x023c3c90,
nsIPresContext * 0x028cb0d0, nsIFrameManager * 0x023c4e40, nsIContent *
0x0242b920, nsIFrame * * 0x023c3668) line 1049
FrameManager::GetPrimaryFrameFor(FrameManager * const 0x023c4e40, nsIContent *
0x0242b920, nsIFrame * * 0x023c3668) line 412
PresShell::GetPrimaryFrameFor(const PresShell * const 0x023c3610, nsIContent *
0x0242b920, nsIFrame * * 0x023c3668) line 1965 + 32 bytes
PresShell::HandleEvent(PresShell * const 0x023c3614, nsIView * 0x0243f390,
nsGUIEvent * 0x0012fac8, nsEventStatus & nsEventStatus_eIgnore) line 2143
nsView::HandleEvent(nsView * const 0x0243f390, nsGUIEvent * 0x0012fac8, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 834
nsView::HandleEvent(nsView * const 0x0242c7f0, nsGUIEvent * 0x0012fac8, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819
nsView::HandleEvent(nsView * const 0x0242c880, nsGUIEvent * 0x0012fac8, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819
nsView::HandleEvent(nsView * const 0x023c3110, nsGUIEvent * 0x0012fac8, unsigned
int 28, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819
nsViewManager::DispatchEvent(nsViewManager * const 0x023c1500, nsGUIEvent *
0x0012fac8, nsEventStatus & nsEventStatus_eIgnore) line 1739
HandleEvent(nsGUIEvent * 0x0012fac8) line 63
nsWindow::DispatchEvent(nsWindow * const 0x0242c6b4, nsGUIEvent * 0x0012fac8,
nsEventStatus & nsEventStatus_eIgnore) line 401 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fac8) line 422
nsWindow::DispatchKeyEvent(unsigned int 132, unsigned short 116, unsigned int
116) line 2049 + 15 bytes
nsWindow::OnKeyUp(unsigned int 116, unsigned int 63) line 2304
nsWindow::ProcessMessage(unsigned int 257, unsigned int 116, long -1069613055,
long * 0x0012fdf4) line 2555 + 40 bytes
nsWindow::WindowProc(HWND__ * 0x07b704ac, unsigned int 257, unsigned int 116,
long -1069613055) line 579 + 27 bytes
USER32! 77e71268()
Severity: critical → blocker
Summary: [DOGFOOD]EventStateManager crashes when document is changed during the processing of a DOM event → [DOGFOOD][BLOCKER]EventStateManager crashes when document is changed during the processing of a DOM event
Whiteboard: [PDT-]
Impt for beta, not for dogfood.  Adding vidur per rickg.
Blocks: 17432
Blocks: 17907
Summary: [DOGFOOD][BLOCKER]EventStateManager crashes when document is changed during the processing of a DOM event → [CRASH][DOGFOOD][BLOCKER]EventStateManager crashes when document is changed during the processing of a DOM event
Marking [CRASH].
Moving crash bugs into M13.
Target Milestone: M13 → M14
Mass-moving excess bugs to M14
Adding "crash" keyword to all known open crasher bugs.
Keywords: crash
bug 15170 is marked fixed.  does the wallet editor crash now?
Sorry, I should have updated this report long ago.  The wallet editor has been 
completely rewritten and is no longer affected by this bug.
Putting dogfood in the keyword field.
Keywords: dogfood
Summary: [CRASH][DOGFOOD][BLOCKER]EventStateManager crashes when document is changed during the processing of a DOM event → [BLOCKER]EventStateManager crashes when document is changed during the processing of a DOM event
Summary: [BLOCKER]EventStateManager crashes when document is changed during the processing of a DOM event → EventStateManager crashes when document is changed during the processing of a DOM event
this is pdt- and I'm not going to get to it for M14.  Moving.
Severity: blocker → major
Status: NEW → ASSIGNED
Target Milestone: M14 → M15
Mass-moving bugs out of M15 that I won't get to.  Will refit individual 
milestones after moving them.
Target Milestone: M15 → M16
Added keyword nsbeta2.
Keywords: nsbeta2
Whiteboard: [PDT-]
Putting on [dogfood-] radar per last morse comment.  But rickg, your thoughts on 
[nsbeta2+]?
Whiteboard: [NEED INFO][dogfood-]
I suggest that this needs to be fixed for beta2. 
Putting on [nsbeta2+] radar.
Whiteboard: [NEED INFO][dogfood-] → [nsbeta2+][dogfood-]
Severity: major → critical
Okay, through the benefit of some changed I made a couple of weeks ago this was 
a cakewalk to fix now.  Fixed.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
With the May 22 build, I don't get a crash when changing menu item in sample 
html. Marking verified fixed.
Status: RESOLVED → VERIFIED
No longer blocks: 17432
No longer blocks: 17907
You need to log in before you can comment on or make changes to this bug.