Closed
Bug 265973
Opened 20 years ago
Closed 20 years ago
Crash [@ nsContainerFrame::PaintChild ]
Categories
(Core :: Layout: Images, Video, and HTML Frames, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: robert.strong.bugs, Unassigned)
References
()
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(2 files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041024 Firefox/1.0 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041024 Firefox/1.0 The soon to be attached simplified testcase causes a crash @ nsContainerFrame::PaintChild. TB1511445X Reproducible: Always Steps to Reproduce: 1. Open testcase 2. 3. Actual Results: Crash or hang Expected Results: No crash or hang UA's affected: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041024 Firefox/1.0 and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041023 http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1511445X Stack Signature nsContainerFrame::PaintChild 72399cb9 Source File, Line No. c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 245
|
Reporter | |
Comment 1•20 years ago
|
||
|
|
Reporter | |
Comment 2•20 years ago
|
||
Adding keywords crash and testcase
|
||
Comment 3•20 years ago
|
||
Confirming bug; crashes for me using build 2004-10-25-05 on Windows XP.
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
||
Comment 4•20 years ago
|
||
This worksforme with a current trunk build on Linux...
|
||
Comment 5•20 years ago
|
||
On a debug build with source from this morning (20041025 11:30am pdt) I crash on windows XP. Different spot than in comment 0 though, I crash on a null kid in GetFrameFromLine: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/html/base/src/nsBlockFrame.cpp&rev=3.667#6054 (excuse the blame, I couldn't figure out how to make a regular lxr source link version-specific.)
|
||
Comment 6•20 years ago
|
||
*** Bug 265902 has been marked as a duplicate of this bug. ***
|
|
Reporter | |
Comment 7•20 years ago
|
||
|
|
Reporter | |
Comment 9•20 years ago
|
||
Testcase still crashes for me using winxp pro sp2 and 20041112 The latest talkback is TB1913013X but it hasn't been processed on the server as of this post.
|
|
Reporter | |
Comment 10•20 years ago
|
||
Adding URL of http://exchangecode.com/crashbugs/265973.html which contains the original testcase, the testcase from bug 265902 that was duped to this bug and three additional testcases that I have not reported due to believing these are probably this same bug. Each testcase is URL encoded in the page itself. These all crash for me with winxp pro sp2 and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041112. I also verified that the original testcase causes a crash with a debug build from today on winxp pro sp2. Since this bug already has a testcase along with the testcase from bug 265902 and I may update this page with additional testcases I am not attaching this file to the bug.
|
||
Comment 11•20 years ago
|
||
The additional testcases at the URL crash 2005-02-1614 under winxp
|
|
||
Comment 12•20 years ago
|
||
This and the similiar line layout crashes will happen as soons as
aLine->GetChildCount() is to large. We will point beyond the last kid. If it is
off by one, we will crash in Paintchild otherwise, directly in PaintLine.
static inline void PaintLine
nsIFrame* kid = aLine->mFirstChild;
PRInt32 n = aLine->GetChildCount();
while (--n >= 0) {
aFrame->PaintChild(aPresContext, aRenderingContext, aDirtyRect, kid,
aWhichLayer);
kid = kid->GetNextSibling();
}
http://lxr.mozilla.org/seamonkey/search?string=--n+%3E shows similiar places
|
||
Comment 13•20 years ago
|
||
This works for me in 20050323 build, but crashes in 20050318 build. This might yet be another bug that has been fixed by the fix for bug 263825. Robert, you might want to recheck all your crasher bugs you have filed. I'm getting already pretty tired of testing all the crasher bugs that seem to be fixed by the fix for bug 263825 :) One of the testcases in the url seems to cause a freeze still, but that one uses Java and is likely to be unrelated. Probably better to file a new bug on that.
Sorry Martijn, I'll try not to fix too many bugs at once in the future :-)
|
|
Reporter | |
Comment 15•20 years ago
|
||
(In reply to comment #13) > Robert, you might want to recheck all your crasher bugs you have filed. I'm > getting already pretty tired of testing all the crasher bugs that seem to be > fixed by the fix for bug 263825 :) Not a problem. I prefer to verify with a debug build and should have the time within the next day or two. (In reply to comment #14) > Sorry Martijn, I'll try not to fix too many bugs at once in the future :-) Don't you dare! :)
|
|
Reporter | |
Comment 16•20 years ago
|
||
It would appear that the checkin for bug 263825 has fixed this.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
|
||
Comment 17•20 years ago
|
||
*** Bug 287721 has been marked as a duplicate of this bug. ***
|
||
Comment 18•16 years ago
|
||
layout/base/crashtests/265973-1.html http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+
|
Assignee | |
Updated•13 years ago
|
Crash Signature: [@ nsContainerFrame::PaintChild ]
|
||
Updated•6 years ago
|
Product: Core → Core Graveyard
|
|
Assignee | |
Updated•6 years ago
|
Component: Layout: HTML Frames → Layout: Images
Product: Core Graveyard → Core
You need to log in
before you can comment on or make changes to this bug.
Description
•