Closed Bug 19967 Opened 26 years ago Closed 26 years ago

[DOGFOOD] Crash on screen name submit in AIM

Categories

(Core :: Layout, defect, P3)

VERIFIED DUPLICATE of bug 20161

People

(Reporter: amusil, Assigned: eric)

Details

(Whiteboard: [PDT+]12/03/1999)

Repro:
- Wipe away your old profile and mozreg file
- Launch seamonkey and go to Tasks->Instant Messenger
- Put a screen name in the text field and click submit
- Result: crash on delete[] call

Crashes in nsBoxFrame::FlowChildren() on the call to "delete[] resized;". It appears that a previous call in that same function to ChildResized() modifies the resize array incorrectly (writing off the end of the array). This only shows up as an assertion in the debug builds, but crashes the release bits. I can repro this on Windows and Mac.
Here's the stack trace:
_free_dbg_lk(void * 0x03978500, int 1) line 1033 + 60 bytes
_free_dbg(void * 0x03978500, int 1) line 970 + 13 bytes
operator delete(void * 0x03978500) line 49 + 16 bytes
nsBoxFrame::FlowChildren(nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0, nsRect & {...}) line 729 + 24 bytes
nsBoxFrame::Reflow(nsBoxFrame * const 0x037c14e0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 593
nsContainerFrame::ReflowChild(nsIFrame * 0x037c14e0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 637 + 31 bytes
RootFrame::Reflow(RootFrame * const 0x037c03d0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 333
nsContainerFrame::ReflowChild(nsIFrame * 0x037c03d0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 637 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x037c0700, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 527
nsHTMLReflowCommand::Dispatch(nsHTMLReflowCommand * const 0x0385f2f0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsSize & {...}, nsIRenderingContext & {...}) line 145
PresShell::ProcessReflowCommands(PresShell * const 0x0372af10) line 1650
PresShell::ExitReflowLock(PresShell * const 0x0372af10, int 1, int 1) line 709
PresShell::AttributeChanged(PresShell * const 0x0372af18, nsIDocument * 0x03700780, nsIContent * 0x0378aaa0, int 0, nsIAtom * 0x032ede70, int -1) line 2073
nsXULDocument::AttributeChanged(nsXULDocument * const 0x03700780, nsIContent * 0x0378aaa0, int 0, nsIAtom * 0x032ede70, int -1) line 1161
nsXULElement::SetAttribute(nsXULElement * const 0x0378aaa0, int 0, nsIAtom * 0x032ede70, const nsString & {...}, int 1) line 2148
nsXULElement::SetAttribute(nsXULElement * const 0x0378aab0, const nsString & {...}, const nsString & {...}) line 1005 + 35 bytes
ElementSetAttribute(JSContext * 0x03702e90, JSObject * 0x02504b28, unsigned int 2, long * 0x024fed3c, long * 0x0012e3c0) line 259 + 26 bytes
js_Invoke(JSContext * 0x03702e90, unsigned int 2, unsigned int 0) line 673 + 26 bytes
js_Interpret(JSContext * 0x03702e90, long * 0x0012ec14) line 2245 + 15 bytes
js_Invoke(JSContext * 0x03702e90, unsigned int 0, unsigned int 0) line 689 + 13 bytes
js_Interpret(JSContext * 0x03702e90, long * 0x0012f424) line 2245 + 15 bytes
js_Invoke(JSContext * 0x03702e90, unsigned int 1, unsigned int 2) line 689 + 13 bytes
js_InternalCall(JSContext * 0x03702e90, JSObject * 0x02504998, long 38816160, unsigned int 1, long * 0x0012f58c, long * 0x0012f544) line 766 + 15 bytes
JS_CallFunction(JSContext * 0x03702e90, JSObject * 0x02504998, JSFunction * 0x0379a0f0, unsigned int 1, long * 0x0012f58c, long * 0x0012f544) line 2732 + 32 bytes
nsJSContext::CallFunction(nsJSContext * const 0x03701030, void * 0x02504998, void * 0x0379a0f0, unsigned int 1, void * 0x0012f58c, int * 0x0012f588) line 468 + 33 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x038557f4) line 107 + 48 bytes
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent * 0x0012f814, nsIDOMEvent * * 0x0012f794, unsigned int 7, nsEventStatus & nsEventStatus_eIgnore) line 630 + 21 bytes
nsGenericElement::HandleDOMEvent(nsIPresContext & {...}, nsEvent * 0x0012f814, nsIDOMEvent * * 0x0012f794, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 795
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x0379a46c, nsIPresContext & {...}, nsEvent * 0x0012f814, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 625 + 31 bytes
nsEventStateManager::CheckForAndDispatchClick(nsEventStateManager * const 0x037d0490, nsIPresContext & {...}, nsMouseEvent * 0x0012fbd0, nsEventStatus & nsEventStatus_eIgnore) line 1361 + 42 bytes
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x037d0490, nsIPresContext & {...}, nsGUIEvent * 0x0012fbd0, nsIFrame * 0x037d1f60, nsEventStatus & nsEventStatus_eIgnore, nsIView * 0x03729300) line 627 + 24 bytes
PresShell::HandleEvent(PresShell * const 0x0372af14, nsIView * 0x03729300, nsGUIEvent * 0x0012fbd0, nsEventStatus & nsEventStatus_eIgnore) line 2458 + 43 bytes
nsView::HandleEvent(nsView * const 0x03729300, nsGUIEvent * 0x0012fbd0, unsigned int 28, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 840
nsViewManager::DispatchEvent(nsViewManager * const 0x037294d0, nsGUIEvent * 0x0012fbd0, nsEventStatus & nsEventStatus_eIgnore) line 1724
HandleEvent(nsGUIEvent * 0x0012fbd0) line 69
nsWindow::DispatchEvent(nsWindow * const 0x037291c4, nsGUIEvent * 0x0012fbd0, nsEventStatus & nsEventStatus_eIgnore) line 438 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fbd0) line 459
nsWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 3482 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 3700
nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 11468887, long * 0x0012fdfc) line 2760 + 24 bytes
nsWindow::WindowProc(HWND__ * 0x07fa0190, unsigned int 514, unsigned int 0, long 11468887) line 625 + 27 bytes
USER32! 77e71820()
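Added example, not part of the original report and not Mozilla code: a minimal C++ model of why a write past the end of a heap array, as the report suspects for the resize array, goes unnoticed at the write and only surfaces when the block is freed, alongside the bounds-checked form that stops it at the source. The `guarded` namespace, its function names and the guard layout are hypothetical.

```cpp
#include <cstddef>
#include <cstring>
// Hypothetical model, not Mozilla code: a flag array with guard bytes after
// the payload, the layout a debug heap uses to notice overruns at free time.
namespace guarded {
constexpr std::size_t kGuardLen = 4;
constexpr unsigned char kGuardByte = 0xFD;  // fill value chosen for this model

struct Flags {
    std::size_t count;   // usable elements, one per child
    unsigned char* raw;  // count payload bytes followed by kGuardLen guards
};

Flags allocate(std::size_t count) {
    Flags f{count, new unsigned char[count + kGuardLen]};
    std::memset(f.raw, 0, count);
    std::memset(f.raw + count, kGuardByte, kGuardLen);
    return f;
}

// Frees the block and reports whether the guard bytes were still intact.
// This is the first point at which an earlier overrun becomes visible.
bool release(Flags& f) {
    bool intact = true;
    for (std::size_t i = 0; i < kGuardLen; ++i)
        intact = intact && f.raw[f.count + i] == kGuardByte;
    delete[] f.raw;
    f.raw = nullptr;
    return intact;
}

// Pattern the report suspects: the index is trusted, so index == count lands
// in the guard region (kept inside the allocation so this demo stays defined).
void mark_unchecked(Flags& f, std::size_t child) { f.raw[child] = 1; }

// Hardened form: reject the write at the point where the bug actually is.
bool mark_checked(Flags& f, std::size_t child) {
    if (child >= f.count) return false;
    f.raw[child] = 1;
    return true;
}

}  // namespace guarded

int main() {
    guarded::Flags f = guarded::allocate(3);
    guarded::mark_unchecked(f, 3);       // one past the end, no fault here
    return guarded::release(f) ? 1 : 0;  // overrun reported only at release
}
```

Without guard bytes the same stray write lands on whatever follows the array, which fits the report's observation that debug builds assert while release builds crash.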
Whiteboard: [PDT+]
Putting on PDT+ radar.
So how are we looking on this bug? What is the target fix date?
Status: NEW → ASSIGNED
Whiteboard: [PDT+] → [PDT+]12/03/1999
Target Milestone: M12
This looks like a dup of Bug 20161
Status: ASSIGNED → RESOLVED
Closed: 26 years ago
Resolution: --- → DUPLICATE
*** This bug has been marked as a duplicate of 20161 ***
Status: RESOLVED → VERIFIED
Agreed. Marking as verified duplicate of 20161.