Closed Bug 256835 Opened 16 years ago Closed 16 years ago

[crash]ctrl+left cause crash in bugzilla [@ nsTextFrame::PeekOffset ][@ ntdll.dll - nsFrame::GetFrameFromDirection ]

Categories

(Core :: DOM: UI Events & Focus Handling, defect)

x86
All
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: ginnchen+exoracle, Assigned: ginnchen+exoracle)

Details

(Keywords: access, crash)

Attachments

(2 files)

go to any bug report.
e.g. http://bugzilla.mozilla.org/show_bug.cgi?id=241023

use F7 to turn on caret browsing.

put caret in "Requestee:" of "Flags: (Help!)  Requestee: "
press ctrl+left, caret goes to "^Requestee:"
press ctrl+left again, caret goes to "^(Help!)"
press ctrl+left again, caret goes to "^Flags:"
press ctrl+left again, mozilla crashes.
I'm testing my patch. I will post it tomorrow.
Status: NEW → ASSIGNED
Attached patch: patch
1. change "do ... while(isBidiGhostFrame || !selectable)" to "for(;;)"
because before isBidiGhostFrame's value is set, there's "continue;"

2. we should get out earlier, if we get (!isBidiGhostFrame && selectable)
our "newFrame" may get changed by following code, we should just break out of
the loop now.
Attachment #157021 - Flags: review?(aaronleventhal)
This patch also fixed bug 256268, bug 241034, and bug 130889
(the second testcase of bug 130889 has a <hr> issue filed as bug 256833)
Attachment #157021 - Flags: review?(aaronleventhal) → review+
Attachment #157021 - Flags: superreview?(dbaron)
Bug 242835 should also be related.
Adding crash signatures from Trunk (TB664701E) and FF093 (TB664717W, TB664692G).
Summary: [crash]ctrl+left cause crash in bugzilla → [crash]ctrl+left cause crash in bugzilla [@ nsTextFrame::PeekOffset ][@ ntdll.dll - nsFrame::GetFrameFromDirection ]
confirmed, this patch will also fix bug 144610, bug 242835
*** Bug 144610 has been marked as a duplicate of this bug. ***
*** Bug 242835 has been marked as a duplicate of this bug. ***
Attachment #157021 - Flags: superreview?(dbaron) → superreview?(jst)
Comment on attachment 157021
patch

This changes this loop to not break out of the loop if we're at a bidi ghost
frame, and I'm not sure that's the right thing to do... As this isn't code I
normally work with I'm pushing this sr request over to dbaron.
Attachment #157021 - Flags: superreview?(jst) → superreview?(dbaron)
The change brings "while condition" ahead.

The original code uses "continue;", but "isBidiGhostFrame" isn't set yet.
So we can't get the loop we need.
    if (nsLayoutAtoms::textFrame != newFrame->GetType())
      continue;  //we should NOT be getting stuck on the same piece of content on the same line. skip to next line.
  }
  isBidiGhostFrame = (newFrame->GetRect().IsEmpty() &&
                      (newFrame->GetStateBits() & NS_FRAME_IS_BIDI));
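
Added example (not part of the bug thread and not Mozilla's code): a simplified C++ model of the control-flow problem described in the comment above, where `continue` inside a do/while jumps to the loop condition before the flags are updated. `Frame`, `pickDoWhile`, `pickForLoop` and `sampleFrames` are hypothetical names, and the initial flag values are assumptions.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for a layout frame; not Mozilla's nsIFrame.
struct Frame {
  bool isText;       // models the textFrame type check
  bool isBidiGhost;  // models empty rect + NS_FRAME_IS_BIDI
  bool selectable;
};

// Pre-patch shape: 'continue' in do/while jumps to the trailing condition,
// which then tests flags that were never updated for the current frame.
int pickDoWhile(const std::vector<Frame>& frames) {
  bool isBidiGhostFrame = false, selectable = true;  // assumed initial values
  std::size_t i = 0;
  int picked = -1;
  do {
    if (i >= frames.size()) return -1;  // no candidate left
    picked = static_cast<int>(i++);
    const Frame& f = frames[picked];
    if (!f.isText) continue;            // intended: skip this frame
    isBidiGhostFrame = f.isBidiGhost;
    selectable = f.selectable;
  } while (isBidiGhostFrame || !selectable);
  return picked;
}

// Post-patch shape: for(;;) has no trailing condition, so 'continue' restarts
// the search, and the loop leaves as soon as a usable frame is found.
int pickForLoop(const std::vector<Frame>& frames) {
  std::size_t i = 0;
  for (;;) {
    if (i >= frames.size()) return -1;
    int candidate = static_cast<int>(i++);
    const Frame& f = frames[candidate];
    if (!f.isText) continue;
    bool isBidiGhostFrame = f.isBidiGhost;  // declared where first assigned
    bool selectable = f.selectable;
    if (!isBidiGhostFrame && selectable) return candidate;
  }
}

// Constructed sample: a non-text frame followed by a selectable text frame.
std::vector<Frame> sampleFrames() {
  return {{false, false, false}, {true, false, true}};
}

int main() {
  std::printf("do/while picks %d, for(;;) picks %d\n",
              pickDoWhile(sampleFrames()), pickForLoop(sampleFrames()));
  return 0;
}
```

On the constructed sample the do/while form returns the non-text frame it meant to skip, while the for(;;) form returns the selectable text frame.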
similar problem

win xp home, firefox 0.97 - (sp 1 installed)

using the yahoo mail web portal. create a message, select attachment, in the
window (OS) select a file, press ctrl c (copy) - mozilla crashes.

- neb radivojevic - 
QA Analyst

Neb, 
I can't reproduce your crash with Firefox 1.0PR 0.10.1.
And I don't think it relates to this bug.
Comment on attachment 157021
patch

sr=dbaron, although this code is a mystery to me (I'm assuming it's not a
mystery to you), if you make the following changes:

 * move the declaration of isBidiGhostFrame to where it's first assigned
(inside the loop)
 * move the declaration of selectable to the line before it's first used
(inside the loop)
Attachment #157021 - Flags: superreview?(dbaron) → superreview+
Attachment #167088 - Flags: superreview?(dbaron)
Attachment #167088 - Flags: superreview?(dbaron) → superreview+
Checking in nsFrame.cpp;
/cvsroot/mozilla/layout/html/base/src/nsFrame.cpp,v  <--  nsFrame.cpp
new revision: 3.529; previous revision: 3.528
done
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
*** Bug 256268 has been marked as a duplicate of this bug. ***
*** Bug 241034 has been marked as a duplicate of this bug. ***
*** Bug 130889 has been marked as a duplicate of this bug. ***
The patch for this bug caused bug 288789.
*** Bug 298316 has been marked as a duplicate of this bug. ***
Depends on: 330815
Crash Signature: [@ nsTextFrame::PeekOffset ] [@ ntdll.dll - nsFrame::GetFrameFromDirection ]
Component: Keyboard: Navigation → User events and focus handling