Closed Bug 203041 Opened 22 years ago Closed 20 years ago

[FIX] M17rc2 - Removing nodes with line wraps can cause immediate crash of Mozilla - Trunk [@ 0x00000000 - nsCSSFrameConstructor::FindFrameWithContent ][@ nsCSSFrameConstructor::FindFrameWithContent ] (crash on file input)

Categories

(Core :: Layout: Form Controls, defect)

Product:
Core
Component:
Layout: Form Controls
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: schnozzy, Assigned: bryner)

References

(
URL
)

Details

(5 keywords, Whiteboard: fixed-aviary1.0)

Crash Data

Attachments

(3 files, 1 obsolete file)

backtrace
16.85 KB, text/plain
Details
click "OK" in the alert to trigger the crash
596 bytes, text/html
Details
patch updated to trunk
2.78 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
chofmann
: approval1.7+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4a) Gecko/20030418 Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4a) Gecko/20030418 Click on 'attach files' to add nodes, then click on 'delete' to remove nodes. This works as long as 'delete' doesn't wrap around to the next line. If one makes the browser window small enough so that the 'delete' word wraps around underneath the 'file' form element, it will crash Mozilla 1.3 and 1.4a on windows, freebsd, and linux. Reproducible: Always Steps to Reproduce: 1.Click on attach file. 2.Resize the window so that delete is underneath the file element 3.click on delete Actual Results: Mozilla crashed entirely. Expected Results: Mozilla should not have disappeared. It should have behaved the same as when delete was at the end of the line. 1.2.1 on Windows doesn't appear to have this problem.
###!!! ASSERTION: frame was not removed from primary frame map before destruction or was readded to map after being removed: '!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame', file /home/bzbarsky/mozilla/xlib/mozilla/layout/html/base/src/nsFrameManager.cpp, line 1050 Stack is: #0 0xdddddddd in ?? () #1 0x40ee6849 in nsCSSFrameConstructor::FindPrimaryFrameFor (this=0x8506a80, aPresContext=0x87cfce0, aFrameManager=0x8524930, aContent=0x8791520, aFrame=0xbfffce64, aHint=0x0) at /home/bzbarsky/mozilla/xlib/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:11822 #2 0x40ff4d9d in StyleSetImpl::FindPrimaryFrameFor (this=0x86dc548, aPresContext=0x87cfce0, aFrameManager=0x8524930, aContent=0x8791520, aFrame=0xbfffce64, aHint=0x0) at /home/bzbarsky/mozilla/xlib/mozilla/content/base/src/nsStyleSet.cpp:1825 #3 0x40e33328 in FrameManager::GetPrimaryFrameFor (this=0x8524930, aContent=0x8791520, aResult=0xbfffce64) at /home/bzbarsky/mozilla/xlib/mozilla/layout/html/base/src/nsFrameManager.cpp:681 #4 0x40e7cc13 in PresShell::GetPrimaryFrameFor (this=0x8506b70, aContent=0x8791520, aResult=0xbfffce64) at /home/bzbarsky/mozilla/xlib/mozilla/layout/html/base/src/nsPresShell.cpp:5704 #5 0x41037c05 in nsGenericHTMLElement::GetPrimaryFrameFor (aContent=0x8791520, aDocument=0x8579328, aFlushContent=0) at /home/bzbarsky/mozilla/xlib/mozilla/content/html/content/src/nsGenericHTMLElement.cpp:2619 #6 0x41037c3d in nsGenericHTMLElement::GetFormControlFrameFor (aContent=0x8791520, aDocument=0x8579328, aFlushContent=0) at /home/bzbarsky/mozilla/xlib/mozilla/content/html/content/src/nsGenericHTMLElement.cpp:2632 #7 0x4103d95d in nsGenericHTMLElement::GetFormControlFrame (this=0x8791520, aFlushContent=0) at /home/bzbarsky/mozilla/xlib/mozilla/content/html/content/src/nsGenericHTMLElement.h:254 #8 0x4106170d in nsHTMLInputElement::GetValue (this=0x8791520, aValue=@0xbfffcf90) at /home/bzbarsky/mozilla/xlib/mozilla/content/html/content/src/nsHTMLInputElement.cpp:657 #9 0x41065df0 in nsHTMLInputElement::SaveState (this=0x8791520) at /home/bzbarsky/mozilla/xlib/mozilla/content/html/content/src/nsHTMLInputElement.cpp:2493 -- this is the request for a primary frame we always get as a form control is being removed from the doc... In particular, this tends to repopulate the primary frame map with the about-to-be-destroyed frame...
Assignee: dom_bugs → form
Status: UNCONFIRMED → NEW
Component: DOM Core → Layout: Form Controls
Ever confirmed: true
Keywords: crash, testcase
Here's a recent Talkback incident: Incident ID 19440535 Stack Signature 0x00000000 33c05baf Email Address aha@pinknet.cz Product ID MozillaTrunk Build ID 2003042308 Trigger Time 2003-04-23 15:14:07 Platform Win32 Operating System Windows NT 5.0 build 2195 Module URL visited User Comments B#203041 Trigger Reason Access violation Source File Name Trigger Line No. Stack Trace 0x00000000 nsCSSFrameConstructor::FindFrameWithContent [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 11670] nsCSSFrameConstructor::FindPrimaryFrameFor [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 11847] StyleSetImpl::FindPrimaryFrameFor [c:/builds/seamonkey/mozilla/content/base/src/nsStyleSet.cpp, line 1826] FrameManager::GetPrimaryFrameFor [c:/builds/seamonkey/mozilla/layout/html/base/src/nsFrameManager.cpp, line 683] PresShell::GetPrimaryFrameFor [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 5705] nsGenericHTMLElement::GetPrimaryFrameFor [c:/builds/seamonkey/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 2630] nsGenericHTMLElement::GetFormControlFrameFor [c:/builds/seamonkey/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 2643] nsHTMLInputElement::GetValue [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 659] nsHTMLInputElement::SaveState [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 2497] nsGenericHTMLLeafFormElement::SetDocument [c:/builds/seamonkey/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 4278] nsHTMLInputElement::SetDocument [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1781] nsGenericElement::SetDocumentInChildrenOf [c:/builds/seamonkey/mozilla/content/base/src/nsGenericElement.cpp, line 1640] nsGenericElement::SetDocument [c:/builds/seamonkey/mozilla/content/base/src/nsGenericElement.cpp, line 1704] nsGenericHTMLElement::SetDocument [c:/builds/seamonkey/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 1340] nsGenericHTMLContainerElement::RemoveChildAt [c:/builds/seamonkey/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 3814] nsGenericElement::doRemoveChild [c:/builds/seamonkey/mozilla/content/base/src/nsGenericElement.cpp, line 2892] nsHTMLTableCellElement::RemoveChild [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLTableCellElement.cpp, line 63] XPTC_InvokeByIndex [c:/builds/seamonkey/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102] XPCWrappedNative::CallMethod [c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2025] XPC_WN_CallMethod [c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1285] js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 845] js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2836] js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 861] js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 936] JS_CallFunctionValue [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3529] nsJSContext::CallEventHandler [c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1082] nsJSEventListener::HandleEvent [c:/builds/seamonkey/mozilla/dom/src/events/nsJSEventListener.cpp, line 183] nsEventListenerManager::HandleEventSubType [c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line 1192] nsEventListenerManager::HandleEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line 1363] nsGenericElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/base/src/nsGenericElement.cpp, line 1925] nsGenericHTMLElement::HandleDOMEventForAnchors [c:/builds/seamonkey/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 1433] nsHTMLLinkElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLLinkElement.cpp, line 360] PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6377] PresShell::HandleEventWithTarget [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6338] nsEventStateManager::CheckForAndDispatchClick [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 2911] nsEventStateManager::PostHandleEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 1906] PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6414] PresShell::HandleEvent [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6321] nsViewManager::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 2292] nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 308] nsViewManager::DispatchEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 2028] HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 82] nsWindow::DispatchEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1057] nsWindow::DispatchWindowEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1074] nsWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5177] ChildWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5432] nsWindow::ProcessMessage [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 4021] nsWindow::WindowProc [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1337] USER32.dll + 0x2a244 (0x77e3a244) USER32.dll + 0x45e5 (0x77e145e5) USER32.dll + 0xa792 (0x77e1a792) nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 479] main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1284] main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1650] WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1672] WinMainCRTStartup() KERNEL32.dll + 0x2847c (0x77ea847c)
Summary: Removing nodes with line wraps can cause immediate crash of Mozilla → Removing nodes with line wraps can cause immediate crash of Mozilla - Trunk [@ 0x00000000 - nsCSSFrameConstructor::FindFrameWithContent ]
*** Bug 204481 has been marked as a duplicate of this bug. ***
*** Bug 205415 has been marked as a duplicate of this bug. ***
*** Bug 192387 has been marked as a duplicate of this bug. ***
This is a regression from bug 152844 (credits to Andrew Schultz bug 207775). +nsFileControlFrame::Destroy(nsIPresContext* aPresContext) +{ + // Toss the value into the control from the anonymous content, which is about + // to get lost. + if (mTextContent) { + nsCOMPtr<nsIDOMHTMLInputElement> input = do_QueryInterface(mTextContent); + nsAutoString value; + input->GetValue(value); + + // Have it take the value, just like when input type=text goes away + nsCOMPtr<nsITextControlElement> fileInput = do_QueryInterface(mContent); + fileInput->TakeTextFrameValue(value); + } + return nsAreaFrame::Destroy(aPresContext); } If I remove "input->GetValue(value);" it does not crash. The crash is not on that line per se, it comes later, but this line seems to be the culprit.
Assignee: form → jkeiser
Keywords: regression
*** Bug 207775 has been marked as a duplicate of this bug. ***
*** Bug 204481 has been marked as a duplicate of this bug. ***
This comes up every so often... Basically, as I recall it, the GetValue calls GetPrimaryFrameFor, which puts a pointer to the form control frame back into the primary frame map (this code is running _after_ the frame has been removed from the map). Then the frame gets destroyed, and there is a stale pointer living in the primary frame map. Could you try manually removing the frame from the primary frame map after that GetValue() call and seeing whether that helps the crash?
That fixed one of the bugs while others still crashed. Instead, I found some code in nsTextControlFrame which does something similar and that fixed all the bugs. I will attach the patch after I clean it up a bit.
Attached patch Patch rev. 1 (obsolete) — Splinter Review
Don't know who I should ask for review - Boris?
Summary: Removing nodes with line wraps can cause immediate crash of Mozilla - Trunk [@ 0x00000000 - nsCSSFrameConstructor::FindFrameWithContent ] → [FIX] Removing nodes with line wraps can cause immediate crash of Mozilla - Trunk [@ 0x00000000 - nsCSSFrameConstructor::FindFrameWithContent ]
Comment on attachment 125139 [details] [diff] [review] Patch rev. 1 That would be me. What is the actual root cause here? Is PreDestroy() not being called on the anonymous contents' frames?
Attachment #125139 - Flags: review?(jkeiser)
There was no nsFileControlFrame::PreDestroy() - the patch adds it in the same way as in nsTextControlFrame. I think Boris' comment 9 explains the situation.
What I'm trying to figure out is, why is it calling GetPrimaryFrameFor() at all? Since nsTextControlFrame has a PreDestroy, *that* should have been called, which would have given the value to the input type=file, which would have set mOwnsValue = PR_TRUE. I'll debug here. I just think there is a deeper problem with the order we destroy things.
*** Bug 210620 has been marked as a duplicate of this bug. ***
*** Bug 210895 has been marked as a duplicate of this bug. ***
*** Bug 212019 has been marked as a duplicate of this bug. ***
*** Bug 212561 has been marked as a duplicate of this bug. ***
*** Bug 214188 has been marked as a duplicate of this bug. ***
*** Bug 214255 has been marked as a duplicate of this bug. ***
Summary: [FIX] Removing nodes with line wraps can cause immediate crash of Mozilla - Trunk [@ 0x00000000 - nsCSSFrameConstructor::FindFrameWithContent ] → [FIX] Removing nodes with line wraps can cause immediate crash of Mozilla - Trunk [@ 0x00000000 - nsCSSFrameConstructor::FindFrameWithContent ] (crash on file input)
*** Bug 218454 has been marked as a duplicate of this bug. ***
*** Bug 206839 has been marked as a duplicate of this bug. ***
*** Bug 223426 has been marked as a duplicate of this bug. ***
*** Bug 230990 has been marked as a duplicate of this bug. ***
URL is dead, updating with minimized testcase.
URL: http://mail.verbotenplanet.net/testca...http://bugzilla.mozilla.org/attachmen...
Perhaps we should just move removal from the primary frame map later (to where we currently have the assertion)? Or is there a problem that still having the frame in the primary frame map that late would cause?
*** Bug 231008 has been marked as a duplicate of this bug. ***
*** Bug 233614 has been marked as a duplicate of this bug. ***
*** Bug 234351 has been marked as a duplicate of this bug. ***
*** Bug 227111 has been marked as a duplicate of this bug. ***
*** Bug 238977 has been marked as a duplicate of this bug. ***
*** Bug 239463 has been marked as a duplicate of this bug. ***
Attached file backtrace
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7b) Gecko/20040412 Firefox/0.8.0+ This crash is still in.
Adding M17beta to summary and topcrash keyword for tracking since this is a topcrasher for Mozilla 1.7 Beta.
Keywords: topcrash
Summary: [FIX] Removing nodes with line wraps can cause immediate crash of Mozilla - Trunk [@ 0x00000000 - nsCSSFrameConstructor::FindFrameWithContent ] (crash on file input) → [FIX] Removing nodes with line wraps can cause immediate crash of Mozilla - M17beta Trunk [@ 0x00000000 - nsCSSFrameConstructor::FindFrameWithContent ][@ nsCSSFrameConstructor::FindFrameWithContent ] (crash on file input)
I just crashed with the testcase (http://bugzilla.mozilla.org/attachment.cgi?id=139119&action=view) using Mozilla 1.7 RC1 on WinXP. Updated summary for tracking: M17beta -> M17rc1
Summary: [FIX] Removing nodes with line wraps can cause immediate crash of Mozilla - M17beta Trunk [@ 0x00000000 - nsCSSFrameConstructor::FindFrameWithContent ][@ nsCSSFrameConstructor::FindFrameWithContent ] (crash on file input) → [FIX] Removing nodes with line wraps can cause immediate crash of Mozilla - M17rc1 Trunk [@ 0x00000000 - nsCSSFrameConstructor::FindFrameWithContent ][@ nsCSSFrameConstructor::FindFrameWithContent ] (crash on file input)
*** Bug 242620 has been marked as a duplicate of this bug. ***
moving testcase over from dupe bug 242620
Actually, the alert is just a 'pause' immediately before the crash. Removed the alert from the test case and the browser will just crash.
anyone have any more thoughts on how to fix this?
Flags: blocking1.7?
I guess my crashs with recent trunk builds (not 1.7) are the same issue. See TB40744Q, TB40732E and more. But I never noticed it before, I wonder in spite of my heavy use. I only crash in Mail & News if I *drag* the vertical scrollbar (not if I click the up/down arrows) of the recipients list in a message window. Now this crash is the No. 1 topcrash of the trunk builds.
The attached patch might be bitrotted, but maybe still contains the solution or hints towards it. Please note that jkeiser is unlikely to do the review, so maybe someone else should be contacted...
(In reply to comment #41) > I only crash in Mail & News if I *drag* the vertical scrollbar > (not if I click the up/down arrows) of the recipients list in a message window. see bug 243189 comment 4: ... or If I use the keyboard to navigate through the whole list (down/up).
Reassigning to default owners (which right now is nobody@mozilla.org). Asa: Any idea who might be able to look at this?
Assignee: john → nobody
QA Contact: desale → core.layout.form-controls
*** Bug 243858 has been marked as a duplicate of this bug. ***
dbaron, bz: either of you able to take this bug? /be
(In reply to comment #43) These crashes are gone with the fix for bug 243203 for me (although I always had the stack signature nsCSSFrameConstructor::FindFrameWithContent). The testcase here still crashes. Sorry for the unnecessary spam.
Updating summary with M17rc2 since this testcase crashes for me too with Mozilla 1.7 rc2: Incident ID: 52751 Stack Signature 0x00000000 75613caa Email Address jay@mozilla.org Product ID Mozilla17 Build ID 2004051408 Trigger Time 2004-05-19 14:47:49.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module URL visited http://bugzilla.mozilla.org/attachment.cgi?id=139119&action=view User Comments Bug 203041 Since Last Crash sec Total Uptime sec Trigger Reason Access violation Source File Name Trigger Line No. Stack Trace 0x00000000 GetNifOrSpecialSibling [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 400] nsCSSFrameConstructor::FindFrameWithContent [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 11022] nsCSSFrameConstructor::FindPrimaryFrameFor [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 11088] nsFrameManager::GetPrimaryFrameFor [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsFrameManager.cpp, line 460] PresShell::GetPrimaryFrameFor [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5389] nsGenericHTMLElement::GetPrimaryFrameFor [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 2189] nsGenericHTMLElement::GetFormControlFrameFor [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 2199] nsHTMLButtonElement::HandleDOMEvent [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLButtonElement.cpp, line 375] . . . The stack looks a lot like bug 238906, but still not sure if they're dups.
Summary: [FIX] Removing nodes with line wraps can cause immediate crash of Mozilla - M17rc1 Trunk [@ 0x00000000 - nsCSSFrameConstructor::FindFrameWithContent ][@ nsCSSFrameConstructor::FindFrameWithContent ] (crash on file input) → [FIX] M17rc2 - Removing nodes with line wraps can cause immediate crash of Mozilla - Trunk [@ 0x00000000 - nsCSSFrameConstructor::FindFrameWithContent ][@ nsCSSFrameConstructor::FindFrameWithContent ] (crash on file input)
Attachment #125139 - Flags: review?(john)
Assignee: nobody → bryner
Attachment #125139 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #148920 - Flags: superreview?(roc)
Attachment #148920 - Flags: review?(bzbarsky)
Blocks: 238906
Comment on attachment 148920 [details] [diff] [review] patch updated to trunk r+sr=bzbarsky. The answer to comment 15 is that the textnode gets the frame _unconditionally_ during the GetValue call, since the frame is what knows whether it owns the value. So we end up calling GetPrimaryFrameFor after the frames have been removed from the primary frame map (that happens before we start destroying them). So this is exactly the right patch....
Attachment #148920 - Flags: superreview?(roc)
Attachment #148920 - Flags: superreview+
Attachment #148920 - Flags: review?(bzbarsky)
Attachment #148920 - Flags: review+
Flags: blocking1.7? → blocking1.7+
Attachment #148920 - Flags: approval1.7?
Comment on attachment 148920 [details] [diff] [review] patch updated to trunk a=chofmann for 1.7
Attachment #148920 - Flags: approval1.7? → approval1.7+
checked into trunk, 1.7 branch, and aviary branch.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Keywords: fixed1.7
Resolution: --- → FIXED
Whiteboard: fixed-aviary1.0
*** Bug 245973 has been marked as a duplicate of this bug. ***
*** Bug 251090 has been marked as a duplicate of this bug. ***
I've verified that all testcases in this bug no longer crash for me using build 2004-11-12-04 on Windows XP, Seamonkey trunk.
Status: RESOLVED → VERIFIED
*** Bug 255175 has been marked as a duplicate of this bug. ***
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/afc662d52ab1
Flags: in-testsuite+
Crash Signature: [@ 0x00000000 - nsCSSFrameConstructor::FindFrameWithContent ] [@ nsCSSFrameConstructor::FindFrameWithContent ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: