Closed Bug 90797 Opened 24 years ago Closed 21 years ago

Crash when changing form element type[form sub]

Categories

(Core :: Layout: Form Controls, defect)

x86
All
defect
Not set
critical

Tracking

RESOLVED WORKSFORME
Future

People

(Reporter: michael, Unassigned)

Details

(Keywords: crash)

Attachments

(4 files, 1 obsolete file)

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2) Gecko/20010628
BuildID: 2001062823
The form example tries to change a form element from one type to another (e.g. from button to hidden). This is done by a simple javascript. When the script is changing the form-element-type then mozilla "closes"/crashes.
Reproducible: Always
Steps to Reproduce:
1. Make a simple form - with ONE element
2. Make a simple javascript - which tries the following thing: document.<formname>.<elementname>.type="button";
3. call the javascript => crash
Actual Results: crashes
Expected Results: 1. Javascript error or 2. changed the form-element-type
Severity: normal → critical
Keywords: crash
Status: UNCONFIRMED → NEW
Ever confirmed: true
Not all changes crash the browser. I have a bunch of testcases at http://www.returnvalue.com/mozilla/bug90797.html which might be of use. Click on a drop down next to a form element and on change, it will attempt to change the type to whatever you select. Happy crashing! :)
Oooh, nice testcases! Prashant, can you dig it :-] At any rate, I don't crash on many of the transitions, but I do on a transition to hidden (for one at least). However, I crash on a very different stack than the one attached here. Also, a number of the transitions (e.g., <select> -> <button>) don't work at all. It would probably be worthwhile madhur to go through all the permutations in that testcase, and note which ones crash (and what stack) and which ones just silently don't work. Should be separate bugs. Loads of fun :-]
Mozilla (Win32 build 20010717) crashes when selecting "Paint Shop Pro 7.02" from drop-down list at this URL: http://www.jasc.com/download_4.asp Is this covered by this bug?
Shouldn't this be in DOM somewhere?
Summary: Mozilla crashed - when changing form element → Crash when changing form element type
<jst> caillon: nope, looks like hyatt's bug, or pierre
Eric, it looks like you did a lot of work with this.
Assignee: rods → pollmann
FWIW, the transitions in this testcase that just "don't work" are okay, they should not work. <input type=select-one>, <input type=select-multiple>, and <input type=textarea> are not valid - these form controls are created by the following elements: <select> <select multiple=true> <textarea>. I was able to reproduce a crash, but we seem flaky: sometimes the transition will work fine with only a few asserts, but sometimes it will result in a crash.
according to the stack trace, cc dbaron who worked in that area lately
Reassigning to evaughan
Assignee: pollmann → evaughan
got a crash when attempting testcase mentioned in the url. Following is the stack trace:-
========================================
Incident ID 36317856
Stack Signature SelectorMatches 45c584e5
Bug ID
Trigger Time 2001-10-05 12:44:29
Email Address madhur@netscape.com
User Comments trying to reproduce bugzilla bug 90797
Build ID 2001100305
Product ID Netscape6.20
Platform ID Win32
Trigger Reason Stack overflow
Stack Trace
SelectorMatches [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSStyleSheet.cpp, line 3047]
ContentEnumFunc [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSStyleSheet.cpp, line 3476]
RuleHash::EnumerateAllRules [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSStyleSheet.cpp, line 610]
CSSRuleProcessor::RulesMatching [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSStyleSheet.cpp, line 3544]
EnumRulesMatching [d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp, line 746]
nsSupportsArray::EnumerateForwards [d:\builds\seamonkey\mozilla\xpcom\ds\nsSupportsArray.cpp, line 672]
StyleSetImpl::WalkRuleProcessors [d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp, line 1705]
StyleSetImpl::ResolveStyleFor [d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp, line 844]
nsPresContext::ResolveStyleContextFor [d:\builds\seamonkey\mozilla\layout\base\src\nsPresContext.cpp, line 709]
nsCSSFrameConstructor::ResolveStyleContext [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 6887]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7263]
nsCSSFrameConstructor::ContentInserted [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 8829]
nsCSSFrameConstructor::RecreateFramesForContent [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 11537]
nsCSSFrameConstructor::AttributeChanged [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 10305]
StyleSetImpl::AttributeChanged [d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp, line 1230]
PresShell::AttributeChanged [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5013]
nsDocument::AttributeChanged [d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 1718]
nsHTMLDocument::AttributeChanged [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLDocument.cpp, line 1289]
nsGenericHTMLElement::SetHTMLAttribute [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 1742]
nsGenericHTMLElement::SetAttr [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 1495]
nsGenericHTMLElement::SetFormControlAttribute [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 4056]
nsGenericHTMLLeafFormElement::SetAttr [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 4254]
nsHTMLButtonControlFrame::SetProperty [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsHTMLButtonControlFrame.cpp, line 799]
nsGfxButtonControlFrame::RestoreState [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxButtonControlFrame.cpp, line 767]
FrameManager::RestoreFrameStateFor [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2239]
FrameManager::RestoreFrameState [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2255]
nsCSSFrameConstructor::InitAndRestoreFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 6833]
nsCSSFrameConstructor::ConstructFrameByTag [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 5064]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7368]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7279]
nsCSSFrameConstructor::ContentInserted [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 8829]
nsCSSFrameConstructor::RecreateFramesForContent [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 11537]
nsCSSFrameConstructor::AttributeChanged [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 10305]
StyleSetImpl::AttributeChanged [d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp, line 1230]
PresShell::AttributeChanged [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5013]
nsDocument::AttributeChanged [d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 1718]
nsHTMLDocument::AttributeChanged [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLDocument.cpp, line 1289]
nsGenericHTMLElement::SetHTMLAttribute [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 1742]
nsGenericHTMLElement::SetAttr [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 1495]
nsGenericHTMLElement::SetFormControlAttribute [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 4056]
nsGenericHTMLLeafFormElement::SetAttr [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 4254]
nsHTMLButtonControlFrame::SetProperty [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsHTMLButtonControlFrame.cpp, line 799]
nsGfxButtonControlFrame::RestoreState [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxButtonControlFrame.cpp, line 767]
FrameManager::RestoreFrameStateFor [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2239]
FrameManager::RestoreFrameState [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2255]
nsCSSFrameConstructor::InitAndRestoreFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 6833]
nsCSSFrameConstructor::ConstructFrameByTag [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 5064]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7368]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7279]
nsCSSFrameConstructor::ContentInserted [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 8829]
nsCSSFrameConstructor::RecreateFramesForContent [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 11537]
nsCSSFrameConstructor::AttributeChanged [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 10305]
StyleSetImpl::AttributeChanged [d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp, line 1230]
PresShell::AttributeChanged [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5013]
nsDocument::AttributeChanged [d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 1718]
nsHTMLDocument::AttributeChanged [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLDocument.cpp, line 1289]
nsGenericHTMLElement::SetHTMLAttribute [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 1742]
nsGenericHTMLElement::SetAttr [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 1495]
nsGenericHTMLElement::SetFormControlAttribute [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 4056]
nsGenericHTMLLeafFormElement::SetAttr [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 4254]
nsHTMLButtonControlFrame::SetProperty [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsHTMLButtonControlFrame.cpp, line 799]
nsGfxButtonControlFrame::RestoreState [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxButtonControlFrame.cpp, line 767]
FrameManager::RestoreFrameStateFor [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2239]
FrameManager::RestoreFrameState [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2255]
another crash - stack trace --
Incident ID 36318685
Stack Signature nsPersistentProperties::AddRef 040b5fc0
Bug ID
Trigger Time 2001-10-05 13:05:42
Email Address madhur@netscape.com
User Comments
Build ID 2001100305
Product ID Netscape6.20
Platform ID Win32
Trigger Reason Stack overflow
Stack Trace
nsPersistentProperties::AddRef [d:\builds\seamonkey\mozilla\xpcom\ds\nsPersistentProperties.cpp, line 91]
nsBlockFrame::GetAdditionalChildListName [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 527]
nsCSSFrameConstructor::FindFrameWithContent [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 11297]
nsCSSFrameConstructor::FindPrimaryFrameFor [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 11376]
StyleSetImpl::FindPrimaryFrameFor [d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp, line 1292]
FrameManager::GetPrimaryFrameFor [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 601]
PresShell::GetPrimaryFrameFor [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5217]
nsCSSFrameConstructor::ContentRemoved [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 9219]
nsCSSFrameConstructor::RecreateFramesForContent [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 11509]
nsCSSFrameConstructor::AttributeChanged [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 10305]
StyleSetImpl::AttributeChanged [d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp, line 1230]
PresShell::AttributeChanged [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5013]
nsDocument::AttributeChanged [d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 1718]
nsHTMLDocument::AttributeChanged [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLDocument.cpp, line 1289]
nsGenericHTMLElement::SetHTMLAttribute [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 1742]
nsGenericHTMLElement::SetAttr [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 1495]
nsGenericHTMLElement::SetFormControlAttribute [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 4056]
nsGenericHTMLLeafFormElement::SetAttr [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 4254]
nsHTMLButtonControlFrame::SetProperty [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsHTMLButtonControlFrame.cpp, line 799]
nsGfxButtonControlFrame::RestoreState [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxButtonControlFrame.cpp, line 767]
FrameManager::RestoreFrameStateFor [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2239]
FrameManager::RestoreFrameState [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2255]
nsCSSFrameConstructor::InitAndRestoreFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 6833]
nsCSSFrameConstructor::ConstructFrameByTag [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 5064]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7368]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7279]
nsCSSFrameConstructor::ContentInserted [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 8829]
nsCSSFrameConstructor::RecreateFramesForContent [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 11537]
nsCSSFrameConstructor::AttributeChanged [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 10305]
StyleSetImpl::AttributeChanged [d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp, line 1230]
PresShell::AttributeChanged [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5013]
nsDocument::AttributeChanged [d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 1718]
nsHTMLDocument::AttributeChanged [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLDocument.cpp, line 1289]
nsGenericHTMLElement::SetHTMLAttribute [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 1742]
nsGenericHTMLElement::SetAttr [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 1495]
nsGenericHTMLElement::SetFormControlAttribute [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 4056]
nsGenericHTMLLeafFormElement::SetAttr [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 4254]
nsHTMLButtonControlFrame::SetProperty [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsHTMLButtonControlFrame.cpp, line 799]
nsGfxButtonControlFrame::RestoreState [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxButtonControlFrame.cpp, line 767]
FrameManager::RestoreFrameStateFor [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2239]
FrameManager::RestoreFrameState [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2255]
nsCSSFrameConstructor::InitAndRestoreFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 6833]
nsCSSFrameConstructor::ConstructFrameByTag [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 5064]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7368]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7279]
nsCSSFrameConstructor::ContentInserted [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 8829]
nsCSSFrameConstructor::RecreateFramesForContent [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 11537]
nsCSSFrameConstructor::AttributeChanged [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 10305]
StyleSetImpl::AttributeChanged [d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp, line 1230]
PresShell::AttributeChanged [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5013]
nsDocument::AttributeChanged [d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 1718]
nsHTMLDocument::AttributeChanged [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLDocument.cpp, line 1289]
nsGenericHTMLElement::SetHTMLAttribute [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 1742]
nsGenericHTMLElement::SetAttr [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 1495]
nsGenericHTMLElement::SetFormControlAttribute [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 4056]
nsGenericHTMLLeafFormElement::SetAttr [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 4254]
nsHTMLButtonControlFrame::SetProperty [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsHTMLButtonControlFrame.cpp, line 799]
nsGfxButtonControlFrame::RestoreState [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxButtonControlFrame.cpp, line 767]
FrameManager::RestoreFrameStateFor [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2239]
FrameManager::RestoreFrameState [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2255]
nsCSSFrameConstructor::InitAndRestoreFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 6833]
nsCSSFrameConstructor::ConstructFrameByTag [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 5064]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7368]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7279]
The previous stack trace was generated when I was trying to attempt the testcases in http://www.returnvalue.com/mozilla/bug90797.html Trying to figure out the permutations.
Ok - I figured out some set of combinations that resulted in a crash. URL:- http://www.returnvalue.com/mozilla/bug90797.html hidden -> button -> checkbox -> file -> hidden -> image -> password -> radio -> reset -> submit -> text -> textarea -> submit ----- resulted in *** crash ***
adding keyword mozilla0.9.6
Keywords: mozilla0.9.6
This needs to go to the new form owner
Assignee: evaughan → kmcclusk
Reassigning to Alex
Assignee: kmcclusk → alexsavulov
Summary: Crash when changing form element type → Crash when changing form element type[form sub]
Attached file simpler testcase (obsolete)
I can reproduce this bug with Netscape6.2, the 0.9.4 branch, however using the trunk build (pulled 11.5.01/noon) the crash does not occur (I attached a simpler testcase that does not need a select)
unable to check on trunk build 11-06-01-03 win 2000, due to bug 108637.
Attachment #56812 - Attachment is obsolete: true
D'OH!... this one is a bad bug (actually a multi-bug). My last test case reveals a crash in a completely different piece of code than the previous stacks. I think that we need an automatic javascript driven test that tries every transformation for the TYPE attribute. However, I'm still not sure whether this will cover all possible ways to crash the app considering that there may be some particular sequels of transformations for a given element that lead to a crash. On the other side, the likelihood of having a page that performs more than one transformation for a given form element is so small that we can limit our testing to only one transformation per given form element. (ok, I agree that some pages may provide the user with multiple choices, and if he bounces between them multiple times a lethal sequel of transformations may be the result). Working on test case....
Status: NEW → ASSIGNED
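An added example (not code from this bug or from Mozilla) of the JavaScript-driven test the comment above asks for: it enumerates every single TYPE transition, replays the chain reported earlier in the thread, and logs each step before applying it so that after a crash the last logged line identifies the transition. The function names are assumptions of this example, and `makeStubInput` is a constructed stand-in for a real `<input>` so the harness also runs outside a browser.

```javascript
// Added example: harness for single and chained <input> TYPE transitions.
// Types exercised in the thread; INVALID_TYPES are the values it calls invalid.
const VALID_TYPES = ["button", "checkbox", "file", "hidden", "image",
                     "password", "radio", "reset", "submit", "text"];
const INVALID_TYPES = ["select-one", "select-multiple", "textarea", "bogus"];

// The chain reported in the thread as ending in a crash.
const REPORTED_CHAIN = ["hidden", "button", "checkbox", "file", "hidden",
                        "image", "password", "radio", "reset", "submit",
                        "text", "textarea", "submit"];

// Constructed stand-in for document.createElement("input"): unknown types fall
// back to "text", as the HTML type attribute does. In a browser, pass a factory
// that appends a real <input> to a form in the document instead, so that
// layout builds a frame for it.
function makeStubInput() {
  let current = "text";
  return {
    get type() { return current; },
    set type(value) {
      const v = String(value).toLowerCase();
      current = VALID_TYPES.includes(v) ? v : "text";
    },
  };
}

// Every ordered (from, to) pair: one transformation per element.
function transitionPairs() {
  const pairs = [];
  for (const from of VALID_TYPES) {
    for (const to of [...VALID_TYPES, ...INVALID_TYPES]) {
      if (from !== to) pairs.push([from, to]);
    }
  }
  return pairs;
}

// Apply a chain of type changes to one fresh element. `log` is called BEFORE
// each assignment, so if the process dies the last logged line names the step.
function runChain(makeInput, chain, log = () => {}) {
  const el = makeInput();
  el.type = chain[0];
  const steps = [];
  for (const to of chain.slice(1)) {
    const from = el.type;
    log(`${from} -> ${to}`);
    let outcome;
    try {
      el.type = to;
      if (el.type === to) outcome = "changed";
      else if (el.type === from) outcome = "unchanged";
      else outcome = `coerced:${el.type}`;
    } catch (err) {
      outcome = `threw:${err.name}`;
    }
    steps.push({ from, to, outcome });
  }
  return steps;
}

// Run every pair on its own element and count the outcomes.
function runAllPairs(makeInput, log = () => {}) {
  const summary = {};
  for (const pair of transitionPairs()) {
    const [step] = runChain(makeInput, pair, log);
    summary[step.outcome] = (summary[step.outcome] || 0) + 1;
  }
  return summary;
}

console.log(runAllPairs(makeStubInput));
console.log(runChain(makeStubInput, REPORTED_CHAIN)
  .map((s) => `${s.from} -> ${s.to}: ${s.outcome}`));
```

In a browser the `log` callback should write somewhere that survives the process, since the harness itself cannot report a crash.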
in order to avoid confusion: in my last test case the type is changed to "select-multiple" - that's an invalid type.
testing results using the sample case:
The latest trunk crashes with the following stack (using "bogus"):
nsFormFrame::AddFormControlFrame(nsIPresContext * 0x029c8040, nsIFormControlFrame & {...}) line 397 + 14 bytes
nsFormFrame::AddFormControlFrame(nsIPresContext * 0x029c8040, nsIFrame & {...}) line 193.......
********************************************************************************
The latest 0.9.4 branch build crashes with the following stack (without using "bogus"):
nsCharTraits<unsigned short>::assign(unsigned short & 3, const unsigned short & 116) line 61
nsCharTraits<unsigned short>::move(unsigned short * 0x00033686, const unsigned short * 0x000330fe, unsigned int 5) line 136 + 31 bytes
nsWritingIterator<unsigned short>::write(const unsigned short * 0x000330f4, unsigned int 6) line 353 + 20 bytes
nsCharSinkTraits<nsWritingIterator<unsigned short> >::write(nsWritingIterator<unsigned short> & {...}, const unsigned short * 0x000330f4, unsigned int 6) line 661
copy_string(nsReadingIterator<unsigned short> & {...}, const nsReadingIterator<unsigned short> & {...}, nsWritingIterator<unsigned short> & {...}) line 76 + 39 bytes
nsAString::do_AppendFromReadable(const nsAString & {...}) line 321 + 55 bytes
nsAString::AppendFromReadable(const nsAString & {...}) line 288
nsAString::Append(const nsAString & {...}) line 197 + 19 bytes
nsGenericHTMLElement::EnumValueToString(const nsHTMLValue & {...}, nsGenericHTMLElement::EnumTable * 0x021fb9c0, nsAString & {...}, int 0) line 2392 + 28 bytes
nsHTMLInputElement::AttributeToString(const nsHTMLInputElement * const 0x0270ad78, nsIAtom * 0x0122d3f8, const nsHTMLValue & {...}, nsAString & {...}) line 1389 + 20 bytes
nsGenericHTMLElement::GetAttr(const nsGenericHTMLElement * const 0x0270ad78, int 0, nsIAtom * 0x0122d3f8, nsAString & {...}) line 1902 + 27 bytes
SelectorMatches(SelectorMatchesData & {...}, nsCSSSelector * 0x026114d8, int 1, char 0) line 3224 + 44 bytes
PseudoEnumFunc(nsICSSStyleRule * 0x02612690, void * 0x000337a4) line 3581 + 17 bytes
RuleHash::EnumerateTagRules(nsIAtom * 0x012229b0, void (nsICSSStyleRule *, void *)* 0x01f88a20 PseudoEnumFunc(nsICSSStyleRule *, void *), void * 0x000337a4) line 642 + 13 bytes
CSSRuleProcessor::RulesMatching(CSSRuleProcessor * const 0x025f7b18, nsIPresContext * 0x025f3900, nsIAtom * 0x0122ea68, nsIContent * 0x0270ad78, nsIAtom * 0x012229b0, nsIStyleContext * 0x028e6dcc, nsICSSPseudoComparator * 0x00000000, nsIRuleWalker * 0x0262a790) line 3644
EnumPseudoRulesMatching(nsISupports * 0x025f7b18, void * 0x000338a8) line 893
nsSupportsArray::EnumerateForwards(nsSupportsArray * const 0x025f80c8, int (nsISupports *, void *)* 0x01ee85c0 EnumPseudoRulesMatching(nsISupports *, void *), void * 0x000338a8) line 669 + 20 bytes
StyleSetImpl::WalkRuleProcessors(int (nsISupports *, void *)* 0x01ee85c0 EnumPseudoRulesMatching(nsISupports *, void *), void * 0x000338a8, nsIContent * 0x0270ad78) line 1704
StyleSetImpl::ProbePseudoStyleFor(nsIPresContext * 0x025f3900, nsIContent * 0x0270ad78, nsIAtom * 0x012229b0, nsIStyleContext * 0x028e6dcc, int 0) line 962
nsPresContext::ProbePseudoStyleContextFor(nsPresContext * const 0x025f3900, nsIContent * 0x0270ad78, nsIAtom * 0x012229b0, nsIStyleContext * 0x028e6dcc, int 0, nsIStyleContext * * 0x028e6e64) line 776 + 42 bytes
nsButtonFrameRenderer::ReResolveStyles(nsIPresContext * 0x025f3900) line 347 + 66 bytes
nsButtonFrameRenderer::SetFrame(nsFrame * 0x028e6e00, nsIPresContext * 0x025f3900) line 59
nsHTMLButtonControlFrame::Init(nsHTMLButtonControlFrame * const 0x028e6e00,
removing keyword 0.9.6 and critical since the crash occurs on the trunk only when changing a 'radio' to 'bogus' (likelihood of occurrence small)
Severity: critical → normal
Keywords: mozilla0.9.6
OS: Linux → All
the crash occurs only when "bogus" is used. setting milestone and severity
Severity: normal → minor
Target Milestone: --- → Future
is still a crasher even if the type "bogus" is not used. (see attachment 56971 [details]). reassigning to html forms controls.
Assignee: alexsavulov → form
Status: ASSIGNED → NEW
QA Contact: madhur → tpreston
Without bogus I get these assertions:
###!!! ASSERTION: frame was not removed from primary frame map before destruction or was readded to map after being removed: '!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame', file /home/bzbarsky/mozilla/debug/mozilla/layout/html/base/src/nsFrameManager.cpp, line 1051
Break: at file /home/bzbarsky/mozilla/debug/mozilla/layout/html/base/src/nsFrameManager.cpp, line 1051
###!!! ASSERTION: frame was not removed from primary frame map before destruction or was readded to map after being removed: '!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame', file /home/bzbarsky/mozilla/debug/mozilla/layout/html/base/src/nsFrameManager.cpp, line 1051
(which the testcase erroneously says to ignore) and the crash in DoDeletingFrameSubtree because I try to do something to mEditor on an already-destroyed text frame from PreDestroy, called from RemoveAsPrimaryFrame (mEditor == 0xdddddddd is a bad sign, usually). The point is, the assertions tell us that we are accessing already-destroyed frames.
This is a stack (using the testcase in attachment 56971 [details]) showing how a frame is readded to the primary frame map during its destruction. I think we should probably just change this debugging code in NotifyDestroyingFrame to a runtime check-and-remove (and maybe leave the assertion too, since I think it's probably bad practice to cause this to happen, but we can at least make it not crash). We've run into this problem enough times already.
Hrm. So the problem is that storing the value back into the input sends out error notifications, which is bad? Or that the frame is removed from the map before PreDestroy is called... that could be an issue in general.
Yeah, I'm also a bit puzzled about why we're dealing with an already-destroyed frame this early in the process. Though perhaps we're doing multiple reconstructs on the same subtree and trying to destroy a frame from before the previous reconstruct.
Actually, no, I'd already rejected that theory since the fix I suggested doesn't fix the crash. For reference, that fix was: Index: nsFrameManager.cpp =================================================================== RCS file: /cvsroot/mozilla/layout/html/base/src/nsFrameManager.cpp,v retrieving revision 1.130 diff -u -6 -d -r1.130 nsFrameManager.cpp --- nsFrameManager.cpp 17 Nov 2002 15:37:39 -0000 1.130 +++ nsFrameManager.cpp 20 Nov 2002 02:57:11 -0000 @@ -1038,23 +1038,26 @@ // Remove all properties associated with the frame nsCOMPtr<nsIPresContext> presContext; mPresShell->GetPresContext(getter_AddRefs(presContext)); RemoveAllPropertiesFor(presContext, aFrame); -#ifdef DEBUG + // This should be debugging code, but we're going to make it a runtime + // check since this probably happens in too many obscure places, leading + // to obscure crashes. if (mPrimaryFrameMap.ops) { nsCOMPtr<nsIContent> content; aFrame->GetContent(getter_AddRefs(content)); PrimaryFrameMapEntry *entry = NS_STATIC_CAST(PrimaryFrameMapEntry*, PL_DHashTableOperate(&mPrimaryFrameMap, content, PL_DHASH_LOOKUP)); - NS_ASSERTION(!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame, - "frame was not removed from primary frame map before " - "destruction or was readded to map after being removed"); + if (PL_DHASH_ENTRY_IS_BUSY(entry) && entry->frame == aFrame) { + NS_NOTREACHED("frame was not removed from primary frame map before " + "destruction or was readded to map after being removed"); + PL_DHashTableRawRemove(&mPrimaryFrameMap, entry); + } } -#endif return NS_OK; } nsresult FrameManager::RevokePostedEvents()
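Review bot: The new `if (PL_DHASH_ENTRY_IS_BUSY(entry) && entry->frame == aFrame)` branch only inspects the entry stored under the frame's own content key, so it clears one stale pointer after the fact and does nothing about the code path that re-adds the frame during destruction; the comment above the block should say that this is containment and name the invariant being enforced (a frame must be out of the primary frame map before it is destroyed). With `#ifdef DEBUG` removed, the lookup now also runs in release builds, and `content` from `aFrame->GetContent(...)` is passed to `PL_DHashTableOperate` without a null check, so skip the lookup when `content` is null. `NS_NOTREACHED` reads oddly for a condition the new comment says happens in many obscure places; a warning would match the stated intent better.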
I don't know how the word "error" snuck into comment 31... And it looks like resetting the value should not be triggering a frame reconstruct, so we should not be reentering DoDeleteFrameSubtree..
Setting *type* should definitely trigger a frame reconstruct.
Right; that's why we're storing the value back in the content node in your stack in the first place.
I don't crash testing attachment 56971 [details]. build 2002122704, XP
By the definitions on <http://bugzilla.mozilla.org/bug_status.html#severity> and <http://bugzilla.mozilla.org/enter_bug.cgi?format=guided>, crashing and dataloss bugs are of critical or possibly higher severity. Only changing open bugs to minimize unnecessary spam. Keywords to trigger this would be crash, topcrash, topcrash+, zt4newcrash, dataloss.
Severity: minor → critical
WFM (no crash), 2003-11-08-05 trunk Linux. (I have created bug 225103 for a strange effect when changing "type" in one of the testcases.)
WFM, 2004-02-08-08 trunk Windows XP. WFM, 2004-02-08-08 trunk Linux. -> WORKSFORME
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → WORKSFORME