M18a3 Crash [@ @0x00000000 - GetNifOrSpecialSibling ] with input type=file on clicking link using some javascript

Status: VERIFIED FIXED
Severity: critical
Reported: 14 years ago; last updated: 8 years ago
Reporter: martijn.martijn; Assignee: unassigned
Keywords: crash, testcase, topcrash
Version: Trunk; Hardware: x86; OS: All
Firefox tracking flags: not tracked
Attachments: 4 (1 obsolete)

(Reporter)

Description

14 years ago
This is a spin-off of bug 255431.
The upcoming testcase will crash, when clicking the link in it.
It seems to be a recent regression. It doesn't crash in:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040811
Firefox/0.9.1+
But it does crash in:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040812
Firefox/0.9.1+

I've backed out the patch for bug 255153 and after that the testcase doesn't
crash anymore in my debug build.
(Reporter)

Comment 1

14 years ago
Created attachment 156320 [details]
Testcase, this will crash when clicking the link

Comment 2

14 years ago
When you file crashers, please always mark them as critical (well, at least when
there's a 100% reproducible case such as this).


0x00000000
GetNifOrSpecialSibling 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 413]
nsCSSFrameConstructor::FindFrameWithContent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 11035]
nsCSSFrameConstructor::FindPrimaryFrameFor 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 11101]
nsFrameManager::GetPrimaryFrameFor 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsFrameManager.cpp,
line 476]
PresShell::GetPrimaryFrameFor 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5355]
nsGenericHTMLElement::GetPrimaryFrameFor 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 2239]
nsGenericHTMLElement::GetFormControlFrameFor 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 2249]
nsGenericHTMLElement::GetFormControlFrame 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.h,
line 283]
nsHTMLInputElement::GetValue 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp,
line 600]
nsHTMLInputElement::SaveState 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp,
line 2404]
nsGenericHTMLFormElement::SetDocument 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 3352]
nsHTMLInputElement::SetDocument 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp,
line 1677]
nsGenericElement::SetDocumentInChildrenOf 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 1698]
nsGenericElement::SetDocument 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 1756]
nsGenericHTMLElement::SetDocument 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 1313]
nsGenericElement::SetDocumentInChildrenOf 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 1698]
nsGenericElement::SetDocument 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 1756]
nsGenericHTMLElement::SetDocument 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 1313]
nsGenericElement::SetDocumentInChildrenOf 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 1698]
nsGenericElement::SetDocument 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 1756]
nsGenericHTMLElement::SetDocument 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 1313]
nsGenericElement::SetDocumentInChildrenOf 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 1698]
nsGenericElement::SetDocument 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 1756]
nsGenericHTMLElement::SetDocument 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 1313]
nsGenericElement::RemoveChildAt 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2575]
nsGenericElement::doRemoveChild 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 3045]
nsHTMLScriptElement::RemoveChild 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLScriptElement.cpp,
line 329]
nsRange::DeleteContents 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsRange.cpp,
line 1600]
nsGenericHTMLElement::SetInnerHTML 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 909]
nsGenericHTMLElementTearoff::SetInnerHTML 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 214]
XPTC_InvokeByIndex 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2030]
XPC_WN_GetterSetter 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1312]
js_Invoke 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1283]
js_InternalInvoke 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1379]
js_InternalGetOrSet 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1422]
js_SetProperty 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line
2896]
js_Interpret 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 2531]
js_Invoke 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1302]
js_InternalInvoke 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1379]
JS_CallFunctionValue 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line
3686]
nsJSContext::CallEventHandler 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1352]
nsJSEventListener::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/events/nsJSEventListener.cpp,
line 180]
nsEventListenerManager::HandleEventSubType 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1513]
nsEventListenerManager::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1590]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 1963]
nsGenericHTMLElement::HandleDOMEventForAnchors 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 1380]
nsHTMLLinkElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLLinkElement.cpp,
line 286]
PresShell::HandleEventInternal 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6012]
PresShell::HandleEventWithTarget 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5956]
nsEventStateManager::CheckForAndDispatchClick 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 2931]
nsEventStateManager::PostHandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 1956]
PresShell::HandleEventInternal 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6065]
PresShell::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5925]
nsViewManager::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2295]
nsViewManager::DispatchEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2025]
HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp,
line 79]
nsWindow::DispatchEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1101]
nsWindow::DispatchWindowEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1118]
nsWindow::DispatchMouseEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 5404]
ChildWindow::DispatchMouseEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 5655]
nsWindow::ProcessMessage 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 4159]
nsWindow::WindowProc 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1380]
Severity: normal → critical
Summary: Crash with input type=file on clicking link using some javascript → Crash { @ GetNifOrSpecialSibling 0x00000000] with input type=file on clicking link using some javascript
Summary: Crash { @ GetNifOrSpecialSibling 0x00000000] with input type=file on clicking link using some javascript → Crash [ @ GetNifOrSpecialSibling 0x00000000] with input type=file on clicking link using some javascript

Comment 3

14 years ago
fwiw, also crashing with same stack on Linux (trunk 20040816 build).
Keywords: testcase
OS: Windows XP → All

Comment 4

14 years ago
Is the testcase minimal?  For example, is the table needed?

Comment 5

14 years ago
I was unable to reproduce the crash with my latest Firefox10 branch build: 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040817
Firefox/0.9.1+ 

But I did crash with Mozilla 1.8a3: 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040817

Here is my incident with M18a3:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=594995

Adding M18a3 to summary and topcrash keyword for tracking.
Keywords: topcrash
Summary: Crash [ @ GetNifOrSpecialSibling 0x00000000] with input type=file on clicking link using some javascript → M18a3 Crash [ @ 0x00000000 - GetNifOrSpecialSibling ] with input type=file on clicking link using some javascript
(Reporter)

Comment 6

14 years ago
(In reply to comment #4)
> Is the testcase minimal?  For example, is the table needed?
Yes, the table is needed. Also the href="#" is needed for the link (a dry
onclick event doesn't crash for me). So the testcase is minimal.


Comment 7

14 years ago
I don't have a debug build (or any build), and won't until mid-September, so I
need some help diagnosing this one....  It doesn't help that I'm not seeing
offhand how the fix to bug 255153 could be causing a crash here.

Does just setting innerHTML to "" (instead of appending) also cause the crash?
Does it have to be a file input (as in, does a text input crash too)?

Can you check what sort of input element "this" is in the
"nsHTMLInputElement::GetValue" stack frame?

Also, what's the value of aParentFrame in the GetNifOrSpecialSibling stack
frame?  In general, what's actually crashing?  If you have a debug build, you
should be able to post a useful stack (with local symbols, and the like).

(Reporter)

Comment 8

14 years ago
Created attachment 156498 [details]
More minimal testcase

innerHTML='' also crashes.
The input type=file is necessary for the crash. input type=text doesn't crash.
The link and the input type=file need to be in the table to get the crash.

I'll try to come up with some useful debug info.
Attachment #156320 - Attachment is obsolete: true
(Reporter)

Comment 9

14 years ago
Created attachment 156575 [details]
stack1

I'm submitting two stacktraces, which I hope will answer the questions in
comment 7. I didn't see a GetNifOrSpecialSibling stack frame, so I could not
answer that question.

For easy viewing of the stacks see here:
http://home.hccnet.nl/m.wargers/test/mozilla/stack/
(Reporter)

Comment 10

14 years ago
Created attachment 156576 [details]
stack2

Comment 11

14 years ago
Created attachment 156583 [details]
Testcase without table ;) ATT: crash on click!
(Reporter)

Comment 12

14 years ago
This testcase: http://bugzilla.mozilla.org/attachment.cgi?id=147697&action=view
from bug 203041 is also crashing again. Possibly related?
> Testcase without table 

This is bug 256242.

> bug 203041 is also crashing again.

That's also bug 256242.

Chances are, this will just need to be retested once bug 256242 is fixed... but
pending that, could someone check which nodes are being restyled in the flush
that's triggered in nsGenericHTMLElement::GetFormControlFrame?  Break in
"ProcessRestyle" and see what the content nodes coming through are?
Fixed by the patch in bug 257818
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Depends on: 257818
Resolution: --- → FIXED
*** Bug 256912 has been marked as a duplicate of this bug. ***
Verified FIXED on Windows XP build 2004-09-13 in Seamonkey trunk.

I'll let those with other platforms verify theirs...
Since this was filed on XP, and I verified on XP, I'm marking the state final as
such.
Status: RESOLVED → VERIFIED

Updated

9 years ago
Summary: M18a3 Crash [ @ 0x00000000 - GetNifOrSpecialSibling ] with input type=file on clicking link using some javascript → M18a3 Crash [@ @0x00000000 - GetNifOrSpecialSibling ] with input type=file on clicking link using some javascript
(Assignee)

Updated

8 years ago
Crash Signature: [@ @0x00000000 - GetNifOrSpecialSibling ]