Closed Bug 108704 Opened 23 years ago Closed 23 years ago

Mozilla crashes when form is moved by JavaScript M096 & Trunk [@ nsGenericHTMLElement::GetPrimaryFrame]

Categories

(Core :: Layout: Form Controls, defect)

defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 114220
mozilla0.9.8

People

(Reporter: nine, Assigned: kinmoz)

Details

(Keywords: crash, qawanted, topcrash)

Attachments

(1 file)

If you go to http://www.detonation.org/mozilla-crash-testcase.html and hit the "quickpost" link, Mozilla crashes. This happens on builds 2001110503 and 2001110603 for me. #mozillazine reported that it works on 2001100303. The testcase is a form consisting of at least two <input> inside a form. It is initially at position -300 -300 and should be moved to inside the screen when hitting the link. However, if you remove one of the two <input> the crash goes away and everything works fine. The same happens when you remove the value attribute of the first input, but then both fields are initialized with the value of the second one. Talkback of crash: TB37641687G
Attached file: Testcase from URL (deleted)
Keywords: crash
Confirming with win2k build 20011106.

Stack Trace:
CallQueryInterface(nsIFrame * 0x047dfa84, nsIFormControlFrame * * 0x0012ca84) line 270 + 19 bytes
nsGenericHTMLElement::GetPrimaryFrame(nsIHTMLContent * 0x03dea050, nsIFormControlFrame * & 0x00000000, int 0, int 0) line 3143 + 13 bytes
nsHTMLInputElement::SetValueSecure(nsHTMLInputElement * const 0x03dea050, const nsAString & {...}, int 1) line 520 + 17 bytes
nsHTMLInputElement::SetValue(nsHTMLInputElement * const 0x03dea07c, const nsAString & {...}) line 484
nsHTMLInputElement::RestoreState(nsHTMLInputElement * const 0x03dea074, nsIPresContext * 0x03b04848, nsIPresState * 0x03d732e0) line 2011
nsFormControlHelper::RestoreContentState(nsIFrame * 0x047e024c, nsIPresContext * 0x03b04848, nsIPresState * 0x03d732e0) line 1077
nsGfxTextControlFrame2::RestoreState(nsGfxTextControlFrame2 * const 0x047e02d8, nsIPresContext * 0x03b04848, nsIPresState * 0x03d732e0) line 3511 + 23 bytes
FrameManager::RestoreFrameStateFor(FrameManager * const 0x03e7db70, nsIPresContext * 0x03b04848, nsIFrame * 0x047e024c, nsILayoutHistoryState * 0x03ea5cd0, nsIStatefulFrame::SpecialStateID eNoID) line 2218 + 25 bytes
FrameManager::RestoreFrameState(FrameManager * const 0x03e7db70, nsIPresContext * 0x03b04848, nsIFrame * 0x047e024c, nsILayoutHistoryState * 0x03ea5cd0) line 2232 + 29 bytes
nsCSSFrameConstructor::InitAndRestoreFrame(nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 0x03dea050, nsIFrame * 0x047df828, nsIStyleContext * 0x047e0218, nsIFrame * 0x00000000, nsIFrame * 0x047e024c) line 6517
nsCSSFrameConstructor::ConstructFrameByTag(nsIPresShell * 0x03df3520, nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 0x03dea050, nsIFrame * 0x047df828, nsIAtom * 0x00f8b700, int 3, nsIStyleContext * 0x047e0218, nsFrameItems & {...}) line 4745
nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell * 0x03df3520, nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 0x03dea050, nsIFrame * 0x047df828, nsIAtom * 0x00f8b700, int 3, nsIStyleContext * 0x047e0218, nsFrameItems & {...}, int 0) line 7031 + 49 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x03df3520, nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 0x03dea050, nsIFrame * 0x047df828, nsFrameItems & {...}) line 6945 + 56 bytes
nsCSSFrameConstructor::ProcessChildren(nsIPresShell * 0x03df3520, nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 0x03dd9980, nsIFrame * 0x047df828, int 1, nsFrameItems & {...}, int 0, nsTableCreator * 0x00000000) line 11572 + 66 bytes
nsCSSFrameConstructor::ConstructFrameByTag(nsIPresShell * 0x03df3520, nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 0x03dd9980, nsIFrame * 0x047df600, nsIAtom * 0x00f8ce28, int 3, nsIStyleContext * 0x047df790, nsFrameItems & {...}) line 4779 + 41 bytes
nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell * 0x03df3520, nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 0x03dd9980, nsIFrame * 0x047df600, nsIAtom * 0x00f8ce28, int 3, nsIStyleContext * 0x047df790, nsFrameItems & {...}, int 0) line 7031 + 49 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x03df3520, nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 0x03dd9980, nsIFrame * 0x047df600, nsFrameItems & {...}) line 6945 + 56 bytes
nsCSSFrameConstructor::ProcessChildren(nsIPresShell * 0x03df3520, nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 0x03adcf20, nsIFrame * 0x047df600, int 1, nsFrameItems & {...}, int 1, nsTableCreator * 0x00000000) line 11572 + 66 bytes
nsCSSFrameConstructor::ConstructFrameByDisplayType(nsIPresShell * 0x03df3520, nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, const nsStyleDisplay * 0x047df524, nsIContent * 0x03adcf20, nsIFrame * 0x047dda0c, nsIStyleContext * 0x047df4f0, nsFrameItems & {...}) line 6130
nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell * 0x03df3520, nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 0x03adcf20, nsIFrame * 0x047dda0c, nsIAtom * 0x00f8c7c8, int 3, nsIStyleContext * 0x047df4f0, nsFrameItems & {...}, int 0) line 7074 + 45 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x03df3520, nsIPresContext * 0x03b04848, nsFrameConstructorState & {...}, nsIContent * 0x03adcf20, nsIFrame * 0x047dda0c, nsFrameItems & {...}) line 6945 + 56 bytes
nsCSSFrameConstructor::ContentInserted(nsCSSFrameConstructor * const 0x03c19850, nsIPresContext * 0x03b04848, nsIContent * 0x03b58de0, nsIContent * 0x03adcf20, int 5, nsILayoutHistoryState * 0x03ea5cd0) line 8679
nsCSSFrameConstructor::RecreateFramesForContent(nsIPresContext * 0x03b04848, nsIContent * 0x03adcf20, int 1, nsIStyleRule * 0x03dd990c, nsIStyleContext * 0x047df4f0) line 11430 + 45 bytes
nsCSSFrameConstructor::AttributeChanged(nsCSSFrameConstructor * const 0x03c19850, nsIPresContext * 0x03b04848, nsIContent * 0x03adcf20, int 0, nsIAtom * 0x00f8f988, int 1, int 6) line 10057 + 38 bytes
StyleSetImpl::AttributeChanged(StyleSetImpl * const 0x03c052f0, nsIPresContext * 0x03b04848, nsIContent * 0x03adcf20, int 0, nsIAtom * 0x00f8f988, int 1, int 6) line 1456
PresShell::AttributeChanged(PresShell * const 0x03df3528, nsIDocument * 0x03dee058, nsIContent * 0x03adcf20, int 0, nsIAtom * 0x00f8f988, int 1, int 6) line 5094 + 61 bytes
nsDocument::AttributeChanged(nsDocument * const 0x03dee058, nsIContent * 0x03adcf20, int 0, nsIAtom * 0x00f8f988, int 1, int 6) line 1785 + 36 bytes
nsHTMLDocument::AttributeChanged(nsHTMLDocument * const 0x03dee058, nsIContent * 0x03adcf20, int 0, nsIAtom * 0x00f8f988, int 1, int 6) line 1252
nsDOMCSSAttributeDeclaration::RemoveProperty(nsDOMCSSAttributeDeclaration * const 0x03ae7550, const nsAString & {...}, nsAString & {...}) line 219
CallSetProperty(nsDOMCSSDeclaration * 0x03ae7550, const nsAString & {...}, const nsAString & {...}) line 225 + 23 bytes
nsDOMCSSDeclaration::SetTop(nsDOMCSSDeclaration * const 0x03ae7554, const nsAString & {...}) line 357 + 39 bytes
XPTC_InvokeByIndex(nsISupports * 0x03ae7554, unsigned int 226, unsigned int 1, nsXPTCVariant * 0x0012e218) line 154
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_SETTER) line 2009 + 42 bytes
XPCWrappedNative::SetAttribute(XPCCallContext & {...}) line 1828 + 14 bytes
XPC_WN_GetterSetter(JSContext * 0x0378aaa0, JSObject * 0x03b87288, unsigned int 1, long * 0x03d83878, long * 0x0012e500) line 1290 + 12 bytes
js_Invoke(JSContext * 0x0378aaa0, unsigned int 1, unsigned int 2) line 832 + 23 bytes
js_InternalInvoke(JSContext * 0x0378aaa0, JSObject * 0x03b87288, long 62419664, unsigned int 0, unsigned int 1, long * 0x0012f32c, long * 0x0012f32c) line 924 + 20 bytes
js_SetProperty(JSContext * 0x0378aaa0, JSObject * 0x03b87288, long 15826824, long * 0x0012f32c) line 2590 + 47 bytes
js_Interpret(JSContext * 0x0378aaa0, long * 0x0012f54c) line 2634 + 1939 bytes
js_Execute(JSContext * 0x0378aaa0, JSObject * 0x03ac78e8, JSScript * 0x03df6c58, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012f54c) line 1012 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x0378aaa0, JSObject * 0x03ac78e8, JSPrincipals * 0x03df13d8, const unsigned short * 0x0012f688, unsigned int 16, const char * 0x00000000, unsigned int 0, long * 0x0012f54c) line 3368 + 25 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x03adab90, const nsAString & {...}, void * 0x03ac78e8, nsIPrincipal * 0x03df13d4, const char * 0x00000000, unsigned int 0, const char * 0x00000000, nsAString & {...}, int * 0x0012f74c) line 653 + 85 bytes
nsJSThunk::EvaluateScript() line 260 + 64 bytes
nsJSChannel::AsyncOpen(nsJSChannel * const 0x03e3f8e0, nsIStreamListener * 0x03e3e538, nsISupports * 0x00000000) line 576 + 11 bytes
nsDocumentOpenInfo::Open(nsIChannel * 0x03e3f8e0, int 1, nsISupports * 0x03ab4358) line 198 + 18 bytes
nsURILoader::OpenURIVia(nsURILoader * const 0x00fbd180, nsIChannel * 0x03e3f8e0, int 1, nsISupports * 0x03ab4358, unsigned int 0) line 548 + 20 bytes
nsURILoader::OpenURI(nsURILoader * const 0x00fbd180, nsIChannel * 0x03e3f8e0, int 1, nsISupports * 0x03ab4358) line 510
nsDocShell::DoChannelLoad(nsIChannel * 0x03e3f8e0, nsIURILoader * 0x00fbd180) line 4455 + 39 bytes
nsDocShell::DoURILoad(nsIURI * 0x03e87e20, nsIURI * 0x047c4200, nsISupports * 0x03df13c8, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000) line 4239 + 38 bytes
nsDocShell::InternalLoad(nsDocShell * const 0x03ab4358, nsIURI * 0x03e87e20, nsIURI * 0x047c4200, nsISupports * 0x00000000, int 1, const unsigned short * 0x0012fc10, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000, unsigned int 2097153, nsISHEntry * 0x00000000) line 4054 + 39 bytes
nsWebShell::HandleLinkClickEvent(nsIContent * 0x03b5b490, nsLinkVerb eLinkVerb_Replace, const unsigned short * 0x03e0d210, const unsigned short * 0x100d1150 gCommonEmptyBuffer, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000) line 807 + 80 bytes
OnLinkClickEvent::HandleEvent() line 655
HandlePLEvent(OnLinkClickEvent * 0x03adc9e8) line 669
PL_HandleEvent(PLEvent * 0x03adc9e8) line 590 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00e59428) line 520 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x002203c8, unsigned int 49380, unsigned int 0, long 15045672) line 1071 + 9 bytes
USER32! 77e02e98()
USER32! 77e030e0()
USER32! 77e05824()
nsAppShellService::Run(nsAppShellService * const 0x00e56f10) line 303
main1(int 2, char * * 0x003526f0, nsISupports * 0x00000000) line 1304 + 32 bytes
main(int 2, char * * 0x003526f0) line 1630 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e87d08()
Status: UNCONFIRMED → NEW
Ever confirmed: true
jkeiser, is this yours? CallQueryInterface is not null-safe... I see this on Linux too.
OS: Windows 98 → All
Hardware: PC → All
Yeah, I think that's me. Didn't know it wasn't null-safe. I'll go through the code I changed and see if anything else does that. Thanks!
Assignee: rods → jkeiser
Hmm. Much like the Transformers, there's more than meets the eye here. This is not a null problem at all. The strange thing is, aSource looks like this when I print it in GDB:

  $2 = {<nsISupports> = {_vptr.nsISupports = 0x0}, mRect = {x = 0, y = 0, width = 1406, height = 380} , mContent = 0x0, mStyleContext = 0x0, mParent = 0x86fcd40, mNextSibling = 0x86dee90, mState = 2160345124}

Since CallQueryInterface() is doing aSource->QueryInterface(), I am thinking the problem lies in the fact that the nsISupports vptr is null! I am not sure how to interpret this. Could this mean the frame was deleted and someone hung on to it? The mParent and mNextSibling pointers seem to be valid (I can follow them and they have vptrs and all that). Given that this worked on the 3rd, I am unsure whether this was caused by my checkin(s). CC'ing people who might have an idea (or at least have an idea who would have an idea).
Looks like nsIPresShell::GetPrimaryFrameFor() is handing back a pointer to a deleted frame, we've seen that before, and I think there are open bugs on it already. Typically if a vptr is bad (null or garbage) it means the underlying object has been deleted. And since frames (nsIFrame's) aren't refcounted it's kinda hard to say where this problem comes from. John, did you change the destructor or any ::Destroy() methods? IIRC that's where we make sure frames that are destroyed are removed from the nsIContent->nsIFrame maps.
OK, for now I am thinking the problem just looks like it's 34297 breakage because of where it shows up, but the real problem is when it's getting deleted. My changes haven't messed with that stuff (only added to Destroy() and ~, not deleted). I've heard there have been bug reports like this in the preceding months too. To rods with love.
Assignee: jkeiser → rods
This is probably what I'm getting as well. This game, which plays fine in ie or ns, crashes mz when opened. http://www6.ewebcity.com/nakedchaos/keyboarder.html
I am going to send this over to kin. Here is what I know by setting breakpoints in the constructor and destructor of GfxText. When they get removed and destroyed, in nsFrame::Destroy the ClearFrameRefs is NOT being called for either of the GfxText frames.

  if ((mState & NS_FRAME_EXTERNAL_REFERENCE) || (mState & NS_FRAME_SELECTED_CONTENT)) {
    if (shell) {
      shell->ClearFrameRefs(this);
    }
  }

What is strange is that it doesn't crash until after the GfxText is created the second time (when it is being moved). It also doesn't crash with one text control and some other form control. It seems that it takes two text controls to crash.
Assignee: rods → kin
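An added example, not code from this bug or from Mozilla: a small C++ model of the failure mode the comments above describe, where a frame destroyed without the flag that gates ClearFrameRefs stays in the content-to-frame map and a lookup made while the replacement frame is still being built returns the dead one. ShellModel, FrameSlot, Lookup and LookupDuringRebuild are hypothetical names, and integer frame ids stand in for raw nsIFrame pointers so the stale lookup can be observed without undefined behaviour.

```cpp
#include <cstdint>
#include <cstdio>
#include <unordered_map>
#include <vector>

// Stand-in for NS_FRAME_EXTERNAL_REFERENCE from the quoted snippet (value is an assumption).
constexpr uint32_t kExternalReference = 1u << 0;

using ContentId = int;
using FrameId = int;  // index into the arena; models a raw frame pointer
constexpr FrameId kNoFrame = -1;

struct FrameSlot {
    bool alive;        // false once the frame has been destroyed
    uint32_t state;    // models mState
    ContentId content;
};

class ShellModel {
public:
    // alwaysUnmap=false models the conditional cleanup quoted in the thread;
    // alwaysUnmap=true is a hardened variant that unmaps on every destroy.
    explicit ShellModel(bool alwaysUnmap) : alwaysUnmap_(alwaysUnmap) {}

    // Allocate a frame; it is not published in the map until SetPrimaryFrameFor.
    FrameId NewFrame(ContentId c, uint32_t state) {
        arena_.push_back(FrameSlot{true, state, c});
        return static_cast<FrameId>(arena_.size()) - 1;
    }

    void SetPrimaryFrameFor(ContentId c, FrameId f) { primary_[c] = f; }

    // Drop every map entry that still points at frame f.
    void ClearFrameRefs(FrameId f) {
        for (auto it = primary_.begin(); it != primary_.end();) {
            if (it->second == f) it = primary_.erase(it);
            else ++it;
        }
    }

    void DestroyFrame(FrameId f) {
        if (alwaysUnmap_ || (arena_[f].state & kExternalReference)) {
            ClearFrameRefs(f);
        }
        arena_[f].alive = false;  // the memory is gone from here on
    }

    FrameId GetPrimaryFrameFor(ContentId c) const {
        auto it = primary_.find(c);
        return it == primary_.end() ? kNoFrame : it->second;
    }

    bool IsAlive(FrameId f) const {
        return f >= 0 && f < static_cast<FrameId>(arena_.size()) && arena_[f].alive;
    }

private:
    bool alwaysUnmap_;
    std::vector<FrameSlot> arena_;
    std::unordered_map<ContentId, FrameId> primary_;
};

enum class Lookup { None, Live, Stale };

// Classify what a caller of GetPrimaryFrameFor would be handed.
Lookup Classify(const ShellModel& shell, ContentId c) {
    FrameId f = shell.GetPrimaryFrameFor(c);
    if (f == kNoFrame) return Lookup::None;
    return shell.IsAlive(f) ? Lookup::Live : Lookup::Stale;
}

// Constructed scenario: a style change tears down the input's frame, a new
// frame is allocated, and state restore looks up the primary frame before the
// new frame has been registered (an assumption of this model).
Lookup LookupDuringRebuild(bool alwaysUnmap, uint32_t oldFrameState) {
    ShellModel shell(alwaysUnmap);
    const ContentId input = 1;
    FrameId old = shell.NewFrame(input, oldFrameState);
    shell.SetPrimaryFrameFor(input, old);
    shell.DestroyFrame(old);
    FrameId fresh = shell.NewFrame(input, 0);
    (void)fresh;  // deliberately not mapped yet
    return Classify(shell, input);
}

int main() {
    std::printf("conditional unmap, flag clear: %d\n",
                static_cast<int>(LookupDuringRebuild(false, 0)));
    std::printf("conditional unmap, flag set:   %d\n",
                static_cast<int>(LookupDuringRebuild(false, kExternalReference)));
    std::printf("unconditional unmap:           %d\n",
                static_cast<int>(LookupDuringRebuild(true, 0)));
    return 0;
}
```

With raw pointers the Stale case is a read through freed memory, which is what the null vptr in the GDB output above suggests; in the model the caller can treat None as "no frame yet" and return early.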
This is what I said in the first comment. Repeat: if you remove the value attribute of the first textfield the crash does not happen but both fields are initialized with the value of the second field.
I'm seeing a similar crash with recent MozillaTrunk builds and Mozilla 0.9.6. Adding topcrash keyword and M096 & Trunk [@ nsGenericHTMLElement::GetPrimaryFrame] to summary. Here is the latest info from MozillaTrunk Talkback data:

nsGenericHTMLElement::GetPrimaryFrame 13
BBID range: 38486432 - 38805101
Min/Max Seconds since last crash: 605 - 79756
Min/Max Runtime: 605 - 347005
Crash data range: 2001-11-25 to 2001-12-02
Build ID range: 2001112210 to 2001120211
Keyword List :

Stack Trace:
nsGenericHTMLElement::GetPrimaryFrame [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp line 2799]
nsHTMLInputElement::SetValueSecure [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp line 521]
nsHTMLInputElement::SetValue [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp line 476]
nsHTMLInputElement::RestoreState [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp line 2033]
nsFormControlHelper::RestoreContentState [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsFormControlHelper.cpp line 1080]
nsGfxTextControlFrame2::RestoreState [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxTextControlFrame2.cpp line 3527]
FrameManager::RestoreFrameStateFor [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp line 2220]
FrameManager::RestoreFrameState [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp line 2236]
nsCSSFrameConstructor::InitAndRestoreFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 6480]
nsCSSFrameConstructor::ConstructFrameByTag [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 4722]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 7001]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 6911]
nsCSSFrameConstructor::ProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 11678]
nsCSSFrameConstructor::ConstructXULFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 5602]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 7005]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 6911]
nsCSSFrameConstructor::ProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 11678]
nsCSSFrameConstructor::ConstructXULFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 5602]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 7005]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 6911]
nsCSSFrameConstructor::ProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 11678]
nsCSSFrameConstructor::ConstructXULFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 5602]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 7005]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 6972]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 6911]
nsCSSFrameConstructor::ProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 11678]
nsCSSFrameConstructor::ConstructXULFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 5602]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 7005]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 6911]
nsCSSFrameConstructor::ProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 11678]
nsCSSFrameConstructor::ConstructXULFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 5602]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 7005]
nsCSSFrameConstructor::CreateTreeWidgetContent [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 12705]
nsXULTreeGroupFrame::GetFirstTreeBox [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsXULTreeGroupFrame.cpp line 326]
nsTreeLayout::LazyRowCreator [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsTreeLayout.cpp line 362]
nsTreeLayout::LazyRowCreator [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsTreeLayout.cpp line 373]
nsXULTreeOuterGroupFrame::ReflowFinished [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsXULTreeOuterGroupFrame.cpp line 1351]
PresShell::HandlePostedReflowCallbacks [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 4947]
PresShell::ProcessReflowCommands [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 6185]
PresShell::FlushPendingNotifications [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 5041]
nsXULTreeOuterGroupFrame::InternalPositionChanged [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsXULTreeOuterGroupFrame.cpp line 809]
nsXULTreeOuterGroupFrame::PositionChanged [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsXULTreeOuterGroupFrame.cpp line 669]
nsSliderFrame::SetCurrentPosition [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsSliderFrame.cpp line 816]
nsSliderFrame::HandleEvent [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsSliderFrame.cpp line 596]
PresShell::HandleEventInternal [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 5871]
PresShell::HandleEvent [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 5779]
nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp line 385]
nsViewManager::DispatchEvent [d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp line 1914]
HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp line 83]
nsWindow::DispatchEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 849]
nsWindow::DispatchWindowEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 866]
nsWindow::DispatchMouseEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 4424]
ChildWindow::DispatchMouseEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 4674]
nsWindow::ProcessMessage [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 3390]
nsWindow::WindowProc [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 1114]
USER32.DLL + 0x2e98 (0x77e12e98)
USER32.DLL + 0x30e0 (0x77e130e0)
USER32.DLL + 0x5824 (0x77e15824)
nsAppShellService::Run [d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp line 303]
main1 [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1285]
main [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1602]
WinMain [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1620]
WinMainCRTStartup()
KERNEL32.DLL + 0x17d08 (0x77e97d08)

Source File : http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/html/content/src/nsGenericHTMLElement.cpp line : 2799
(38805101) Comments: creating an address list
(38673103) Comments: working with addressing fields of mail/news composition. I've always experienced random instability with this Mozilla component. I sense it's with LDAP auto-complete.
(38660341) URL: http://www.detonation.org/cgi-bin/onit/forumclient.cgi?FORUMID=10&FID=56981#NEW
(38617494) Comments: Composed a message in HTML format (with images) added several recipients started to change some of the recipients from "To:" to "Cc:"
(38578773) URL: http://www.detonation.org/cgi-bin/onit/forumclient.cgi?FORUMID=10&FID=56981#NEW
(38578773) Comments: http://bugzilla.mozilla.org/show_bug.cgi?id=108704
(38566916) URL: http://www.detonation.org/cgi-bin/onit/forumclient.cgi?FORUMID=10&FID=56981#NEW
(38554498) Comments: send a big email with attached file while writing another email
(38522292) Comments: aaargghhhh!!!
(38487518) Comments: Scrolling the recipient list in a message composition window... THIS HAS HAPPENED REPEATEDLY

Here's the comments from M096 data as well:

Source File : http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/html/content/src/nsGenericHTMLElement.cpp line : 2804
(38777884) Comments: I was editing message filtering rule.
(38773860) Comments: I was adding receipients to an email message
(38716872) Comments: cutting an email address from web page and about to paste into the email client
(38638817) Comments: Failed to create a mail filter
(38627709) Comments: composing an email - specifically using my mouse wheel to scroll up on the list of email recepiants for review after keying them in (To: and Cc: area)
(38610598) Comments: composing email (addressing)
(38598472) Comments: trying to add more than one rule to a single message filter
(38598435) Comments: attempting to add more than one rule to a message filter
(38583779) Comments: clicked on the more button to add to a filter
(38582138) Comments: composing an email...
(38578365) Comments: Adding a new rule (first and only rule) to the mail client's message filter.
(38569467) Comments: Composing an email. At particular time of failure I was scrolling through list of people that I planned sending the message to. I had 5 addresses in my distribution list.
(38561245) Comments: auto completion of e-mail addresses. Addresses were both LDAPand local address book
(38556409) Comments: send EMAIL!
(38554808) Comments: Adding e-mail addresses to a mail. One e-mail address was suddenly not display (the field was blank) and when I clicked on that field Mozilla crashed.
(38543270) Comments: I was scrolling in the address list of a mail message I was composing.
(38530056) URL: http://www.centrobank.com
(38530056) Comments: dhtml
(38508026) Comments: mailnews. sending a message to several recipients. Got an error message (dialog box) for one of them saying the recipients mailbox quota had been exceeded (recipient on same ISP). Dismissed the dialog and then clicked on message window and got a crash.
(38501039) Comments: Changing and adding email recipients
(38498541) Comments: clicking in mailfilters and an then twice the up arrow in the criteriaselector
(38488089) URL: www.overture.com
(38474459) Comments: Entering a Filter-Rule in the Mail-Client
(38462627) Comments: Creating a list in the address book. It was a long list. I was dragging and dropping the addresses. When I clicked OK it died.
(38405871) Comments: I was generating an email-filter rule. after pressing the more button I tried to scroll down -> mozilla died [:(]
(38367039) Comments: Scrolling down the recipients list in a message compose window. Almost reproducible. Cannot find the exact way to reproduce it.
(38365867) Comments: I renamed a mail folder (freshmeat to osdn) then warning occured that correspondent filter will be updated then afterwards I wanted to edit the filter renamed it and wanted to add another criteria (MORE) then strange date has been displayed as
(38365867) Comments: subject then in 1 sec crash
Keywords: topcrash
Summary: Mozilla crashes when form is moved by JavaScript → Mozilla crashes when form is moved by JavaScript M096 & Trunk [@ nsGenericHTMLElement::GetPrimaryFrame]
*** Bug 114329 has been marked as a duplicate of this bug. ***
*** Bug 114403 has been marked as a duplicate of this bug. ***
Here's a recent incident on the MozillaTrunk if it helps:

Incident ID 272145
Stack Signature nsGenericHTMLElement::GetPrimaryFrame ed8e0c95
Trigger Time 2001-12-10 01:44:37
Email Address
URL visited
User Comments
Build ID 2001120509
Product ID MozillaTrunk
Platform Operating System Win32
Module Trigger Reason Access violation

Stack Trace
nsGenericHTMLElement::GetPrimaryFrame [d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp, line 2794]
nsHTMLInputElement::SetValueSecure [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp, line 521]
nsHTMLInputElement::SetValue [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp, line 476]
nsHTMLInputElement::RestoreState [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp, line 2037]
nsFormControlHelper::RestoreContentState [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsFormControlHelper.cpp, line 1080]
nsGfxTextControlFrame2::RestoreState [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxTextControlFrame2.cpp, line 3527]
FrameManager::RestoreFrameStateFor [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2220]
FrameManager::RestoreFrameState [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 2236]
nsCSSFrameConstructor::InitAndRestoreFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 6514]
nsCSSFrameConstructor::ConstructFrameByTag [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 4723]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7035]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 6945]
nsCSSFrameConstructor::ProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 11729]
nsCSSFrameConstructor::ConstructXULFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 5618]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7039]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 6945]
nsCSSFrameConstructor::ProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 11729]
nsCSSFrameConstructor::ConstructXULFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 5618]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7039]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 6945]
nsCSSFrameConstructor::ProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 11729]
nsCSSFrameConstructor::ConstructXULFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 5618]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7039]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7006]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 6945]
nsCSSFrameConstructor::ProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 11729]
nsCSSFrameConstructor::ConstructXULFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 5618]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7039]
nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 6945]
nsCSSFrameConstructor::ProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 11729]
nsCSSFrameConstructor::ConstructXULFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 5618]
nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7039]
nsCSSFrameConstructor::CreateTreeWidgetContent [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 12756]
nsXULTreeGroupFrame::GetFirstTreeBox [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsXULTreeGroupFrame.cpp, line 326]
nsTreeLayout::LazyRowCreator [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsTreeLayout.cpp, line 362]
nsTreeLayout::LazyRowCreator [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsTreeLayout.cpp, line 373]
nsXULTreeOuterGroupFrame::ReflowFinished [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsXULTreeOuterGroupFrame.cpp, line 1351]
PresShell::HandlePostedReflowCallbacks [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 4947]
PresShell::ProcessReflowCommands [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 6185]
PresShell::FlushPendingNotifications [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5041]
nsXULTreeOuterGroupFrame::InternalPositionChanged [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsXULTreeOuterGroupFrame.cpp, line 809]
nsXULTreeOuterGroupFrame::PositionChanged [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsXULTreeOuterGroupFrame.cpp, line 669]
nsSliderFrame::SetCurrentPosition [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsSliderFrame.cpp, line 816]
nsSliderFrame::HandleEvent [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsSliderFrame.cpp, line 596]
PresShell::HandleEventInternal [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5871]
PresShell::HandleEvent [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5779]
nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 387]
nsViewManager::DispatchEvent [d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp, line 1914]
HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 83]
nsWindow::DispatchEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 849]
nsWindow::DispatchWindowEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 866]
nsWindow::DispatchMouseEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 4424]
ChildWindow::DispatchMouseEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 4674]
nsWindow::ProcessMessage [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 3390]
nsWindow::WindowProc [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 1114]
KERNEL32.DLL + 0x363b (0xbff7363b)
KERNEL32.DLL + 0x245af (0xbff945af)
0x00688bfe

This continues to be topcrasher for M096 and there are a few incidents with recent MozillaTrunk builds as well. Adding qawanted to see if we can reproduce with any builds after 12/5 (which is the last build Talkback currently shows this crashing with). This bug is also missing a target milestone...
Keywords: qawanted
I believe this was fixed by dbaron a week ago or so, can someone still reproduce this?
madhur: see if you can reproduce this with any build after 12/5. if not, we can mark this fixed according to jst's comment #15. i'm not sure if i'm allowed to change the target milestone or not...but since this was just fixed recently, i'm going to make it mozilla0.9.7.
Target Milestone: --- → mozilla0.9.7
Even if this isn't fixed yet, it most likely won't be fixed for mozilla0.9.7, moving to mozilla0.9.8 to avoid having this hold mozilla0.9.7 from being released.
Target Milestone: mozilla0.9.7 → mozilla0.9.8
From the testcase it seems like this bug is fixed. Does not crash anymore when hitting "Quickpost". This is on a 2001121306 Linux.
The bug jst mentioned in comment 15 was bug 114220, fixed in 2001-12-11 builds or later.
WFM on
win2k build : 2001-12-17-06trunk
redhatlinux 7.1 build : 2001-20-01-08trunk
macos9.1 build : 2001-20-01-06trunk
I do not get any crash. We can go ahead and mark this fixed.
ok
*** This bug has been marked as a duplicate of 114220 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ nsGenericHTMLElement::GetPrimaryFrame]