Stephen P. Morse Reporter
	Description • 26 years ago

The content shown below displays a single drop-down list.  If that list is
selected, browser will crash.  Stack trace at time of crash is shown after
the content.

Note: this was originally reported as a side comment in bug report 3286.  But
the stack traces are different so this is now being reported as a separate bug.
Furthermore, the crash in report 3286 is on startup and only on linux (not
win32).  This bug occurs when element is selected and occurs on win32 (not
tested on linux).  So they definitely are two separate bugs.

CONTENT:
--------

<HTML>
  <HEAD>
    <SCRIPT>
      function loadMain() {
        top.frames[0].document.open();
        top.frames[0].document.write(
          "<FORM>" +
            "<TABLE>" +
              "<TR>" +
                "<TD>" +
                  "<SELECT ONCHANGE=top.loadMain();> </SELECT>" +
                "</TD>" +
              "</TR>" +
            "</TABLE>" +
          "</FORM>"
        );
        top.frames[0].document.close();
      }
    </SCRIPT>
  </HEAD>

<FRAMESET ROWS=*,1
         BORDER=0
         FRAMESPACING=0
         onLoad=loadMain()>
  <FRAME SRC=about:blank
        NAME=main_frame
        SCROLLING=AUTO
        MARGINWIDTH=0
        MARGINHEIGHT=0
        NORESIZE>
  <FRAME SRC=about:blank
        NAME=dummy_frame
        SCROLLING=AUTO
        MARGINWIDTH=0
        MARGINHEIGHT=0
        NORESIZE>
</FRAMESET>

  <NOFRAMES>
    <BODY> <P> </BODY>
  </NOFRAMES>
</HTML>

stack trace:
------------

nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012fa5c,
nsIDOMEvent * * 0x0012fa10, unsigned int 1, nsEventStatus &
nsEventStatus_eIgnore) line 750 + 33 bytes
nsHTMLSelectElement::HandleDOMEvent(nsHTMLSelectElement * const 0x01377cfc,
nsIPresContext & {...}, nsEvent * 0x0012fa5c, nsIDOMEvent * * 0x00000000,
unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 460
nsSelectControlFrame::MouseClicked(nsIPresContext * 0x0130ff30) line 999
nsFormControlFrame::HandleEvent(nsFormControlFrame * const 0x013c66b0,
nsIPresContext & {...}, nsGUIEvent * 0x0012fdd0, nsEventStatus &
nsEventStatus_eIgnore) line 686
PresShell::HandleEvent(PresShell * const 0x013753a4, nsIView * 0x013c7db0,
nsGUIEvent * 0x0012fdd0, nsEventStatus & nsEventStatus_eIgnore) line 1448 + 33
bytes
nsView::HandleEvent(nsView * const 0x013c7db0, nsGUIEvent * 0x0012fdd0, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore) line 825
nsView::HandleEvent(nsView * const 0x01377630, nsGUIEvent * 0x0012fdd0, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore) line 808
nsView::HandleEvent(nsView * const 0x01376240, nsGUIEvent * 0x0012fdd0, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore) line 808
nsView::HandleEvent(nsView * const 0x01376ef0, nsGUIEvent * 0x0012fdd0, unsigned
int 8, nsEventStatus & nsEventStatus_eIgnore) line 808
nsScrollingView::HandleEvent(nsScrollingView * const 0x01376ef0, nsGUIEvent *
0x0012fdd0, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore) line 810
nsView::HandleEvent(nsView * const 0x0132fcc0, nsGUIEvent * 0x0012fdd0, unsigned
int 28, nsEventStatus & nsEventStatus_eIgnore) line 808
nsViewManager::DispatchEvent(nsViewManager * const 0x0132fa00, nsGUIEvent *
0x0012fdd0, nsEventStatus & nsEventStatus_eIgnore) line 978
HandleEvent(nsGUIEvent * 0x0012fdd0) line 64
nsWindow::DispatchEvent(nsWindow * const 0x013c8130, nsGUIEvent * 0x0012fdd0,
nsEventStatus & nsEventStatus_eIgnore) line 358 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fdd0) line 374
nsWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 1855 +
15 bytes
nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 786452, long *
0x0012fef4) line 1394 + 24 bytes
nsWindow::WindowProc(void * 0x00a80282, unsigned int 514, unsigned int 0, long
786452) line 417 + 27 bytes
US

	mjudge
	Comment 1 • 26 years ago

I will take a look at this, but it looks like a Pixley bug.

	Greg Kostello
	Comment 2 • 26 years ago

This seems to be a crasher in nsSelectControlFrame. Reassigning to Chris Karnaze

	Greg Kostello
	Comment 3 • 26 years ago

(Ignore Last Comment)

The crasher is actually in HandleDOMEvent, but the start point is when a mouse
down occurs in a nsFormControlFrame. It appears that the parent pointer is
refering to garbage.

	karnaze (gone)
	Comment 4 • 26 years ago

The crash occurs because the <SELECT>'s ONCHANGE=top.loadMain() destroys the
existing document in the top frame (I assume) including the single
nsHTMLTableCellElement (I verified). Then before the nsHTMLSelectElement is
destroyed it gets a mouse up event and its mInner's mParent is referenced. But
its mInner's mParent is the nsHTMLTableCellElement that was destroyed, so it
crashes.

Tom, I'm reassigning this to you because you surely have more insight on what is
going on than I do.

I gave Steve a workaround - to include at least one <OPTION> inside the
<SELECT>. Why this works in light of my comments above, I have no clue.

	Stephen P. Morse Reporter
	Comment 5 • 26 years ago

Tom,

The workaround is inappropriate for my actual application so I do need a fix for
this and ASAP.  It is one of several blocking problems in the walled
development.

	joki (gone) Assignee
	Comment 6 • 26 years ago

Unfortunately I'm not sure if I can give you a fix right away.  This crash
stems from a more serious problem that we're working to fix.  I can possibly
give you a better workaround, though.

Try replacing

"<SELECT ONCHANGE=top.loadMain();> </SELECT>" +

with

"<SELECT ONCHANGE=\"setTimeout('top.loadMain();', 0)\"> </SELECT>" +

The addition the quotes is just because they really should be there anyway.
But the general concept is just to prevent immediate processing of the script,
pushing it back to the top of the stack with a zero length timeout.

	Stephen P. Morse Reporter
	Comment 7 • 26 years ago

The workaround using the timeout is acceptable for me and I am no longer blocked
on this.

	Paul MacQuiddy
	Comment 8 • 26 years ago

per leger, assigning QA contacts to all open bugs without QA contacts according
to list at http://bugzilla.mozilla.org/describecomponents.cgi?product=Browser

	joki (gone) Assignee
	Comment 9 • 26 years ago

I have a couple other bugs with this same basic problem.  Duping them together.
Setting fix for M5.

	joki (gone) Assignee
	Comment 10 • 26 years ago

I have a couple other bugs with this same basic problem.  Duping them together.
Setting fix for M5.

	joki (gone) Assignee
	Comment 11 • 26 years ago

*** Bug 3950 has been marked as a duplicate of this bug. ***

	joki (gone) Assignee
	Comment 12 • 26 years ago

*** Bug 4092 has been marked as a duplicate of this bug. ***

	joki (gone) Assignee
	Comment 13 • 26 years ago

Not making these for M5

	joki (gone) Assignee
	Comment 14 • 26 years ago

Moving out to M7

	Chris Petersen
	Comment 15 • 25 years ago

With the June 28th Build (1999062809), I can't reproduce the crash descricbed
using the test provided. This problem may have been fixed.

	Kevin Berkheiser
	Comment 17 • 25 years ago

M7 on Win98 does not seem to crash either.

	joki (gone) Assignee
	Comment 18 • 25 years ago

Far to major to fix in the next four days.

	joki (gone) Assignee
	Comment 19 • 25 years ago

This isn't gonna make M9

	chris hofmann
	Comment 20 • 25 years ago

sounds to hairy for m10. -> m11.  let me know if something is in hand

	saari (gone)
	Comment 21 • 25 years ago

Can't reproduce on Mac. Can we get this tested on other platforms? Marking
worksforme to get people's attention.

	Stephen P. Morse Reporter
	Comment 22 • 25 years ago

It's working for me now as well (on win32).

	Chris Petersen
	Comment 23 • 25 years ago

With Oct 1 build, the problem is not occuring.