Closed Bug 15189 Opened 25 years ago Closed 25 years ago

EventStateManager crashes when document is changed during the processing of a DOM event

Categories

(Core :: Layout, defect, P3)

x86
Windows NT
defect

Tracking

()

VERIFIED FIXED

People

(Reporter: morse, Assigned: joki)

Details

(Keywords: crash, Whiteboard: [nsbeta2+][dogfood-])

Following content displays a list. Change the selected item (i.e., select the second item) in the list. The browser will crash with the stacktrace shown below. This bug is not blocking anything right now, but it will cause the wallet editor to crash after bug 15170 is fixed. <HTML> <HEAD> <SCRIPT> function Changed() { dump("Got a change\n"); loadMain(); } function loadMain() { top.frames[0].document.open(); top.frames[0].document.write( "<FORM>" + "<TABLE>" + "<TR>" + "<TD>" + // "<SELECT ONCHANGE=\"setTimeout('top.Changed();',0)\">" + "<SELECT ONCHANGE=top.Changed();>" + "<option>first</option>" + "<option>second</option>" + "</SELECT>" + "</TD>" + "</TR>" + "</TABLE>" + "</FORM>" ); top.frames[0].document.close(); } </SCRIPT> </HEAD> <FRAMESET ROWS=*,1 BORDER=0 FRAMESPACING=0 onLoad=loadMain()> <FRAME SRC=about:blank NAME=main_frame SCROLLING=AUTO MARGINWIDTH=0 MARGINHEIGHT=0 NORESIZE> <FRAME SRC=about:blank NAME=dummy_frame SCROLLING=AUTO MARGINWIDTH=0 MARGINHEIGHT=0 NORESIZE> </FRAMESET> <NOFRAMES> <BODY> <P> </BODY> </NOFRAMES> </HTML> stacktrace: RAPTORHTML! const nsTextNode::`vftable'{for `nsIContent'} + 1 byte nsHTMLSelectElement::HandleDOMEvent(nsHTMLSelectElement * const 0x029eab90, nsIPresContext & {...}, nsEvent * 0x0012f6a8, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 789 nsEventStateManager::SendFocusBlur(nsEventStateManager * const 0x029fa9b0, nsIContent * 0x029ff60c) line 1450 nsEventStateManager::SetContentState(nsEventStateManager * const 0x029fa9b0, nsIContent * 0x029ff60c, int 2) line 1339 nsHTMLInputElement::SetFocus(nsHTMLInputElement * const 0x029ff614, nsIPresContext * 0x0288bae0) line 477 nsEventStateManager::ChangeFocus(nsIContent * 0x029ff60c, int 1) line 996 nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x029fa9b0, nsIPresContext & {...}, nsGUIEvent * 0x0012fbc8, nsIFrame * 0x02a16450, nsEventStatus & nsEventStatus_eIgnore, nsIView * 0x02959140) line 392 + 19 bytes PresShell::HandleEvent(PresShell * const 0x02958f64, nsIView * 0x02959140, nsGUIEvent * 0x0012fbc8, nsEventStatus & nsEventStatus_eIgnore) line 2091 + 43 bytes nsView::HandleEvent(nsView * const 0x02959140, nsGUIEvent * 0x0012fbc8, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 828 nsView::HandleEvent(nsView * const 0x0295f3d0, nsGUIEvent * 0x0012fbc8, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 813 nsView::HandleEvent(nsView * const 0x0295f460, nsGUIEvent * 0x0012fbc8, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 813 nsView::HandleEvent(nsView * const 0x0289c4a0, nsGUIEvent * 0x0012fbc8, unsigned int 28, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 813 nsViewManager::DispatchEvent(nsViewManager * const 0x0289c530, nsGUIEvent * 0x0012fbc8, nsEventStatus & nsEventStatus_eIgnore) line 1664 HandleEvent(nsGUIEvent * 0x0012fbc8) line 63 nsWindow::DispatchEvent(nsWindow * const 0x0295f244, nsGUIEvent * 0x0012fbc8, nsEventStatus & nsEventStatus_eIgnore) line 340 + 10 bytes nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fbc8) line 361 nsWindow::DispatchMouseEvent(unsigned int 302, nsPoint * 0x00000000) line 3226 + 21 bytes ChildWindow::DispatchMouseEvent(unsigned int 302, nsPoint * 0x00000000) line 3444 nsWindow::ProcessMessage(unsigned int 513, unsigned int 1, long 917559, long * 0x0012fde8) line 2448 + 24 bytes nsWindow::WindowProc(HWND__ * 0x00150496, unsigned int 513, unsigned int 1, long 917559) line 449 + 27 bytes USER32! 77e71268()
I should add that this is a regression that just started in the past week probably. It used to work before that.
Assignee: harishd → rods
Here is a new trace: nsComboboxControlFrame::SelectionChanged(nsComboboxControlFrame * const 0x011cbba0, int 1) line 1087 + 12 bytes nsComboboxControlFrame::UpdateSelection(nsComboboxControlFrame * const 0x011cbc18, int 1, int 0, int 1) line 996 + 23 bytes nsComboboxControlFrame::ListWasSelected(nsComboboxControlFrame * const 0x011cbc18, nsIPresContext * 0x011331d0) line 969 nsListControlFrame::MouseUp(nsIDOMEvent * 0x011cf330) line 1979 nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent * 0x0012fcbc, nsIDOMEvent * * 0x0012f9d0, unsigned int 2, nsEventStatus & nsEventStatus_eIgnore) line 578 + 17 bytes nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012fcbc, nsIDOMEvent * * 0x0012f9d0, unsigned int 2, nsEventStatus & nsEventStatus_eIgnore) line 794 nsHTMLSelectElement::HandleDOMEvent(nsHTMLSelectElement * const 0x011baa90, nsIPresContext & {...}, nsEvent * 0x0012fcbc, nsIDOMEvent * * 0x0012f9d0, unsigned int 2, nsEventStatus & nsEventStatus_eIgnore) line 789 nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012fcbc, nsIDOMEvent * * 0x0012f9d0, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 796 + 39 bytes nsHTMLOptionElement::HandleDOMEvent(nsHTMLOptionElement * const 0x011ca29c, nsIPresContext & {...}, nsEvent * 0x0012fcbc, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 437 PresShell::HandleEvent(PresShell * const 0x01185dc4, nsIView * 0x011cd680, nsGUIEvent * 0x0012fcbc, nsEventStatus & nsEventStatus_eIgnore) line 2077 + 39 bytes nsView::HandleEvent(nsView * const 0x011cd680, nsGUIEvent * 0x0012fcbc, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 828 nsView::HandleEvent(nsView * const 0x011cc6c0, nsGUIEvent * 0x0012fcbc, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 813 nsView::HandleEvent(nsView * const 0x011cc370, nsGUIEvent * 0x0012fcbc, unsigned int 28, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 813 nsViewManager::DispatchEvent(nsViewManager * const 0x011857c0, nsGUIEvent * 0x0012fcbc, nsEventStatus & nsEventStatus_eIgnore) line 1664 HandleEvent(nsGUIEvent * 0x0012fcbc) line 63 nsWindow::DispatchEvent(nsWindow * const 0x011cc754, nsGUIEvent * 0x0012fcbc, nsEventStatus & nsEventStatus_eIgnore) line 340 + 10 bytes nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fcbc) line 361 nsWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 3226 + 21 bytes ChildWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 3444 nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 1507373, long * 0x0012fec8) line 2453 + 24 bytes nsWindow::WindowProc(void * 0x01c4088a, unsigned int 514, unsigned int 0, long 1507373) line 449 + 27 bytes USER32! 77e71250() Assigning bug to rods@netscape.com
I was surprised at the regression, I am not sure why this statred to fail. This may be the same bug I found today and have a fix for.
This should be fixed, could you test it and let me know? Thanks.
I'm pulling a new tree right now. Will let you know shortly if it is fixed.
Nope, still not fixed. Now I'm getting the same stack that harishd reported (yesterday I reported a different stack trace but I was using a build from a couple of days ago). Also if I use the alternate select statement (by changing the line that is commented out) I get the stack trace shown below. The alternate select statement was a work-around that pollmann gave me a while ago as a work-around for a related bug. nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012f6fc, nsIDOMEvent * * 0x0012f5d4, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 776 + 33 bytes nsHTMLSelectElement::HandleDOMEvent(nsHTMLSelectElement * const 0x029c4b90, nsIPresContext & {...}, nsEvent * 0x0012f6fc, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 789 nsEventStateManager::SendFocusBlur(nsEventStateManager * const 0x029cee70, nsIContent * 0x029edb80) line 1506 nsEventStateManager::SetContentState(nsEventStateManager * const 0x029cee70, nsIContent * 0x029edb80, int 2) line 1395 nsHTMLSelectElement::SetFocus(nsHTMLSelectElement * const 0x029edb88, nsIPresContext * 0x02648b60) line 594 nsEventStateManager::ChangeFocus(nsIContent * 0x029edb80, int 1) line 1052 nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x029cee70, nsIPresContext & {...}, nsGUIEvent * 0x0012fbc8, nsIFrame * 0x029e0200, nsEventStatus & nsEventStatus_eIgnore, nsIView * 0x02703cb0) line 449 + 19 bytes PresShell::HandleEvent(PresShell * const 0x026fd124, nsIView * 0x02703cb0, nsGUIEvent * 0x0012fbc8, nsEventStatus & nsEventStatus_eIgnore) line 2091 + 43 bytes nsView::HandleEvent(nsView * const 0x02703cb0, nsGUIEvent * 0x0012fbc8, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 828 nsView::HandleEvent(nsView * const 0x02703440, nsGUIEvent * 0x0012fbc8, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 813 nsView::HandleEvent(nsView * const 0x027002b0, nsGUIEvent * 0x0012fbc8, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 813 nsView::HandleEvent(nsView * const 0x026fd540, nsGUIEvent * 0x0012fbc8, unsigned int 28, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 813 nsViewManager::DispatchEvent(nsViewManager * const 0x026fd7f0, nsGUIEvent * 0x0012fbc8, nsEventStatus & nsEventStatus_eIgnore) line 1664 HandleEvent(nsGUIEvent * 0x0012fbc8) line 63 nsWindow::DispatchEvent(nsWindow * const 0x02702174, nsGUIEvent * 0x0012fbc8, nsEventStatus & nsEventStatus_eIgnore) line 340 + 10 bytes nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fbc8) line 361 nsWindow::DispatchMouseEvent(unsigned int 302, nsPoint * 0x00000000) line 3226 + 21 bytes ChildWindow::DispatchMouseEvent(unsigned int 302, nsPoint * 0x00000000) line 3444 nsWindow::ProcessMessage(unsigned int 513, unsigned int 1, long 983100, long * 0x0012fde8) line 2448 + 24 bytes nsWindow::WindowProc(HWND__ * 0x00060564, unsigned int 513, unsigned int 1, long 983100) line 449 + 27 bytes USER32! 77e71268()
Assignee: rods → joki
Severity: normal → critical
Summary: Browser crashes when item is selected → EventStateManager crashes when document is changed during the processing of a DOM event
Facinating bug. I have a minor fix in my tree that pushes the crash off into the EventStatemanager (I will check that in soon). If the document changes while you are processing a DOMEvent what should happen? Basically, now a listener is processing the event but the eventstatemanager and document and everything has changed so when it comes out of the listener call it crashes. I am going to reassign this to Tom, this is significant and he may already have a bug filed on this. Changing description and status and reassigning.
Summary: EventStateManager crashes when document is changed during the processing of a DOM event → [DOGFOOD]EventStateManager crashes when document is changed during the processing of a DOM event
This is still not working. And now that bug 15170 is fixed, this is preventing the wallet editor from working. With a current build, the stack trace is now different. Below are three stack traces. The first is for an assertion failure that appears when the item is selected. If the execution is resumed from that assertion failure, a hard crash occurs. That crash is different depending on whether or not the setTimeout is included on the select statement. These are the second and third stack traces. I. Debug Assertion: NTDLL! 77f76274() nsDebug::PreCondition(const char * 0x01951c54, const char * 0x01951c48, const char * 0x01951c14, int 424) line 262 + 13 bytes FrameManager::SetPrimaryFrameFor(FrameManager * const 0x024148b0, nsIContent * 0x00000000, nsIFrame * 0x00000000) line 424 + 32 bytes DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90, nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x02933cb0) line 6734 DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90, nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x029321f0) line 6787 + 25 bytes DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90, nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x029322d0) line 6787 + 25 bytes DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90, nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x02932cc0) line 6787 + 25 bytes DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90, nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x02931090) line 6787 + 25 bytes DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90, nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x029312f0) line 6787 + 25 bytes DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90, nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x02931850) line 6787 + 25 bytes DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90, nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x02931e20) line 6787 + 25 bytes DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90, nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x02930040) line 6787 + 25 bytes DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90, nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x029303f0) line 6787 + 25 bytes DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90, nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x024250b0) line 6787 + 25 bytes DeletingFrameSubtree(nsIPresContext * 0x028edf10, nsIPresShell * 0x02414c90, nsIFrameManager * 0x024148b0, nsIFrame * 0x02425b00, nsIFrame * 0x02425b00) line 6787 + 25 bytes nsCSSFrameConstructor::ContentRemoved(nsCSSFrameConstructor * const 0x02414da0, nsIPresContext * 0x028edf10, nsIContent * 0x00000000, nsIContent * 0x0292cdac, int 0) line 6997 + 35 bytes StyleSetImpl::ContentRemoved(StyleSetImpl * const 0x02414e40, nsIPresContext * 0x028edf10, nsIContent * 0x00000000, nsIContent * 0x0292cdac, int 0) line 963 PresShell::ContentRemoved(PresShell * const 0x02414c98, nsIDocument * 0x028ef3f0, nsIContent * 0x00000000, nsIContent * 0x0292cdac, int 0) line 1863 + 50 bytes nsDocument::ContentRemoved(nsDocument * const 0x028ef3f0, nsIContent * 0x00000000, nsIContent * 0x0292cdac, int 0) line 1589 nsHTMLDocument::ContentRemoved(nsHTMLDocument * const 0x028ef3f0, nsIContent * 0x00000000, nsIContent * 0x0292cdac, int 0) line 1094 nsDocument::Reset(nsIChannel * 0x02941a90, nsILoadGroup * 0x028ee7f0) line 799 nsHTMLDocument::Reset(nsIChannel * 0x02941a90, nsILoadGroup * 0x028ee7f0) line 322 + 16 bytes nsHTMLDocument::OpenCommon(nsIURI * 0x02941a20) line 1691 + 32 bytes nsHTMLDocument::Open(nsHTMLDocument * const 0x028ef4d0, JSContext * 0x028edbb0, long * 0x01f0af90, unsigned int 0) line 1781 + 18 bytes NSHTMLDocumentOpen(JSContext * 0x028edbb0, JSObject * 0x01f0d408, unsigned int 0, long * 0x01f0af90, long * 0x0012d9e0) line 1115 + 24 bytes js_Invoke(JSContext * 0x028edbb0, unsigned int 0, unsigned int 0) line 672 + 26 bytes js_Interpret(JSContext * 0x028edbb0, long * 0x0012e258) line 2247 + 15 bytes js_Invoke(JSContext * 0x028edbb0, unsigned int 0, unsigned int 0) line 688 + 13 bytes js_Interpret(JSContext * 0x028edbb0, long * 0x0012ea8c) line 2247 + 15 bytes js_Invoke(JSContext * 0x028edbb0, unsigned int 0, unsigned int 0) line 688 + 13 bytes js_Interpret(JSContext * 0x028edbb0, long * 0x0012f2c0) line 2247 + 15 bytes js_Invoke(JSContext * 0x028edbb0, unsigned int 1, unsigned int 2) line 688 + 13 bytes js_InternalCall(JSContext * 0x028edbb0, JSObject * 0x01f0d478, long 32560264, unsigned int 1, long * 0x0012f440, long * 0x0012f3f8) line 765 + 15 bytes JS_CallFunction(JSContext * 0x028edbb0, JSObject * 0x01f0d478, JSFunction * 0x02424280, unsigned int 1, long * 0x0012f440, long * 0x0012f3f8) line 2653 + 32 bytes nsJSContext::CallFunction(nsJSContext * const 0x028edd20, void * 0x01f0d478, void * 0x02424280, unsigned int 1, void * 0x0012f440, int * 0x0012f43c) line 231 + 39 bytes nsJSEventListener::HandleEvent(nsIDOMEvent * 0x0292d970) line 103 + 48 bytes nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent * 0x0012f698, nsIDOMEvent * * 0x0012f6c4, unsigned int 2, nsEventStatus & nsEventStatus_eIgnore) line 971 + 21 bytes nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012f698, nsIDOMEvent * * 0x0012f6c4, unsigned int 2, nsEventStatus & nsEventStatus_eIgnore) line 794 nsHTMLSelectElement::HandleDOMEvent(nsHTMLSelectElement * const 0x02422fa0, nsIPresContext & {...}, nsEvent * 0x0012f698, nsIDOMEvent * * 0x0012f6c4, unsigned int 2, nsEventStatus & nsEventStatus_eIgnore) line 793 nsListControlFrame::SelectionChanged(nsIContent * 0x02422fa0) line 1780 + 45 bytes nsListControlFrame::UpdateSelection(nsListControlFrame * const 0x02932234, int 1, int 0, nsIContent * 0x02422fa0) line 1745 + 15 bytes nsComboboxControlFrame::UpdateSelection(nsComboboxControlFrame * const 0x02932344, int 1, int 0, int 1) line 996 nsComboboxControlFrame::ListWasSelected(nsComboboxControlFrame * const 0x02932344, nsIPresContext * 0x028edf10) line 974 nsListControlFrame::MouseUp(nsIDOMEvent * 0x0293ec40) line 2151 nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent * 0x0012fbcc, nsIDOMEvent * * 0x0012f8e4, unsigned int 2, nsEventStatus & nsEventStatus_eIgnore) line 578 + 17 bytes nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012fbcc, nsIDOMEvent * * 0x0012f8e4, unsigned int 2, nsEventStatus & nsEventStatus_eIgnore) line 794 nsHTMLSelectElement::HandleDOMEvent(nsHTMLSelectElement * const 0x02422fa0, nsIPresContext & {...}, nsEvent * 0x0012fbcc, nsIDOMEvent * * 0x0012f8e4, unsigned int 2, nsEventStatus & nsEventStatus_eIgnore) line 793 nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012fbcc, nsIDOMEvent * * 0x0012f8e4, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 796 + 39 bytes nsHTMLOptionElement::HandleDOMEvent(nsHTMLOptionElement * const 0x02930afc, nsIPresContext & {...}, nsEvent * 0x0012fbcc, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 429 PresShell::HandleEvent(PresShell * const 0x02414c94, nsIView * 0x02934560, nsGUIEvent * 0x0012fbcc, nsEventStatus & nsEventStatus_eIgnore) line 2164 + 39 bytes nsView::HandleEvent(nsView * const 0x02934560, nsGUIEvent * 0x0012fbcc, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 834 nsView::HandleEvent(nsView * const 0x02933440, nsGUIEvent * 0x0012fbcc, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819 nsView::HandleEvent(nsView * const 0x02933750, nsGUIEvent * 0x0012fbcc, unsigned int 28, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819 nsViewManager::DispatchEvent(nsViewManager * const 0x02415260, nsGUIEvent * 0x0012fbcc, nsEventStatus & nsEventStatus_eIgnore) line 1739 HandleEvent(nsGUIEvent * 0x0012fbcc) line 63 nsWindow::DispatchEvent(nsWindow * const 0x02933304, nsGUIEvent * 0x0012fbcc, nsEventStatus & nsEventStatus_eIgnore) line 401 + 10 bytes nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fbcc) line 422 nsWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 3394 + 21 bytes ChildWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 3612 nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 1900578, long * 0x0012fdf4) line 2626 + 24 bytes nsWindow::WindowProc(HWND__ * 0x01810406, unsigned int 514, unsigned int 0, long 1900578) line 579 + 27 bytes US II. Crash without setTimeout: nsListControlFrame::SelectionChanged(nsIContent * 0x02422fa0) line 1793 + 18 bytes nsListControlFrame::UpdateSelection(nsListControlFrame * const 0x02932234, int 1, int 0, nsIContent * 0x02422fa0) line 1745 + 15 bytes nsComboboxControlFrame::UpdateSelection(nsComboboxControlFrame * const 0x02932344, int 1, int 0, int 1) line 996 nsComboboxControlFrame::ListWasSelected(nsComboboxControlFrame * const 0x02932344, nsIPresContext * 0x028edf10) line 974 nsListControlFrame::MouseUp(nsIDOMEvent * 0x0293ec40) line 2151 nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent * 0x0012fbcc, nsIDOMEvent * * 0x0012f8e4, unsigned int 2, nsEventStatus & nsEventStatus_eIgnore) line 578 + 17 bytes nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012fbcc, nsIDOMEvent * * 0x0012f8e4, unsigned int 2, nsEventStatus & nsEventStatus_eIgnore) line 794 nsHTMLSelectElement::HandleDOMEvent(nsHTMLSelectElement * const 0x02422fa0, nsIPresContext & {...}, nsEvent * 0x0012fbcc, nsIDOMEvent * * 0x0012f8e4, unsigned int 2, nsEventStatus & nsEventStatus_eIgnore) line 793 nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012fbcc, nsIDOMEvent * * 0x0012f8e4, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 796 + 39 bytes nsHTMLOptionElement::HandleDOMEvent(nsHTMLOptionElement * const 0x02930afc, nsIPresContext & {...}, nsEvent * 0x0012fbcc, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 429 PresShell::HandleEvent(PresShell * const 0x02414c94, nsIView * 0x02934560, nsGUIEvent * 0x0012fbcc, nsEventStatus & nsEventStatus_eIgnore) line 2164 + 39 bytes nsView::HandleEvent(nsView * const 0x02934560, nsGUIEvent * 0x0012fbcc, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 834 nsView::HandleEvent(nsView * const 0x02933440, nsGUIEvent * 0x0012fbcc, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819 nsView::HandleEvent(nsView * const 0x02933750, nsGUIEvent * 0x0012fbcc, unsigned int 28, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819 nsViewManager::DispatchEvent(nsViewManager * const 0x02415260, nsGUIEvent * 0x0012fbcc, nsEventStatus & nsEventStatus_eIgnore) line 1739 HandleEvent(nsGUIEvent * 0x0012fbcc) line 63 nsWindow::DispatchEvent(nsWindow * const 0x02933304, nsGUIEvent * 0x0012fbcc, nsEventStatus & nsEventStatus_eIgnore) line 401 + 10 bytes nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fbcc) line 422 nsWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 3394 + 21 bytes ChildWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 3612 nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 1900578, long * 0x0012fdf4) line 2626 + 24 bytes nsWindow::WindowProc(HWND__ * 0x01810406, unsigned int 514, unsigned int 0, long 1900578) line 579 + 27 bytes USER32! 77e71268() III. Crash with setTimeout: nsGenericElement::GetParent(nsIContent * & 0x00000000) line 723 + 24 bytes nsHTMLSelectElement::GetParent(const nsHTMLSelectElement * const 0x0242b920, nsIContent * & 0x00000000) line 165 + 18 bytes nsCSSFrameConstructor::FindPrimaryFrameFor(nsCSSFrameConstructor * const 0x023c3bf0, nsIPresContext * 0x028cb0d0, nsIFrameManager * 0x023c4e40, nsIContent * 0x0242b920, nsIFrame * * 0x023c3668) line 8468 StyleSetImpl::FindPrimaryFrameFor(StyleSetImpl * const 0x023c3c90, nsIPresContext * 0x028cb0d0, nsIFrameManager * 0x023c4e40, nsIContent * 0x0242b920, nsIFrame * * 0x023c3668) line 1049 FrameManager::GetPrimaryFrameFor(FrameManager * const 0x023c4e40, nsIContent * 0x0242b920, nsIFrame * * 0x023c3668) line 412 PresShell::GetPrimaryFrameFor(const PresShell * const 0x023c3610, nsIContent * 0x0242b920, nsIFrame * * 0x023c3668) line 1965 + 32 bytes PresShell::HandleEvent(PresShell * const 0x023c3614, nsIView * 0x0243f390, nsGUIEvent * 0x0012fac8, nsEventStatus & nsEventStatus_eIgnore) line 2143 nsView::HandleEvent(nsView * const 0x0243f390, nsGUIEvent * 0x0012fac8, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 834 nsView::HandleEvent(nsView * const 0x0242c7f0, nsGUIEvent * 0x0012fac8, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819 nsView::HandleEvent(nsView * const 0x0242c880, nsGUIEvent * 0x0012fac8, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819 nsView::HandleEvent(nsView * const 0x023c3110, nsGUIEvent * 0x0012fac8, unsigned int 28, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819 nsViewManager::DispatchEvent(nsViewManager * const 0x023c1500, nsGUIEvent * 0x0012fac8, nsEventStatus & nsEventStatus_eIgnore) line 1739 HandleEvent(nsGUIEvent * 0x0012fac8) line 63 nsWindow::DispatchEvent(nsWindow * const 0x0242c6b4, nsGUIEvent * 0x0012fac8, nsEventStatus & nsEventStatus_eIgnore) line 401 + 10 bytes nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fac8) line 422 nsWindow::DispatchKeyEvent(unsigned int 132, unsigned short 116, unsigned int 116) line 2049 + 15 bytes nsWindow::OnKeyUp(unsigned int 116, unsigned int 63) line 2304 nsWindow::ProcessMessage(unsigned int 257, unsigned int 116, long -1069613055, long * 0x0012fdf4) line 2555 + 40 bytes nsWindow::WindowProc(HWND__ * 0x07b704ac, unsigned int 257, unsigned int 116, long -1069613055) line 579 + 27 bytes USER32! 77e71268()
Severity: critical → blocker
Summary: [DOGFOOD]EventStateManager crashes when document is changed during the processing of a DOM event → [DOGFOOD][BLOCKER]EventStateManager crashes when document is changed during the processing of a DOM event
Whiteboard: [PDT-]
Impt for beta, not for dogfood. Adding vidur per rickg.
Blocks: 17432
Blocks: 17907
Summary: [DOGFOOD][BLOCKER]EventStateManager crashes when document is changed during the processing of a DOM event → [CRASH][DOGFOOD][BLOCKER]EventStateManager crashes when document is changed during the processing of a DOM event
Marking [CRASH].
Moving crash bugs into M13.
Target Milestone: M13 → M14
Mass-moving excess bugs to M14
Adding "crash" keyword to all known open crasher bugs.
Keywords: crash
bug 15170 is marked fixed. does the wallet editor crash now?
Sorry, I should have updated this report long ago. The wallet editor has been completely rewritten and is no longer affected by this bug.
Putting dogfood in the keyword field.
Keywords: dogfood
Summary: [CRASH][DOGFOOD][BLOCKER]EventStateManager crashes when document is changed during the processing of a DOM event → [BLOCKER]EventStateManager crashes when document is changed during the processing of a DOM event
Summary: [BLOCKER]EventStateManager crashes when document is changed during the processing of a DOM event → EventStateManager crashes when document is changed during the processing of a DOM event
this is pdt- and I'm not going to get to it for M14. Moving.
Severity: blocker → major
Status: NEW → ASSIGNED
Target Milestone: M14 → M15
Mass-moving bugs out of M15 that I won't get to. Will refit individual milestones after moving them.
Target Milestone: M15 → M16
Added keyword nsbeta2.
Keywords: nsbeta2
Whiteboard: [PDT-]
Putting on [dogfood-] radar per last morse comment. But rickg, your thoughts on [nsbeta2+]?
Whiteboard: [NEED INFO][dogfood-]
I suggest that this needs to be fixed for beta2.
Putting on [nsbeta2+] radar.
Whiteboard: [NEED INFO][dogfood-] → [nsbeta2+][dogfood-]
Severity: major → critical
Okay, through the benefit of some changed I made a couple of weeks ago this was a cakewalk to fix now. Fixed.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
With the May 22 build, I don't get a crash when changing menu item in sample html. Marking verified fixed.
Status: RESOLVED → VERIFIED
No longer blocks: 17432
No longer blocks: 17907
You need to log in before you can comment on or make changes to this bug.