Display content shown below but with the commented lines uncommented. You should see a link that say "click me" and a text (not a link) that says "thanks". Click on the the "click me" link. It crashes and you get stack trace as shown below the content. OK, as I work-around replace the comments and use the original content as shown. Now you don't crash when you click on the "click me" link. But what is supposed to happen next is that the original "click me" link becomes the text "thanks" and a new "click me" link should appear where the old text "thanks" was. Instead you get one big link that says "click me thanks". That's bad of course but worse is if you press on the "click me" side of it you get the crash. Interestingly if you press on the "thanks" side of it you don't crash and the display changes to the original display as it should. By using this trick and always pressing on the right side of the composite link, everything appears to work for a while. But after repeated pressing of the link many many times, it eventually too gives the crash. Note: this script was attempted as a work-around for the bug 1646 that was blocking wallet. It would have been an acceptable work-around if it worked. So wallet is blocked until at least one of these two bugs is fixed. <HTML> <HEAD> <TITLE>Signons</TITLE> <SCRIPT> index_frame = 0; function loadSignons(){ top.frames[index_frame].document.open(); top.frames[index_frame].document.write( "<BODY>" + "<TABLE>" + "<TR>" + // "<TD>" + "Thanks....." + // "</TD>" + // "<TD>" + "<A ONCLICK=top.loadRejects(); HREF= >" + ".....Click me" + "</A>" + // "</TD>" + "</TR>" + "</TABLE>" + "</BODY>" ); top.frames[index_frame].document.close(); } function loadRejects(){ top.frames[index_frame].document.open(); top.frames[index_frame].document.write( "<BODY>" + "<TABLE>" + "<TR>" + // "<TD>" + "<A ONCLICK=top.loadSignons(); HREF= >" + "Click me....." + "</A>" + // "</TD>" + // "<TD>" + ".....Thanks" + // "</TD>" + "</TR>" + "</TABLE>" + "</BODY>" ); top.frames[index_frame].document.close(); } </SCRIPT> </HEAD> <FRAMESET ROWS = 25,25 onLoad=loadSignons()> <FRAME SRC=about:blank> <FRAME SRC=about:blank> </FRAMESET> <NOFRAMES> <BODY> <P> </BODY> </NOFRAMES> </HTML> nsGenericElement::GetParent(nsIContent * & 0x0277c2ec) line 708 + 24 bytes nsHTMLAnchorElement::GetParent(const nsHTMLAnchorElement * const 0x0277c2ec, nsIContent * & 0x0277c2ec) line 101 + 18 bytes nsCSSFrameConstructor::RecreateFramesForContent(nsIPresContext * 0x01334b30, nsIContent * 0x0277c2ec) line 5448 + 16 bytes nsCSSFrameConstructor::ContentStatesChanged(nsCSSFrameConstructor * const 0x01338820, nsIPresContext * 0x01334b30, nsIContent * 0x00000000, nsIContent * 0x0277c2ec) line 4678 + 16 bytes StyleSetImpl::ContentStatesChanged(StyleSetImpl * const 0x01338790, nsIPresContext * 0x01334b30, nsIContent * 0x0275b65c, nsIContent * 0x0277c2ec) line 854 PresShell::ContentStatesChanged(PresShell * const 0x013388b8, nsIDocument * 0x01333610, nsIContent * 0x0275b65c, nsIContent * 0x0277c2ec) line 1616 + 46 bytes nsDocument::ContentStatesChanged(nsDocument * const 0x01333610, nsIContent * 0x0275b65c, nsIContent * 0x0277c2ec) line 1475 nsEventStateManager::SetContentState(nsEventStateManager * const 0x02740790, nsIContent * 0x0275b65c, int 4) line 971 nsEventStateManager::GenerateMouseEnterExit(nsIPresContext & {...}, nsGUIEvent * 0x0012fcb0) line 370 nsEventStateManager::PreHandleEvent(nsEventStateManager * const 0x02740790, nsIPresContext & {...}, nsGUIEvent * 0x0012fcb0, nsIFrame * 0x0275c3d0, nsEventStatus & nsEventStatus_eIgnore) line 109 PresShell::HandleEvent(PresShell * const 0x013388b4, nsIView * 0x026f3be0, nsGUIEvent * 0x0012fcb0, nsEventStatus & nsEventStatus_eIgnore) line 1993 + 39 bytes nsView::HandleEvent(nsView * const 0x026f3be0, nsGUIEvent * 0x0012fcb0, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore) line 831 nsView::HandleEvent(nsView * const 0x026f3230, nsGUIEvent * 0x0012fcb0, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore) line 818 nsView::HandleEvent(nsView * const 0x026f3160, nsGUIEvent * 0x0012fcb0, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore) line 818 nsView::HandleEvent(nsView * const 0x01338500, nsGUIEvent * 0x0012fcb0, unsigned int 28, nsEventStatus & nsEventStatus_eIgnore) line 818 nsViewManager::DispatchEvent(nsViewManager * const 0x01338ec0, nsGUIEvent * 0x0012fcb0, nsEventStatus & nsEventStatus_eIgnore) line 1726 HandleEvent(nsGUIEvent * 0x0012fcb0) line 67 nsWindow::DispatchEvent(nsWindow * const 0x026f3304, nsGUIEvent * 0x0012fcb0, nsEventStatus & nsEventStatus_eIgnore) line 410 + 10 bytes nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fcb0) line 431 nsWindow::DispatchMouseEvent(unsigned int 300, nsPoint * 0x00000000) line 2878 + 15 bytes ChildWindow::DispatchMouseEvent(unsigned int 300, nsPoint * 0x00000000) line 3027 nsWindow::ProcessMessage(unsigned int 512, unsigned int 0, long 1048734, long * 0x0012fe48) line 2229 + 24 bytes nsWindow::WindowProc(void * 0x0c610580, unsigned int 512, unsigned int 0, long 1048734) line 474 + 27 bytes USER32! 77e71250()

To eliminate html frame/sets from the equation, I rewrote this example: http://blueviper/frames/crash6580.html <HTML> <HEAD> <SCRIPT> var content = "<BODY><A ONCLICK=load() HREF=>Click me</A></BODY>" function load(){ document.open() document.write(content) document.close() } </SCRIPT> </HEAD> <BODY ONLOAD=load()></BODY> </HTML> This will crash with an identical stack trace. However, this crash is related to when the mouse pointer leaves the anchor in relation to when the document is destroyed and rewritten. To reproduce the crash you must: 1) Go to the above URL. 2) Click on the link. 3) Immediately move the mouse pointer off of the link, but keep it inside the document window. 4) Wait for the page to be destroyed, then rewritten. 5) Watch in exasperation as viewer crashes. If you leave the document window in step 3, the crash will not occur until the mouse re-enters the document window. If your computer is too fast to move the pointer before the document is redrawn (I certainly don't have that problem on my P166), set a breakpoint in CNavDTD::SetContentState. After you click on the link, this breakpoint will be hit. Move your mouse pointer off of the link, then continue execution (pres F5 to keep the mouse inside the document window). I set a few breakpoints, and found that the mouse pointer must be moved before the new document is written (before CNavDTD::BuildModel is called), or no crash will occur. In Steve's example, a new link is written into a different location, so the mouse pointer doesn't have to be moved to see the crash. Interestingly, I also noticed that on clicking the link, the document that is being document.written is actually parsed twice. (SetContentState is called, BuildModel is called with "<BODY><A...", BuildModel is called with "</HTML>", and then the cycle is repeated) This shouldn't be happening as far as I can tell... Since this entire bug revolves around code I know very little about (events, parsing, and javascript), it would be my pleasure to give it to somebody who fully understands the issues - any takers?

Opps, I wrote: ...set a breakpoint in CNavDTD::SetContentState... When I meant to write: ...set a breakpoint in nsEventStateManager::SetContentState... :)

Okay, I've checked it a fix for this. We now check to see if content has been removed from the document before we try to set its content state. However, this bug is indicative of a larger problem in that when a single piece of content is held onto after document destruction, not all of it external refs are still valid. In this case, the parent pointer is invalid. Still need to fix that. Removng blocker status and pushing to later milestone.

So the additional bug with bad parent pointers I mentioned was fixed by waterson@netscape.com a little while back. So this should be completely fixed now.

With the Dec 01 build (1999120108), this problem has been fixed.