Closed Bug 273458 Opened 18 years ago Closed 18 years ago

crash in [@ nsHTMLReflowState::GetContainingBlockFor ] on CTRL+END

Categories

(Core :: DOM: CSS Object Model, defect, P1)

Tracking

VERIFIED FIXED
mozilla1.8alpha6

People

(Reporter: boofy_bloke, Assigned: bzbarsky)

Details

(Keywords: crash, regression, topcrash+)

Attachments

(3 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041203
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041203

Sometimes, and only sometimes, Composer crashes if I CTRL+END. I haven't found
any other pattern yet.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Found it. If the cursor is in a table and I CTRL+END then Mozilla crashes.
Confirming, moving to right component.  This is layout, actually.
Status: UNCONFIRMED → NEW
Component: Composer → Layout: View Rendering
Ever confirmed: true
Keywords: crash
Product: Mozilla Application Suite → Core
Version: unspecified → 1.0 Branch
Confirming, moving to right component.  This is layout, actually.
Version: 1.0 Branch → Trunk
nsHTMLReflowState::GetContainingBlockFor 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsHTMLReflowState.cpp,
line 390]
nsComputedDOMStyle::GetAbsoluteOffset 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/style/src/nsComputedDOMStyle.cpp,
line 2955]
nsComputedDOMStyle::GetOffsetWidthFor 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/style/src/nsComputedDOMStyle.cpp,
line 2937]
nsComputedDOMStyle::GetLeft 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/style/src/nsComputedDOMStyle.cpp,
line 2882]
nsComputedDOMStyle::GetPropertyCSSValue 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/style/src/nsComputedDOMStyle.cpp,
line 323]
GetCSSFloatValue 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/libeditor/html/nsHTMLAnonymousUtils.cpp,
line 70]
nsHTMLEditor::GetPositionAndDimensions 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/libeditor/html/nsHTMLAnonymousUtils.cpp,
line 361]
nsHTMLEditor::ShowResizers 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/libeditor/html/nsHTMLObjectResizer.cpp,
line 381]
nsHTMLEditor::CheckSelectionStateForAnonymousButtons 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/libeditor/html/nsHTMLAnonymousUtils.cpp,
line 293]
ResizerSelectionListener::NotifySelectionChanged 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/libeditor/html/nsHTMLObjectResizer.cpp,
line 125]
nsTypedSelection::NotifySelectionListeners 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsSelection.cpp,
line 7298]
nsSelection::NotifySelectionListeners 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsSelection.cpp,
line 3023]
nsSelection::TakeFocus 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsSelection.cpp,
line 2641]
nsSelection::HandleClick 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsSelection.cpp,
line 2418]
PresShell::CompleteMove 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 3249]
nsSelectionMoveCommands::DoCommand 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/editor/libeditor/base/nsEditorCommands.cpp,
line 609]
nsControllerCommandTable::DoCommand 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/embedding/components/commandhandler/src/nsControllerCommandTable.cpp,
line 192]
nsBaseCommandController::DoCommand 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/embedding/components/commandhandler/src/nsBaseCommandController.cpp,
line 132]
nsXBLPrototypeHandler::ExecuteHandler 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xbl/src/nsXBLPrototypeHandler.cpp,
line 353]
nsXBLWindowHandler::WalkHandlersInternal 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xbl/src/nsXBLWindowHandler.cpp,
line 305]
nsXBLWindowKeyHandler::WalkHandlers 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xbl/src/nsXBLWindowKeyHandler.cpp,
line 197]
nsXBLWindowKeyHandler::KeyPress 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xbl/src/nsXBLWindowKeyHandler.cpp,
line 250]
DispatchToInterface 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp,
line 129]
nsEventListenerManager::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1601]
nsWindowRoot::HandleChromeEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsWindowRoot.cpp,
line 227]
GlobalWindowImpl::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 939]
nsXULDocument::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/document/src/nsXULDocument.cpp,
line 1248]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2847]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2839]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2839]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2839]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2839]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2839]
nsXULElement::HandleChromeEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 3949]
GlobalWindowImpl::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 939]
nsDocument::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocument.cpp,
line 3837]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 2030]
PresShell::HandleEventInternal 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5944]
PresShell::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5804]
nsViewManager::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2354]
nsViewManager::DispatchEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2131]
HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp,
line 174]
nsWindow::DispatchEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1078]
nsWindow::DispatchWindowEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1095]
nsWindow::DispatchKeyEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 3004]
nsWindow::OnKeyDown 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 3129]
nsWindow::ProcessMessage 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 3975]
nsWindow::WindowProc 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1356]
USER32.dll + 0x8709 (0x77d48709)
USER32.dll + 0x87eb (0x77d487eb)
USER32.dll + 0x89a5 (0x77d489a5)
USER32.dll + 0x89e8 (0x77d489e8)
nsAppShell::Run 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp,
line 159]
nsAppStartup::Run 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/components/startup/src/nsAppStartup.cpp,
line 216]
main1 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1330]
main 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1801]
WinMain 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1827]
WinMainCRTStartup()
kernel32.dll + 0x16d4f (0x7c816d4f)
Summary: crash on CTRL+END → crash in [@ nsHTMLReflowState::GetContainingBlockFor ] on CTRL+END
Assignee: composer → roc
QA Contact: ian
I was just about to file a bug on a crash in designMode='on' but the call stack
seems the same as this one.

Testcase:
http://www.pikey.me.uk/mozilla/test/designmode.html

Regression window:
Works: 2004-11-24 (Firefox trunk nightly)
Crashes: 2004-11-25 (Firefox trunk nightly)

Both Bug 209694 and Bug 263374 changed nsHTMLReflowState in that timeframe.

Should I file a separate bug or is this the same thing (sorry in advance for
the  spam if I should have done the former)?
Adding topcrash+ keyword.  This is at the top of the crash list for MozillaTrunk
builds and is easily reproducible.
Keywords: topcrash+
The 2004-11-25 windows trunk build of Mozilla also crashes. That is a build
without the patch from bug 209694, so the fix for that bug is not the cause of
this regression.
Keywords: regression
Attached file Backtrace
When I apply the patch from bug 263374 with a debug build from 2004-11-20, I
crash with the testcase.
The first part of this backtrace is when loading the testcase.
The part with/after the assertion "!! ASSERTION: Must have frame to work with:
'aFrame'" is when I do the resize in the testcase.
*** Bug 274441 has been marked as a duplicate of this bug. ***
Blocks: 244834
Flags: blocking1.8a6?
CC-ing Boris. Boris, please look at comment 8 to see why I CC-ed you.
Blocks: 263374
Blocks: 275663
Yeah, this is my bug.... The computed style code needs null-checks.  I wonder why
composer is even calling it in this case, though. Will look into it.
Assignee: roc → general
Component: Layout: View Rendering → DOM: CSSOM
OS: Windows XP → All
Hardware: PC → All
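The kind of null-check described in the comment above, shown on a simplified model of the call chain from the stack (editor resizer code asking computed style for `left`, which asks for the containing block of a frame that may not exist). This is an added example, not the attached patch and not Mozilla source: the function names echo the stack frames, but `Frame`, `AbsoluteX`, `GetAbsoluteOffsetLeft`, `LeftForResizer` and all bodies are hypothetical.

```cpp
// Added example: a simplified model of the bug class. Names echo the stack
// frames in this report; types and bodies are hypothetical, not Mozilla source.
#include <cstdio>

struct Frame {
    Frame* parent;
    bool isContainingBlock;
    int x;  // offset from parent, in pixels
};

// Nearest ancestor that is a containing block, or nullptr. Without the first
// check a null aFrame would be dereferenced in this function, which models
// the crash at the top of the reported stack.
const Frame* GetContainingBlockFor(const Frame* aFrame) {
    if (!aFrame) return nullptr;
    for (const Frame* f = aFrame->parent; f; f = f->parent)
        if (f->isContainingBlock) return f;
    return nullptr;
}

static int AbsoluteX(const Frame* f) {
    int x = 0;
    for (; f; f = f->parent) x += f->x;
    return x;
}

// Computed-style side: report failure instead of crashing when the element
// has no frame or no containing block.
bool GetAbsoluteOffsetLeft(const Frame* aFrame, int* aLeft) {
    if (!aFrame || !aLeft) return false;
    const Frame* cb = GetContainingBlockFor(aFrame);
    if (!cb) return false;
    *aLeft = AbsoluteX(aFrame) - AbsoluteX(cb);
    return true;
}

// Editor side (stands in for the resizer code): treat "no value" as 0
// rather than assuming the getter always succeeds.
int LeftForResizer(const Frame* aFrame) {
    int left = 0;
    return GetAbsoluteOffsetLeft(aFrame, &left) ? left : 0;
}

int main() {
    Frame root = {nullptr, true, 0}, table = {&root, false, 10}, cell = {&table, false, 25};
    std::printf("cell left=%d, frameless left=%d\n", LeftForResizer(&cell), LeftForResizer(nullptr));
    return 0;
}
```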
Specifically, I will look when I get back...
Assignee: general → bzbarsky
Priority: -- → P1
Target Milestone: --- → mozilla1.8alpha6
Attached patch Patch
Attachment #170263 - Flags: superreview?(dbaron)
Attachment #170263 - Flags: review?(dbaron)
Attachment #170263 - Flags: superreview+
Attachment #170263 - Flags: review+
Fix checked in for 1.8a6
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
*** Bug 277049 has been marked as a duplicate of this bug. ***
No longer blocks: 275663
*** Bug 275663 has been marked as a duplicate of this bug. ***
Flags: blocking1.8a6?
Boris, can you check again? I crashed in Composer after resizing a table and
doing Ctrl+End. I was just testing if this bug was fixed. Mozilla 1.8a6 build
2005010606 XP Pro SP2 here.

Talkback incident ID: TB2957025W
Also Talkback incident ID: 2957309
which was also received by talkback server.

Steps I did: 
1- Created a default 2x2 table in Composer 
2- clicked in the bottom-right cell (so that blinking caret and cell resizing
grippies get visible, rendered) 
3- Typed in Ctrl+End 
4- crashed

REOPENING

Ctrl+End is not a documented keyboard shortcut key in Composer nor in other
components (General, Navigator or Mail&News) for the Windows platform. 
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
That talkback incident  has no useful data... any chance of another one?

And yes, I'm sure that the crash with the stack in comment 4 is fixed.  The
crash in your talkback seems to have a totally different stack (inasmuch as I
can tell without symbols).  I just tried the URL in comment 5, resized the
table, hit Ctrl-end, no crash (current debug build with the patch in this bug).
 If you have a testcase that shows the problem, please attach it to this bug (or
file a separate bug, perhaps?).
OK.  With the steps in comment 18 I can reproduce a crash.  It's a different
crash from the one that has a stack in comment 4, which is what this bug was
reported on.  Re-resolving this bug; please file a new bug on that crash and
I'll look into it?
Status: REOPENED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
I've done some debugging on that crash.  It's a longstanding core editor bug;
I'm not sure why it never got noticed before.  I've filed it as bug 277306.
Blocks: 277306
The fix here fixes the issue I saw in bug 277049 with resizing a table. Tested
with 2005010606-trunk mozilla bits on Mac OS X 10.3.7.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20050109

CTRL+END causes the cursor to disappear and something weird displays at the top
left of the page. Every keyboard function (menus, etc.) ceases to work.

If I click on the page with the mouse everything works as normal.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Sorry, that has nothing to do with this bug (which was about a crash in a
specific place).  Please file as separate bug on that.  That's an editor issue,
core or front end, not a CSSOM issue.
Status: REOPENED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
2005-01-05 was the last MozillaTrunk build to crash on this testcase (talkback
data), and I've also tested the testcases in comment 0, comment 1, and comment 18.

All work fine now using build 2005-01-28-04 on Windows XP Seamonkey trunk.

Verified FIXED.
Status: RESOLVED → VERIFIED
Big typo: I really meant to type 2005-01-04, as in 2005010406 as the last build
that crashed.  (A crash in 2005-01-05 would mean the patch didn't work, but as
it did, this is verified FIXED.)
Crash Signature: [@ nsHTMLReflowState::GetContainingBlockFor ]