Closed Bug 238906 Opened 21 years ago Closed 21 years ago

M17rc2 Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript [@ nsCSSFrameConstructor::GetInsertionPoint] [@ nsCSSFrameConstructor::FindFrameWithContent]

Categories

(Core :: Layout: Form Controls, defect)

x86
All
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: mozilla, Unassigned)

Details

(Keywords: crash, fixed1.7, topcrash+, Whiteboard: fixed-aviary1.0)

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007

I copy '<span><input type="file" name="upload[]" /><br /></span>' into its container (div) element with JavaScript.

---[ sourcecode ]---
<html>
<head>
<title>Causes mozilla 1.5 to crash</title>
<script language="JavaScript" type="text/javascript">
<!--
function getHandle(myparam) {
  return(document.getElementById(myparam));
}
function addToElement(target, source) {
  target.innerHTML+=source.innerHTML;
}
// (c) Gerben Versluis
// 2004 - http://www.gerben.info
--></script>
</head>
<body>
<form enctype="multipart/form-data" method="POST" >
  <div id="form" style="position:relative; width:100%; border: 1px solid #000000;">
    <span id="repeat">
      <input type="file" name="upload[]" /><br />
    </span>
  </div>
  <input type="button" name="more" value="more" onclick="addToElement(getHandle('form'), getHandle('repeat'));">
</form>
</body>
</html>

Reproducible: Always

Steps to Reproduce:
1. Create a <div><span><input type="file" name="upload[]" /><br /></span></div> with ids for the div and span.
2. With JavaScript add spanHandle.innerHTML to divHandle.innerHTML.
3. [crashes] Done

Actual Results:
After the JavaScript is run Mozilla crashes completely

Expected Results:
Duplication of the input type file in the div tag.
Only occurs in conjunction with a <br /> tag! <input type="file" name="upload[]" /><br />
Summary: Mozilla crashes if I copy a input type="file" with an linebreak into an div element with JavaScript → Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript
Maybe dupe of Bug 203041 (or Bug 216065) but not sure since in 1st frame in all stacktraces i found on this bug nsIFrame wasn't null, but this might be just some chance; someone who knows this code better can say something about this?

Stacktrace:
00000000()
nsCSSFrameConstructor::FindFrameWithContent(nsCSSFrameConstructor * const 0x08657504, nsIPresContext * 0x06f29760, nsFrameManager * 0x0491b048, nsIFrame * 0x00000000, nsIContent * 0x12536360, nsIContent * 0x123a6288, nsFindFrameHint * 0x00000000) line 10883 + 10 bytes
nsCSSFrameConstructor::FindPrimaryFrameFor(nsCSSFrameConstructor * const 0x08657504, nsIPresContext * 0x06f29760, nsFrameManager * 0x0491b048, nsIContent * 0x123a6288, nsIFrame * * 0x12536360, nsFindFrameHint * 0x00000000) line 11024
nsFrameManager::GetPrimaryFrameFor(nsFrameManager * const 0x08657504, nsIContent * 0x123a6288) line 460
PresShell::GetPrimaryFrameFor(const PresShell * const 0x0491b030, nsIContent * 0x123a6288, nsIFrame * * 0x0012e804) line 5374 + 16 bytes
nsGenericHTMLElement::GetPrimaryFrameFor(nsIContent * 0x123a6288, nsIDocument * 0x02bda298, int 0) line 2189
nsGenericHTMLElement::GetFormControlFrameFor(nsIContent * 0x123a6288, nsIDocument * 0x02bda298, int 0) line 2198 + 14 bytes
nsHTMLInputElement::GetValue(nsHTMLInputElement * const 0x123a62c4, nsAString & {...}) line 632 + 24 bytes
nsHTMLInputElement::SaveState(nsHTMLInputElement * const 0x123a62a4) line 2345
nsGenericHTMLFormElement::SetDocument(nsGenericHTMLFormElement * const 0x08657504, nsIDocument * 0x00000000, int 1, int 1) line 3274
nsHTMLInputElement::SetDocument(nsHTMLInputElement * const 0x08657504, nsIDocument * 0x00000000, int 1, int 1) line 1640
nsGenericElement::SetDocumentInChildrenOf(nsIContent * 0x12536360, nsIDocument * 0x00000000, int 1) line 1703 + 17 bytes
nsGenericElement::SetDocument(nsGenericElement * const 0x08657504, nsIDocument * 0x1253637c, int 1, int 1) line 1756 + 10 bytes
nsGenericHTMLElement::SetDocument(nsGenericHTMLElement * const 0x08657504, nsIDocument * 0x00000000, int 1, int 1) line 1279
nsGenericElement::RemoveChildAt(nsGenericElement * const 0x08657504, unsigned int 1, int 1) line 2601
nsGenericElement::doRemoveChild(nsIContent * 0x12536310, nsIDOMNode * 0x12536360, nsIDOMNode * * 0x00000000) line 3090 + 10 bytes
nsHTMLBRElement::RemoveChild(nsHTMLBRElement * const 0x12536310, nsIDOMNode * 0x1253637c, nsIDOMNode * * 0x0012eb60) line 59 + 17 bytes
nsRange::DeleteContents(nsRange * const 0x125906d0) line 1601
nsGenericHTMLElement::SetInnerHTML(nsGenericHTMLElement * const 0x08657504, const nsAString & {...}) line 878
nsGenericHTMLElementTearoff::SetInnerHTML(nsGenericHTMLElementTearoff * const 0x122e9480, const nsAString & {...}) line 211 + 19 bytes
XPTC_InvokeByIndex(nsISupports * 0x122e9480, unsigned int 9, unsigned int 1, nsXPTCVariant * 0x0012ebf0) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode -1345035376) line 2027 + 22 bytes
XPC_WN_GetterSetter(JSContext * 0x1264d088, JSObject * 0x01f85410, unsigned int 1, long * 0x01f85464, long * 0x0012ee4c) line 1311 + 11 bytes
Structure of html file to replicate this error:
* Element needs to be nested (span, with the file-input tag and break tag, must be a child of the div or span tag where the innerHTML is rewritten).
* An input type file is needed followed by a break <input type="file" /><br />

Workaround is not to nest the span tags or leave the break tag.

Example:
<form enctype="multipart/form-data" method="POST" >
  <span id="repeat">
    <input type="file" name="upload[]" /><br />
  </span>
  <span id="form">
  </span>
  <input type="button" name="more" value="more" onclick="addToElement(getHandle('form'), getHandle('repeat'));">
</form>
TalkbackID TB6717K crash Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7b) Gecko/20040316 After crashing with a current nightly, I started 1.7b to produce a talkback report. You are using the same testcase in bug 238904?
couldn't test Bug 216065 as Mozilla didn't show the table, Opera did. Crashed on testcase of Bug 203041 producing Talkback TB6725E
Sorry, it is a duplicate. After entering my bug report Mozilla crashed again (I decided to do some testing while filling in my report, not too smart). Then I searched in Bugzilla if my bug already existed but I couldn't find it so I entered it again. Sorry again. I'll close the other bug report (as a duplicate of this one). This bug report has a little more detail like the <br /> conjunction and workaround.
*** Bug 238904 has been marked as a duplicate of this bug. ***
Severity: normal → critical
Keywords: crash
Keywords: talkbackid
Whiteboard: TB6717K, TB8849H
Confirming, w98, 1.7b ID:TB9232E mail:alfonso-nospam@terra.es
Status: UNCONFIRMED → NEW
Ever confirmed: true
Stack Signature 0x00000009 26fb4a9f
Email Address alfonso-nospam@terra.es
Product ID Mozilla1.7
Build ID 2004031615
Trigger Time 2004-03-31 10:05:46.0
Platform Win32
Operating System Windows 98 4.10 build 67766222
Module null
URL visited bug 238906
User Comments
Since Last Crash null sec
Total Uptime null sec
Trigger Reason Access violation
Source File Name
Trigger Line No.
Stack Trace
0x00000009
nsCSSFrameConstructor::GetInsertionPoint [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 11102]
nsFrameManager::GetPrimaryFrameFor [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsFrameManager.cpp, line 460]
PresShell::GetPrimaryFrameFor [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5375]
nsGenericHTMLElement::GetPrimaryFrameFor [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 2189]
nsGenericHTMLElement::GetFormControlFrameFor [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 2199]
nsHTMLInputElement::GetValue [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 634]
nsHTMLInputElement::SaveState [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 2345]
nsGenericHTMLFormElement::SetDocument [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 3274]
nsHTMLInputElement::SetDocument [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1640]
nsGenericElement::SetDocumentInChildrenOf [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 1706]
nsGenericElement::SetDocument [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 1758]
nsGenericHTMLElement::SetDocument [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 1279]
nsGenericElement::RemoveChildAt [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2601]
nsGenericElement::doRemoveChild [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 3092]
nsHTMLFieldSetElement::RemoveChild [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLFieldSetElement.cpp, line 64]
nsRange::DeleteContents [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsRange.cpp, line 1601]
nsGenericHTMLElement::SetInnerHTML [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 878]
nsGenericHTMLElementTearoff::SetInnerHTML [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 211]
XPTC_InvokeByIndex [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2029]
XPC_WN_GetterSetter [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1312]
js_Invoke [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 943]
js_InternalInvoke [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1036]
js_InternalGetOrSet [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1079]
js_SetProperty [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 2768]
js_Interpret [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 2156]
js_Invoke [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 959]
js_InternalInvoke [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1036]
JS_CallFunctionValue [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 3591]
nsJSContext::CallEventHandler [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1269]
nsJSEventListener::HandleEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/dom/src/events/nsJSEventListener.cpp, line 181]
nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1435]
nsEventListenerManager::HandleEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1512]
nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 1959]
nsHTMLInputElement::HandleDOMEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1399]
PresShell::HandleEventInternal [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6019]
PresShell::HandleEventWithTarget [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5973]
nsEventStateManager::CheckForAndDispatchClick [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 2860]
nsEventStateManager::PostHandleEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 1871]
PresShell::HandleEventInternal [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6072]
PresShell::HandleEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5942]
nsViewManager::HandleEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2281]
nsViewManager::DispatchEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2025]
HandleEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp, line 79]
nsWindow::DispatchEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1068]
nsWindow::DispatchWindowEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1085]
nsWindow::DispatchMouseEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5225]
ChildWindow::DispatchMouseEvent [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5478]
nsWindow::ProcessMessage [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4063]
nsWindow::WindowProc [c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1347]
KERNEL32.DLL + 0x363b (0xbff7363b)
KERNEL32.DLL + 0x242e7 (0xbff942e7)
0x00648b5e
Keywords: topcrash+
Keywords: talkbackid
Summary: Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript → Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript [@ nsCSSFrameConstructor::GetInsertionPoint]
Whiteboard: TB6717K, TB8849H
dbaron/jst, can you help sort this one out?
Blocks: 238446
It looks like the DeleteContents() on setting innerHTML removes the span child of the div (fine), which sets the document to null on the subtree (fine), which makes the file control call GetPrimaryFrameFor (to save its state). The problem is that the parent's frame (what FindPrimaryFrameFor gets as the primary frame of the parent span node) is already deleted for some reason. Not sure why that's happening, since we're not really done removing the span from the DOM at this point....
Crash Moz 1.7 Beta, Slackware Linux: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040316 OS -> All? Sorry for spam if this is already known. Talkback ID is TB11343G Captured at 04/03/04 at 02:00 PM
stack from report mentioned above..

Stack Signature 0x00000000 5ef36868
Email Address neilparis_2k1@hotmail.com
Product ID Mozilla1.7
Build ID 2004031615
Trigger Time 2004-04-03 11:03:51.0
Platform LinuxIntel
Operating System Linux 2.4.22
Module null
URL visited
User Comments Bug 238906
Since Last Crash null sec
Total Uptime null sec
Trigger Reason SIGSEGV: Segmentation Fault: (signal 11)
Source File Name
Trigger Line No.
Stack Trace
0x00000000
_ZN21nsCSSFrameConstructor19FindPrimaryFrameForEP14nsIPresContextP14nsFrameManagerP10nsIContentPP8nsIFrameP15nsFindFrameHint()
_ZN14nsFrameManager18GetPrimaryFrameForEP10nsIContent()
_ZNK9PresShell18GetPrimaryFrameForEP10nsIContentPP8nsIFrame()
_ZN20nsGenericHTMLElement18GetPrimaryFrameForEP10nsIContentP11nsIDocumenti()
_ZN20nsGenericHTMLElement22GetFormControlFrameForEP10nsIContentP11nsIDocumenti()
_ZN18nsHTMLInputElement8GetValueER9nsAString()
_ZN18nsHTMLInputElement9SaveStateEv()
_ZN24nsGenericHTMLFormElement11SetDocumentEP11nsIDocumentii()
_ZN18nsHTMLInputElement11SetDocumentEP11nsIDocumentii()
_ZN16nsGenericElement23SetDocumentInChildrenOfEP10nsIContentP11nsIDocumenti()
_ZN16nsGenericElement11SetDocumentEP11nsIDocumentii()
_ZN20nsGenericHTMLElement11SetDocumentEP11nsIDocumentii()
_ZN16nsGenericElement13RemoveChildAtEji()
_ZN16nsGenericElement13doRemoveChildEP10nsIContentP10nsIDOMNodePS3_()
_ZN16nsHTMLDivElement11RemoveChildEP10nsIDOMNodePS1_()
_ZN7nsRange14DeleteContentsEv()
_ZN20nsGenericHTMLElement12SetInnerHTMLERK9nsAString()
_ZN27nsGenericHTMLElementTearoff12SetInnerHTMLERK9nsAString()
XPTC_InvokeByIndex()
_ZN16XPCWrappedNative10CallMethodER14XPCCallContextNS_8CallModeE()
_Z19XPC_WN_GetterSetterP9JSContextP8JSObjectjPlS3_()
js_Invoke()
js_InternalInvoke()
js_InternalGetOrSet()
js_SetProperty()
js_Interpret()
js_Invoke()
js_InternalInvoke()
JS_CallFunctionValue()
_ZN11nsJSContext16CallEventHandlerEP8JSObjectS1_jPlS2_()
_ZN17nsJSEventListener11HandleEventEP11nsIDOMEvent()
_ZN22nsEventListenerManager18HandleEventSubTypeEP16nsListenerStructP11nsIDOMEventP17nsIDOMEventTargetjj()
_ZN22nsEventListenerManager11HandleEventEP14nsIPresContextP7nsEventPP11nsIDOMEventP17nsIDOMEventTargetjP13nsEventStatus()
_ZN16nsGenericElement14HandleDOMEventEP14nsIPresContextP7nsEventPP11nsIDOMEventjP13nsEventStatus()
_ZN18nsHTMLInputElement14HandleDOMEventEP14nsIPresContextP7nsEventPP11nsIDOMEventjP13nsEventStatus()
_ZN9PresShell19HandleEventInternalEP7nsEventP7nsIViewjP13nsEventStatus()
_ZN9PresShell21HandleEventWithTargetEP7nsEventP8nsIFrameP10nsIContentjP13nsEventStatus()
_ZN19nsEventStateManager24CheckForAndDispatchClickEP14nsIPresContextP12nsMouseEventP13nsEventStatus()
_ZN19nsEventStateManager15PostHandleEventEP14nsIPresContextP7nsEventP8nsIFrameP13nsEventStatusP7nsIView()
_ZN9PresShell19HandleEventInternalEP7nsEventP7nsIViewjP13nsEventStatus()
_ZN9PresShell11HandleEventEP7nsIViewP10nsGUIEventP13nsEventStatusiRi()
_ZN13nsViewManager11HandleEventEP6nsViewP10nsGUIEventi()
_ZN13nsViewManager13DispatchEventEP10nsGUIEventP13nsEventStatus()
_Z11HandleEventP10nsGUIEvent()
_ZN8nsWidget13DispatchEventEP10nsGUIEventR13nsEventStatus()
_ZN8nsWidget19DispatchWindowEventEP10nsGUIEvent()
_ZN8nsWidget18DispatchMouseEventER12nsMouseEvent()
_ZN8nsWidget21OnButtonReleaseSignalEP15_GdkEventButton()
_ZN8nsWindow21OnButtonReleaseSignalEP15_GdkEventButton()
_ZN8nsWindow14HandleGDKEventEP9_GdkEvent()
_Z23dispatch_superwin_eventP9_GdkEventP8nsWindow()
_Z16handle_gdk_eventP9_GdkEventPv()
libgdk-1.2.so.0 + 0x16b44 (0x40276b44)
libglib-1.2.so.0 + 0xfe75 (0x402a3e75)
libglib-1.2.so.0 + 0x1032c (0x402a432c)
libglib-1.2.so.0 + 0x1055c (0x402a455c)
libgtk-1.2.so.0 + 0x8c083 (0x401ce083)
_ZN10nsAppShell3RunEv()
_ZN17nsAppShellService3RunEv()
_Z5main1iPPcP11nsISupports()
main()
libc.so.6 + 0x15936 (0x403cb936)
Note that Mozilla does NOT crash when entering the <br /> tag in front of the input field!
--
<html>
<head>
<title>Causes mozilla 1.5 to crash</title>
<script language="JavaScript" type="text/javascript">
<!--
function getHandle(myparam) {
  return(document.getElementById(myparam));
}
function addToElement(target, source) {
  target.innerHTML+=source.innerHTML;
}
// (c) Gerben Versluis
// 2004 - http://www.gerben.info
--></script>
</head>
<body>
<form enctype="multipart/form-data" method="POST" >
  <div id="form" style="position:relative; width:100%; border: 1px solid #000000;">
    <span id="repeat">
      <br /><input type="file" name="upload[]" />
    </span>
  </div>
  <input type="button" name="more" value="more" onclick="addToElement(getHandle('form'), getHandle('repeat'));">
</form>
</body>
</html>
OS -> ALL since I crashed myself in Linux (comment #12)
OS: Windows 2000 → All
I can reproduce this at will by replying to certain e-mail messages. I can send the e-mail to anyone that's interested...
jay, can you check talkback for ranking?
Flags: blocking1.7?
actually, edit message as new, or reply to, any message with 5 or more recipients, and I crash - this makes it very hard to use mail. This is on the trunk, so I believe this is worse on the trunk than on the 1.7 branch, unless the branch has regressed as well.
Since the stack signature is 0x0000000, it's hard to tell where in the topcrash list this crash is. This looks similar to or even a dup of bug 203041 as someone mentioned earlier (that bug has been a topcrasher since 1.7 beta).
Flags: blocking1.7? → blocking1.7+
Attached file testcase
testcase crashes linux trunk 2004051305
Definitely not a regression - I can recreate this crash back to 1.4.
1.4 crash is in exactly the same place. Two interesting assertions as we crash:

###!!! ASSERTION: Please remove this from the document properly: '!mDocument', file D:/BUILDS/1.4/mozilla/content/base/src/nsGenericElement.cpp, line 741
Document http://versluis.nl.eu.org/samples/mozillacrash.html loaded successfully
###!!! ASSERTION: frame was not removed from primary frame map before destruction or was readded to map after being removed: '!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame', file D:/BUILDS/1.4/mozilla/layout/html/base/src/nsFrameManager.cpp, line 1028
Adding M17rc2 and [@ nsCSSFrameConstructor::FindFrameWithContent] to summary for tracking since users are crashing there as well with this testcase using Mozilla 1.7 rc2. Here's my crash:

Incident ID: 52728
Stack Signature 0x00000000 d3d9e6fb
Email Address jay@mozilla.org
Product ID Mozilla17
Build ID 2004051408
Trigger Time 2004-05-19 17:32:44.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module
URL visited http://bugzilla.mozilla.org/attachment.cgi?id=148483&action=view
User Comments bug 238906 - click on testcase
Since Last Crash sec
Total Uptime sec
Trigger Reason Access violation
Source File Name
Trigger Line No.
Stack Trace
0x00000000
nsCSSFrameConstructor::FindFrameWithContent [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 10952]
nsCSSFrameConstructor::FindPrimaryFrameFor [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 11088]
nsFrameManager::GetPrimaryFrameFor [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsFrameManager.cpp, line 460]
PresShell::GetPrimaryFrameFor [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5389]
nsGenericHTMLElement::GetPrimaryFrameFor [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 2189]
nsGenericHTMLElement::GetFormControlFrameFor [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 2199]
. . . .
Summary: Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript [@ nsCSSFrameConstructor::GetInsertionPoint] → M17rc2 Mozilla crashes if I copy a input type="file" in conjunction with a linebreak into an div element with JavaScript [@ nsCSSFrameConstructor::GetInsertionPoint] [@ nsCSSFrameConstructor::FindFrameWithContent]
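The ranking problem raised above (a top frame that is only a bad address) and the need to track two crash signatures for one bug both come from bucketing on the top frame. The following is an added example, not part of this bug report or of Mozilla's Talkback tooling: it groups traces by a shared run of caller frames instead. The trace labels, the `depth` and `min_run` thresholds, and the constructed third trace are assumptions made for illustration.

```python
import re

# Address-only frames ("0x00000009") and module+offset frames
# ("KERNEL32.DLL + 0x363b ...") carry no symbol to bucket on.
_ADDRESS = re.compile(r"^(?:0x[0-9a-fA-F]+$|\S+ \+ 0x[0-9a-fA-F]+)")
# Symbol at the start of a Talkback frame: "Class::Method [file, line N]".
_SYMBOL = re.compile(r"^([A-Za-z_]\w*(?:::~?\w+)*)")


def frames(trace):
    """Non-empty frame lines of a trace, top frame first."""
    return [ln.strip() for ln in trace.splitlines() if ln.strip()]


def symbols(trace):
    """Symbol names of a trace, skipping frames that are only an address."""
    hits = (_SYMBOL.match(f) for f in frames(trace) if not _ADDRESS.match(f))
    return [m.group(1) for m in hits if m]


def longest_shared_run(a, b):
    """Length of the longest run of consecutive frames common to a and b."""
    best, prev = 0, [0] * (len(b) + 1)
    for x in a:
        cur = [0] * (len(b) + 1)
        for j, y in enumerate(b, 1):
            if x == y:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def bucket(traces, depth=8, min_run=4):
    """Greedy grouping: a trace joins the first bucket holding a trace that
    shares >= min_run consecutive symbols with it in the top `depth` frames."""
    tops = {tid: symbols(text)[:depth] for tid, text in traces.items()}
    buckets = []
    for tid, top in tops.items():
        for b in buckets:
            if any(longest_shared_run(top, tops[o]) >= min_run for o in b):
                b.append(tid)
                break
        else:
            buckets.append([tid])
    return buckets


# Top frames of two Talkback traces from this page (build paths cut to the
# file name) plus one constructed, unrelated trace for contrast.
TRACES = {
    "1.7b": """
        0x00000009
        nsCSSFrameConstructor::GetInsertionPoint [nsCSSFrameConstructor.cpp, line 11102]
        nsFrameManager::GetPrimaryFrameFor [nsFrameManager.cpp, line 460]
        PresShell::GetPrimaryFrameFor [nsPresShell.cpp, line 5375]
        nsGenericHTMLElement::GetPrimaryFrameFor [nsGenericHTMLElement.cpp, line 2189]
        nsGenericHTMLElement::GetFormControlFrameFor [nsGenericHTMLElement.cpp, line 2199]""",
    "1.7rc2": """
        0x00000000
        nsCSSFrameConstructor::FindFrameWithContent [nsCSSFrameConstructor.cpp, line 10952]
        nsCSSFrameConstructor::FindPrimaryFrameFor [nsCSSFrameConstructor.cpp, line 11088]
        nsFrameManager::GetPrimaryFrameFor [nsFrameManager.cpp, line 460]
        PresShell::GetPrimaryFrameFor [nsPresShell.cpp, line 5389]
        nsGenericHTMLElement::GetPrimaryFrameFor [nsGenericHTMLElement.cpp, line 2189]
        nsGenericHTMLElement::GetFormControlFrameFor [nsGenericHTMLElement.cpp, line 2199]""",
    "constructed": """
        0x00000000
        ExampleView::Paint [example.cpp, line 10]
        ExampleView::Refresh [example.cpp, line 20]
        ExampleLoop::Run [example.cpp, line 30]""",
}

if __name__ == "__main__":
    print("raw top frames:", [frames(t)[0] for t in TRACES.values()])
    print("buckets:", bucket(TRACES))
```

Keyed on the raw top frame, the 1.7rc2 trace lands with the unrelated constructed trace and apart from the 1.7b one; keyed on the shared caller run, the two traces from this bug fall into one bucket.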
Depends on: 203041
This has the same cause as bug 203041; I have a fix over there.
fix (from bug 203041) checked into trunk, aviary branch, and 1.7 branch.
Status: NEW → RESOLVED
Closed: 21 years ago
Keywords: fixed1.7
Resolution: --- → FIXED
Whiteboard: fixed-aviary1.0
Crash Signature: [@ nsCSSFrameConstructor::GetInsertionPoint] [@ nsCSSFrameConstructor::FindFrameWithContent]