M098 N621 Trunk crash [@ PlaceFrameView] [@ .__ptr_glue - nsBlockFrame::PostPlaceLine]

VERIFIED FIXED in mozilla1.0

Status

()

P1
critical
VERIFIED FIXED
17 years ago
17 years ago

People

(Reporter: greer, Assigned: alexsavulov)

Tracking

({crash, topcrash+})

Trunk
mozilla1.0
x86
All
crash, topcrash+
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [patch][adt1], crash signature, URL)

Attachments

(5 attachments, 2 obsolete attachments)

(Reporter)

Description

17 years ago
The PlaceFrameView signature shows up in talkback for all of the recent releases
and Trunk, but in small enough numbers that it hasn't been seen. (Currently N620
has 4 incidents, M095, 36 incidents, Trunk ,6) The top frames of the stack look
similar to that of bug 81905, but comments don't point distinctly to the
password manager.

Here's the stack from N620 data:

        PlaceFrameView
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line
2554]
         nsBlockFrame::PostPlaceLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 4101]
         nsBlockFrame::PlaceLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 3972]
         nsBlockFrame::DoReflowInlineFrames
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 3433]
         nsBlockFrame::DoReflowInlineFramesMalloc
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 3263]
         nsBlockFrame::ReflowInlineFrames
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 3224]
         nsBlockFrame::ReflowLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 2375]
         nsBlockFrame::ReflowDirtyLines
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 2045]
         nsBlockFrame::Reflow  
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp
line 800]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableCellFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableCellFrame.cpp  line 759]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableRowFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp  line 887]
         nsTableRowFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp  line 1246]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableRowGroupFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp 
line 396]
         nsTableRowGroupFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp 
line 1056]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp  line 3046]
         nsTableFrame::Reflow  
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp
line 1854]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableOuterFrame::OuterReflowChild
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp  line 976]
         nsTableOuterFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp  line 1541]
         nsBlockReflowContext::DoReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp  line
574]
         nsBlockReflowContext::ReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp  line
345]
         nsBlockFrame::ReflowBlockFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 2973]
         nsBlockFrame::ReflowLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 2261]
         nsBlockFrame::ReflowDirtyLines
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 2045]
         nsBlockFrame::Reflow  
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp
line 800]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableCellFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableCellFrame.cpp  line 759]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableRowFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp  line 887]
         nsTableRowFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp  line 1246]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableRowGroupFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp 
line 396]
         nsTableRowGroupFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp 
line 1056]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp  line 3046]
         nsTableFrame::Reflow  
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp
line 1854]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableOuterFrame::OuterReflowChild
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp  line 976]
         nsTableOuterFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp  line 1541]
         nsBlockReflowContext::DoReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp  line
574]
         nsBlockReflowContext::ReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp  line
345]
         nsBlockFrame::ReflowBlockFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 2973]
         nsBlockFrame::ReflowLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 2261]
         nsBlockFrame::ReflowDirtyLines
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 2045]
         nsBlockFrame::Reflow  
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp
line 800]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableCellFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableCellFrame.cpp  line 759]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableRowFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp  line 887]
         nsTableRowFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp  line 1246]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableRowGroupFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp 
line 396]
         nsTableRowGroupFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp 
line 1056]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp  line 3046]
         nsTableFrame::Reflow  
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp
line 1854]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableOuterFrame::OuterReflowChild
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp  line 976]
         nsTableOuterFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp  line 1541]
         nsBlockReflowContext::DoReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp  line
574]

Here are the comments across all releases:
N610 :       10
37268259 http://topcat.switchinc.org.8080/proxy.pac waiting for full text article
37269006 www.eco-furniture.com clicked on one of the products in the lawn and
garden section
37318937  I was opening mail when program failed.
37320432  Reloading web page
37371824 www.douglascollege.bc.ca Click on link
37375266 http://www.ishaah.com/Smile.htm reading my e-mail
37379707 www.webtrendslive.com checking html tracking  reports on the websites
homepage
M094 :       11
37066956 http://webcompare.internet.com/webbasics/webbasics_2.html mozilla tried
to read memory location 0x000000... was runni
ng VERY slowly prior to this error. Last page was a link from cbs.sportsline.com
to the fantasy section.
37052016 www.cbssportsline.com
M095 :       36
37376526 fantasy.sportsline.com just clicked on my fantasy team link  might have
clicked twice...
37018266 http://football221.fantasy.sportsline.com/mp/ when looking at all the
picke in my league in cbs fantasy football.I ha
ve crashed many times on theis site since mozilla 0.9.4
37114953 http://members4.fantasy.sportsline.com/home? trying to enter the site.
 Everytime I try on my laptop  it crashes.  Ho
me PC is fine  just the laptop.
37325324  Using tabbed layout.  Went to cbs.sportsline.com (my second tab) and
clicked fantasy. Crash!  error in gkslayout...o
r something
37181660 football258.fantasy.sportsline.com Was pulling up a draft list of free
agents for my fantasy football pool.  As an as
ide  the 'Back' button does not work on cnn.com.
37063743 http://ici.planet-multiplayer.de/phpBB Just loaded the page.
(Reporter)

Updated

17 years ago
Keywords: crash, topcrash

Comment 1

17 years ago
I don't understand why you think this is password manager.  But it indeed looks 
like the same stack trace as in bug 81905 (which I'm not cc'd on) and that one 
too is marked password manager.  And Chris Waterson has that bug.

So reassigning this one to Waterson.
Assignee: morse → waterson
(Reporter)

Comment 2

17 years ago
This one has become a major crasher on M095 (28 incidents) and N620 (481 
incidents). I will attach the comments below to help find a reproducible case. 
Adding qawanted keyword.
Keywords: qawanted
(Reporter)

Comment 3

17 years ago
Created attachment 57794 [details]
Talkback comments from M095 and N620

Comment 4

17 years ago
Adding  [@ .__ptr_glue - nsBlockFrame::PostPlaceLine] to summary, since that is
the stack signature for this crash on MacOS.  The stack looks similar and the
websites are the same as in bug 109996 (which I am about to mark a dup of this
bug).  Here is the info from that bug for Mac crashes with Netscape 6.20:

 Count   Offset    Real Signature
[ 13   .__ptr_glue ed499dd6 - nsBlockFrame::PostPlaceLine() ]
 
     Crash date range: 2001-11-06 to 2001-11-12
     Min/Max Seconds since last crash: 61 - 18381
     Min/Max Runtime: 9513 - 72520
     Keyword List :  
     Count   Platform List 
     10   MacOS version 9.2.1  
     2   MacOS version 9.1  
     1   MacOS version 9.0  
 
     Count   Build Id List 
     13   2001102217
 
     No of Unique Users         6
 
 Stack trace(Frame) 

	 .__ptr_glue  
	 nsBlockFrame::PostPlaceLine()
[nsBlockFrame.cpp  line 4100] 
	 nsBlockFrame::PlaceLine()
[nsBlockFrame.cpp  line 3968] 
	 nsBlockFrame::DoReflowInlineFrames()
[nsBlockFrame.cpp  line 3430] 
	 nsBlockFrame::DoReflowInlineFramesMalloc()
[nsBlockFrame.cpp  line 3260] 
	 nsBlockFrame::ReflowInlineFrames()
[nsBlockFrame.cpp  line 3220] 
	 nsBlockFrame::ReflowLine()
[nsBlockFrame.cpp  line 2374] 
	 nsBlockFrame::ReflowDirtyLines()
[nsBlockFrame.cpp  line 2044] 
	 nsBlockFrame::Reflow()
[nsBlockFrame.cpp  line 798]  
 
COMMENTS/URLs:

     (37873973)	URL: cbs.sportline.com
     (37629077)	URL: www.cbs.sportsline.com
     (37629077)	Comments: Picking up a Free Agent on my fantesy football team

Summary: M095 N620 Trunk crash [@ PlaceFrameView] → M095 N620 Trunk crash [@ PlaceFrameView] [@ .__ptr_glue - nsBlockFrame::PostPlaceLine]

Comment 5

17 years ago
*** Bug 109996 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 6

17 years ago
This crash still shows in the latest releases and milestones. Changing summary. 
current problem links: www.cbssportsline.com   and  www.wheresgeorge.com. 
Summary: M095 N620 Trunk crash [@ PlaceFrameView] [@ .__ptr_glue - nsBlockFrame::PostPlaceLine] → M097 N621 Trunk crash [@ PlaceFrameView] [@ .__ptr_glue - nsBlockFrame::PostPlaceLine]

Comment 7

17 years ago
Is this a Mac-only crash? Stacks make it look that way...
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla0.9.8
(Reporter)

Comment 8

17 years ago
Created attachment 62817 [details]
Platforms showing this signature in recent releases

This attachment is a rough breakdown of platforms that are returning crashes at
the PlaceFrameView signature (from a snapshot of Talkback data 12/26). It is
almost entirely Windows.

Updated

17 years ago
Target Milestone: mozilla0.9.8 → mozilla0.9.9

Comment 9

17 years ago
This is not showing up in recent builds (according to
<http://ftp.mozilla.org/pub/data/crash-data>); marking WORKSFORME.
Status: ASSIGNED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → WORKSFORME

Comment 10

17 years ago
Since Chris isn't seeing this in the crash reports anymore and I tried all the
links on this page with Win XP build 2002012903, marking Verified
Status: RESOLVED → VERIFIED

Comment 11

17 years ago
I convinced a friend to start using Mozilla and he loves it, however he is
definitely seeing this crash at www.wheresgeorge.com .  He says it crashes after
he's entered in a few bills, so you'd possibly need to have a WG account and log
in to reproduce this.

Build:  Mozilla 0.9.8 (2002020406), also seen routinely on 0.9.7
OS   :  Windows 2000

He has submitted many talkbacks on it, most recently TB2686276K .

I brought this up in #mozillazine, and endico took a look at the TB report, and
reported that the first two lines were:

PlaceFrameView
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2813]
nsBlockFrame::PostPlaceLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 4360]

Not sure if that's relevant.  The consensus was that I should report it here in
this bug.  I've now told you everything I know :)

Reopen?
 
(Reporter)

Comment 12

17 years ago
Created attachment 68875 [details]
Stack of Incident #2686276

The stack from the incident listed in the previous comment looks the same as
the original stack, I'm attaching it for reference to the new line numbers.
(Reporter)

Comment 13

17 years ago
So far five unique users have crashed on M098 with this signature. However, 
all of the comments point to the wheresgeorge site (all unique users). Which 
makes me wonder if the site has the problem. 

(2710709) - 2002020409: Windows NT  5.0 build 2195 Had just selected the site 
from my bookmark list URL: http://www.wheresgeorge.com
(2693842) - 2002020409: Windows NT  5.0 build 2195 clicking on to another 
section of the site URL: www.wheresgeorge.com
(2686276) - 2002020409: Windows NT  5.0 build 2195 Just trying to access the 
page. It bombed immediately after I hit return on typing the URL. None of the 
page rendered. URL:http://www.wheresgeorge.com

Updating to M098 and reopening (tentatively) to see if this one begins to show 
up in large numbers with this release. There are currently only 2 incidents 
reported against the trunk. 
Status: VERIFIED → REOPENED
Resolution: WORKSFORME → ---
Summary: M097 N621 Trunk crash [@ PlaceFrameView] [@ .__ptr_glue - nsBlockFrame::PostPlaceLine] → M098 N621 Trunk crash [@ PlaceFrameView] [@ .__ptr_glue - nsBlockFrame::PostPlaceLine]
(Reporter)

Comment 14

17 years ago
It seems I am able to reproduce this one at will (currently). 
Using Trunk build 2002020610, I went to www.wheresgeorge.com, entered 10 bills.
clicked around. Finally clicked on "This site is owned by www.wheresgeorge.com" 
(at the bottom of a page) and got the PlaceFramView crash.

Following that, I restarted the browser and clicked on the history bar's down 
arrow, selected the wheresgeorge site and I crash every time (3 times so far), 
before the page even begins to load. 

Comment 15

17 years ago
nominating topcrash bugs for nsbeta1. 
Keywords: nsbeta1
Reassigning to Alex.
Assignee: waterson → alexsavulov
Status: REOPENED → NEW
Keywords: nsbeta1 → nsbeta1+
Target Milestone: mozilla0.9.9 → mozilla1.0
(Assignee)

Comment 17

17 years ago
CANNOT REPRODUCE ON W2000. ANYONE PLEASE POST EXACT STEPS TO REPRODUCE,
OHTERWISE CANNOT FIX
*** Bug 128937 has been marked as a duplicate of this bug. ***
Alex: try http://mozilla.statesoftware.com/ This URL crashes in PlaceFrameView
in bug 128937

Comment 20

17 years ago
Someone is still crashing at www.wheresgeorge.com...I see a couple of incidents
from 3/2.  And why is the component still password mananger?  Is that correct? 
I would think this was some sort of layout bug.

Here are just a few urls I found from recent incidents:
www.rediff.com 
http://www.wheresgeorge.com 
wannabe.gathering.org/tg - looks like you need an account for this page.  
bmwe30.net - customize link is mentioned in the comment.

I tried to reproduce at the first 2 sites, but wasn't able to.
(Reporter)

Comment 21

17 years ago
I went back to wheresgeorge.com with M098 on W2K and simply clicked on the 
www.wheresgeorge.com link at the bottom. It opened a new window, so I clicked 
on the same link in the new window. After 4-5 times I got the crash @ 
PlaceFrameView. Incident #3738786
(Reporter)

Comment 22

17 years ago
Trunk also crashes with these steps.

Updated

17 years ago
Component: Password Manager → Layout
(Reporter)

Comment 23

17 years ago
Created attachment 72976 [details]
Stack of incident 3750819 (build 2002030606)

  That previous comment was a bit laconic. I was able to crash with the steps I
listed in comment #21 using the Trunk build 2002030606. This crash ended at
nsBlockFrame::GetTopBlockChild but with a similar stack.
 
  Interesting behavior, as I reproduced this crash the number of windows that I
 opened before crashing became fewer. The first crash took 4-5 times of
clicking on the link, the next crash occurred after clicking only two times,
the third came after simply submitting the URL (I never got to the page).
(Assignee)

Comment 24

17 years ago
After a talk with REPORTER (greer@netscape.com) we discovered that the bug is
reproductible only if using a profile that was generated with a previous NS or
MOZ build. On the machine where the crash was reproductible with an old profile,
with a new profile the crash was not reproductible. Switching back to the old
profile, causes mozilla to crash during the test again. However, I was unable to
reproduce the crash even using old profiles created with NS61, NS62 and NS621. I
will have to download and try the 096, 097, 098 builds too. 

If not reproductible, I suggest removing the keyword nsbeta1+.
(Assignee)

Comment 25

17 years ago
replacing nsbeta1+ with nsbeta1

this crash is hardly reproductible. there are two incidents reported by
greer@netscape.com (3750819 and 4016427) that are produced reliably with build
2002030306 with an old profile that has been generated with an older version of
mozilla (greer thinks that it was a netscape distribution). since we spoke last
week there were no incidents with similar stack signatures reported (except the
two reported by greer)
Keywords: nsbeta1+ → nsbeta1

Comment 26

17 years ago
nsbeata1-. Remove the minus to renominate if this can be reproduced. Since the 
crash seems to occur when using old profiles, it really doesn't sound like a 
layout bug.
Keywords: nsbeta1 → nsbeta1-

Comment 27

17 years ago
This shouldn't be qawanted.  Looks like Tom Greer has reproducible steps and the
investigation led to having this bug be seen only on older profiles.

That could be an issue if a lot of folks are running into this since I'm sure
folks will have profiles created by older builds.

Is there a way to get a debug build onto Greer's system and run it through his
profile?


Keywords: qawanted
(Reporter)

Comment 28

17 years ago
Lisa, It's my machine at home that is crashing and I need to get some tools for
it from the office. Working on that.
(Reporter)

Comment 29

17 years ago
Lisa, recently I have seen this crash happen almost at will using these steps: 

1. Goto www.realgm.com
2. click on Player Profiles
3. click on a team
4. click on a player
5. If you haven't crashed yet, try using the "back" button a few times and 
repeat the process.

I have crashed at least once at each of steps 1-3 and got the steps from a user 
who got to step 4. 

Could you please have some of your QA folks take a stab at reproducing this one 
in house?
(Reporter)

Comment 30

17 years ago
Looking at one of my crashes in Talkback the value of aFrame is NULL at the time
of the crash. A null check before dereferencing should fix this one.

>snip<
2783 static void
2784 PlaceFrameView(nsIPresContext* aPresContext,
2785                  nsIFrame*       aFrame)
2786 {
2787 nsIView*  view;

** Check aFrame Here **

2788 aFrame->GetView(aPresContext, &view);
2789 if (view)
2790 nsContainerFrame::SyncFrameViewAfterReflow(aPresContext, aFrame, view, nsnull);

I haven't been successful at building the code at home, but I would gladly test
this one if I could get a build with the patch.
Whiteboard: [patch]
(Assignee)

Comment 31

17 years ago
Created attachment 78460 [details] [diff] [review]
nullcheck patch

added null check in the loop condition
(Assignee)

Updated

17 years ago
Keywords: nsbeta1- → nsbeta1

Comment 32

17 years ago
Comment on attachment 78460 [details] [diff] [review]
nullcheck patch

sr=attinasi - but please put in an ASSERTION so that we can see if the child
count gets out of whack (which is what is happening if |frame| is null).
Attachment #78460 - Flags: superreview+
(Assignee)

Comment 33

17 years ago
Created attachment 78464 [details] [diff] [review]
added assertion to the previous nullcheck patch
Attachment #78460 - Attachment is obsolete: true
(Assignee)

Updated

17 years ago
Attachment #78464 - Flags: superreview+
(Assignee)

Comment 34

17 years ago
Comment on attachment 78464 [details] [diff] [review]
added assertion to the previous nullcheck patch


transfered sr=
nsbeta1+
Keywords: nsbeta1 → nsbeta1+
Comment on attachment 78464 [details] [diff] [review]
added assertion to the previous nullcheck patch

r=kmcclusk@netscape.com
Attachment #78464 - Flags: review+
(Reporter)

Updated

17 years ago
Keywords: topcrash → topcrash+
Whiteboard: [patch] → [patch][adt1]

Comment 37

17 years ago
Since it is always the case that i < aLine->GetChildCount(), change the 
assertion to:

   NS_ASSERTION(frame, "Child count bigger than the number of linked 
frames!!!"); 
(Assignee)

Comment 38

17 years ago
chris:

marc ment to have the assertion beeing self-explanatory that's why it has that
complicated form, but yes, you're right so is simpler.
Isn't that assertion going to fire all the time since you've gotten the next
sibling but haven't incremented i yet?  Shouldn't it be:
  NS_ASSERTION(line->GetChildCount() == i + 1 || frame, "...");
which would also be simpler.

Have you investigated why the child count is being set incorrectly?
Comment on attachment 78464 [details] [diff] [review]
added assertion to the previous nullcheck patch

I didn't mean "all the time" literally.  It should only fire every time the
line is the last line of a block.
Attachment #78464 - Flags: needs-work+
(Assignee)

Comment 41

17 years ago
Created attachment 78480 [details] [diff] [review]
revised patch


right, it has to be i+1 == blah blah

i cannot reproduce this bug so i cannot say what the hack is happening there.
all this is based on talkback and the reporters observations on a machine that
he has and where the bug is reproductible. so far there were all kinds of URL's

involved and we cannot localize the bug.
Attachment #78464 - Attachment is obsolete: true
(Assignee)

Updated

17 years ago
Attachment #78480 - Flags: superreview+
Attachment #78480 - Flags: review+
Could you put a newline before the text of the assertion so that it all wraps
before 80 characters?

Comment 43

17 years ago
tpreston - pls try greer's comments in comment 29 to see if you can reproduce
this.  Will help once the patch gets checked in for verifications.

Comment 44

17 years ago
adding adt1.0.0 nomination
Keywords: adt1.0.0

Comment 45

17 years ago
adt1.0.0+
Keywords: adt1.0.0 → adt1.0.0+
(Reporter)

Comment 46

17 years ago
I have tested two optimized builds from Alexandru on my machine at home (which
crashes on this bug). One build w/o the patched crashed at step 2 in comment #29. 

The build with the patch has repeadtedly handled all the steps in #21 and #29
without crashing.
Comment on attachment 78480 [details] [diff] [review]
revised patch

a=rjesup@wgate.com for drivers.  Please check into both trunk and branch.
Attachment #78480 - Flags: approval+

Updated

17 years ago
Blocks: 136392

Comment 48

17 years ago
Using Step 29: Win XP build 2002040903 (crashes when just trying to reach
www.realgm.com URL Talkback incident:  5048123  

Using Step 29: Win 2k build 2002041003 (crashes when I get to player and click
on Kobe Bryant) Talkback incident:  5048365

Will check other platforms
I wasn't able to reproduce a crash, but I did manage to see an assertion which
is probably related:

#2  0x40267955 in nsDebug::Assertion (aStr=0x42a01ed8 "running past end", 
    aExpr=0x42a01ec2 "mCurrent != mListLink", 
    aFile=0x42a01da0 "/builds/trunk/mozilla/layout/html/base/src/nsLineBox.h", 
    aLine=537) at /builds/trunk/mozilla/xpcom/glue/nsDebug.cpp:291
#3  0x4299c0df in nsLineList_iterator::operator-> (this=0xbfffa848)
    at /builds/trunk/mozilla/layout/html/base/src/nsLineBox.h:537
#4  0x4277f604 in nsBlockFrame::ReflowLine (this=0x41ecd04c, 
    aState=@0xbfffac00, aLine={mCurrent = 0x41ee0954, mListLink = 0x41ecd088}, 
    aKeepReflowGoing=0xbfffa9e8, aDamageDirtyArea=1)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:2553
#5  0x4277e7d4 in nsBlockFrame::ReflowDirtyLines (this=0x41ecd04c, 
    aState=@0xbfffac00)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:2250
#6  0x4277b5ea in nsBlockFrame::Reflow (this=0x41ecd04c, 
    aPresContext=0x42bb2c70, aMetrics=@0xbfffb0e0, aReflowState=@0xbfffb020, 
    aStatus=@0xbfffc354)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:844

The cause of the assertion was that ReflowDirtyLines had passed a line to
ReflowLine that was no longer in the line list, but had prev and next pointers
indicating that it thought it was the only line in the line list (same list
link, but that link didn't point back to it).  The line list thought it had 5
lines, and aState.mLineNumber was 3.
Of those 5 lines (I actually missed the first), the first, third, and fifth were
blocks.  The second had a single child, and the fourth had 2, and all the
sibling linkage seemed to be correct.

The line being reflowed, which was not in the list, had a child count of 2 and
its first child had 5 siblings after (so there were four siblings following not
on the line), but none of these frames were the same.  In fact, their block
parent (which should have been the |this| block) was in fact a
(great-)*5-grandchild of the |this| block, and the chain went through the first
child of the |this| block (the child of the first line).
Recording which lines have already been reflown makes it look like the mLines
list was somehow entirely replaced in the middle of reflowing the children.
(Assignee)

Comment 52

17 years ago
fixed on trunk and 1.0.0 branch

in order to verify you must check the change in the source file 

/cvsroot/mozilla/layout/html/base/src/nsBlockFrame.cpp

in the method 

nsBlockFrame::PostPlaceLine(...

Status: NEW → RESOLVED
Last Resolved: 17 years ago17 years ago
Resolution: --- → FIXED
The real problem here is that frames are being destroyed while they're in the
middle of being reflowed.  While we may be lucky enough to be able to work
around it with a single null check in this case, that's unlikely to work in
general.  We shouldn't have to protect against this.  Here's the stack showing
the real problem:

#3  0x40ca7adb in nsObjectFrame::Destroy (this=0x435c984c, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp:633
#4  0x40c9dd27 in nsLineBox::DeleteLineList (aPresContext=0x4307b6f0, 
    aLines=@0x435c9764)
    at /builds/trunk/mozilla/layout/html/base/src/nsLineBox.cpp:311
#5  0x40c53177 in nsBlockFrame::Destroy (this=0x435c9728, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:328
#6  0x40c9dd27 in nsLineBox::DeleteLineList (aPresContext=0x4307b6f0, 
    aLines=@0x435c95f8)
    at /builds/trunk/mozilla/layout/html/base/src/nsLineBox.cpp:311
#7  0x40c53177 in nsBlockFrame::Destroy (this=0x435c95bc, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:328
#8  0x40de72f3 in nsFrameList::DestroyFrames (this=0x435c9590, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130
#9  0x40c69aa8 in nsContainerFrame::Destroy (this=0x435c955c, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138
#10 0x40de72f3 in nsFrameList::DestroyFrames (this=0x435c9478, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130
#11 0x40c69aa8 in nsContainerFrame::Destroy (this=0x435c9444, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138
#12 0x40de72f3 in nsFrameList::DestroyFrames (this=0x435d49e4, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130
#13 0x40c69aa8 in nsContainerFrame::Destroy (this=0x435d49b0, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138
#14 0x40de72f3 in nsFrameList::DestroyFrames (this=0x435c9324, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130
#15 0x40c69aa8 in nsContainerFrame::Destroy (this=0x435c92f0, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138
#16 0x40d694f6 in nsTableFrame::Destroy (this=0x435c92f0, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/table/src/nsTableFrame.cpp:318
#17 0x40de72f3 in nsFrameList::DestroyFrames (this=0x435c914c, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130
#18 0x40c69aa8 in nsContainerFrame::Destroy (this=0x435c9118, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138
#19 0x40d7e8bc in nsTableOuterFrame::Destroy (this=0x435c9118, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/table/src/nsTableOuterFrame.cpp:83
#20 0x40c9dd27 in nsLineBox::DeleteLineList (aPresContext=0x4307b6f0, 
    aLines=@0x435d40b8)
    at /builds/trunk/mozilla/layout/html/base/src/nsLineBox.cpp:311
#21 0x40c53177 in nsBlockFrame::Destroy (this=0x435d407c, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:328
#22 0x40de72f3 in nsFrameList::DestroyFrames (this=0x435d4050, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130
#23 0x40c69aa8 in nsContainerFrame::Destroy (this=0x435d401c, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138
#24 0x40de75e3 in nsFrameList::DestroyFrame (this=0x435c76a8, 
    aPresContext=0x4307b6f0, aFrame=0x435d401c)
    at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:217
#25 0x40d83c18 in nsTableRowFrame::RemoveFrame (this=0x435c7674, 
    aPresContext=0x4307b6f0, aPresShell=@0x4357ff60, aListName=0x0, 
    aOldFrame=0x435d401c)
    at /builds/trunk/mozilla/layout/html/table/src/nsTableRowFrame.cpp:334
#26 0x40c7d669 in FrameManager::RemoveFrame (this=0x435b5658, 
    aPresContext=0x4307b6f0, aPresShell=@0x4357ff60, aParentFrame=0x435c7674, 
    aListName=0x0, aOldFrame=0x435d401c)
    at /builds/trunk/mozilla/layout/html/base/src/nsFrameManager.cpp:1014
#27 0x40d3dd0b in nsCSSFrameConstructor::ContentRemoved (this=0x43093910, 
    aPresContext=0x4307b6f0, aContainer=0x435ce310, aChild=0x435ce3e8, 
    aIndexInContainer=1, aInContentReplaced=1)
    at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:9587
#28 0x40d3ba42 in nsCSSFrameConstructor::ContentReplaced (this=0x43093910, 
    aPresContext=0x4307b6f0, aContainer=0x435ce310, aOldChild=0x435ce3e8, 
    aNewChild=0x435ce3e8, aIndexInContainer=1)
    at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:8917
#29 0x40d498d4 in nsCSSFrameConstructor::WipeContainingBlock (this=0x43093910, 
    aPresContext=0x4307b6f0, aState=@0xbfff5e34, aBlockContent=0x435ce3e8, 
    aFrame=0x4364fa8c, aFrameList=0x436500a4)
    at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:13686
#30 0x40d395da in nsCSSFrameConstructor::ContentAppended (this=0x43093910, 
    aPresContext=0x4307b6f0, aContainer=0x435c7f38, aNewIndexInContainer=1)
    at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:8266
#31 0x42567cf1 in StyleSetImpl::ContentAppended (this=0x430937d0, 
    aPresContext=0x4307b6f0, aContainer=0x435c7f38, aNewIndexInContainer=1)
    at /builds/trunk/mozilla/content/base/src/nsStyleSet.cpp:1520
#32 0x40cc6a3e in PresShell::ContentAppended (this=0x4357ff60, 
    aDocument=0x4307b960, aContainer=0x435c7f38, aNewIndexInContainer=1)
    at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:5160
#33 0x424e4bda in nsDocument::ContentAppended (this=0x4307b960, 
    aContainer=0x435c7f38, aNewIndexInContainer=1)
    at /builds/trunk/mozilla/content/base/src/nsDocument.cpp:1893
#34 0x4238ab0d in nsHTMLDocument::ContentAppended (this=0x4307b960, 
    aContainer=0x435c7f38, aNewIndexInContainer=1)
    at /builds/trunk/mozilla/content/html/document/src/nsHTMLDocument.cpp:1335
#35 0x42381f6c in HTMLContentSink::NotifyAppend (this=0x430b2198, 
    aContainer=0x435c7f38, aStartIndex=1)
    at /builds/trunk/mozilla/content/html/document/src/nsHTMLContentSink.cpp:4819
#36 0x42378197 in SinkContext::FlushTags (this=0x4308add0, aNotify=1)
    at /builds/trunk/mozilla/content/html/document/src/nsHTMLContentSink.cpp:2184
#37 0x423834f1 in HTMLContentSink::FlushPendingNotifications (this=0x430b2198)
    at /builds/trunk/mozilla/content/html/document/src/nsHTMLContentSink.cpp:5268
#38 0x4238b26a in nsHTMLDocument::FlushPendingNotifications (this=0x4307b960, 
    aFlushReflows=0, aUpdateViews=0)
    at /builds/trunk/mozilla/content/html/document/src/nsHTMLDocument.cpp:1486
#39 0x424dc50b in nsContentList::GetLength (this=0x43625d48, 
    aLength=0xbfff64c0, aDoFlush=1)
    at /builds/trunk/mozilla/content/base/src/nsContentList.cpp:392
#40 0x424dc88f in nsContentList::GetLength (this=0x43625d48, 
    aLength=0xbfff64c0)
    at /builds/trunk/mozilla/content/base/src/nsContentList.cpp:475
#41 0x40cb100c in nsPluginInstanceOwner::EnsureCachedAttrParamArrays (
    this=0x43593cf0)
    at /builds/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp:2809
#42 0x40cada5a in nsPluginInstanceOwner::GetAttributes (this=0x43593cf0, 
    n=@0xbfff6626, names=@0xbfff6628, values=@0xbfff662c)
    at /builds/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp:2071
#43 0x427d9641 in nsPluginInstancePeerImpl::GetAttributes (this=0x43623480, 
    n=@0xbfff6626, names=@0xbfff6628, values=@0xbfff662c)
    at /builds/trunk/mozilla/modules/plugin/base/src/nsPluginInstancePeer.cpp:345
#44 0x428a30a2 in JavaPluginInstance5::Initialize ()
   from /usr/java/jdk1.3.1/jre/plugin/i386/ns600/libjavaplugin_oji.so
#45 0x427cf7b4 in nsPluginHostImpl::SetUpPluginInstance (this=0x840fff0, 
    aMimeType=0x40ee4090 "application/x-java-vm", aURL=0x435be698, 
    aOwner=0x43593cf0)
    at /builds/trunk/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3932
#46 0x427ce2f5 in nsPluginHostImpl::InstantiateEmbededPlugin (this=0x840fff0, 
    aMimeType=0x40ee4090 "application/x-java-vm", aURL=0x435be698, 
    aOwner=0x43593cf0)
    at /builds/trunk/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3447
#47 0x40caa3a9 in nsObjectFrame::InstantiatePlugin (this=0x435c984c, 
    aPresContext=0x4307b6f0, aMetrics=@0xbfff6ed0, aReflowState=@0xbfff6f20, 
    aPluginHost=0x840fff4, aMimetype=0x40ee4090 "application/x-java-vm", 
    aURI=0x435be698)
    at /builds/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp:1242
#48 0x40ca95f9 in nsObjectFrame::Reflow (this=0x435c984c, 
    aPresContext=0x4307b6f0, aMetrics=@0xbfff6ed0, aReflowState=@0xbfff6f20, 
    aStatus=@0xbfff70b0)
    at /builds/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp:1048
#49 0x40ca1cc8 in nsLineLayout::ReflowFrame (this=0xbfff7190, 
    aFrame=0x435c984c, aNextRCFrame=0xbfff7b1c, aReflowStatus=@0xbfff70b0, 
    aMetrics=0x0, aPushedFrame=@0xbfff70ac)
    at /builds/trunk/mozilla/layout/html/base/src/nsLineLayout.cpp:1088
#50 0x40c5b03c in nsBlockFrame::ReflowInlineFrame (this=0x435c9728, 
    aState=@0xbfff7aa0, aLineLayout=@0xbfff7190, aLine=
      {mCurrent = 0x435c9920, mListLink = 0x435c9764}, aFrame=0x435c984c, 
    aLineReflowStatus=0xbfff711f "")
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:3700
#51 0x40c5ac6c in nsBlockFrame::DoReflowInlineFrames (this=0x435c9728, 
    aState=@0xbfff7aa0, aLineLayout=@0xbfff7190, aLine=
      {mCurrent = 0x435c9920, mListLink = 0x435c9764}, 
    aKeepReflowGoing=0xbfff7888, aLineReflowStatus=0xbfff765f "\002", 
    aUpdateMaximumWidth=0, aDamageDirtyArea=0)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:3582
#52 0x40c5a9dc in nsBlockFrame::DoReflowInlineFramesAuto (this=0x435c9728, 
    aState=@0xbfff7aa0, aLine={mCurrent = 0x435c9920, mListLink = 0x435c9764}, 
    aKeepReflowGoing=0xbfff7888, aLineReflowStatus=0xbfff765f "\002", 
    aUpdateMaximumWidth=0, aDamageDirtyArea=0)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:3505
#53 0x40c5a7b8 in nsBlockFrame::ReflowInlineFrames (this=0x435c9728, 
    aState=@0xbfff7aa0, aLine={mCurrent = 0x435c9920, mListLink = 0x435c9764}, 
    aKeepReflowGoing=0xbfff7888, aDamageDirtyArea=0, aUpdateMaximumWidth=0)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:3451
#54 0x40c588a2 in nsBlockFrame::ReflowLine (this=0x435c9728, 
    aState=@0xbfff7aa0, aLine={mCurrent = 0x435c9920, mListLink = 0x435c9764}, 
    aKeepReflowGoing=0xbfff7888, aDamageDirtyArea=0)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:2614
#55 0x40c57804 in nsBlockFrame::ReflowDirtyLines (this=0x435c9728, 
    aState=@0xbfff7aa0)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:2253
#56 0x40c545ea in nsBlockFrame::Reflow (this=0x435c9728, 
    aPresContext=0x4307b6f0, aMetrics=@0xbfff8168, aReflowState=@0xbfff7eb0, 
    aStatus=@0xbfff8024)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:844

... (through tons of block, table, gfxscroll, etc. reflow)

#137 0x40ce9023 in ViewportFrame::Reflow (this=0x43646424, 
    aPresContext=0x4307b6f0, aDesiredSize=@0xbfffe750, 
    aReflowState=@0xbfffe580, aStatus=@0xbfffe648)
    at /builds/trunk/mozilla/layout/html/base/src/nsViewportFrame.cpp:587
#138 0x40c89806 in nsHTMLReflowCommand::Dispatch (this=0x435a9758, 
    aPresContext=0x4307b6f0, aDesiredSize=@0xbfffe750, aMaxSize=@0xbfffe730, 
    aRendContext=@0x435ce058)
    at /builds/trunk/mozilla/layout/html/base/src/nsHTMLReflowCommand.cpp:216
#139 0x40cc9814 in PresShell::ProcessReflowCommand (this=0x4357ff60, 
    aQueue=@0x4357ffb0, aAccumulateTime=1, aDesiredSize=@0xbfffe750, 
    aMaxSize=@0xbfffe730, aRenderingContext=@0x435ce058)
    at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6287
#140 0x40cc9a98 in PresShell::ProcessReflowCommands (this=0x4357ff60, 
    aInterruptible=1)
    at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6342
#141 0x40e99e80 in ReflowEvent::HandleEvent (this=0x435aa158)
    at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6196
#142 0x40cc9556 in HandlePLEvent (aEvent=0x435aa158)
    at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6212
#143 0x402222e0 in PL_HandleEvent (self=0x435aa158)
    at /builds/trunk/mozilla/xpcom/threads/plevent.c:596
#144 0x40222a51 in PL_ProcessEventsBeforeID (aSelf=0x811a1b8, aID=7389)
    at /builds/trunk/mozilla/xpcom/threads/plevent.c:1270

... (main event loop, main, etc.)

Reopening because the fact that this doesn't crash with your null check is
merely at the mercy of what the allocator decides to recycle, and thus this bug
could come back any time, or could easily still be present on other machines. 
With my patches in bug 114219 and bug 114221 to fill pres-shell-freed memory
with 0xdd, we crash quite hard in other places.  (This is quite easy to
reproduce with those patches in my tree, by loading the URL
http://www.realgm.com/src_roster.php?team=Philadelphia and clicking on one of
the players.)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Comment 54

17 years ago
I appreciate the fact that we're trying to track down a bug that nobody can
reproduce (and so spackle is appropriate), but I agree with dbaron: we should be
looking more deeply for causes.
(Assignee)

Comment 55

17 years ago
remarking as fixed.

for David Baron's proposal to fix the real issue that caused the crash I opened
bug 136927.
Status: REOPENED → RESOLVED
Last Resolved: 17 years ago17 years ago
Resolution: --- → FIXED

Comment 56

17 years ago
Verified fix checked into lxr.mozilla.org and no crash Mac OS X build 2002041105
and linux build 2002041105 (windows build hosed, will check that tomorrow.) 
Marking verified though
Status: RESOLVED → VERIFIED

Updated

17 years ago
Keywords: fixed1.0.0
Crash Signature: [@ PlaceFrameView] [@ .__ptr_glue - nsBlockFrame::PostPlaceLine]
You need to log in before you can comment on or make changes to this bug.