Created attachment 259593: testcase

See testcase, which crashes current trunk builds within 200ms after load.

Talkback ID: TB30579018E
nsFileControlFrame::CreateAnonymousContent [mozilla/layout/forms/nsfilecontrolframe.cpp, line 171]

This regressed between 2005-11-05 and 2005-11-08:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-11-05+05&maxdate=2005-11-08+09&cvsroot=%2Fcvsroot

I suspect a regression from bug 315306, somehow. This doesn't happen on the branch.

This crash also happens when using an isindex, btw.
(In reply to comment #0)
> I suspect a regression from bug 315306, somehow.

Er, I meant bug 314776 here.
Created attachment 260105: Testcase that crashes in older builds too

All that happened with bug 314776 is the ordering changed. If I manually flip the ordering, then this crashes with builds from before bug 314776 as well.
Created attachment 260106: Patch

This fixes this bug and bug 375839. In this case we do not have anything in the mContentListTable, but we do have our single insertion point in mAnonymousNodesTable.

I did some CVS digging, and the reason this is needed is because of
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/xbl/src/nsXBLBinding.cpp&rev=1.226&mark=353-359#352
-- that code means we could have insertion points in either hashtable. It looks like this has NEVER worked. The nsIDocumentObserver impl for nsBindingManager landed 5 days after the nsXBLBinding code linked to above, and was already buggy. I suspect the two patches were just worked on independently... :(

Sicking, you think this is worth taking on branches? So far I've only seen null-pointer derefs resulting from this, but at the same time this is a really simple patch.
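Added illustration of the failure mode comment 4 describes (this is not Gecko code and not the patch in attachment 260106; the struct layout, the `LookupBuggy`/`LookupFixed` names and the observer-style caller are simplified stand-ins, and the assumption that the fix consults both tables is mine). An insertion point may be recorded in either of two hashtables; a lookup that only consults the first returns null for the case in the testcase, and a caller that dereferences that result crashes:

```cpp
#include <cstddef>
#include <string>
#include <unordered_map>
#include <vector>

// Simplified model of the two tables named in the bug. Identifiers are
// illustrative; this is not nsBindingManager.
struct Node { std::string name; };
using NodeList = std::vector<Node*>;

struct BindingManager {
    std::unordered_map<Node*, NodeList*> mContentListTable;
    std::unordered_map<Node*, NodeList*> mAnonymousNodesTable;
};

// Buggy lookup: consults only mContentListTable. When the single insertion
// point lives in mAnonymousNodesTable (the <input type=file> case), this
// returns nullptr and the original caller dereferenced it.
NodeList* LookupBuggy(BindingManager& bm, Node* parent) {
    auto it = bm.mContentListTable.find(parent);
    return it == bm.mContentListTable.end() ? nullptr : it->second;
}

// Fixed lookup (assumed shape of the fix): fall back to the other table, and
// still report "not found" honestly instead of handing back a dangling value.
NodeList* LookupFixed(BindingManager& bm, Node* parent) {
    auto it = bm.mContentListTable.find(parent);
    if (it != bm.mContentListTable.end() && it->second) return it->second;
    auto jt = bm.mAnonymousNodesTable.find(parent);
    return jt == bm.mAnonymousNodesTable.end() ? nullptr : jt->second;
}

// Observer-style caller: counts children under the insertion point. It
// returns -1 on a null list rather than dereferencing it; the crash in the
// bug came from code that lacked exactly this guard.
int CountInsertedChildren(BindingManager& bm, Node* parent,
                          NodeList* (*lookup)(BindingManager&, Node*)) {
    NodeList* list = lookup(bm, parent);
    if (!list) return -1;
    return static_cast<int>(list->size());
}

// Constructed scenario from comment 4: nothing in mContentListTable, one
// insertion point in mAnonymousNodesTable.
struct Scenario {
    Node parent{"file-control"};
    Node child{"anonymous-input"};
    NodeList list;
    BindingManager bm;
    Scenario() {
        list.push_back(&child);
        bm.mAnonymousNodesTable[&parent] = &list;
    }
};

// Buggy path: lookup misses, caller sees null (-1 here; a deref in the real code).
int CountWithBuggyLookup() {
    Scenario s;
    return CountInsertedChildren(s.bm, &s.parent, LookupBuggy);
}

// Fixed path: lookup falls through to mAnonymousNodesTable and finds the child.
int CountWithFixedLookup() {
    Scenario s;
    return CountInsertedChildren(s.bm, &s.parent, LookupFixed);
}
```

The point for anyone porting a fix like this: the null check in the caller stops the crash, but only the two-table lookup restores the behaviour the observer was meant to have, so a patch needs both or the anonymous content simply goes unobserved.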
Fixed. We need some tests here... :(
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a4pre) Gecko/20070427 Minefield/3.0a4pre
Check-in of the branch patch in bug 382376 included this fix.
Verified in FF 188.8.131.52 on WinXP using "Testcase that crashes older builds too" (which did indeed crash me in 184.108.40.206).