242620 - Mozilla crashes trying to dislay:none; a div with <input type="file"...> field

Status: RESOLVED DUPLICATE of bug 203041

(SeaMonkey :: General, defect)

Description

[Rodd Clarkson]

The following code crashes mozilla for me after displaying a javascript alert.

If you remove the alert, mozilla just crashes.

-----------------------
<html>

<head></head>

<body>
<form method="post" action="#" enctype="multipart/form-data" name="content">
	
	<div id="sshot" style="position:absolute; left:0; top:70; width:600;
visibility:visible">
	<input type="file" name="sshot-1"  size="20">
	</div>
	
	<div id="comment" style="position:absolute; left:0; top:70; width:600;
visibility:hidden"></div>

	<script language="JavaScript">
	<!--
alert("ID: sshot");
		document.getElementById('sshot').style.display = 'none';
		document.getElementById('comment').style.display = 'none';
	// -->
	</script>
</form>
</body></html>

----------------------

If you remove the code related to 'comment' (the javascript and/or the div) then
you need to do something else (like click 'back') to crash mozilla, but it still
goes down.

Comment 1

[Boris Zbarsky [:bzbarsky]]

Attachment: Testcase (click the "crash" button to crash)

Comment 2

[Bob Clary [:bc] (inactive)]

In a 1.7 debug build I get 

    while (--n >= 0) {
      nsIFrame *hit;
=>      nsresult rv = kid->GetFrameForPoint(aPresContext, aTmp, aWhichLayer, &hit);
      
      if (NS_SUCCEEDED(rv) && hit) {
        *aFrame = hit;
      }
      kid = kid->GetNextSibling();
    }

where 
+	aPresContext	0x02ea63b8
+	aTmp	{...}
	aWhichLayer	eFramePaintLayer_Overlay
+	&hit	0x0012f344
+	hit	0x00000000
+	kid	0x03e97440
	n	2
	rv	61037448


GetFrameFromLine(const nsRect & {...}, const nsPoint & {...},
nsLineList_iterator & {...}, nsIPresContext * 0x02ea63b8, nsFramePaintLayer
eFramePaintLayer_Overlay, nsIFrame * * 0x0305e204) line 5729 + 25 bytes

nsBlockFrame::GetFrameForPointUsing(nsIPresContext * 0x02ea63b8, const nsPoint &
{...}, nsIAtom * 0x00000000, nsFramePaintLayer eFramePaintLayer_Overlay, int 0,
nsIFrame * * 0x0305e204) line 5805 + 29 bytes

nsBlockFrame::GetFrameForPoint(nsBlockFrame * const 0x03e97370, nsIPresContext *
0x02ea63b8, const nsPoint & {...}, nsFramePaintLayer eFramePaintLayer_Overlay,
nsIFrame * * 0x0305e204) line 5839 + 26 bytes

PresShell::HandleEvent(PresShell * const 0x0305e1bc, nsIView * 0x03ea1908,
nsGUIEvent * 0x0012f75c, nsEventStatus * 0x0012f550, int 0, int & 1) line 5870 +
32 bytes

nsViewManager::HandleEvent(nsView * 0x03e93818, nsGUIEvent * 0x0012f75c, int 0)
line 2285

nsViewManager::DispatchEvent(nsViewManager * const 0x03a35b88, nsGUIEvent *
0x0012f75c, nsEventStatus * 0x0012f648) line 2025 + 20 bytes

HandleEvent(nsGUIEvent * 0x0012f75c) line 79

nsWindow::DispatchEvent(nsWindow * const 0x03e96744, nsGUIEvent * 0x0012f75c,
nsEventStatus & nsEventStatus_eIgnore) line 1067 + 10 bytes

nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f75c) line 1088

nsWindow::DispatchMouseEvent(unsigned int 300, unsigned int 0, nsPoint *
0x00000000) line 5259 + 21 bytes

ChildWindow::DispatchMouseEvent(unsigned int 300, unsigned int 0, nsPoint *
0x00000000) line 5514

nsWindow::ProcessMessage(unsigned int 512, unsigned int 0, long 4784295, long *
0x0012fc00) line 4025 + 28 bytes

nsWindow::WindowProc(HWND__ * 0x000f024c, unsigned int 512, unsigned int 0, long
4784295) line 1349 + 27 bytes

USER32! 77d43a50()
USER32! 77d43b1f()
USER32! 77d43d79()
USER32! 77d43ddf()
nsAppShellService::Run(nsAppShellService * const 0x00a561d8) line 524
main1(int 1, char * * 0x002e2638, nsISupports * 0x0099f730) line 1303 + 32 bytes
main(int 1, char * * 0x002e2638) line 1780 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e814c7()

Comment 3

[Asa Dotzler [:asa]]

This looks very similar to stacks in bug 235405

Comment 4

[Boris Zbarsky [:bzbarsky]]

This is a dup of the bug on file control frame not behaving nicely at
teardown... stack is:

0  0x41287ac7 in nsCSSFrameConstructor::FindFrameWithContent(nsIPresContext*,
nsFrameManager*, nsIFrame*, nsIContent*, nsIContent*, nsFindFrameHint*)
(this=0x874e1e0, 
    aPresContext=0x8713400, aFrameManager=0x874de28, aParentFrame=0x875f0d0, 
    aParentContent=0x8761d40, aContent=0x8761900, aHint=0x0)
    at
/home/bzbarsky/mozilla/xlib/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:10993
#1  0x41287c6d in nsCSSFrameConstructor::FindPrimaryFrameFor(nsIPresContext*,
nsFrameManager*, nsIContent*, nsIFrame**, nsFindFrameHint*) (this=0x874e1e0,
aPresContext=0x8713400, 
    aFrameManager=0x874de28, aContent=0x8761900, aFrame=0xbfffbdb8, aHint=0x0)
    at
/home/bzbarsky/mozilla/xlib/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:11082
#2  0x411b29e4 in nsFrameManager::GetPrimaryFrameFor(nsIContent*) (this=0x874de28, 
    aContent=0x8761900)
    at
/home/bzbarsky/mozilla/xlib/mozilla/layout/html/base/src/nsFrameManager.cpp:472
#3  0x41287c35 in nsCSSFrameConstructor::FindPrimaryFrameFor(nsIPresContext*,
nsFrameManager*, nsIContent*, nsIFrame**, nsFindFrameHint*) (this=0x874e1e0,
aPresContext=0x8713400, 
    aFrameManager=0x874de28, aContent=0x8762ab8, aFrame=0xbfffbe88, aHint=0x0)
    at
/home/bzbarsky/mozilla/xlib/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:11079
#4  0x411b29e4 in nsFrameManager::GetPrimaryFrameFor(nsIContent*) (this=0x874de28, 
    aContent=0x8762ab8)
    at
/home/bzbarsky/mozilla/xlib/mozilla/layout/html/base/src/nsFrameManager.cpp:472
#5  0x4120a224 in PresShell::GetPrimaryFrameFor(nsIContent*, nsIFrame**) const (
    this=0x874de10, aContent=0x8762ab8, aResult=0xbfffbf0c)
    at /home/bzbarsky/mozilla/xlib/mozilla/layout/html/base/src/nsPresShell.cpp:5372
#6  0x4146e785 in nsGenericHTMLElement::GetPrimaryFrameFor(nsIContent*,
nsIDocument*, int) (aContent=0x8762ab8, aDocument=0x8241b68, aFlushContent=0)
    at
/home/bzbarsky/mozilla/xlib/mozilla/content/html/content/src/nsGenericHTMLElement.cpp:2171
#7  0x4146e7b2 in nsGenericHTMLElement::GetFormControlFrameFor(nsIContent*,
nsIDocument*, int) (aContent=0x8762ab8, aDocument=0x8241b68, aFlushContent=0)
    at
/home/bzbarsky/mozilla/xlib/mozilla/content/html/content/src/nsGenericHTMLElement.cpp:2183
#8  0x4148a439 in nsGenericHTMLElement::GetFormControlFrame(int) (this=0x8762ab8, 
aFlushCoQuit
) at nsGenericHTMLElement.h:278
#9  0x414aa058 in nsHTMLInputElement::GetValue(nsAString&) (this=0x8762ab8, 
    aValue=@0xbfffbfec)
    at
/home/bzbarsky/mozilla/xlib/mozilla/content/html/content/src/nsHTMLInputElement.cpp:631
w#10 0x412450ac in nsFileControlFrame::Destroy(nsIPresContext*) (this=0x875f390, 
h    aPresContext=0x8713400)
    at
/home/bzbarsky/mozilla/xlib/mozilla/layout/html/forms/src/nsFileControlFrame.cpp:128
#11 0x411d8e19 in nsLineBox::DeleteLineList(nsIPresContext*, nsLineList&) (
    aPresContext=0x8713400, aLines=@0x875f10c)
    at
/home/bzbarsky/mozilla/xlib/mozilla/layout/html/base/src/nsLineBox.cpp:300     
  #12 0x411825b1 in nsBlockFrame::Destroy(nsIPresContext*) (this=0x875f0d0, 
    aPresContext=0x8713400)
    at
/home/bzbarsky/mozilla/xlib/mozilla/layout/html/base/src/nsBlockFrame.cpp:300  
  #13 0x41180116 in nsAreaFrame::Destroy(nsIPresContext*) (this=0x875f0d0, 
    aPresContext=0x8713400)
    at /home/bzbarsky/mozilla/xlib/mozilla/layout/html/base/src/nsAreaFrame.cpp:155
#14 0x41338f31 in nsFrameList::DestroyFrame(nsIPresContext*, nsIFrame*)
(this=0x875e8f8, 
    aPresContext=0x8713400, aFrame=0x875f0d0)
    at /home/bzbarsky/mozilla/xlib/mozilla/layout/base/src/nsFrameList.cpp:213
#15 0x4117df7a in nsAbsoluteContainingBlock::RemoveFrame(nsIFrame*,
nsIPresContext*, nsIPresShell&, nsIAtom*, nsIFrame*) (this=0x875e8f4,
aDelegatingFrame=0x875e8a8, 
    aPresContext=0x8713400, aPresShell=@0x874de10, aListName=0x80b9620, 
    aOldFrame=0x875f0d0)
    at
/home/bzbarsky/mozilla/xlib/mozilla/layout/html/base/src/nsAbsoluteContainingBlock.cpp:136
#16 0x4118c071 in nsBlockFrame::RemoveFrame(nsIPresContext*, nsIPresShell&,
nsIAtom*, nsIFrame*) (this=0x875e8a8, aPresContext=0x8713400,
aPresShell=@0x874de10, 
    aListName=0x80b9620, aOldFrame=0x875f0d0)
etc

Comment 5

[Asa Dotzler [:asa]]

*** This bug has been marked as a duplicate of 203041 ***