Closed Bug 204915 Opened 21 years ago Closed 21 years ago

Crash in [@ nsBlockFrame::DoReflowInlineFrames] when rendering pop-up window on pinnacle webboard

Categories

(Core :: Layout: Block and Inline, defect, P2)

Product:
Core
Component:
Layout: Block and Inline
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 210269

People

(Reporter: wd, Assigned: roc)

References

(
URL
)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Stack Trace from Visual Studio
6.64 KB, text/plain
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030506
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030506

On the Pinnacle Webboard, there's an icon to click to view a user's profile. 
This info comes up in a pop-up window.   The pop up will appear, but frequently
mozilla will crash immediately after that.

Reproducible: Sometimes

Steps to Reproduce:
1.Go to the URL for this bug
2.Click on the link in any of the posts to go to a user's profile.  (The image
with a person's profile and a question mark)
3.

Actual Results:  
Crash

Expected Results:  
No crash

TB19903233Q

Per IRC conversation:   Stack ends in nsBlockFrame::DoReflowInlineFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3754]
OS -> ALL, per IRC
OS: Windows 2000 → All
Talkback ID for Linux 2003051308 :

TB20062014M
The fix for Bug 201767 seems to cause this...
There's another bug on the crashes caused by that fix that has significantly
more discussion, I think.
Not that I'm CC'ed on
Assignee: block-and-inline → roc+moz
Priority: -- → P2
The crash is in editor.

I checked out the file by date, talkback says we are crashing on the line marked
with =>

    if (!selection) { return NS_ERROR_NULL_POINTER; }
=>  nsCOMPtr<nsISelectionPrivate>selPrivate(do_QueryInterface(selection));

    selPrivate->StartBatchChanges();

I guess we can't actually crash on that line, can we?
I suspect we can only crash on the following line.

WD: Could you try to edit file mozilla/editor/libeditor/base/nsEditor.cpp
and add the following new line marked with * ?

    if (!selection) { return NS_ERROR_NULL_POINTER; }
    nsCOMPtr<nsISelectionPrivate>selPrivate(do_QueryInterface(selection));
*   if (!selPrivate) { return NS_ERROR_NULL_POINTER; }
    selPrivate->StartBatchChanges();

Does that fix your crash?


The first lines from the stack trace are:

0x00000000
nsEditor::DoTransaction()
[/builds/client/linux22/seamonkey/mozilla/editor/libeditor/base/nsEditor.cpp,
line 536]
nsEditor::DeleteNode()
[/builds/client/linux22/seamonkey/mozilla/editor/libeditor/base/nsEditor.cpp,
line 1360]
nsTextEditRules::WillInsert()
[/builds/client/linux22/seamonkey/mozilla/editor/libeditor/text/nsTextEditRules.cpp,
line 361]
nsTextEditRules::WillInsertText()
[/builds/client/linux22/seamonkey/mozilla/editor/libeditor/text/nsTextEditRules.cpp,
line 526]
nsTextEditRules::WillDoAction()
[/builds/client/linux22/seamonkey/mozilla/editor/libeditor/text/nsTextEditRules.cpp,
line 287]
nsPlaintextEditor::InsertText()
[/builds/client/linux22/seamonkey/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp,
line 998]
nsTextControlFrame::SetValue()
[/builds/client/linux22/seamonkey/mozilla/layout/html/forms/src/nsTextControlFrame.cpp,
line 3029]
nsTextControlFrame::InitEditor()
[/builds/client/linux22/seamonkey/mozilla/layout/html/forms/src/nsTextControlFrame.cpp,
line 1584]
nsTextControlFrame::Reflow()
[/builds/client/linux22/seamonkey/mozilla/layout/html/forms/src/nsTextControlFrame.cpp,
line 1935]
nsLineLayout::ReflowFrame()
[/builds/client/linux22/seamonkey/mozilla/layout/html/base/src/nsLineLayout.cpp,
line 1034]
nsInlineFrame::ReflowInlineFrame()
[/builds/client/linux22/seamonkey/mozilla/layout/html/base/src/nsInlineFrame.cpp,
line 735]

Ok, possibly the previous stack trace was something else, or an incorrectly
reported stack.

WD gave me TB ID 21041073 and some other IDs, which all crash here:

Access violation
nsBlockFrame::DoReflowInlineFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3609]
nsBlockFrame::DoReflowInlineFramesAuto
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3497]
nsBlockFrame::ReflowInlineFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3442]
nsBlockFrame::ReflowLine
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2546]
nsBlockFrame::ReflowDirtyLines
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2192]
nsBlockFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 862]
nsBlockReflowContext::ReflowBlock
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line
544]
...

Here's my console output up to the point where I crash:

Document http://webboard.pinnaclesys.com/read_messages.asp?WebboardID=1&ForumID=
704&SectionID=143&ThreadID=144921&ThreadStart=0&Pos=0&cntThread=50&lng=1 loaded
successfully
WEBSHELL+ = 4
WEBSHELL+ = 5
###!!! ASSERTION: We should not get in here if aContainer is in some _other_ doc
ument!: 'doc == mDocument', file f:/MOZILL~1/mozilla/content/base/src/nsContentL
ist.cpp, line 1000
###!!! ASSERTION: We should not get in here if aContainer is in some _other_ doc
ument!: 'doc == mDocument', file f:/MOZILL~1/mozilla/content/base/src/nsContentL
ist.cpp, line 1000
Here is a stack trace from a Win32 Debug build.  The line that crashes is this
one:
http://lxr.mozilla.org/seamonkey/source/layout/html/base/src/nsBlockFrame.cpp#3585
Summary: Crash in nsBlockFrame::DoReflowInlineFrames when rendering pop-up window on pinnacle webboard → Crash in [@ nsBlockFrame::DoReflowInlineFrames] when rendering pop-up window on pinnacle webboard
Where the access violation occurs, here are some values:
aLine.mCurrent._mNext = 0x03c58003
aLine.mCurrent._mPrev = 0xcdcdcdcd

The inline function being called:
http://lxr.mozilla.org/seamonkey/source/layout/html/base/src/nsLineBox.h#1228
is failing because the mPrev pointer seems to be uninitialized
-> All/All

I can repro this crash inside a handful of tries on OS X (Camino 082302 trunk &
moz 082403 trunk)
Hardware: PC → All
Not sure about the exact dependency here, but the common theme is that the fix
for Bug 201767 is the culprit.

Luckily bug 217201 is seemingly much easier to reproduce than this one.
Depends on: 217201
Keywords: crash
I think we need to fix this for 1.5.  There are a bunch of bugs that are
regressions from bug 201767.  If necessary, we should probably back out the fix
(and perhaps replace it with an overflow list check in the place necessary to
fix that bug).
Flags: blocking1.5+
I'm very sure this is a duplicate of 217201.
OK, so my fix for bug 217201 changes this ... now it gives the SetAttr call
stack of bug 210269!
I can't reproduce the problem with 1.5b 2003082822 Linux i686 gcc-2.95.3 compiled.
And also does not crash for bug 217201 nor bug 210269 !


*** This bug has been marked as a duplicate of 210269 ***
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
Flags: blocking1.5+
Crash Signature: [@ nsBlockFrame::DoReflowInlineFrames]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: