Crash entering empty table cell from input (submit) using Caret Browsing

VERIFIED WORKSFORME

Status

()

--
critical
VERIFIED WORKSFORME
14 years ago
9 years ago

People

(Reporter: djcater+bugzilla, Unassigned)

Tracking

({crash, testcase})

1.7 Branch
x86
All
crash, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment)

336 bytes, application/xhtml+xml
Details
(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20050126 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20050126 Firefox/1.0

When using Caret Browsing, navigating from a submit button to a completely empty
table data cell (not even whitespace,) the browser crashes.

Reproducible: Always

Steps to Reproduce:
1. Load up the provided testcase.
2. Use Caret Browsing (F7.)
3. Press Tab until the button is highlighted and the caret is at the beginning
of the button (should just be one press.)
4. Press the left arrow key.
Actual Results:  
Caret doesn't move, browser crashes.

Expected Results:  
Caret should have moved to the empty cell, and the browser should have continued
to run.

This occurred using the build specified above on Gentoo Linux, Mozilla 1.7.5
(20050130) on Gentoo Linux, and also Firefox/1.0 on Windows XP. When I boot into
Windows I will post a link to the Talkback crash. I have also devised a
simplified testcase which shows the crash clearly. I will attach it shortly.
(Reporter)

Comment 1

14 years ago
Created attachment 174681 [details]
Testcase

Follow instructions in first post to test the crash using this testcase.

Updated

14 years ago
Assignee: aaronleventhal → ginn.chen
(Reporter)

Comment 2

14 years ago
(In reply to comment #0)
> I will post a link to the Talkback crash

http://talkback-public.mozilla.org./talkback/fastfind.jsp?search=2&type=iid&id=TB3778660Q

Basics:

Stack Signature	 nsTextFrame::PeekOffset 9a3a2129
Product ID	Firefox10
Build ID	2004110711
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (0022e6cb)
URL visited	https://bugzilla.mozilla.org./attachment.cgi?id=174681
Trigger Reason	Stack overflow
Source File, Line No.
d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsTextFrame.cpp,
line 3870

And after that a whole load of:

nsTextFrame::PeekOffset 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsTextFrame.cpp,
line 3943]

Updated

14 years ago
Assignee: ginn.chen → nobody
Component: Keyboard: Navigation → Layout: Fonts and Text
Keywords: crash
QA Contact: bugzilla → layout.fonts-and-text

Comment 3

14 years ago
IMHO dupe of bug 256835, which was fixed on trunk.
Crash with FF1.0.1NB/20050216/WXP -> TB3779554Z
WFM M1.8b1NB/2005021614/WXP
WFM FF1.0+NB/20050218/WXP
Keywords: testcase
Version: Trunk → 1.7 Branch
Yeah, worksforme on trunk too.  Not sure it's a direct dup of bug 256835, but
it's definitely not crashing.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → WORKSFORME
(Reporter)

Updated

14 years ago
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.