[DOGFOOD] Crash on screen name submit in AIM

VERIFIED DUPLICATE of bug 20161

Status

P3
critical
19 years ago
19 years ago

People

(Reporter: amusil, Assigned: eric)

Tracking

Trunk

Details

(Whiteboard: [PDT+]12/03/1999)

(Reporter)

Description

19 years ago
Repro:
- Wipe away your old profile and mozreg file
- Launch seamonkey and go to Tasks->Instant Messenger
- Put a screen name in the text field and click submit
- Result: crash on delete[] call

Crashes in nsBoxFrame::FlowChildren() on the call to "delete[] resized;".  It
appears that a previous call in that same function to ChildResized() modifies the
resize array incorrectly (writing off the end of the array).

This only shows up as an assertion in the debug builds, but crashes the release
bits.  I can repro this on Windows and Mac.
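
The failure mode described above, as an added example (not Mozilla's code and not part of the original report): a write one slot past the end of a heap array goes unnoticed at the time of the write and is only caught when the block is freed, which is when a debug heap verifies the guard bytes placed after it. `GuardedFlags`, `flow_children` and the off-by-one loop are assumptions made for illustration; the report does not show the actual indexing error.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <vector>

// Guard layout modelled on the MSVC debug heap: 4 bytes of 0xFD after the block.
const unsigned char kGuardFill = 0xFD;
const std::size_t kGuardLen = 4;

// Hypothetical stand-in for the heap block behind `resized`: `count` flags plus
// guard bytes inside one real allocation, so the overrun here is well-defined.
class GuardedFlags {
public:
    explicit GuardedFlags(std::size_t count)
        : count_(count), storage_(count + kGuardLen, 0) {
        std::memset(storage_.data() + count_, kGuardFill, kGuardLen);
    }
    // Raw-array semantics: index == count_ lands in the guard region.
    void mark_unchecked(std::size_t i) { if (i < storage_.size()) storage_[i] = 1; }
    // Hardened form: refuse any index outside the logical array.
    bool mark_checked(std::size_t i) {
        if (i >= count_) return false;
        storage_[i] = 1;
        return true;
    }
    // Free-time check: offset of the first damaged guard byte, or -1 if intact.
    int first_damaged_guard_byte() const {
        for (std::size_t g = 0; g < kGuardLen; ++g)
            if (storage_[count_ + g] != kGuardFill) return static_cast<int>(g);
        return -1;
    }
private:
    std::size_t count_;
    std::vector<unsigned char> storage_;
};

// Assumed bug shape (not stated in the report): the loop visits one slot too many.
// Returns what the guard check would report when the array is freed.
int flow_children(std::size_t child_count, bool checked) {
    GuardedFlags resized(child_count);
    for (std::size_t i = 0; i <= child_count; ++i) {
        if (checked) resized.mark_checked(i); else resized.mark_unchecked(i);
    }
    return resized.first_damaged_guard_byte();
}

int main() {
    std::printf("unchecked: %d, checked: %d\n", flow_children(3, false), flow_children(3, true));
}
```

A release heap has no guard bytes to absorb the stray write, so the same overrun lands in whatever sits next to the array, which matches the report of an assertion in debug builds and a crash in release builds.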
(Reporter)

Comment 1

19 years ago
Here's the stack trace:

_free_dbg_lk(void * 0x03978500, int 1) line 1033 + 60 bytes
_free_dbg(void * 0x03978500, int 1) line 970 + 13 bytes
operator delete(void * 0x03978500) line 49 + 16 bytes
nsBoxFrame::FlowChildren(nsIPresContext & {...}, nsHTMLReflowMetrics & {...},
const nsHTMLReflowState & {...}, unsigned int & 0, nsRect & {...}) line 729 + 24
bytes
nsBoxFrame::Reflow(nsBoxFrame * const 0x037c14e0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 593
nsContainerFrame::ReflowChild(nsIFrame * 0x037c14e0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 0, unsigned int & 0) line 637 + 31 bytes
RootFrame::Reflow(RootFrame * const 0x037c03d0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 333
nsContainerFrame::ReflowChild(nsIFrame * 0x037c03d0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0,
unsigned int 0, unsigned int & 0) line 637 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x037c0700, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 527
nsHTMLReflowCommand::Dispatch(nsHTMLReflowCommand * const 0x0385f2f0,
nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsSize & {...},
nsIRenderingContext & {...}) line 145
PresShell::ProcessReflowCommands(PresShell * const 0x0372af10) line 1650
PresShell::ExitReflowLock(PresShell * const 0x0372af10, int 1, int 1) line 709
PresShell::AttributeChanged(PresShell * const 0x0372af18, nsIDocument *
0x03700780, nsIContent * 0x0378aaa0, int 0, nsIAtom * 0x032ede70, int -1) line
2073
nsXULDocument::AttributeChanged(nsXULDocument * const 0x03700780, nsIContent *
0x0378aaa0, int 0, nsIAtom * 0x032ede70, int -1) line 1161
nsXULElement::SetAttribute(nsXULElement * const 0x0378aaa0, int 0, nsIAtom *
0x032ede70, const nsString & {...}, int 1) line 2148
nsXULElement::SetAttribute(nsXULElement * const 0x0378aab0, const nsString &
{...}, const nsString & {...}) line 1005 + 35 bytes
ElementSetAttribute(JSContext * 0x03702e90, JSObject * 0x02504b28, unsigned int
2, long * 0x024fed3c, long * 0x0012e3c0) line 259 + 26 bytes
js_Invoke(JSContext * 0x03702e90, unsigned int 2, unsigned int 0) line 673 + 26
bytes
js_Interpret(JSContext * 0x03702e90, long * 0x0012ec14) line 2245 + 15 bytes
js_Invoke(JSContext * 0x03702e90, unsigned int 0, unsigned int 0) line 689 + 13
bytes
js_Interpret(JSContext * 0x03702e90, long * 0x0012f424) line 2245 + 15 bytes
js_Invoke(JSContext * 0x03702e90, unsigned int 1, unsigned int 2) line 689 + 13
bytes
js_InternalCall(JSContext * 0x03702e90, JSObject * 0x02504998, long 38816160,
unsigned int 1, long * 0x0012f58c, long * 0x0012f544) line 766 + 15 bytes
JS_CallFunction(JSContext * 0x03702e90, JSObject * 0x02504998, JSFunction *
0x0379a0f0, unsigned int 1, long * 0x0012f58c, long * 0x0012f544) line 2732 + 32
bytes
nsJSContext::CallFunction(nsJSContext * const 0x03701030, void * 0x02504998,
void * 0x0379a0f0, unsigned int 1, void * 0x0012f58c, int * 0x0012f588) line 468
+ 33 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x038557f4) line 107 + 48 bytes
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent *
0x0012f814, nsIDOMEvent * * 0x0012f794, unsigned int 7, nsEventStatus &
nsEventStatus_eIgnore) line 630 + 21 bytes
nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012f814,
nsIDOMEvent * * 0x0012f794, unsigned int 1, nsEventStatus &
nsEventStatus_eIgnore) line 795
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x0379a46c,
nsIPresContext & {...}, nsEvent * 0x0012f814, nsIDOMEvent * * 0x00000000,
unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 625 + 31 bytes
nsEventStateManager::CheckForAndDispatchClick(nsEventStateManager * const
0x037d0490, nsIPresContext & {...}, nsMouseEvent * 0x0012fbd0, nsEventStatus &
nsEventStatus_eIgnore) line 1361 + 42 bytes
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x037d0490,
nsIPresContext & {...}, nsGUIEvent * 0x0012fbd0, nsIFrame * 0x037d1f60,
nsEventStatus & nsEventStatus_eIgnore, nsIView * 0x03729300) line 627 + 24 bytes
PresShell::HandleEvent(PresShell * const 0x0372af14, nsIView * 0x03729300,
nsGUIEvent * 0x0012fbd0, nsEventStatus & nsEventStatus_eIgnore) line 2458 + 43
bytes
nsView::HandleEvent(nsView * const 0x03729300, nsGUIEvent * 0x0012fbd0, unsigned
int 28, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 840
nsViewManager::DispatchEvent(nsViewManager * const 0x037294d0, nsGUIEvent *
0x0012fbd0, nsEventStatus & nsEventStatus_eIgnore) line 1724
HandleEvent(nsGUIEvent * 0x0012fbd0) line 69
nsWindow::DispatchEvent(nsWindow * const 0x037291c4, nsGUIEvent * 0x0012fbd0,
nsEventStatus & nsEventStatus_eIgnore) line 438 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fbd0) line 459
nsWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 3482 +
21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line
3700
nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 11468887, long *
0x0012fdfc) line 2760 + 24 bytes
nsWindow::WindowProc(HWND__ * 0x07fa0190, unsigned int 514, unsigned int 0, long
11468887) line 625 + 27 bytes
USER32! 77e71820()

Updated

19 years ago
Whiteboard: [PDT+]

Comment 2

19 years ago
Putting on PDT+ radar.

Comment 3

19 years ago
So how are we looking on this bug?  What is the target fix date?
(Assignee)

Updated

19 years ago
Status: NEW → ASSIGNED
Whiteboard: [PDT+] → [PDT+]12/03/1999

Updated

19 years ago
Target Milestone: M12
(Reporter)

Comment 4

19 years ago
This looks like a dup of Bug 20161
(Assignee)

Updated

19 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 19 years ago
Resolution: --- → DUPLICATE
(Assignee)

Comment 5

19 years ago
*** This bug has been marked as a duplicate of 20161 ***

Updated

19 years ago
Status: RESOLVED → VERIFIED

Comment 6

19 years ago
Agreed. Marking as verified duplicate of 20161.