Closed Bug 1778476 Opened 3 years ago Closed 10 months ago

Crash in [@ mozilla::PresShell::ElementStateChanged]

Categories

(Core :: DOM: Core & HTML, defect, P3)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox103 --- affected
firefox104 --- affected

People

(Reporter: Sylvestre, Unassigned)

Details

(Keywords: crash)

Crash Data

I was on my bank website https://clients.boursorama.com/connexion/saisie-mot-de-passe
and it crashed when I changed tab

Crash report: https://crash-stats.mozilla.org/report/index/f4e20574-9b04-4547-9c9a-478f50220707

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(!mInStyleRefresh)

Top 10 frames of crashing thread:

0 libxul.so mozilla::PresShell::ElementStateChanged layout/base/PresShell.cpp:4453
1 libxul.so mozilla::dom::HTMLInputElement::OnValueChanged dom/html/HTMLInputElement.cpp:6723
2 libxul.so mozilla::TextControlState::SetValue dom/html/TextControlState.cpp:2743
3 libxul.so mozilla::TextControlState::UnbindFromFrame dom/html/TextControlState.cpp:2506
4 libxul.so nsTextControlFrame::DestroyFrom layout/forms/nsTextControlFrame.cpp:148
5 libxul.so nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:480
6 libxul.so nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:480
7 libxul.so nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:480
8 libxul.so nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:480
9 libxul.so nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:480

According to crash stop, it started only recently (early June)

status-firefox103: --- → affected
status-firefox104: --- → affected

Could this be regressed by https://bugzilla.mozilla.org/show_bug.cgi?id=1773070 ?

Flags: needinfo?(emilio)

Not really. This means that there's a state mismatch between the text control state and the input element. We've seen such things in the past, but it's hard to debug without a repro.

It's only a diagnostic assert so it doesn't affect release users but it'd be great to have a repro for this. Is this signature something fuzzers might have seen?

Flags: needinfo?(emilio) → needinfo?(jkratzer)

No, unfortunately not.

Flags: needinfo?(jkratzer)

Move to S3 as it doesn't affect release users.
P3 - Would love to have a repro for this, but it's hard to take actions without that for now.

Severity: S2 → S3
Priority: -- → P3

bp-3143def0-f7d2-474d-ae43-0975d0221008 seems to be same reason since function name is changed by bug 1773070.

Crash Signature: [@ mozilla::PresShell::ElementStateChanged] → [@ mozilla::PresShell::ElementStateChanged] [@ mozilla::PresShell::ContentStateChanged]

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.