Closed Bug 28084 Opened 25 years ago Closed 25 years ago

Mozzilla Crashs on www.zdnet.com

Categories

(Core :: Layout, defect, P1)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jmbelo, Assigned: buster)

References

(
URL
)

Details

(Keywords: crash, Whiteboard: [PDT+] 2/21)

Attachments

(1 file)

min test case: continued link inside of span in a block in a table
448 bytes, text/html
Details 
Hi!
If you go to this page
http://www.zdnet.com/pcweek/stories/news/0,4153,2439261,00.html and press in
'by my colleague Mary Jo Foley' to go to
http://www.zdnet.com/pcweek/stories/news/0,4153,2436920,00.html mozilla crashes
whith the following error 'The instruction at "0x0158cded" referenced memory at
"0xffffff". The memory could not be "read"', nevertheless if you go directly to
the page it works ok.

NT 4.0, Build ID: 2000211516

hope it helps

joao
It migth got something to do with this JAVASCRIT
<!--
function submit_it ()
{
	if (document.zdform.db[2].selected)
  	{
		document.directform.Utext.value = document.zdform.Utext.value;
		document.directform.submit();
	}
  	else
  	{
		if (document.zdform.db[1].selected)
		{
			document.zdform.Uch.value = '';
		}
	document.zdform.submit();
	}
 }
//-->

reproduced with 20000216 debug build on NT.  updating component to layout, 
since other bugs in this area seem to live in this component.

the assert is:
failed to remove frame 'result' in file
mozilla\layout\html\base\src\nsContainerFrame.cpp line 802

stack trace:

NTDLL! 77f76274()
nsDebug::Assertion(const char * 0x01e30b4c, const char * 0x01e30b44, const char 
* 0x01e30b08, int 802) line 189 + 13 bytes
nsContainerFrame::DeleteChildsNextInFlow(nsIPresContext * 0x038c2cf0, nsIFrame 
* 0x029e0a80) line 802 + 32 bytes
nsLineLayout::ReflowFrame(nsIFrame * 0x029e0a80, nsIFrame * * 0x0012993c, 
unsigned int & 0, nsHTMLReflowMetrics * 0x00000000, int & 0) line 1161
nsInlineFrame::ReflowInlineFrame(nsIPresContext * 0x038c2cf0, const 
nsHTMLReflowState & {...}, nsInlineFrame::InlineReflowState & {...}, nsIFrame * 
0x029e0a80, unsigned int & 0) line 504 + 26 bytes
nsInlineFrame::ReflowFrames(nsIPresContext * 0x038c2cf0, const 
nsHTMLReflowState & {...}, nsInlineFrame::InlineReflowState & {...}, 
nsHTMLReflowMetrics & {...}, unsigned int & 0) line 383 + 28 bytes
nsInlineFrame::Reflow(nsInlineFrame * const 0x029e0998, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 259 + 28 bytes
nsLineLayout::ReflowFrame(nsIFrame * 0x029e0998, nsIFrame * * 0x0012a8bc, 
unsigned int & 0, nsHTMLReflowMetrics * 0x00000000, int & 0) line 992
nsBlockFrame::ReflowInlineFrame(nsBlockReflowState & {...}, nsLineLayout & 
{...}, nsLineBox * 0x03950630, nsIFrame * 0x029e0998, unsigned char * 
0x00129b58) line 3970 + 32 bytes
nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState & {...}, nsLineLayout & 
{...}, nsLineBox * 0x03950630, int * 0x0012a400, unsigned char * 0x0012a274, 
int 1) line 3854 + 28 bytes
nsBlockFrame::DoReflowInlineFramesAuto(nsBlockReflowState & {...}, nsLineBox * 
0x03950630, int * 0x0012a400, unsigned char * 0x0012a274, int 1) line 3795 + 38 
bytes
nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineBox * 
0x03950630, int * 0x0012a400, int 1) line 3740 + 28 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x03950630, 
int * 0x0012a400, int 1) line 2886
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2622 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x029e0950, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 1566 + 15 bytes
nsBlockReflowContext::ReflowBlock(nsIFrame * 0x029e0950, const nsRect & {...}, 
int 1, int 240, int 0, nsMargin & {...}, unsigned int & 0) line 449 + 45 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineBox * 
0x039535f0, int * 0x0012aef0) line 3498 + 59 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x039535f0, 
int * 0x0012aef0, int 1) line 2811 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2622 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x029e014c, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 1566 + 15 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x029e014c, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 
0, int 0, unsigned int 0, unsigned int & 0) line 638 + 31 bytes
nsTableCellFrame::Reflow(nsTableCellFrame * const 0x029e00f0, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 693
nsContainerFrame::ReflowChild(nsIFrame * 0x029e00f0, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 
0, int 0, unsigned int 0, unsigned int & 0) line 638 + 31 bytes
nsTableRowFrame::IR_TargetIsChild(nsTableRowFrame * const 0x029e00a8, 
nsIPresContext * 0x038c2cf0, nsHTMLReflowMetrics & {...}, RowReflowState & 
{...}, unsigned int & 0, nsIFrame * 0x029e00f0) line 1231 + 52 bytes
nsTableRowFrame::IncrementalReflow(nsTableRowFrame * const 0x029e00a8, 
nsIPresContext * 0x038c2cf0, nsHTMLReflowMetrics & {...}, RowReflowState & 
{...}, unsigned int & 0) line 1115 + 35 bytes
nsTableRowFrame::Reflow(nsTableRowFrame * const 0x029e00a8, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 1367 + 31 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x029e00a8, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 
0, int 0, unsigned int 0, unsigned int & 0) line 638 + 31 bytes
nsTableRowGroupFrame::IR_TargetIsChild(nsTableRowGroupFrame * const 0x029e0068, 
nsIPresContext * 0x038c2cf0, nsHTMLReflowMetrics & {...}, RowGroupReflowState & 
{...}, unsigned int & 0, nsIFrame * 0x029e00a8) line 1528 + 45 bytes
nsTableRowGroupFrame::IncrementalReflow(nsTableRowGroupFrame * const 
0x029e0068, nsIPresContext * 0x038c2cf0, nsHTMLReflowMetrics & {...}, 
RowGroupReflowState & {...}, unsigned int & 0) line 1177 + 35 bytes
nsTableRowGroupFrame::Reflow(nsTableRowGroupFrame * const 0x029e0068, 
nsIPresContext * 0x038c2cf0, nsHTMLReflowMetrics & {...}, const 
nsHTMLReflowState & {...}, unsigned int & 0) line 1078 + 31 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x029e0068, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 
0, int 0, unsigned int 0, unsigned int & 0) line 638 + 31 bytes
nsTableFrame::IR_TargetIsChild(nsTableFrame * const 0x029dfffc, nsIPresContext 
* 0x038c2cf0, nsHTMLReflowMetrics & {...}, InnerTableReflowState & {...}, 
unsigned int & 0, nsIFrame * 0x029e0068) line 2689 + 44 bytes
nsTableFrame::IncrementalReflow(nsTableFrame * const 0x029dfffc, nsIPresContext 
* 0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 2485 + 41 bytes
nsTableFrame::Reflow(nsTableFrame * const 0x029dfffc, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 1533 + 31 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x029dfffc, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 
0, int 0, unsigned int 3, unsigned int & 0) line 638 + 31 bytes
nsTableOuterFrame::IR_InnerTableReflow(nsTableOuterFrame * const 0x029dffa8, 
nsIPresContext * 0x038c2cf0, nsHTMLReflowMetrics & {...}, OuterTableReflowState 
& {...}, unsigned int & 0) line 703 + 40 bytes
nsTableOuterFrame::IR_TargetIsInnerTableFrame(nsTableOuterFrame * const 
0x029dffa8, nsIPresContext * 0x038c2cf0, nsHTMLReflowMetrics & {...}, 
OuterTableReflowState & {...}, unsigned int & 0) line 476 + 31 bytes
nsTableOuterFrame::IR_TargetIsChild(nsTableOuterFrame * const 0x029dffa8, 
nsIPresContext * 0x038c2cf0, nsHTMLReflowMetrics & {...}, OuterTableReflowState 
& {...}, unsigned int & 0, nsIFrame * 0x029dfffc) line 443 + 31 bytes
nsTableOuterFrame::IncrementalReflow(nsTableOuterFrame * const 0x029dffa8, 
nsIPresContext * 0x038c2cf0, nsHTMLReflowMetrics & {...}, OuterTableReflowState 
& {...}, unsigned int & 0) line 423 + 35 bytes
nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x029dffa8, nsIPresContext 
* 0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 936 + 31 bytes
nsBlockReflowContext::ReflowBlock(nsIFrame * 0x029dffa8, const nsRect & {...}, 
int 1, int 0, int 1, nsMargin & {...}, unsigned int & 0) line 449 + 45 bytes
nsBlockFrame::ReflowFloater(nsBlockReflowState & {...}, nsPlaceholderFrame * 
0x02a11710, nsRect & {...}, nsMargin & {...}, nsMargin & {...}) line 5198 + 44 
bytes
nsBlockReflowState::AddFloater(nsLineLayout & {...}, nsPlaceholderFrame * 
0x02a11710, int 0) line 5292
nsLineLayout::AddFloater(nsPlaceholderFrame * 0x02a11710) line 563
nsLineLayout::ReflowFrame(nsIFrame * 0x02a11710, nsIFrame * * 0x0012d7f0, 
unsigned int & 0, nsHTMLReflowMetrics * 0x00000000, int & 0) line 1009
nsBlockFrame::ReflowInlineFrame(nsBlockReflowState & {...}, nsLineLayout & 
{...}, nsLineBox * 0x0398b930, nsIFrame * 0x02a11710, unsigned char * 
0x0012ca8c) line 3970 + 32 bytes
nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState & {...}, nsLineLayout & 
{...}, nsLineBox * 0x0398b930, int * 0x0012d334, unsigned char * 0x0012d1a8, 
int 0) line 3854 + 28 bytes
nsBlockFrame::DoReflowInlineFramesAuto(nsBlockReflowState & {...}, nsLineBox * 
0x0398b930, int * 0x0012d334, unsigned char * 0x0012d1a8, int 0) line 3795 + 38 
bytes
nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineBox * 
0x0398b930, int * 0x0012d334, int 0) line 3740 + 28 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x0398b930, 
int * 0x0012d334, int 1) line 2913 + 25 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2622 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x00f4acb0, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 1566 + 15 bytes
nsAreaFrame::Reflow(nsAreaFrame * const 0x00f4acb0, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 272 + 25 bytes
nsBlockReflowContext::ReflowBlock(nsIFrame * 0x00f4acb0, const nsRect & {...}, 
int 1, int 0, int 0, nsMargin & {...}, unsigned int & 0) line 449 + 45 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineBox * 
0x039b0390, int * 0x0012df18) line 3498 + 59 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x039b0390, 
int * 0x0012df18, int 1) line 2811 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2622 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x02a742bc, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 1566 + 15 bytes
nsBlockReflowContext::ReflowBlock(nsIFrame * 0x02a742bc, const nsRect & {...}, 
int 1, int 0, int 1, nsMargin & {...}, unsigned int & 0) line 449 + 45 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineBox * 
0x02ecca90, int * 0x0012ea08) line 3498 + 59 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x02ecca90, 
int * 0x0012ea08, int 1) line 2811 + 23 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2622 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x02a74234, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 1566 + 15 bytes
nsAreaFrame::Reflow(nsAreaFrame * const 0x02a74234, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 272 + 25 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x02a74234, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 
0, int 0, unsigned int 0, unsigned int & 0) line 638 + 31 bytes
RootFrame::Reflow(RootFrame * const 0x02a246ac, nsIPresContext * 0x038c2cf0, 
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) 
line 331
nsContainerFrame::ReflowChild(nsIFrame * 0x02a246ac, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 
0, int 0, unsigned int 1, unsigned int & 0) line 638 + 31 bytes
nsScrollPortFrame::Reflow(nsScrollPortFrame * const 0x02a24734, nsIPresContext 
* 0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 455
nsContainerFrame::ReflowChild(nsIFrame * 0x02a24734, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 
0, int 0, unsigned int 3, unsigned int & 0) line 638 + 31 bytes
nsGfxScrollFrameInner::ReflowFrame(nsIPresContext * 0x038c2cf0, 
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0, 
nsIFrame * 0x02a24734, const nsSize & {...}, const nsSize & {...}, int & 0, 
nsIFrame * & 0x00000000) line 1300
nsGfxScrollFrameInner::ReflowScrollArea(nsIPresContext * 0x038c2cf0, 
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0, 
nsIFrame * & 0x00000000) line 1367
nsGfxScrollFrame::Reflow(nsGfxScrollFrame * const 0x02a246e8, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 577
nsContainerFrame::ReflowChild(nsIFrame * 0x02a246e8, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 
0, int 0, unsigned int 0, unsigned int & 0) line 638 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x02a24670, nsIPresContext * 
0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 531
nsHTMLReflowCommand::Dispatch(nsHTMLReflowCommand * const 0x03ae4040, 
nsIPresContext * 0x038c2cf0, nsHTMLReflowMetrics & {...}, const nsSize & {...}, 
nsIRenderingContext & {...}) line 145
PresShell::ProcessReflowCommands(PresShell * const 0x0384f350, int 1) line 2031
ReflowEvent::HandleEvent() line 1931
HandlePLEvent(ReflowEvent * 0x03ae5f70) line 1943
PL_HandleEvent(PLEvent * 0x03ae5f70) line 526 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x010286e0) line 487 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x09730300, unsigned int 49335, unsigned int 0, 
long 16942816) line 975 + 9 bytes
USER32! 77e71268()
010286e0()
Assignee: cbegle → troy
Component: Browser-General → Layout
QA Contact: asadotzler → petersen
Huh, crash in line layout. Gee, that's Kipp's old code. You know what that 
means. :-)
Assignee: troy → kipp
serious crash
Assignee: kipp → buster
Severity: major → critical
Keywords: beta1, crash
Priority: P3 → P1
Target Milestone: M14
the frame tree looks correct.  the font span holds the anchor span on one line, 
and on the next line the continued font span holds the continued anchor span.
at the time of the assertion, all the frames look legit.  But I think 
DeleteChildsNextInFlow might make a bad assumption about the parentage of the 
frames that are being removed.  investigating....
Status: NEW → ASSIGNED
PDT+
Whiteboard: [PDT+]
Whiteboard: [PDT+] → [PDT+] 2/21
Steve, I'm pretty sure this is because of the change you made to the block 
frame's Reflow() function for how we handle incremental reflow. Notice that the 
stack trace shows we're in an incremental reflow.

And bug #28434 I know is caused by that problem, and it has the same stack trace 
and crashes in the same way

All these problems are recent regressions as well
I belive i found another exemple at http://www.chc-3.com/,

Steps to reproduce:
	Gto http://www.chc-3.com/pub/linuxgrok.htm press in 'first article' to go to
'http://www.chc-3.com/globe_10_28_99.htm' or 'second article' to go to
'http://www.chc-3.com/globe_01_20_00.htm' and mozzilla crashes .

Build id 2000021708 on NT 4.



	
	

*** Bug 28434 has been marked as a duplicate of this bug. ***
OS: Windows NT → All
Hardware: PC → All
*** Bug 28318 has been marked as a duplicate of this bug. ***
*** Bug 28810 has been marked as a duplicate of this bug. ***
fixed, along with 25510.  fix was in nsBlockFrame.cpp handling of incremental 
reflows targeted at child inline frames.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
It looks fine in Build ID 2000022216 NT 4

Fine here too, thank you buster! Marking verified.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: