Closed
Bug 206403
Opened 22 years ago
Closed 20 years ago
crash after attempt to open "www.tomshardware.com" from location pull-down list [@ nsBlockReflowState::RecoverFloaters][@ nsBlockFrame::SlideLine]
Categories
(Core :: Layout: Block and Inline, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: robertlaferla, Unassigned)
References
()
Details
(Keywords: crash, topcrash)
Crash Data
Attachments
(1 file)
|
7.62 KB,
text/plain; charset=UTF-8
|
Details |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030519
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030519
Browser crashed after attempt to open "www.tomshardware.com" from location
pull-down list. See call stack below...
Reproducible: Didn't try
Steps to Reproduce:
1.
2.
3.
GKLAYOUT! 6152002a()
GKLAYOUT! 6152011b()
GKLAYOUT! 61519a60()
GKLAYOUT! 6151334d()
GKLAYOUT! 61552b13()
GKLAYOUT! 6151334d()
GKLAYOUT! 61550f1d()
GKLAYOUT! 61551919()
GKLAYOUT! 6151334d()
GKLAYOUT! 6154d0fc()
GKLAYOUT! 6154e8d6()
GKLAYOUT! 6154e575()
GKLAYOUT! 6154e3e3()
GKLAYOUT! 6151334d()
GKLAYOUT! 615469da()
GKLAYOUT! 615462e1()
GKLAYOUT! 615452b7()
GKLAYOUT! 6151334d()
GKLAYOUT! 61541f97()
GKLAYOUT! 61542956()
GKLAYOUT! 61542375()
GKLAYOUT! 61542355()
GKLAYOUT! 615422cb()
GKLAYOUT! 61542fc9()
GKLAYOUT! 61520ddf()
GKLAYOUT! 6151d3ae()
GKLAYOUT! 615203e4()
GKLAYOUT! 615201d6()
GKLAYOUT! 61521d4a()
GKLAYOUT! 616a6ce2()
GKLAYOUT! 616a6adf()
GKLAYOUT! 616a69dd()
GKLAYOUT! 61521c43()
GKLAYOUT! 6151c011()
GKLAYOUT! 6151be6f()
GKLAYOUT! 6151bcf8()
GKLAYOUT! 6151bbdc()
GKLAYOUT! 6151ad78()
GKLAYOUT! 6151a920()
GKLAYOUT! 61519a60()
GKLAYOUT! 6151334d()
GKLAYOUT! 61552b13()
GKLAYOUT! 6151334d()
GKLAYOUT! 61551616()
GKLAYOUT! 615513ec()
GKLAYOUT! 61551901()
GKLAYOUT! 6151334d()
GKLAYOUT! 6154ecb8()
GKLAYOUT! 6154e5bd()
GKLAYOUT! 6154e3e3()
GKLAYOUT! 6151334d()
GKLAYOUT! 615469da()
GKLAYOUT! 615462e1()
GKLAYOUT! 615452b7()
GKLAYOUT! 6151334d()
GKLAYOUT! 61541f97()
GKLAYOUT! 61542956()
GKLAYOUT! 61542375()
GKLAYOUT! 61542355()
GKLAYOUT! 615422cb()
GKLAYOUT! 61542fc9()
GKLAYOUT! 61520ddf()
GKLAYOUT! 6151b851()
GKLAYOUT! 6151ac24()
GKLAYOUT! 6151a920()
GKLAYOUT! 61519a60()
GKLAYOUT! 6151334d()
GKLAYOUT! 61552b13()
GKLAYOUT! 6151334d()
GKLAYOUT! 61551616()
GKLAYOUT! 615513ec()
GKLAYOUT! 61551901()
GKLAYOUT! 6151334d()
GKLAYOUT! 6154ecb8()
GKLAYOUT! 6154e5bd()
GKLAYOUT! 6154e3e3()
GKLAYOUT! 6151334d()
GKLAYOUT! 615469da()
GKLAYOUT! 615462e1()
GKLAYOUT! 615452b7()
GKLAYOUT! 6151334d()
GKLAYOUT! 61541f97()
GKLAYOUT! 61542956()
GKLAYOUT! 61542375()
GKLAYOUT! 61542355()
GKLAYOUT! 615422cb()
GKLAYOUT! 61542fc9()
GKLAYOUT! 61520ddf()
GKLAYOUT! 6151d3ae()
GKLAYOUT! 615203e4()
GKLAYOUT! 615201d6()
GKLAYOUT! 61521d4a()
GKLAYOUT! 6151c011()
GKLAYOUT! 6151be6f()
GKLAYOUT! 6151bcf8()
GKLAYOUT! 6151bbdc()
GKLAYOUT! 6151ae38()
GKLAYOUT! 6151a920()
GKLAYOUT! 61519a60()
GKLAYOUT! 61520ddf()
GKLAYOUT! 6151b851()
GKLAYOUT! 6151ac24()
GKLAYOUT! 6151a920()
GKLAYOUT! 61519a60()
GKLAYOUT! 6151334d()
GKLAYOUT! 616a95e6()
GKLAYOUT! 6157aada()
GKLAYOUT! 6157a811()
GKLAYOUT! 6155bb6f()
GKLAYOUT! 6155bb6f()
GKLAYOUT! 616b351f()
GKLAYOUT! 616b354a()
GKLAYOUT! 6155bb6f()
GKLAYOUT! 616b2dcf()
GKLAYOUT! 6151334d()
GKLAYOUT! 616a9b41()
GKLAYOUT! 61506007()
GKLAYOUT! 6150d335()
GKLAYOUT! 6150d128()
XPCOM! 61e6bb44()
SETUPAPI! 778b0c24()
|
||
Comment 1•22 years ago
|
||
Do you have a Talkback ID or a stack with symbols ?
|
Reporter | |
Comment 2•22 years ago
|
||
Yes, it's TB20261878G.
|
||
Updated•22 years ago
|
Keywords: crash,
stackwanted
Whiteboard: TB20261878G
|
||
Comment 3•22 years ago
|
||
WFM on 2003051008 WinXP.
|
|
Reporter | |
Comment 4•22 years ago
|
||
Works for me too but that's not the point. It crashed with the stack trace
included in the original bug report. I also included a talkbalk id too.
Keywords: stackwanted
|
|
||
Comment 5•22 years ago
|
||
Incident ID 20261878
Stack Signature nsBlockReflowState::RecoverFloaters 8c56f7a2
Product ID MozillaTrunk
Build ID 2003051904
Trigger Time 2003-05-20 01:42:54
Platform Win32
Operating System Windows NT 5.0 build 2195
Module gklayout.dll
URL visited http://www.tomshardware.com
User Comments
Trigger Reason Access violation
Source File Name
c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowState.cpp
Trigger Line No. 519
Stack Trace
nsBlockReflowState::RecoverFloaters
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowState.cpp, line 519]
nsBlockReflowState::RecoverStateFrom
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowState.cpp, line 610]
nsBlockFrame::ReflowDirtyLines
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2340]
nsBlockFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 958]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 961]
nsTableCellFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableCellFrame.cpp, line 919]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 961]
nsTableRowFrame::ReflowChildren
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowFrame.cpp, line 1051]
nsTableRowFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowFrame.cpp, line 1472]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 961]
nsTableRowGroupFrame::ReflowChildren
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp,
line 442]
nsTableRowGroupFrame::IR_TargetIsMe
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp,
line 1546]
nsTableRowGroupFrame::IncrementalReflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp,
line 1406]
nsTableRowGroupFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp,
line 1320]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 961]
nsTableFrame::IR_TargetIsChild
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 3008]
nsTableFrame::IncrementalReflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 2735]
nsTableFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 2004]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 961]
nsTableOuterFrame::OuterReflowChild
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1336]
nsTableOuterFrame::IR_InnerTableReflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1733]
nsTableOuterFrame::IR_TargetIsInnerTableFrame
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1494]
nsTableOuterFrame::IR_TargetIsChild
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1484]
nsTableOuterFrame::IncrementalReflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1447]
nsTableOuterFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1977]
nsBlockReflowContext::ReflowBlock
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line
544]
nsBlockFrame::ReflowFloater
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 5310]
nsBlockReflowState::FlowAndPlaceFloater
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowState.cpp, line 880]
nsBlockReflowState::AddFloater
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowState.cpp, line 686]
nsLineLayout::ReflowFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineLayout.cpp, line 1097]
nsInlineFrame::ReflowInlineFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsInlineFrame.cpp, line 737]
nsInlineFrame::ReflowFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsInlineFrame.cpp, line 546]
nsInlineFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsInlineFrame.cpp, line 459]
nsLineLayout::ReflowFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineLayout.cpp, line 1032]
nsBlockFrame::ReflowInlineFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3882]
nsBlockFrame::DoReflowInlineFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3710]
nsBlockFrame::DoReflowInlineFramesAuto
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3612]
nsBlockFrame::ReflowInlineFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3557]
nsBlockFrame::ReflowLine
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2633]
nsBlockFrame::ReflowDirtyLines
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2308]
nsBlockFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 958]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 961]
nsTableCellFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableCellFrame.cpp, line 919]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 961]
nsTableRowFrame::IR_TargetIsChild
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowFrame.cpp, line 1310]
nsTableRowFrame::IncrementalReflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowFrame.cpp, line 1197]
nsTableRowFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowFrame.cpp, line 1464]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 961]
nsTableRowGroupFrame::IR_TargetIsChild
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp,
line 1740]
nsTableRowGroupFrame::IncrementalReflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp,
line 1411]
nsTableRowGroupFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp,
line 1320]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 961]
nsTableFrame::IR_TargetIsChild
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 3008]
nsTableFrame::IncrementalReflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 2735]
nsTableFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 2004]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 961]
nsTableOuterFrame::OuterReflowChild
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1336]
nsTableOuterFrame::IR_InnerTableReflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1733]
nsTableOuterFrame::IR_TargetIsInnerTableFrame
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1494]
nsTableOuterFrame::IR_TargetIsChild
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1484]
nsTableOuterFrame::IncrementalReflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1447]
nsTableOuterFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1977]
nsBlockReflowContext::ReflowBlock
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line
544]
nsBlockFrame::ReflowBlockFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3322]
Assignee: general → block-and-inline
Status: UNCONFIRMED → NEW
Component: Browser-General → Layout: Block & Inline
Ever confirmed: true
QA Contact: general → ian
Whiteboard: TB20261878G
It only happens sometimes. My guess is that it's something to do with the ad
banner, when certain banner is loaded, browser crashed. I may have something to
do with plugins. Just my guess... i think the same thing happen to mail.com too
- bug 217294
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030823 Mozilla
Firebird/0.6.1+
|
||
Updated•22 years ago
|
Flags: blocking1.5?
|
|
||
Comment 7•22 years ago
|
||
Confirm for Windows, cannot reproduce under Linux so it really could be plugin
problem.
But for example I have it under Linux, i tried two builds: official 1.4b and
20030910. Both whith the same plugins: Shockwave Flash 6.0 r79 and Blackdown
Java-Linux Java(TM) Plug-in1.4.1
|
|
||
Comment 11•22 years ago
|
||
I don't think it's caused by plugins anymore, at least not flash plugin. I took
out flash plugin and still able to reproduce the crash.
I found out there is something interest through. I saved the page using IE and
Opera, and open the saved page with Firebird, I couldn't reproduce the crash.
Maybe firebird crash when it try to render incomplete html?
Any idea? It's really strange...
I will continue my observation in the meanwhile.
|
||
Comment 12•22 years ago
|
||
This is the #13 topcrash. Boris or Dbaron, can you spare some cycles to look
into this for 1.5?
|
||
Comment 13•22 years ago
|
||
looks like this might be ranked #13 and higher on recent daily trunk builds...
nsBlockReflowState::RecoverFloaters
13(30) 11( 26) 16( 14) 32(6) 55( 4) 37( 4) 91( 1) 85( 1)
|
|
||
Comment 14•22 years ago
|
||
I can reproduce this bug with Build 2003090604 under Windows XP. Mozilla crashes
only if HTTP 1.1 or Keep-Alive is enabled. Loading the site from file does not
crash Mozilla. My Talkback ID is TB23397783M.
|
|
||
Updated•22 years ago
|
Summary: Browser crashed after attempt to open "www.tomshardware.com" from location pull-down list. → crash after attempt to open "www.tomshardware.com" from location pull-down list [@ nsBlockReflowState::RecoverFloaters]
|
||
Comment 15•22 years ago
|
||
I see a few asserts
###!!! ASSERTION: all the skipped content tokens did not get handled:
'mSkippedContent.GetSize() == 0', file
e:/moz_src/mozilla/htmlparser/src/CNavDTD.cpp, line
1002
|
|
||
Comment 16•22 years ago
|
||
Wow, I almost can reproduce the crash every time I visit the site now. Maybe
it's just my luck.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030903
Firebird/0.6.1+
|
|
||
Comment 17•22 years ago
|
||
ah, maybe it's because I enabled pinelining, that's why more crashes...
|
|
||
Comment 18•22 years ago
|
||
*** Bug 218893 has been marked as a duplicate of this bug. ***
|
|
||
Updated•22 years ago
|
Summary: crash after attempt to open "www.tomshardware.com" from location pull-down list [@ nsBlockReflowState::RecoverFloaters] → crash after attempt to open "www.tomshardware.com" from location pull-down list [@ nsBlockReflowState::RecoverFloaters][@ nsBlockFrame::SlideLine]
|
|
||
Comment 20•22 years ago
|
||
I just got another thought. Will this be a table re-adjusting problem? Every
time my firebird crash, the page rendering stop at the word "Latest Hard
News"(can anyone confirm that?). See... mozilla renders part of the table while
the html is not completely loaded, when the rest of the html is loaded from the
internet, mozilla re-ajust the size of the table, and maybe in the process, it
encounter some kind of error or overflow and clash. That's why it can't be
reproduced when loading on file.
This idea came from bug 217369, which probably not really related, but i think
these 2 bugs are both about table rendering. If we can solve one of these, maybe
both bugs will go away. I am not an expert, so it's just my guess, again.
|
|
||
Comment 21•22 years ago
|
||
not showing up near the top of topcrashers and no fix in site so not going to
block 1.5 for this.
Flags: blocking1.5? → blocking1.5-
|
|
||
Comment 22•22 years ago
|
||
Can anyone reproduce the bug with the latest builds?
I can't reproduce it anymore.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20030923
Firebird/0.7+ (aebrahim)
|
|
||
Comment 23•22 years ago
|
||
Still crashing. This is quite bad because it's populer site.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20030916
|
|
||
Comment 24•22 years ago
|
||
Please test it with later version, that's an old version you are using. I think
it has been fixed somehow, it doesn't crash my firebird anymore. Can anyone
confirm this? Thanks
I am using
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031001
Firebird/0.7+ (aebrahim)
|
|
||
Comment 25•22 years ago
|
||
I really think this bug is gone, maybe someone should close this bug please? or
if someone can still reproduce the crash, please tell. Thanks =)
|
|
||
Comment 26•22 years ago
|
||
I see this one too.
I'm using Mozilla-1.4.1 in Fedora core, which sadly means I have no symbol
information. However, I caught one crash in the debugger (harder than it
sounds, since the crashes are not very common - it's likely timing-related or
depends on the banner ad of the moment).
I get:
Program received signal SIGSEGV, Segmentation fault.
0x40b74ca9 in ?? ()
0x40b74ca9: mov %edx,0x4(%ecx)
0x40b74cac: mov %eax,0x8(%ecx)
0x40b74caf: push %eax
0x40b74cb0: lea 0x28(%esi),%eax
0x40b74cb3: push %eax
0x40b74cb4: push %ecx
0x40b74cb5: mov 0x8(%ebp),%eax
0x40b74cb8: pushl 0xc(%eax)
0x40b74cbb: call 0x40c916c4
0x40b74cc0: mov 0x4c(%esi),%esi
where %ecx is 0x40cdaa48 - which is a valid pointer, but
points to the unreadable code segment rather than to any
writable area.
In fact, that pointer seems to be the start of a function:
(gdb) x/10i 0x40cdaa48
0x40cdaa48: push %ebp
0x40cdaa49: mov %esp,%ebp
0x40cdaa4b: push %edi
0x40cdaa4c: push %esi
0x40cdaa4d: sub $0x10,%esp
0x40cdaa50: mov 0x8(%ebp),%esi
0x40cdaa53: xor %eax,%eax
0x40cdaa55: cmpl $0x0,0xc(%esi)
0x40cdaa59: sete %al
0x40cdaa5c: cmp 0x14(%ebp),%eax
The faulting eip is, according to /proc/<pid>/maps in libgklayout.so:
40afc000-40f20000 /usr/lib/mozilla-1.4.1/components/libgklayout.so
Looking through the assembly code, it looks like the function that causes the
fault starts at 0x40b74bac, for what it's worth. I don't see any interesting
constant strings anywhere closeby, so there's nothing interesting to look at..
The stacks in comment 5 and comment 19 both suggest memory corruption of some
sort (I'd guess accessing freed memory):
comment 5's crash is at:
aLine->mFirstChild->QueryInterface(kBlockFrameCID, (void**)&kid);
and comment 19's crash is at:
nsPoint p = kid->GetPosition();
(where it's the first access of |kid|, which was assigned a few lines up as:
nsIFrame* kid = aLine->mFirstChild; )
I haven't identified the function causing the crash in the previous comment, but
it looks like it has only one virtual function call, to the 0th function in the
vtable (probably QueryInterface), whose out parameter it null-checks and then
propagates the return value.
The crash in comment 26 is in
nsBlockReflowState::RecoverFloaters(nsLineList_iterator, int)
849b7: 8b 51 04 mov 0x4(%ecx),%edx
849ba: 01 7e 2c add %edi,0x2c(%esi)
849bd: 01 7e 3c add %edi,0x3c(%esi)
849c0: 89 55 e4 mov %edx,0xffffffe4(%ebp)
849c3: 8b 41 08 mov 0x8(%ecx),%eax
849c6: 89 45 e8 mov %eax,0xffffffe8(%ebp)
849c9: 01 f8 add %edi,%eax
849cb: 89 51 04 mov %edx,0x4(%ecx)
849ce: 89 41 08 mov %eax,0x8(%ecx)
so this crash is a bit different. (It's the variable |floater| that's garbage
-- a pointer to code instead of data.)
is the code:
fc->mRegion.y += aDeltaY;
fc->mCombinedArea.y += aDeltaY;
nsPoint p;
floater->GetOrigin(p);
floater->MoveTo(mPresContext, p.x, p.y + aDeltaY);
(both function calls are inlined)
The two lines:
> so this crash is a bit different. (It's the variable |floater| that's garbage
> -- a pointer to code instead of data.)
should have been at the end of my previous comment, not in the middle.
|
|
||
Comment 30•21 years ago
|
||
Unable to reproduce this with the latest version of Mozilla & Flash Player
(Mozilla 1.6 and Player 7). Confirmed on Win 2k/ XP/ Mac OX X.
|
|
||
Comment 31•20 years ago
|
||
0 crashes in latest Talkback data. Marking this WFM, but please reopen if
anyone is able to reproduce this with a recent nightly.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
|
||
Updated•14 years ago
|
Crash Signature: [@ nsBlockReflowState::RecoverFloaters]
[@ nsBlockFrame::SlideLine]
You need to log in
before you can comment on or make changes to this bug.
Description
•