273458 - crash in [@ nsHTMLReflowState::GetContainingBlockFor ] on CTRL+END

Status: VERIFIED FIXED

(Core :: DOM: CSS Object Model, defect, P1)

Description

[Matti]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041203
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041203

Sometimes, and only sometimes, Composer crashes if I CTRL+END. I haven't found
any other pattern yet.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

Comment 1

[Matti]

Found it. If the cursor is in a table and I CTRL+END then Mozilla crashes.

Comment 2

[Stephen Donner [:stephend] Not actively reading bugmail]

Confirming, moving to right component.  This is layout, actually.

Comment 3

[Stephen Donner [:stephend] Not actively reading bugmail]

Confirming, moving to right component.  This is layout, actually.

Comment 4

[Stephen Donner [:stephend] Not actively reading bugmail]

nsHTMLReflowState::GetContainingBlockFor 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsHTMLReflowState.cpp,
line 390]
nsComputedDOMStyle::GetAbsoluteOffset 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/style/src/nsComputedDOMStyle.cpp,
line 2955]
nsComputedDOMStyle::GetOffsetWidthFor 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/style/src/nsComputedDOMStyle.cpp,
line 2937]
nsComputedDOMStyle::GetLeft 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/style/src/nsComputedDOMStyle.cpp,
line 2882]
nsComputedDOMStyle::GetPropertyCSSValue 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/style/src/nsComputedDOMStyle.cpp,
line 323]
GetCSSFloatValue 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/libeditor/html/nsHTMLAnonymousUtils.cpp,
line 70]
nsHTMLEditor::GetPositionAndDimensions 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/libeditor/html/nsHTMLAnonymousUtils.cpp,
line 361]
nsHTMLEditor::ShowResizers 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/libeditor/html/nsHTMLObjectResizer.cpp,
line 381]
nsHTMLEditor::CheckSelectionStateForAnonymousButtons 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/libeditor/html/nsHTMLAnonymousUtils.cpp,
line 293]
ResizerSelectionListener::NotifySelectionChanged 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/libeditor/html/nsHTMLObjectResizer.cpp,
line 125]
nsTypedSelection::NotifySelectionListeners 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsSelection.cpp,
line 7298]
nsSelection::NotifySelectionListeners 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsSelection.cpp,
line 3023]
nsSelection::TakeFocus 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsSelection.cpp,
line 2641]
nsSelection::HandleClick 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsSelection.cpp,
line 2418]
PresShell::CompleteMove 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 3249]
nsSelectionMoveCommands::DoCommand 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/libeditor/base/nsEditorCommands.cpp,
line 609]
nsControllerCommandTable::DoCommand 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/embedding/components/commandhandler/src/nsControllerCommandTable.cpp,
line 192]
nsBaseCommandController::DoCommand 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/embedding/components/commandhandler/src/nsBaseCommandController.cpp,
line 132]
nsXBLPrototypeHandler::ExecuteHandler 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xbl/src/nsXBLPrototypeHandler.cpp,
line 353]
nsXBLWindowHandler::WalkHandlersInternal 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xbl/src/nsXBLWindowHandler.cpp,
line 305]
nsXBLWindowKeyHandler::WalkHandlers 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xbl/src/nsXBLWindowKeyHandler.cpp,
line 197]
nsXBLWindowKeyHandler::KeyPress 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xbl/src/nsXBLWindowKeyHandler.cpp,
line 250]
DispatchToInterface 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp,
line 129]
nsEventListenerManager::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1601]
nsWindowRoot::HandleChromeEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsWindowRoot.cpp,
line 227]
GlobalWindowImpl::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 939]
nsXULDocument::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/document/src/nsXULDocument.cpp,
line 1248]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2847]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2839]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2839]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2839]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2839]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2839]
nsXULElement::HandleChromeEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 3949]
GlobalWindowImpl::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 939]
nsDocument::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocument.cpp,
line 3837]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2030]
PresShell::HandleEventInternal 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5944]
PresShell::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5804]
nsViewManager::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2354]
nsViewManager::DispatchEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2131]
HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp,
line 174]
nsWindow::DispatchEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1078]
nsWindow::DispatchWindowEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1095]
nsWindow::DispatchKeyEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 3004]
nsWindow::OnKeyDown 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 3129]
nsWindow::ProcessMessage 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 3975]
nsWindow::WindowProc 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1356]
USER32.dll + 0x8709 (0x77d48709)
USER32.dll + 0x87eb (0x77d487eb)
USER32.dll + 0x89a5 (0x77d489a5)
USER32.dll + 0x89e8 (0x77d489e8)
nsAppShell::Run 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp,
line 159]
nsAppStartup::Run 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/components/startup/src/nsAppStartup.cpp,
line 216]
main1 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1330]
main 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1801]
WinMain 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1827]
WinMainCRTStartup()
kernel32.dll + 0x16d4f (0x7c816d4f)

Comment 5

[PikeUK]

Attachment: Call stack with designMode crash

I was just about to file a bug on a crash in designMode='on' but the call stack
seems the same as this one.

Testcase:
http://www.pikey.me.uk/mozilla/test/designmode.html

Regression window:
Works: 2004-11-24 (Firefox trunk nightly)
Crashes: 2004-11-25 (Firefox trunk nightly)

Both Bug 209694 and Bug 263374 changed nsHTMLReflowState in that timeframe.

Should I file a separate bug or is this the same thing (sorry in advance for
the  spam if I should have done the former)?

Comment 6

[Jay Patel [:jay]]

Adding topcrash+ keyword.  This is at the top of the crash list for MozillaTrunk
builds and is easily reproducible.

Comment 7

[Martijn Wargers (dead)]

The 2004-11-25 windows trunk build of Mozilla also crashes. That is a build
without the patch from bug 209694, so the fix for that bug is not the cause of
this regression.

Comment 8

[Martijn Wargers (dead)]

Attachment: Backtrace

When I apply the patch from bug 263374 with a debug build from 2004-11-20, I
crash with the testcase
The first part of this backtrace is when loading the testcase.
The part with/after the assertion "!! ASSERTION: Must have frame to work with:
'aFrame'" is when I do the resize in the testcase.

Comment 9

[Stephen Donner [:stephend] Not actively reading bugmail]

*** Bug 274441 has been marked as a duplicate of this bug. ***

Comment 10

[Martijn Wargers (dead)]

CC-ing Boris. Boris, please look at comment 8 why I CC-ed you.

Comment 11

[Boris Zbarsky [:bzbarsky]]

Yeah, this is my bug.... The computed style code needs null-checks.  I wonder why 
composer is even calling it in this case, though Will look into it.

Comment 12

[Boris Zbarsky [:bzbarsky]]

Specifically, I will look when I get back...

Comment 13

[Boris Zbarsky [:bzbarsky]]

Attachment: Patch

Comment 14

[Boris Zbarsky [:bzbarsky]]

Fix checked in for 1.8a6

Comment 15

[Boris Zbarsky [:bzbarsky]]

*** Bug 277049 has been marked as a duplicate of this bug. ***

Comment 16

[timeless]

*** Bug 275663 has been marked as a duplicate of this bug. ***

Comment 17

[Gérard Talbot]

Boris, can you check again? I crashed in Composer after resizing a table and
doing Ctrl+End. I was just testing if this bug was fixed. Mozilla 1.8a6 build
2005010606 XP Pro SP2 here.

Talkback incident ID: TB2957025W

Comment 18

[Gérard Talbot]

Also Talkback incident ID: 2957309
which was also received by talkback server.

Steps I did: 
1- Created a default 2x2 table in Composer 
2- clicked in the bottom-right cell (so that blinking caret and cell resizing
grippies get visible, rendered) 
3- Typed in Ctrl+End 
4- crashed

REOPENING

Ctrl+End is not a documented keyboard shortcut key in Composer nor in other
components (General, Navigator or Mail&News) for the Windows platform. 

Comment 19

[Boris Zbarsky [:bzbarsky]]

That talkback incident  has no useful data... any chance of another one?

And yes, I'm sure that the crash with the stack in comment 4 is fixed.  The
crash in your talkback seems to have a totally different stack (inasmuch as I
can tell without symbols).  I just tried the URL in comment 5, resized the
table, hit Ctrl-end, no crash (current debug build with the patch in this bug).
 If you have a testcase that shows the problem, please attach it to this bug (or
file a separate bug, perhaps?).

Comment 20

[Boris Zbarsky [:bzbarsky]]

OK.  With the steps in comment 18 I can reproduce a crash.  It's a different
crash from the one that has a stack in comment 4, which is what this bug was
reported on.  Re-resolving this bug; please file a new bug on that crash and
I'll look into it?

Comment 21

[Boris Zbarsky [:bzbarsky]]

I've done some debugging on that crash.  It's a longstanding core editor bug;
I'm not sure why it never got noticed before.  I've filed it as bug 277306.

Comment 22

[sairuh (rarely reading bugmail)]

the fix here fix the issue I saw in bug 277049 with resizing a table. tested
with 2005010606-trunk mozilla bits on Mac OS X 10.3.7.

Comment 23

[Matti]

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20050109

CTRL+END causes the cursor to disappear and something weird displays at the top
left of the page. Every keyboard function (menus, etc.) ceases to work.

If I click on the page with the mouse everything works as normal.

Comment 24

[Boris Zbarsky [:bzbarsky]]

Sorry, that has nothing to do with this bug (which was about a crash in a
specific place).  Please file as separate bug on that.  That's an editor issue,
core or front end, not a CSSOM issue.

Comment 25

[Stephen Donner [:stephend] Not actively reading bugmail]

2005-01-05 was the last MozillaTrunk build to crash on this testcase (talkback
data), and I've also tested the testcases in comment 0, comment 1, and comment 18.

All work fine now using build 2005-01-28-04 on Windows XP Seamonkey trunk.

Verified FIXED.

Comment 26

[Stephen Donner [:stephend] Not actively reading bugmail]

Big typo: I really meant to type 2005-01-04, as in 2005010406 as the last build
that crashed.  (A crash in 2005-01-05 would mean the patch didn't work, but as
it did, this is verified FIXED.)