Closed
Bug 121368
Opened 23 years ago
Closed 23 years ago
Crash when loading a page containing search results M098 [@ nsTypedSelection::EndBatchChanges][@ nsContainerFrame::FinishReflowChild]
Categories
(Core :: Layout, defect, P2)
Core
Layout
Tracking
()
VERIFIED
FIXED
mozilla1.0
People
(Reporter: vitrac, Assigned: alexsavulov)
References
()
Details
(Keywords: crash, testcase, topcrash)
Crash Data
Attachments
(5 files)
|
11.78 KB,
text/plain
|
Details | |
|
26.19 KB,
text/plain
|
Details | |
|
7.16 KB,
text/plain
|
Details | |
|
1018 bytes,
text/html
|
Details | |
|
1016 bytes,
patch
|
karnaze
:
review+
attinasi
:
superreview+
asa
:
approval+
|
Details | Diff | Splinter Review |
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:0.9.7) Gecko/20011226
BuildID: 2001122614
On the Compaq support site, there is a search field where you can enter
search terms and validate with the "Go" button.
If I enter any search term and press "Go", the page starts to load, but
nothing is displayed and then the browser coredumps.
Reproducible: Always
Steps to Reproduce:
1. Load http://www.compaq.com/support/
2. Enter search term in the search box on the left
3. Press Go.
Actual Results: The browser crashes and dumps a core.
Expected Results: The browser should have loaded and displayed the search results.
This is a local build of the Mozilla 0.9.7 source code, on a
Solaris 7 system.
It was compiled with gcc 2.95.3, using the following options in configure :
--disable-xprint --disable-tests --disable-debug --enable-crypto
--enable-ultrasparc --enable-optimize="-O3" --without-jpeg
--without-zlib --without-png
|
Reporter | |
Comment 1•23 years ago
|
||
This contains a backtrace of the core and the full list of loaded libraries.
|
||
Comment 2•23 years ago
|
||
Also crashes on Linux 2002012121
|
||
Comment 3•23 years ago
|
||
This is also tru on w2k build ID 2002011703. TalkbackID= TB2003770G.
Reporter you can change OS => ALL and platform to ALL.
|
||
Comment 4•23 years ago
|
||
|
||
Updated•23 years ago
|
|
|
||
Comment 5•23 years ago
|
||
my win2k stack is a little bit different.
The SunOS stack is -> Layout, my win2k stack is -> selection (?)
Marc Attinasi/petersen@netscape.com : Please help :-)
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
||
Comment 8•23 years ago
|
||
*** Bug 121511 has been marked as a duplicate of this bug. ***
|
|
||
Comment 9•23 years ago
|
||
Talkback ID's on Windows 98, 0.9.7, Build ID: 2002012304: TB2038294G,
TB2038385X, and TB2038487G.
|
||
Comment 10•23 years ago
|
||
When I use the repro steps listed (on Win2K, Trunk build 2002012309) I get a
different stack. (attached).
Note: Stacks for incidents in comment #9 match the stack in comment #4.
|
|
||
Comment 11•23 years ago
|
||
Just tried the steps using build 2002012506 to reproduce my earlier crash. But
it didn't crash. Could this be due to jst's checkin in nsContainerFrame.cpp on
1/24 ?
Summary: Crash when loading a page containing search results → Crash when loading a page containing search results [@ nsTypedSelection::EndBatchChanges][@ nsContainerFrame::FinishReflowChild]
|
|
||
Comment 12•23 years ago
|
||
Worksforme now, Windows 98, 0.9.7, Build ID: 2002012503. Resolving as worksforme
on that basis and the previous comment, which also reported it working.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → WORKSFORME
|
||
Comment 13•23 years ago
|
||
*** Bug 122562 has been marked as a duplicate of this bug. ***
|
|
||
Comment 15•23 years ago
|
||
*** Bug 123255 has been marked as a duplicate of this bug. ***
|
|
||
Comment 16•23 years ago
|
||
This one is back as a topcrasher in M098. I can reproduce the crash every time
with reporter's steps.
Go to www.compaq.com, enter text in the search form and click 'Go' -> crash.
This one needs to get fixed. Nominating.
Status: VERIFIED → REOPENED
Resolution: WORKSFORME → ---
Summary: Crash when loading a page containing search results [@ nsTypedSelection::EndBatchChanges][@ nsContainerFrame::FinishReflowChild] → Crash when loading a page containing search results M098 [@ nsTypedSelection::EndBatchChanges][@ nsContainerFrame::FinishReflowChild]
Whiteboard: nsbeta
|
|
||
Comment 18•23 years ago
|
||
*** Bug 125699 has been marked as a duplicate of this bug. ***
|
||
Comment 19•23 years ago
|
||
Just tried repro steps listed above with build ID 20020214 on win2k and Linux,
can’t able to reproduce the crash.
Priority: -- → P2
|
|
||
Comment 20•23 years ago
|
||
*** Bug 125786 has been marked as a duplicate of this bug. ***
|
|
||
Comment 21•23 years ago
|
||
*** Bug 126597 has been marked as a duplicate of this bug. ***
|
||
Comment 22•23 years ago
|
||
This is the HTML code generated by Compaq's site, with the minimum code
required to crash Mozilla. This error is caused by a NOBR tag not being
closed, with some Javascript code nested in the "open" NOBR tag. I experienced
this crash on build 20020204 under Win2k and build 20011226 under Linux.
|
Assignee | |
Comment 24•23 years ago
|
||
this is the first patch that comes in my mind that fixes the crash. maybe i can
refine it a little bit and make it a little bit more tolerant
|
|
Assignee | |
Updated•23 years ago
|
Attachment #72175 -
Attachment is patch: true
|
|
Assignee | |
Comment 25•23 years ago
|
||
i will create another patch to also repair the crash
@nsTypedSelection::EndBatchChanges
(proper refcounting for a member pointer solves that)
|
|
Assignee | |
Comment 26•23 years ago
|
||
2 things:
1. i will open another bug for the nsTypedSelection problem
and
2. I had a talk with Marc Attinasi and decided not to try make this patch more
tolerant since the method ReframeConatainingBlock is supposed to be remioved in
the future by a better implementation
|
||
Comment 27•23 years ago
|
||
This may solve the crash, but is it a temporary fix? How is the reframe going to
occur?
|
||
Comment 28•23 years ago
|
||
Comment on attachment 72175 [details] [diff] [review]
proposed patch V1.0 - prevents nsCSSFrameConstructor::ReframeContainingBlock execute during reflow
sr=attinasi
Attachment #72175 -
Flags: superreview+
|
|
||
Updated•23 years ago
|
Attachment #72175 -
Flags: review+
|
|
Assignee | |
Comment 29•23 years ago
|
||
r= comes from Chris Karnaze
|
|
Assignee | |
Updated•23 years ago
|
Attachment #72175 -
Attachment description: proposed patch V1.0 → proposed patch V1.0 - prevents nsCSSFrameConstructor::ReframeContainingBlock execute during reflow
|
||
Comment 30•23 years ago
|
||
Comment on attachment 72175 [details] [diff] [review]
proposed patch V1.0 - prevents nsCSSFrameConstructor::ReframeContainingBlock execute during reflow
a=asa (on behalf of drivers) for checkin to the 1.0 trunk
Attachment #72175 -
Flags: approval+
|
|
Assignee | |
Comment 31•23 years ago
|
||
fixed on trunk
Status: NEW → RESOLVED
Closed: 23 years ago → 23 years ago
Resolution: --- → FIXED
|
|
||
Comment 32•23 years ago
|
||
*** Bug 129989 has been marked as a duplicate of this bug. ***
|
|
||
Comment 33•23 years ago
|
||
*** Bug 130548 has been marked as a duplicate of this bug. ***
|
||
Comment 34•23 years ago
|
||
Yes, 0.9.9 on FreeBSD solves the problems I had.
Thanks.
|
|
||
Comment 35•23 years ago
|
||
Not seeing this one in M099 or Trunk talkback data. VERIFIED.
Status: RESOLVED → VERIFIED
|
||
Comment 36•23 years ago
|
||
Fixed for me on Linux in 0.9.9...
|
|
||
Comment 37•23 years ago
|
||
I think the nsTypedSelection bug is filed at
http://bugzilla.mozilla.org/show_bug.cgi?id=117695
|
||
Comment 38•22 years ago
|
||
kin: attachment 66095 [details] indicates that this is a crash caused by editor creating
content during reflow. So, if we ever _do_ fix the text control so that they can
create frames during creation, we can back out this fix. (Should we file a bug
on that?)
|
||
Updated•13 years ago
|
Crash Signature: [@ nsTypedSelection::EndBatchChanges]
[@ nsContainerFrame::FinishReflowChild]
You need to log in
before you can comment on or make changes to this bug.
Description
•