Closed Bug 204915 Opened 22 years ago Closed 21 years ago

Crash in [@ nsBlockFrame::DoReflowInlineFrames] when rendering pop-up window on pinnacle webboard

Categories

(Core :: Layout: Block and Inline, defect, P2)

Product:
Core
Component:
Layout: Block and Inline
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 210269

People

(Reporter: wd, Assigned: roc)

References

(
URL
)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Stack Trace from Visual Studio
6.64 KB, text/plain
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030506 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030506 On the Pinnacle Webboard, there's an icon to click to view a user's profile. This info comes up in a pop-up window. The pop up will appear, but frequently mozilla will crash immediately after that. Reproducible: Sometimes Steps to Reproduce: 1.Go to the URL for this bug 2.Click on the link in any of the posts to go to a user's profile. (The image with a person's profile and a question mark) 3. Actual Results: Crash Expected Results: No crash TB19903233Q Per IRC conversation: Stack ends in nsBlockFrame::DoReflowInlineFrames [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3754]
OS -> ALL, per IRC
OS: Windows 2000 → All
Talkback ID for Linux 2003051308 : TB20062014M
The fix for Bug 201767 seems to cause this...
There's another bug on the crashes caused by that fix that has significantly more discussion, I think.
Not that I'm CC'ed on
Assignee: block-and-inline → roc+moz
Priority: -- → P2
The crash is in editor. I checked out the file by date, talkback says we are crashing on the line marked with => if (!selection) { return NS_ERROR_NULL_POINTER; } => nsCOMPtr<nsISelectionPrivate>selPrivate(do_QueryInterface(selection)); selPrivate->StartBatchChanges(); I guess we can't actually crash on that line, can we? I suspect we can only crash on the following line. WD: Could you try to edit file mozilla/editor/libeditor/base/nsEditor.cpp and add the following new line marked with * ? if (!selection) { return NS_ERROR_NULL_POINTER; } nsCOMPtr<nsISelectionPrivate>selPrivate(do_QueryInterface(selection)); * if (!selPrivate) { return NS_ERROR_NULL_POINTER; } selPrivate->StartBatchChanges(); Does that fix your crash? The first lines from the stack trace are: 0x00000000 nsEditor::DoTransaction() [/builds/client/linux22/seamonkey/mozilla/editor/libeditor/base/nsEditor.cpp, line 536] nsEditor::DeleteNode() [/builds/client/linux22/seamonkey/mozilla/editor/libeditor/base/nsEditor.cpp, line 1360] nsTextEditRules::WillInsert() [/builds/client/linux22/seamonkey/mozilla/editor/libeditor/text/nsTextEditRules.cpp, line 361] nsTextEditRules::WillInsertText() [/builds/client/linux22/seamonkey/mozilla/editor/libeditor/text/nsTextEditRules.cpp, line 526] nsTextEditRules::WillDoAction() [/builds/client/linux22/seamonkey/mozilla/editor/libeditor/text/nsTextEditRules.cpp, line 287] nsPlaintextEditor::InsertText() [/builds/client/linux22/seamonkey/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp, line 998] nsTextControlFrame::SetValue() [/builds/client/linux22/seamonkey/mozilla/layout/html/forms/src/nsTextControlFrame.cpp, line 3029] nsTextControlFrame::InitEditor() [/builds/client/linux22/seamonkey/mozilla/layout/html/forms/src/nsTextControlFrame.cpp, line 1584] nsTextControlFrame::Reflow() [/builds/client/linux22/seamonkey/mozilla/layout/html/forms/src/nsTextControlFrame.cpp, line 1935] nsLineLayout::ReflowFrame() [/builds/client/linux22/seamonkey/mozilla/layout/html/base/src/nsLineLayout.cpp, line 1034] nsInlineFrame::ReflowInlineFrame() [/builds/client/linux22/seamonkey/mozilla/layout/html/base/src/nsInlineFrame.cpp, line 735]
Ok, possibly the previous stack trace was something else, or an incorrectly reported stack. WD gave me TB ID 21041073 and some other IDs, which all crash here: Access violation nsBlockFrame::DoReflowInlineFrames [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3609] nsBlockFrame::DoReflowInlineFramesAuto [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3497] nsBlockFrame::ReflowInlineFrames [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3442] nsBlockFrame::ReflowLine [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2546] nsBlockFrame::ReflowDirtyLines [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2192] nsBlockFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 862] nsBlockReflowContext::ReflowBlock [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line 544] ...
Here's my console output up to the point where I crash: Document http://webboard.pinnaclesys.com/read_messages.asp?WebboardID=1&ForumID= 704&SectionID=143&ThreadID=144921&ThreadStart=0&Pos=0&cntThread=50&lng=1 loaded successfully WEBSHELL+ = 4 WEBSHELL+ = 5 ###!!! ASSERTION: We should not get in here if aContainer is in some _other_ doc ument!: 'doc == mDocument', file f:/MOZILL~1/mozilla/content/base/src/nsContentL ist.cpp, line 1000 ###!!! ASSERTION: We should not get in here if aContainer is in some _other_ doc ument!: 'doc == mDocument', file f:/MOZILL~1/mozilla/content/base/src/nsContentL ist.cpp, line 1000
Here is a stack trace from a Win32 Debug build. The line that crashes is this one: http://lxr.mozilla.org/seamonkey/source/layout/html/base/src/nsBlockFrame.cpp#3585
Summary: Crash in nsBlockFrame::DoReflowInlineFrames when rendering pop-up window on pinnacle webboard → Crash in [@ nsBlockFrame::DoReflowInlineFrames] when rendering pop-up window on pinnacle webboard
Where the access violation occurs, here are some values: aLine.mCurrent._mNext = 0x03c58003 aLine.mCurrent._mPrev = 0xcdcdcdcd The inline function being called: http://lxr.mozilla.org/seamonkey/source/layout/html/base/src/nsLineBox.h#1228 is failing because the mPrev pointer seems to be uninitialized
-> All/All I can repro this crash inside a handful of tries on OS X (Camino 082302 trunk & moz 082403 trunk)
Hardware: PC → All
Not sure about the exact dependency here, but the common theme is that the fix for Bug 201767 is the culprit. Luckily bug 217201 is seemingly much easier to reproduce than this one.
Depends on: 217201
Keywords: crash
I think we need to fix this for 1.5. There are a bunch of bugs that are regressions from bug 201767. If necessary, we should probably back out the fix (and perhaps replace it with an overflow list check in the place necessary to fix that bug).
Flags: blocking1.5+
I'm very sure this is a duplicate of 217201.
OK, so my fix for bug 217201 changes this ... now it gives the SetAttr call stack of bug 210269!
I can't reproduce the problem with 1.5b 2003082822 Linux i686 gcc-2.95.3 compiled.
And also does not crash for bug 217201 nor bug 210269 !
*** This bug has been marked as a duplicate of 210269 ***
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
Flags: blocking1.5+
Crash Signature: [@ nsBlockFrame::DoReflowInlineFrames]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: