Crash in [@ nsBlockFrame::DoReflowInlineFrames] when rendering pop-up window on pinnacle webboard

RESOLVED DUPLICATE of bug 210269

Status

()

Core
Layout: Block and Inline
P2
critical
RESOLVED DUPLICATE of bug 210269
15 years ago
14 years ago

People

(Reporter: WD, Assigned: roc)

Tracking

({crash})

Trunk
crash
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

15 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030506
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030506

On the Pinnacle Webboard, there's an icon to click to view a user's profile. 
This info comes up in a pop-up window.   The pop up will appear, but frequently
mozilla will crash immediately after that.

Reproducible: Sometimes

Steps to Reproduce:
1.Go to the URL for this bug
2.Click on the link in any of the posts to go to a user's profile.  (The image
with a person's profile and a question mark)
3.

Actual Results:  
Crash

Expected Results:  
No crash

TB19903233Q

Per IRC conversation:   Stack ends in nsBlockFrame::DoReflowInlineFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3754]
(Reporter)

Comment 1

15 years ago
OS -> ALL, per IRC
OS: Windows 2000 → All

Comment 2

15 years ago
Talkback ID for Linux 2003051308 :

TB20062014M
(Reporter)

Comment 3

15 years ago
The fix for Bug 201767 seems to cause this...
There's another bug on the crashes caused by that fix that has significantly
more discussion, I think.
Not that I'm CC'ed on
Assignee: block-and-inline → roc+moz
Priority: -- → P2

Comment 6

15 years ago
The crash is in editor.

I checked out the file by date, talkback says we are crashing on the line marked
with =>

    if (!selection) { return NS_ERROR_NULL_POINTER; }
=>  nsCOMPtr<nsISelectionPrivate>selPrivate(do_QueryInterface(selection));

    selPrivate->StartBatchChanges();

I guess we can't actually crash on that line, can we?
I suspect we can only crash on the following line.

WD: Could you try to edit file mozilla/editor/libeditor/base/nsEditor.cpp
and add the following new line marked with * ?

    if (!selection) { return NS_ERROR_NULL_POINTER; }
    nsCOMPtr<nsISelectionPrivate>selPrivate(do_QueryInterface(selection));
*   if (!selPrivate) { return NS_ERROR_NULL_POINTER; }
    selPrivate->StartBatchChanges();

Does that fix your crash?


The first lines from the stack trace are:

0x00000000
nsEditor::DoTransaction()
[/builds/client/linux22/seamonkey/mozilla/editor/libeditor/base/nsEditor.cpp,
line 536]
nsEditor::DeleteNode()
[/builds/client/linux22/seamonkey/mozilla/editor/libeditor/base/nsEditor.cpp,
line 1360]
nsTextEditRules::WillInsert()
[/builds/client/linux22/seamonkey/mozilla/editor/libeditor/text/nsTextEditRules.cpp,
line 361]
nsTextEditRules::WillInsertText()
[/builds/client/linux22/seamonkey/mozilla/editor/libeditor/text/nsTextEditRules.cpp,
line 526]
nsTextEditRules::WillDoAction()
[/builds/client/linux22/seamonkey/mozilla/editor/libeditor/text/nsTextEditRules.cpp,
line 287]
nsPlaintextEditor::InsertText()
[/builds/client/linux22/seamonkey/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp,
line 998]
nsTextControlFrame::SetValue()
[/builds/client/linux22/seamonkey/mozilla/layout/html/forms/src/nsTextControlFrame.cpp,
line 3029]
nsTextControlFrame::InitEditor()
[/builds/client/linux22/seamonkey/mozilla/layout/html/forms/src/nsTextControlFrame.cpp,
line 1584]
nsTextControlFrame::Reflow()
[/builds/client/linux22/seamonkey/mozilla/layout/html/forms/src/nsTextControlFrame.cpp,
line 1935]
nsLineLayout::ReflowFrame()
[/builds/client/linux22/seamonkey/mozilla/layout/html/base/src/nsLineLayout.cpp,
line 1034]
nsInlineFrame::ReflowInlineFrame()
[/builds/client/linux22/seamonkey/mozilla/layout/html/base/src/nsInlineFrame.cpp,
line 735]

Comment 7

15 years ago
Ok, possibly the previous stack trace was something else, or an incorrectly
reported stack.

WD gave me TB ID 21041073 and some other IDs, which all crash here:

Access violation
nsBlockFrame::DoReflowInlineFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3609]
nsBlockFrame::DoReflowInlineFramesAuto
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3497]
nsBlockFrame::ReflowInlineFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3442]
nsBlockFrame::ReflowLine
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2546]
nsBlockFrame::ReflowDirtyLines
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2192]
nsBlockFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 862]
nsBlockReflowContext::ReflowBlock
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line
544]
...
(Reporter)

Comment 8

15 years ago
Here's my console output up to the point where I crash:

Document http://webboard.pinnaclesys.com/read_messages.asp?WebboardID=1&ForumID=
704&SectionID=143&ThreadID=144921&ThreadStart=0&Pos=0&cntThread=50&lng=1 loaded
successfully
WEBSHELL+ = 4
WEBSHELL+ = 5
###!!! ASSERTION: We should not get in here if aContainer is in some _other_ doc
ument!: 'doc == mDocument', file f:/MOZILL~1/mozilla/content/base/src/nsContentL
ist.cpp, line 1000
###!!! ASSERTION: We should not get in here if aContainer is in some _other_ doc
ument!: 'doc == mDocument', file f:/MOZILL~1/mozilla/content/base/src/nsContentL
ist.cpp, line 1000
(Reporter)

Comment 9

15 years ago
Created attachment 129606 [details]
Stack Trace from Visual Studio

Here is a stack trace from a Win32 Debug build.  The line that crashes is this
one:
http://lxr.mozilla.org/seamonkey/source/layout/html/base/src/nsBlockFrame.cpp#3585
Summary: Crash in nsBlockFrame::DoReflowInlineFrames when rendering pop-up window on pinnacle webboard → Crash in [@ nsBlockFrame::DoReflowInlineFrames] when rendering pop-up window on pinnacle webboard
(Reporter)

Comment 10

15 years ago
Where the access violation occurs, here are some values:
aLine.mCurrent._mNext = 0x03c58003
aLine.mCurrent._mPrev = 0xcdcdcdcd

The inline function being called:
http://lxr.mozilla.org/seamonkey/source/layout/html/base/src/nsLineBox.h#1228
is failing because the mPrev pointer seems to be uninitialized
Blocks: 207365

Comment 11

14 years ago
-> All/All

I can repro this crash inside a handful of tries on OS X (Camino 082302 trunk &
moz 082403 trunk)
Hardware: PC → All
(Reporter)

Comment 12

14 years ago
Not sure about the exact dependency here, but the common theme is that the fix
for Bug 201767 is the culprit.

Luckily bug 217201 is seemingly much easier to reproduce than this one.
Depends on: 217201

Updated

14 years ago
Keywords: crash
I think we need to fix this for 1.5.  There are a bunch of bugs that are
regressions from bug 201767.  If necessary, we should probably back out the fix
(and perhaps replace it with an overflow list check in the place necessary to
fix that bug).
Flags: blocking1.5+
I'm very sure this is a duplicate of 217201.
OK, so my fix for bug 217201 changes this ... now it gives the SetAttr call
stack of bug 210269!

Comment 16

14 years ago
I can't reproduce the problem with 1.5b 2003082822 Linux i686 gcc-2.95.3 compiled.

Comment 17

14 years ago
And also does not crash for bug 217201 nor bug 210269 !

*** This bug has been marked as a duplicate of 210269 ***
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE

Updated

14 years ago
Flags: blocking1.5+
Crash Signature: [@ nsBlockFrame::DoReflowInlineFrames]
You need to log in before you can comment on or make changes to this bug.