96561 - [CSS+Table] Crash entering www.zmspgda.republika.pl

Status: RESOLVED DUPLICATE of bug 113235

(Core :: Layout, defect, P1)

Description

[Jacek Piskozub]

Mozilla builds 2001081603 and CVS build (about 2001082216) - both on WindowsME -
crash every time entering the URL.

Comment 1

[Jacek Piskozub]

Talkback numbers:

TB34397494Q
TB34375384M

Comment 2

[Jacek Piskozub]

I've meda a testcase. It seems this happens only in quirks mode (changing
DOCTYPE to one rendered in strict/stadards mode heals the crash). What is needed
is the change of color of the link when hovered over:

A:link  { color:rgb(100,0,0); }
A:hover { color:rgb(0,100,0);   }

and a link inside a table with embedded HR and the link text in H1 (all the
elements seem necessary):

<TABLE>
<TR>
<TD VALIGN="middle" ALIGN="center">
<A HREF="http://foo">
<HR>
<H1>
Any text
</H1>
</A>
</TD>
</TR>
</TABLE>

Strange, isn't it?

Comment 3

[Jacek Piskozub]

Attachment: Hover over the upper link to crash Mozilla

Comment 4

[Jacek Piskozub]

Attachment: Same testcase but with DOCTYPE rendered in strict mode (no crash)

Comment 5

[Jacek Piskozub]

I'll risk -> Layout as this is a problem on the Table-CSS intersection.

Comment 6

[Doron Rosenberg (IBM)]

need talkback retrieval

Comment 7

[timeless]

.

Comment 8

[Jacek Piskozub]

Talkback # for the testcase crash

TB34421731E

Comment 9

[karnaze (gone)]

It looks like an inline or text frame has been deleted but is being 
de-referenced. Reassigning to waterson.

ApplyRenderingChangeToTree(nsIPresContext * 0x022cbde0, nsIFrame * 0x0119e844, 
nsIViewManager * 0x00000000) line 9688
nsCSSFrameConstructor::ProcessRestyledFrames(nsCSSFrameConstructor * const 
0x022cdc30, nsStyleChangeList & {...}, nsIPresContext * 0x022cbde0) line 9877 + 
15 bytes
nsCSSFrameConstructor::ContentStatesChanged(nsCSSFrameConstructor * const 
0x022cdc30, nsIPresContext * 0x022cbde0, nsIContent * 0x02ad4f60, nsIContent * 
0x00000000) line 9996
StyleSetImpl::ContentStatesChanged(StyleSetImpl * const 0x022cdf20, 
nsIPresContext * 0x022cbde0, nsIContent * 0x02ad4f60, nsIContent * 0x02ad32e0) 
line 1216
PresShell::ContentStatesChanged(PresShell * const 0x02302918, nsIDocument * 
0x022b2dc0, nsIContent * 0x02ad4f60, nsIContent * 0x02ad32e0) line 4933 + 49 
bytes
nsDocument::ContentStatesChanged(nsDocument * const 0x022b2dc0, nsIContent * 
0x02ad4f60, nsIContent * 0x02ad32e0) line 1594
nsEventStateManager::SetContentState(nsEventStateManager * const 0x02321128, 
nsIContent * 0x02ad4f60, int 4) line 3534
nsGenericHTMLElement::HandleDOMEventForAnchors(nsIContent * 0x02ad4f60, 
nsIPresContext * 0x022cbde0, nsEvent * 0x0012f158, nsIDOMEvent * * 0x0012f0a4, 
unsigned int 2, nsEventStatus * 0x0012f1a0) line 1365
nsHTMLAnchorElement::HandleDOMEvent(nsHTMLAnchorElement * const 0x02ad4f60, 
nsIPresContext * 0x022cbde0, nsEvent * 0x0012f158, nsIDOMEvent * * 0x0012f0a4, 
unsigned int 2, nsEventStatus * 0x0012f1a0) line 393
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x02ad4a90, 
nsIPresContext * 0x022cbde0, nsEvent * 0x0012f158, nsIDOMEvent * * 0x0012f0a4, 
unsigned int 1, nsEventStatus * 0x0012f1a0) line 1708 + 53 bytes
nsEventStateManager::GenerateMouseEnterExit(nsIPresContext * 0x022cbde0, 
nsGUIEvent * 0x0012fa00) line 2127
nsEventStateManager::PreHandleEvent(nsEventStateManager * const 0x02321128, 
nsIPresContext * 0x022cbde0, nsEvent * 0x0012fa00, nsIFrame * 0x0119eec0, 
nsEventStatus * 0x0012f8f4, nsIView * 0x023555e0) line 355
PresShell::HandleEventInternal(nsEvent * 0x0012fa00, nsIView * 0x023555e0, 
unsigned int 1, nsEventStatus * 0x0012f8f4) line 5645 + 43 bytes
PresShell::HandleEvent(PresShell * const 0x02302914, nsIView * 0x023555e0, 
nsGUIEvent * 0x0012fa00, nsEventStatus * 0x0012f8f4, int 0, int & 1) line 5576 + 
25 bytes
nsView::HandleEvent(nsView * const 0x023555e0, nsGUIEvent * 0x0012fa00, unsigned 
int 8, nsEventStatus * 0x0012f8f4, int 0, int & 1) line 377
nsView::HandleEvent(nsView * const 0x02355dd0, nsGUIEvent * 0x0012fa00, unsigned 
int 8, nsEventStatus * 0x0012f8f4, int 0, int & 1) line 350
nsView::HandleEvent(nsView * const 0x022cc500, nsGUIEvent * 0x0012fa00, unsigned 
int 28, nsEventStatus * 0x0012f8f4, int 1, int & 1) line 350
nsViewManager::DispatchEvent(nsViewManager * const 0x022cca70, nsGUIEvent * 
0x0012fa00, nsEventStatus * 0x0012f8f4) line 2056
HandleEvent(nsGUIEvent * 0x0012fa00) line 68
nsWindow::DispatchEvent(nsWindow * const 0x02355c94, nsGUIEvent * 0x0012fa00, 
nsEventStatus & nsEventStatus_eIgnore) line 728 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fa00) line 749
nsWindow::DispatchMouseEvent(unsigned int 300, nsPoint * 0x00000000 {x=??? 
y=???}) line 4262 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 300, nsPoint * 0x00000000 {x=??? 
y=???}) line 4514
nsWindow::ProcessMessage(unsigned int 512, unsigned int 0, long 7864918, long * 
0x0012fe2c) line 3198 + 24 bytes
nsWindow::WindowProc(HWND__ * 0x000a079e, unsigned int 512, unsigned int 0, long 
7864918) line 996 + 27 bytes
USER32! 77e148dc()
USER32! 77e14aa7()
USER32! 77e266fd()
main(int 1, char * * 0x006440e0) line 157 + 11 bytes
mainCRTStartup() line 338 + 17 bytes

Comment 10

[Adam Hauner]

WFM 2002032803/Win2K
Piskozub: Can you reproduce this bug with a latest build?

Comment 11

[karnaze (gone)]

I crashed with a 4/4/2 Win2k debug at the url. The test case worked.

IsCanvasFrame(nsIFrame * 0x0458a434) line 2411 + 39 bytes
nsCSSRendering::FindBackground(nsIPresContext * 0x04333d60, nsIFrame * 
0x0458a434, const nsStyleBackground * * 0x0012e5c0, int * 0x0012e5b8) line 2542 
+ 9 bytes
ApplyRenderingChangeToTree(nsIPresContext * 0x04333d60, nsIFrame * 0x0458a434, 
nsIViewManager * 0x00000000) line 9825 + 21 bytes
nsCSSFrameConstructor::ProcessRestyledFrames(nsCSSFrameConstructor * const 
0x040a8658, nsStyleChangeList & {...}, nsIPresContext * 0x04333d60) line 10022 + 
15 bytes
nsCSSFrameConstructor::ContentStatesChanged(nsCSSFrameConstructor * const 
0x040a8658, nsIPresContext * 0x04333d60, nsIContent * 0x04499c98, nsIContent * 
0x00000000, nsIAtom * 0x00000000 {???}) line 10176

Comment 12

[Adam Hauner]

Ah, I'm crashing now with 2002040903/Win2K on testcase, but I have to move
several times over both links -> TB5025999K, TB5026011W and TB5026064Q.

Comment 13

[karnaze (gone)]

I can't get the test case to fail no matter how many times I mouse over the 
links. The url fails easily.

Comment 14

[karnaze (gone)]

Taking the bug.

Comment 15

[karnaze (gone)]

Attachment: simple test case where mousing over the link causes a crash

Mousing over the link produces the following stack. 

nsCOMPtr<nsIBox>::assign_from_helper(const nsCOMPtr_helper & {...}, const nsID
& {...}) line 922 + 18 bytes
nsCOMPtr<nsIBox>::nsCOMPtr<nsIBox>(const nsQueryInterface & {...}) line 566
nsCSSFrameConstructor::StyleChangeReflow(nsIPresContext * 0x02ea39c0, nsIFrame
* 0x01abf604, nsIAtom * 0x00000000 {???}) line 10076
nsCSSFrameConstructor::ProcessRestyledFrames(nsCSSFrameConstructor * const
0x02ea4240, nsStyleChangeList & {...}, nsIPresContext * 0x02ea39c0) line 10213
nsCSSFrameConstructor::ContentStatesChanged(nsCSSFrameConstructor * const
0x02ea4240, nsIPresContext * 0x02ea39c0, nsIContent * 0x02f01b20, nsIContent *
0x00000000, int 4) line 10379
StyleSetImpl::ContentStatesChanged(StyleSetImpl * const 0x02ea4560,
nsIPresContext * 0x02ea39c0, nsIContent * 0x02f01b20, nsIContent * 0x00000000,
int 4) line 1563
PresShell::ContentStatesChanged(PresShell * const 0x02ebc188, nsIDocument *
0x02e7f450, nsIContent * 0x02f01b20, nsIContent * 0x00000000, int 4) line 5111
+ 53 bytes
nsDocument::ContentStatesChanged(nsDocument * const 0x02e7f450, nsIContent *
0x02f01b20, nsIContent * 0x00000000, int 4) line 2049
nsEventStateManager::SetContentState(nsEventStateManager * const 0x02ed61f8,
nsIContent * 0x02f014e0, int 4) line 3636

Comment 16

[karnaze (gone)]

The patch in bug 113235 fixes this by avoiding a reframe. 

Comment 17

[karnaze (gone)]

*** This bug has been marked as a duplicate of 113235 ***