Closed Bug 17362 Opened 25 years ago Closed 25 years ago

SIGSEGV in viewer while processing a form.

Categories

(Core Graveyard :: Viewer App, defect, P3)

x86
Linux
defect

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 17431

People

(Reporter: dejong, Assigned: pollmann)

Details

I was running viewer on a RedHat 5.2 (Intel) Linux system. I built from the CVS on Wed Oct 27. I then went to the bugzilla query page and typed my email address into the Reporter entry box. Finally, I pressed the button to submit the query. After doing that, viewer crashed at the following place.

layout/html/forms/src/nsFormFrame.cpp : line 741
nsFormFrame::ProcessAsURLEncoded

736       encoder = nsnull;
737
738     // collect and encode the data from the children controls
739     for (PRUint32 childX = 0; childX < numChildren; childX++) {
740       nsIFormControlFrame* child = (nsIFormControlFrame*) mFormControls.ElementAt(childX);
741       if (child && child->IsSuccessful(aFrame)) {
742         PRInt32 numValues = 0;
743         PRInt32 maxNumValues = child->GetMaxNumValues();
744         if (0 >= maxNumValues) {
745           continue;

(gdb) print child
$1 = (nsIFormControlFrame *) 0x8351138
(gdb) print aFrame
$2 = (nsIFormControlFrame *) 0x84e14b8
(gdb) call child->IsSuccessful(aFrame)
Cannot access memory at address 0x2c.

The problem seems to be in the inlined method.

From nsListControlFrame.cpp : crash on line 1287.

1283    PRBool
1284    nsListControlFrame::IsSuccessful(nsIFormControlFrame* aSubmitter)
1285    {
1286      nsAutoString name;
1287      return (NS_CONTENT_ATTR_HAS_VALUE == GetName(&name));  <--- CRASH
1288    }

It is crashing inside GetName().

From nsListControlFrame.cpp : crash on line 1359.

1354    nsListControlFrame::GetName(nsString* aResult)
1355    {
1356      nsresult result = NS_FORM_NOTOK;
1357      if (mContent) {
1358        nsIHTMLContent* formControl = nsnull;
1359        result = mContent->QueryInterface(nsCOMTypeInfo<nsIHTMLContent>::GetIID(),(void**)&formControl);
1360        if (NS_SUCCEEDED(result) && formControl) {
1361          nsHTMLValue value;
1362          result = formControl->GetHTMLAttribute(nsHTMLAtoms::name, value);
1363          if (NS_CONTENT_ATTR_HAS_VALUE == result) {
1364            if (eHTMLUnit_String == value.GetUnit()) {
1365              value.GetStringValue(*aResult);
1366            }
1367          }
1368          NS_RELEASE(formControl);
1369        }
1370      }
1371      return result;
1372    }

Here is the stack trace:

#0  0x40e446e8 in nsFormFrame::ProcessAsURLEncoded (this=0x81f6840, aFormProcessor=0x80b0d50, isPost=0, aData=@0xbfffecb0, aFrame=0x84e14b8) at ../../../../../layout/html/forms/src/nsFormFrame.cpp:741
#1  0x40e435d5 in nsFormFrame::OnSubmit (this=0x81f6840, aPresContext=0x8462f90, aFrame=0x84e1480) at ../../../../../layout/html/forms/src/nsFormFrame.cpp:505
#2  0x40e55afd in nsHTMLButtonControlFrame::MouseClicked (this=0x84e1480, aPresContext=0x8462f90) at ../../../../../layout/html/forms/src/nsHTMLButtonControlFrame.cpp:290
#3  0x40e4864e in nsGfxButtonControlFrame::HandleEvent (this=0x84e1480, aPresContext=@0x8462f90, aEvent=0xbfffed90, aEventStatus=@0xbffff1d8) at ../../../../../layout/html/forms/src/nsGfxButtonControlFrame.cpp:219
#4  0x40d27cbe in nsEventStateManager::CheckForAndDispatchClick (this=0x8212578, aPresContext=@0x8462f90, aEvent=0xbffff2c8, aStatus=@0xbffff1d8) at ../../../../layout/events/src/nsEventStateManager.cpp:996
#5  0x40d26974 in nsEventStateManager::PostHandleEvent (this=0x8212578, aPresContext=@0x8462f90, aEvent=0xbffff2c8, aTargetFrame=0x84e1480, aStatus=@0xbffff1d8, aView=0x8356878) at ../../../../layout/events/src/nsEventStateManager.cpp:467
#6  0x40d73305 in PresShell::HandleEvent (this=0x846b1a8, aView=0x8356878, aEvent=0xbffff2c8, aEventStatus=@0xbffff1d8) at ../../../../../layout/html/base/src/nsPresShell.cpp:2214
#7  0x4108d7d7 in nsView::HandleEvent (this=0x8356878, event=0xbffff2c8, aEventFlags=8, aStatus=@0xbffff1d8, aHandled=@0xbffff17c) at ../../../view/src/nsView.cpp:833
#8  0x4108d769 in nsView::HandleEvent (this=0x821ad10, event=0xbffff2c8, aEventFlags=8, aStatus=@0xbffff1d8, aHandled=@0xbffff17c) at ../../../view/src/nsView.cpp:817
#9  0x4108d769 in nsView::HandleEvent (this=0x8208498, event=0xbffff2c8, aEventFlags=8, aStatus=@0xbffff1d8, aHandled=@0xbffff17c) at ../../../view/src/nsView.cpp:817
#10 0x4108d769 in nsView::HandleEvent (this=0x843a518, event=0xbffff2c8, aEventFlags=28, aStatus=@0xbffff1d8, aHandled=@0xbffff17c) at ../../../view/src/nsView.cpp:817
#11 0x410992b3 in nsViewManager::DispatchEvent (this=0x8442430, aEvent=0xbffff2c8, aStatus=@0xbffff1d8) at ../../../view/src/nsViewManager.cpp:1737
#12 0x4108b8f8 in HandleEvent (aEvent=0xbffff2c8) at ../../../view/src/nsView.cpp:62
#13 0x4057aa74 in nsWidget::DispatchEvent (this=0x821ad78, aEvent=0xbffff2c8, aStatus=@0xbffff270) at ../../../../widget/src/gtk/nsWidget.cpp:1277
#14 0x4057a80c in nsWidget::DispatchWindowEvent (this=0x821ad78, event=0xbffff2c8) at ../../../../widget/src/gtk/nsWidget.cpp:1188
#15 0x4057ab28 in nsWidget::DispatchMouseEvent (this=0x821ad78, aEvent=@0xbffff2c8) at ../../../../widget/src/gtk/nsWidget.cpp:1304
#16 0x4057bc7b in nsWidget::OnButtonReleaseSignal (this=0x821ad78, aGdkButtonEvent=0x81772f0) at ../../../../widget/src/gtk/nsWidget.cpp:1915
#17 0x4057c92e in nsWidget::ButtonReleaseSignal (aWidget=0x8238048, aGdkButtonEvent=0x81772f0, aData=0x821ad78) at ../../../../widget/src/gtk/nsWidget.cpp:2360
#18 0x402d4a99 in gtk_marshal_BOOL__POINTER (object=0x8238048, func=0x4057c850 <nsWidget::ButtonReleaseSignal(_GtkWidget *, _GdkEventButton *, void *)>, func_data=0x821ad78, args=0xbffff3e0) at gtkmarshal.c:30
#19 0x40299c52 in gtk_handlers_run (handlers=0x813feb0, signal=0xbffff39c, object=0x8238048, params=0xbffff3e0, after=0) at gtksignal.c:1909
#20 0x40299158 in gtk_signal_real_emit (object=0x8238048, signal_id=21, params=0xbffff3e0) at gtksignal.c:1469
#21 0x40297468 in gtk_signal_emit (object=0x8238048, signal_id=21) at gtksignal.c:552
#22 0x402cc110 in gtk_widget_event (widget=0x8238048, event=0x81772f0) at gtkwidget.c:2790
#23 0x4026c13d in gtk_propagate_event (widget=0x8238048, event=0x81772f0) at gtkmain.c:1296
#24 0x4026b472 in gtk_main_do_event (event=0x81772f0) at gtkmain.c:753
#25 0x40310ed6 in gdk_event_dispatch (source_data=0x0, current_time=0xbffff760, user_data=0x0) at gdkevents.c:2098
#26 0x4033cc8f in g_main_dispatch (current_time=0xbffff760) at gmain.c:652
#27 0x4033d277 in g_main_iterate (block=1, dispatch=1) at gmain.c:870
#28 0x4033d3f9 in g_main_run (loop=0x81bfe40) at gmain.c:928
#29 0x4026aedf in gtk_main () at gtkmain.c:475
#30 0x40564fb3 in nsAppShell::Run (this=0x809d280) at ../../../../widget/src/gtk/nsAppShell.cpp:388
#31 0x806fb9e in nsNativeViewerApp::Run (this=0x80add20) at ../../../../../../webshell/tests/viewer/unix/gtk/nsGtkMain.cpp:45
#32 0x806fe86 in main (argc=1, argv=0xbffff854) at ../../../../../../webshell/tests/viewer/unix/gtk/nsGtkMain.cpp:165
Assignee: rickg → pollmann
Eric -- one for you, methinks.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → DUPLICATE
Thanks to dejong for the analysis!

*** This bug has been marked as a duplicate of 17431 ***
Status: RESOLVED → VERIFIED
marking Verified as a dup.
Product: Core → Core Graveyard