Mouseover link with onMouseOver="document.write()" crashes mozilla [@ nsIFrame::GetFrameState]

VERIFIED DUPLICATE of bug 204781

Product: Core
Component: Layout
Severity: critical
Reporter: Lorenzo Colitti
Assignee: Unassigned
Version: Trunk
Platform: x86, Windows 98
Keywords: crash, regression
Attachments: 2

(Reporter)

Description

15 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.4b) Gecko/20030507
Build Identifier: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.4b) Gecko/20030507

If you mouseover a href which has onMouseOver=document.write(), mozilla will
crash every time.

This is sufficient to crash mozilla, if you mouseover it:

<a href="#" onMouseOver="document.write('hello');">Mouseover to crash</a>

I tested this with 1.4b (2003050714) on WinME and today's trunk build on WinXP.

Reproducible: Always

Steps to Reproduce:
1. Load testcase
Actual Results:  
Crash in gklayout.dll

Expected Results:  
No crash
(Reporter)

Updated

15 years ago
Flags: blocking1.4?
Keywords: crash, regression
(Reporter)

Comment 1

15 years ago
Created attachment 122924
testcase

Mouseover link to crash
(Reporter)

Comment 2

15 years ago
I would add a Talkback ID, but Talkback seems to be down.
(Reporter)

Comment 3

15 years ago
Talkback ID TB19955920M
|this| is null at nsIFrame::GetFrameState
Summary: Mouseover link with onMouseOver="document.write()" crashes mozilla → Mouseover link with onMouseOver="document.write()" crashes mozilla [@ nsIFrame::GetFrameState]

Comment 6

15 years ago
TB19957293M Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4b) Gecko/20030509
Talkback is working again, showing details about what is sent.
Dup based on stack.

*** This bug has been marked as a duplicate of 204781 ***
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → DUPLICATE

Updated

15 years ago
Flags: blocking1.4?
(Reporter)

Comment 8

15 years ago
Verified: now attachment 122882 is checked in, this is fixed.
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsIFrame::GetFrameState]