Closed Bug 255845 Opened 21 years ago Closed 21 years ago

M18a3 Crash [@ @0x00000000 - GetNifOrSpecialSibling ] with input type=file on clicking link using some javascript

Categories: Core :: Layout: Form Controls, defect
Hardware: x86
OS: All
Type: defect
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
Reporter: martijn.martijn
Assignee: Unassigned
Keywords: crash, testcase, topcrash
Attachments: 4 files, 1 obsolete file

This is a spin-off of bug 255431. The upcoming testcase will crash, when clicking the link in it. It seems a recent regression.
It doesn't crash in:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040811 Firefox/0.9.1+
But it does crash in:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040812 Firefox/0.9.1+
I've backed out the patch for bug 255153 and after that the testcase doesn't crash anymore in my debug build.
When you file crashers, please always mark them as critical (well, at least when there's a 100% reproducible case such as this).
0x00000000
GetNifOrSpecialSibling [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 413]
nsCSSFrameConstructor::FindFrameWithContent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 11035]
nsCSSFrameConstructor::FindPrimaryFrameFor [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 11101]
nsFrameManager::GetPrimaryFrameFor [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsFrameManager.cpp, line 476]
PresShell::GetPrimaryFrameFor [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5355]
nsGenericHTMLElement::GetPrimaryFrameFor [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 2239]
nsGenericHTMLElement::GetFormControlFrameFor [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 2249]
nsGenericHTMLElement::GetFormControlFrame [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.h, line 283]
nsHTMLInputElement::GetValue [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 600]
nsHTMLInputElement::SaveState [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 2404]
nsGenericHTMLFormElement::SetDocument [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 3352]
nsHTMLInputElement::SetDocument [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1677]
nsGenericElement::SetDocumentInChildrenOf [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 1698]
nsGenericElement::SetDocument [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 1756]
nsGenericHTMLElement::SetDocument [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 1313]
nsGenericElement::SetDocumentInChildrenOf [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 1698]
nsGenericElement::SetDocument [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 1756]
nsGenericHTMLElement::SetDocument [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 1313]
nsGenericElement::SetDocumentInChildrenOf [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 1698]
nsGenericElement::SetDocument [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 1756]
nsGenericHTMLElement::SetDocument [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 1313]
nsGenericElement::SetDocumentInChildrenOf [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 1698]
nsGenericElement::SetDocument [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 1756]
nsGenericHTMLElement::SetDocument [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 1313]
nsGenericElement::RemoveChildAt [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2575]
nsGenericElement::doRemoveChild [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 3045]
nsHTMLScriptElement::RemoveChild [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 329]
nsRange::DeleteContents [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsRange.cpp, line 1600]
nsGenericHTMLElement::SetInnerHTML [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 909]
nsGenericHTMLElementTearoff::SetInnerHTML [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 214]
XPTC_InvokeByIndex [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2030]
XPC_WN_GetterSetter [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1312]
js_Invoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1283]
js_InternalInvoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1379]
js_InternalGetOrSet [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1422]
js_SetProperty [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 2896]
js_Interpret [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 2531]
js_Invoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1302]
js_InternalInvoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1379]
JS_CallFunctionValue [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 3686]
nsJSContext::CallEventHandler [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1352]
nsJSEventListener::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/events/nsJSEventListener.cpp, line 180]
nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1513]
nsEventListenerManager::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1590]
nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 1963]
nsGenericHTMLElement::HandleDOMEventForAnchors [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 1380]
nsHTMLLinkElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLLinkElement.cpp, line 286]
PresShell::HandleEventInternal [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6012]
PresShell::HandleEventWithTarget [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5956]
nsEventStateManager::CheckForAndDispatchClick [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 2931]
nsEventStateManager::PostHandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 1956]
PresShell::HandleEventInternal [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6065]
PresShell::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5925]
nsViewManager::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2295]
nsViewManager::DispatchEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2025]
HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp, line 79]
nsWindow::DispatchEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1101]
nsWindow::DispatchWindowEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1118]
nsWindow::DispatchMouseEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5404]
ChildWindow::DispatchMouseEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5655]
nsWindow::ProcessMessage [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4159]
nsWindow::WindowProc [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1380]
Severity: normal → critical
Summary: Crash with input type=file on clicking link using some javascript → Crash { @ GetNifOrSpecialSibling 0x00000000] with input type=file on clicking link using some javascript
Summary: Crash { @ GetNifOrSpecialSibling 0x00000000] with input type=file on clicking link using some javascript → Crash [ @ GetNifOrSpecialSibling 0x00000000] with input type=file on clicking link using some javascript
fwiw, also crashing with same stack on Linux (trunk 20040816 build).
Keywords: testcase
OS: Windows XP → All
Is the testcase minimal? For example, is the table needed?
I was unable to reproduce the crash with my latest Firefox10 branch build:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040817 Firefox/0.9.1+
But I did crash with Mozilla 1.8a3:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040817
Here is my incident with M18a3:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=594995
Adding M18a3 to summary and topcrash keyword for tracking.
Keywords: topcrash
Summary: Crash [ @ GetNifOrSpecialSibling 0x00000000] with input type=file on clicking link using some javascript → M18a3 Crash [ @ 0x00000000 - GetNifOrSpecialSibling ] with input type=file on clicking link using some javascript
(In reply to comment #4)
> Is the testcase minimal? For example, is the table needed?
Yes, the table is needed. Also the href="#" is needed for the link (a dry onclick event doesn't crash for me). So the testcase is minimal.
I don't have a debug build (or any build), and won't until mid-September, so I need some help diagnosing this one.... It doesn't help that I'm not seeing offhand how the fix to bug 255153 could be causing a crash here. Does just setting innerHTML to "" (instead of appending) also cause the crash? Does it have to be a file input (as in, does a text input crash too?). Can you check what sort of input element "this" is in the "nsHTMLInputElement::GetValue" stack frame? Also, what's the value of aParentFrame in the GetNifOrSpecialSibling stack frame? In general, what's actually crashing? If you have a debug build, you should be able to post a useful stack (with local symbols, and the like).
Attached file More minimal testcase
innerHTML='' also crashes. The input type=file is necessary for the crash. input type=text doesn't crash. The link and the input type=file need to be in the table to get the crash. I'll try to come up with some useful debug info.
Attachment #156320 - Attachment is obsolete: true
Depends on: 256242
Attached file stack1
I'm submitting two stacktraces, which I hope will answer the questions in comment 7. I didn't see a GetNifOrSpecialSibling stack frame, so I could not answer that question. For easy viewing of the stacks see here: http://home.hccnet.nl/m.wargers/test/mozilla/stack/
Attached file stack2
This testcase: http://bugzilla.mozilla.org/attachment.cgi?id=147697&action=view from bug 203041 is also crashing again. Possibly related?
> Testcase without table
This is bug 256242.
> bug 203041 is also crashing again.
That's also bug 256242. Chances are, this will just need to be retested once bug 256242 is fixed... but pending that, could someone check which nodes are being restyled in the flush that's triggered in nsGenericHTMLElement::GetFormControlFrame? Break in "ProcessRestyle" and see what the content nodes coming through are?
Blocks: 256912
Fixed by the patch in bug 257818
Status: NEW → RESOLVED
Closed: 21 years ago
Depends on: 257818
Resolution: --- → FIXED
*** Bug 256912 has been marked as a duplicate of this bug. ***
Verified FIXED on Windows XP build 2004-09-13 in Seamonkey trunk. I'll let those with other platforms verify theirs...
Since this was filed on XP, and I verified on XP, I'm marking the state final as such.
Status: RESOLVED → VERIFIED
Summary: M18a3 Crash [ @ 0x00000000 - GetNifOrSpecialSibling ] with input type=file on clicking link using some javascript → M18a3 Crash [@ @0x00000000 - GetNifOrSpecialSibling ] with input type=file on clicking link using some javascript
Crash Signature: [@ @0x00000000 - GetNifOrSpecialSibling ]