Closed Bug 256835 Opened 16 years ago Closed 16 years ago
[crash]ctrl+left cause crash in bugzilla [@ ns
Text Frame::Peek Offset ][@ ntdll .dll - ns Frame::Get Frame From Direction ]
go to any bug report. e.g. http://bugzilla.mozilla.org/show_bug.cgi?id=241023 use F7 to turn on caret browsing. put caret in "Requestee:" of "Flags: (Help!) Requestee: " press ctrl+left, caret goes to "^Requestee:" press ctrl+left again, caret goes to "^(Help!)" press ctrl+left again, caret goes to "^Flags:" press ctrl+left again, mozilla crash.
I'm testing my patch. I will post it tommorrow.
Status: NEW → ASSIGNED
1. change "do ... while(isBidiGhostFrame || !selectable)" to "for(;;)" because before isBidiGhostFrame's value is set, there's "continue;" 2. we should get out earlier, if we get (!isBidiGhostFrame && selectable) our "newFrame" may get changed by following code, we should just break out of the loop now.
This patch also fixed bug 256268, bug 241034, and bug 130889 (the second testcase of bug 130889 has a <hr> issue filed as bug 256833)
Attachment #157021 - Flags: review?(aaronleventhal) → review+
Bug 242835 should be also related. Adding crash signatures from Trunk (TB664701E) and FF093 (TB664717W, TB664692G).
Summary: [crash]ctrl+left cause crash in bugzilla → [crash]ctrl+left cause crash in bugzilla [@ nsTextFrame::PeekOffset ][@ ntdll.dll - nsFrame::GetFrameFromDirection ]
*** Bug 144610 has been marked as a duplicate of this bug. ***
*** Bug 242835 has been marked as a duplicate of this bug. ***
Attachment #157021 - Flags: superreview?(dbaron) → superreview?(jst)
Comment on attachment 157021 [details] [diff] [review] patch This changes this loop to not break out of the loop if we're at a bidi ghost frame, and I'm not sure that's the right thing to do... As this isn't code I normally work with I'm pushing this sr request over to dbaron.
Attachment #157021 - Flags: superreview?(jst) → superreview?(dbaron)
The change brings "while condition" ahead. Origin code uses "continue;", but "isBidiGhostFrame" isn't set yet. So we can't get loop as we need. 4027 if (nsLayoutAtoms::textFrame != newFrame->GetType()) 4028 continue; //we should NOT be getting stuck on the same piece of content on the same line. skip to next line. 4029 } 4030 isBidiGhostFrame = (newFrame->GetRect().IsEmpty() && 4031 (newFrame->GetStateBits() & NS_FRAME_IS_BIDI));
similar problem win xp home, firefox 0.97 - (sp 1 installed) using the yahoo mail web portal. create a message, select attachment, in the window (OS) select a file, prest ctrl c (copy) - mozila crashes. - neb radivojevic - QA Analyst
Neb, I can't reproduce your crash with Firefox 1.0PR 0.10.1. And I don't think it relates to this bug.
Comment on attachment 157021 [details] [diff] [review] patch sr=dbaron, although this code is a mystery to me (I'm assuming it's not a mystery to you), if you make the following changes: * move the declaration of isBidiGhostFrame to where it's first assigned (inside the loop) * move the declaration of selectable to the line before it's first used (inside the loop)
Attachment #157021 - Flags: superreview?(dbaron) → superreview+
Attachment #167088 - Flags: superreview?(dbaron) → superreview+
Checking in nsFrame.cpp; /cvsroot/mozilla/layout/html/base/src/nsFrame.cpp,v <-- nsFrame.cpp new revision: 3.529; previous revision: 3.528 done
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
*** Bug 256268 has been marked as a duplicate of this bug. ***
*** Bug 241034 has been marked as a duplicate of this bug. ***
*** Bug 130889 has been marked as a duplicate of this bug. ***
The patch for this bug caused bug 288789.
*** Bug 298316 has been marked as a duplicate of this bug. ***
Crash Signature: [@ nsTextFrame::PeekOffset ] [@ ntdll.dll - nsFrame::GetFrameFromDirection ]
Component: Keyboard: Navigation → User events and focus handling
You need to log in before you can comment on or make changes to this bug.