Closed Bug 562693 Opened 15 years ago Closed 7 years ago

Crash in [@ nsHTMLFormElement::RemoveElementFromTable]

Categories

(Core :: DOM: Core & HTML, defect)

x86
Linux
defect
Not set
critical

RESOLVED WONTFIX

People

(Reporter: jst, Unassigned)

Details

(Keywords: crash)

Just hit this. Assuming the debugger isn't lying here this looks like something in nsGenericHTMLFormElement::ClearForm() ends up clearing mForm after it's null checked. Haven't been able to reproduce tho.

The URL of the form's owner document was a bugzilla url (happened to be bug 548406, but I doubt that's important). The UnbindFromTree() calls were triggered by GC, so these are a bunch of disconnected nodes being collected due to their JS references having gone away.

#2 <signal handler called>
#3 nsHTMLFormElement::RemoveElementFromTable (this=0x0, aElement= 0x7fe35191d6b0, aName=...) at ../../../../../mozilla/content/html/content/src/nsHTMLFormElement.cpp:1281
#4 0x00007fe39b0f17f6 in nsGenericHTMLFormElement::ClearForm (this= 0x7fe35191d6b0, aRemoveFromForm=<value optimized out>, aNotify=1) at ../../../../../mozilla/content/html/content/src/nsGenericHTMLElement.cpp:2288
#5 0x00007fe39b0f338f in nsGenericHTMLFormElement::UnbindFromTree (this= 0x7fe35191d6b0, aDeep=1, aNullParent=0) at ../../../../../mozilla/content/html/content/src/nsGenericHTMLElement.cpp:2428
#6 0x00007fe39b0924be in nsGenericElement::UnbindFromTree (this= 0x7fe35ce1a6a0, aDeep=<value optimized out>, aNullParent=<value optimized out>) at ../../../../mozilla/content/base/src/nsGenericElement.cpp:2741
#7 0x00007fe39b0f3303 in nsGenericHTMLElement::UnbindFromTree (this= 0x7fe35ce1a6a0, aDeep=1, aNullParent=0) at ../../../../../mozilla/content/html/content/src/nsGenericHTMLElement.cpp:876
#8 0x00007fe39b0924be in nsGenericElement::UnbindFromTree (this= 0x7fe35ce1a380, aDeep=<value optimized out>, aNullParent=<value optimized out>) at ../../../../mozilla/content/base/src/nsGenericElement.cpp:2741
#9 0x00007fe39b0f3303 in nsGenericHTMLElement::UnbindFromTree (this= 0x7fe35ce1a380, aDeep=1, aNullParent=0) at ../../../../../mozilla/content/html/content/src/nsGenericHTMLElement.cpp:876
...
Oh, and this was in an optimized build (with symbols).
Severity: normal → critical
Keywords: crash
Summary: Crash in nsHTMLFormElement::RemoveElementFromTable() → Crash in [@ nsHTMLFormElement::RemoveElementFromTable]
I suppose that the notifications that ClearForm can dispatch might have done something weird... They really shouldn't, though. Do you know whether the whole stack is inside a scriptblocker? If it's not, it should be.
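
Added example, not part of the bug thread and not Mozilla's code: a minimal C++ model of the hazard hypothesised in the comments above, where a member pointer is null-checked, a notification runs, and the member is then used. The types Form and Control, the onNotify callback and both ClearForm variants are hypothetical names chosen for illustration; the actual cause of this crash was never confirmed in the thread.

```cpp
#include <functional>
#include <memory>
#include <set>
#include <string>

// Hypothetical stand-in for the form element: a table of registered control names.
struct Form {
    std::set<std::string> table;
    void RemoveElementFromTable(const std::string& name) { table.erase(name); }
};

// Hypothetical stand-in for a form control; `form` plays the role of mForm.
struct Control {
    std::string name;
    std::shared_ptr<Form> form;
    std::function<void(Control&)> onNotify;  // models a notification that may re-enter

    // Hazard shape: the member is checked, a callback runs, then the member is used.
    // If the callback resets `form`, the call below runs with a null `this`.
    void ClearFormUnsafe() {
        if (!form) return;
        if (onNotify) onNotify(*this);
        form->RemoveElementFromTable(name);
        form.reset();
    }

    // Hardened shape: pin the form in a local strong reference before anything
    // that can run other code, and use only the local afterwards.
    bool ClearFormSafe() {
        std::shared_ptr<Form> pinned = form;
        if (!pinned) return false;
        if (onNotify) onNotify(*this);
        pinned->RemoveElementFromTable(name);
        form.reset();
        return true;
    }
};

// Constructed scenario: the notification clears the control's form pointer mid-call.
bool demo_reentrant_clear() {
    auto form = std::make_shared<Form>();
    form->table.insert("q");
    Control c{"q", form, [](Control& self) { self.form.reset(); }};
    bool cleared = c.ClearFormSafe();
    return cleared && form->table.empty() && !c.form;
}
```
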
Crash Signature: [@ nsHTMLFormElement::RemoveElementFromTable]
Closing because no crash has been reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Component: DOM → DOM: Core & HTML