Open Bug 1778476 Opened 2 years ago Updated 2 years ago

Crash in [@ mozilla::PresShell::ElementStateChanged]

Categories

(Core :: DOM: Core & HTML, defect, P3)

Tracking Status
firefox103 --- affected
firefox104 --- affected

People

(Reporter: Sylvestre, Unassigned)

Details

(Keywords: crash)

I was on my bank website https://clients.boursorama.com/connexion/saisie-mot-de-passe
and it crashed when I changed tabs.

Crash report: https://crash-stats.mozilla.org/report/index/f4e20574-9b04-4547-9c9a-478f50220707

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(!mInStyleRefresh)

Top 10 frames of crashing thread:

0 libxul.so mozilla::PresShell::ElementStateChanged layout/base/PresShell.cpp:4453
1 libxul.so mozilla::dom::HTMLInputElement::OnValueChanged dom/html/HTMLInputElement.cpp:6723
2 libxul.so mozilla::TextControlState::SetValue dom/html/TextControlState.cpp:2743
3 libxul.so mozilla::TextControlState::UnbindFromFrame dom/html/TextControlState.cpp:2506
4 libxul.so nsTextControlFrame::DestroyFrom layout/forms/nsTextControlFrame.cpp:148
5 libxul.so nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:480
6 libxul.so nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:480
7 libxul.so nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:480
8 libxul.so nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:480
9 libxul.so nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:480

According to crash stats, it started only recently (early June).

Flags: needinfo?(emilio)

Not really. This means that there's a state mismatch between the text control state and the input element. We've seen such things in the past, but it's hard to debug without a repro.

It's only a diagnostic assert so it doesn't affect release users but it'd be great to have a repro for this. Is this signature something fuzzers might have seen?

Flags: needinfo?(emilio) → needinfo?(jkratzer)

No, unfortunately not.

Flags: needinfo?(jkratzer)

Move to S3 as it doesn't affect release users.
P3 - Would love to have a repro for this, but it's hard to take action without that for now.

Severity: S2 → S3
Priority: -- → P3

bp-3143def0-f7d2-474d-ae43-0975d0221008 seems to be the same reason, since the function name was changed by bug 1773070.

Crash Signature: [@ mozilla::PresShell::ElementStateChanged] → [@ mozilla::PresShell::ElementStateChanged] [@ mozilla::PresShell::ContentStateChanged]