Closed Bug 294371 Opened 20 years ago Closed 20 years ago

crash when xul element grid has style="overflow:auto" gkgfx.dll!nsRect::nsRect(const nsRect & aRect={...}) Line 57 + 0xd C++

Categories

(Core :: Layout, defect)

defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: toddf, Unassigned)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Stack trace:

 	gkgfx.dll!nsRect::nsRect(const nsRect & aRect={...})  Line 57 + 0xd	C++
 	gklayout.dll!nsView::GetDimensions()  Line 248 + 0x19	C++
 	gklayout.dll!nsView::GetClippedRect()  Line 839	C++
 	gklayout.dll!nsViewManager::UpdateView(nsIView * aView=0x00000000, const
nsRect & aRect={...}, unsigned int aUpdateFlags=4)  Line 1761	C++
>	gklayout.dll!nsViewManager::MoveViewTo(nsIView * aView=0x02b03950, int aX=0,
int aY=1545)  Line 2608	C++
 	gklayout.dll!nsContainerFrame::PositionFrameView(nsIPresContext *
aPresContext=0x02ae3608, nsIFrame * aKidFrame=0x02aff52c)  Line 512	C++
 	gklayout.dll!nsBox::SetBounds(nsBoxLayoutState & aState={...}, const nsRect &
aRect={...})  Line 583 + 0xd	C++
 	gklayout.dll!nsContainerBox::LayoutChildAt(nsBoxLayoutState & aState={...},
nsIBox * aBox=0x02aff564, const nsRect & aRect={...})  Line 640	C++
 	gklayout.dll!nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & aState={...},
nsIBox * aBox=0x02aff564, const nsRect & aRect={...})  Line 1264 + 0x11	C++
 	gklayout.dll!nsGfxScrollFrameInner::Layout(nsBoxLayoutState & aState={...})
 Line 1618	C++
 	gklayout.dll!nsGfxScrollFrame::DoLayout(nsBoxLayoutState & aState={...})  Line
1272 + 0xf	C++
 	gklayout.dll!nsBox::Layout(nsBoxLayoutState & aState={...})  Line 1016	C++
 	gklayout.dll!nsSprocketLayout::Layout(nsIBox * aBox=0x02aff024,
nsBoxLayoutState & aState={...})  Line 552	C++
 	gklayout.dll!nsContainerBox::DoLayout(nsBoxLayoutState & aState={...})  Line
610 + 0x22	C++
 	gklayout.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...})  Line 1053	C++
 	gklayout.dll!nsBox::Layout(nsBoxLayoutState & aState={...})  Line 1016	C++
 	gklayout.dll!nsScrollBoxFrame::DoLayout(nsBoxLayoutState & aState={...}) 
Line 337	C++
 	gklayout.dll!nsBox::Layout(nsBoxLayoutState & aState={...})  Line 1016	C++
 	gklayout.dll!nsSprocketLayout::Layout(nsIBox * aBox=0x02ad3b30,
nsBoxLayoutState & aState={...})  Line 552	C++
 	gklayout.dll!nsContainerBox::DoLayout(nsBoxLayoutState & aState={...})  Line
610 + 0x22	C++
 	gklayout.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...})  Line 1053	C++
 	gklayout.dll!nsBox::Layout(nsBoxLayoutState & aState={...})  Line 1016	C++
 	gklayout.dll!nsStackLayout::Layout(nsIBox * aBox=0x02ad3840, nsBoxLayoutState
& aState={...})  Line 322	C++
 	gklayout.dll!nsContainerBox::DoLayout(nsBoxLayoutState & aState={...})  Line
610 + 0x22	C++
 	gklayout.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...})  Line 1053	C++
 	gklayout.dll!nsBox::Layout(nsBoxLayoutState & aState={...})  Line 1016	C++
 	gklayout.dll!nsBoxFrame::Reflow(nsIPresContext * aPresContext=0x02ae3608,
nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState &
aReflowState={...}, unsigned int & aStatus=0)  Line 868	C++
 	gklayout.dll!nsRootBoxFrame::Reflow(nsIPresContext * aPresContext=0x02ae3608,
nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState &
aReflowState={...}, unsigned int & aStatus=0)  Line 240	C++
 	gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x02ad3808,
nsIPresContext * aPresContext=0x02ae3608, nsHTMLReflowMetrics &
aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int
aY=0, unsigned int aFlags=0, unsigned int & aStatus=0)  Line 967 + 0x1f	C++
 	gklayout.dll!ViewportFrame::Reflow(nsIPresContext * aPresContext=0x02ae3608,
nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState &
aReflowState={...}, unsigned int & aStatus=0)  Line 248 + 0x2b	C++
 	gklayout.dll!PresShell::ResizeReflow(int aWidth=2760, int aHeight=1545) 
Line 2936	C++
 	gklayout.dll!PresShell::ResizeReflow(nsIView * aView=0x02aca4b8, int
aWidth=2760, int aHeight=1545)  Line 6147	C++
 	gklayout.dll!nsViewManager::DoSetWindowDimensions(int aWidth=2760, int
aHeight=1545)  Line 365	C++
 	gklayout.dll!nsViewManager::SetWindowDimensions(int aWidth=2760, int
aHeight=1545)  Line 687	C++
 	gklayout.dll!nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012e4bc,
nsEventStatus * aStatus=0x0012e40c)  Line 1872	C++
 	gklayout.dll!HandleEvent(nsGUIEvent * aEvent=0x0012e4bc)  Line 77	C++
 	gkwidget.dll!nsWindow::DispatchEvent(nsGUIEvent * event=0x0012e4bc,
nsEventStatus & aStatus=nsEventStatus_eIgnore)  Line 1067 + 0xa	C++
 	gkwidget.dll!nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012e4bc) 
Line 1088	C++
 	gkwidget.dll!nsWindow::OnResize(nsRect & aWindowRect={...})  Line 5114 + 0xf	C++
 	gkwidget.dll!nsWindow::ProcessMessage(unsigned int msg=71, unsigned int
wParam=0, long lParam=1239636, long * aRetValue=0x0012e914)  Line 4284 + 0x18	C++
 	gkwidget.dll!nsWindow::WindowProc(HWND__ * hWnd=0x00e90210, unsigned int
msg=71, unsigned int wParam=0, long lParam=1239636)  Line 1349 + 0x1b	C++
 	user32.dll!77d48734() 	
 	user32.dll!77d48816() 	
 	user32.dll!77d4b4c0() 	
 	user32.dll!77d4d0a5() 	
 	ntdll.dll!7c90eae3() 	
 	user32.dll!77d4c027() 	
 	gkwidget.dll!nsWindow::Resize(int aX=0, int aY=0, int aWidth=184, int
aHeight=103, int aRepaint=0)  Line 2157 + 0x36	C++
 	gklayout.dll!DocumentViewerImpl::SetBounds(const nsRect & aBounds={...}) 
Line 1477	C++
 	docshell.dll!nsDocShell::SetPositionAndSize(int x=0, int y=0, int cx=184, int
cy=103, int fRepaint=0)  Line 3407 + 0x24	C++
 	appshell.dll!nsWebShellWindow::HandleEvent(nsGUIEvent * aEvent=0x0012ec8c) 
Line 418	C++
 	gkwidget.dll!nsWindow::DispatchEvent(nsGUIEvent * event=0x0012ec8c,
nsEventStatus & aStatus=nsEventStatus_eIgnore)  Line 1067 + 0xa	C++
 	gkwidget.dll!nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012ec8c) 
Line 1088	C++
 	gkwidget.dll!nsWindow::OnResize(nsRect & aWindowRect={...})  Line 5114 + 0xf	C++
 	gkwidget.dll!nsWindow::ProcessMessage(unsigned int msg=71, unsigned int
wParam=0, long lParam=1241636, long * aRetValue=0x0012f0e4)  Line 4284 + 0x18	C++
 	gkwidget.dll!nsWindow::WindowProc(HWND__ * hWnd=0x00fb01c6, unsigned int
msg=71, unsigned int wParam=0, long lParam=1241636)  Line 1349 + 0x1b	C++
 	user32.dll!77d48734() 	
 	user32.dll!77d48816() 	
 	user32.dll!77d4b4c0() 	
 	user32.dll!77d4d0a5() 	
 	ntdll.dll!7c90eae3() 	
 	user32.dll!77d4c027() 	
 	gkwidget.dll!nsWindow::Resize(int aWidth=0, int aHeight=30, int
aRepaint=1241760)  Line 2104 + 0x32	C++
 	gkwidget.dll!nsWindow::SetSizeMode(int aMode=0)  Line 1830 + 0xd	C++
 	000000c0()	
 	appshell.dll!nsXULWindow::LoadSizeFromXUL()  Line 1123	C++
 	appshell.dll!nsXULWindow::OnChromeLoaded()  Line 937	C++
 	appshell.dll!nsWebShellWindow::OnStateChange(nsIWebProgress *
aProgress=0x029aa0c4, nsIRequest * aRequest=0x029981c0, unsigned int
aStateFlags=786448, unsigned int aStatus=0)  Line 1298	C++
 	docshell.dll!nsDocLoaderImpl::FireOnStateChange(nsIWebProgress *
aProgress=0x029aa0c4, nsIRequest * aRequest=0x029981c0, int aStateFlags=786448,
unsigned int aStatus=0)  Line 1269	C++
 	docshell.dll!nsDocLoaderImpl::doStopDocumentLoad(nsIRequest *
request=0x029981c0, unsigned int aStatus=0)  Line 874	C++
 	docshell.dll!nsDocLoaderImpl::DocLoaderIsEmpty()  Line 771	C++
 	docshell.dll!nsDocLoaderImpl::OnStopRequest(nsIRequest * aRequest=0x02a99b30,
nsISupports * aCtxt=0x00000000, unsigned int aStatus=0)  Line 701	C++
 	necko.dll!nsLoadGroup::RemoveRequest(nsIRequest * request=0x02a99b30,
nsISupports * ctxt=0x00000000, unsigned int aStatus=0)  Line 695 + 0x2c	C++
 	necko.dll!nsJARChannel::OnStopRequest(nsIRequest * req=0x02a96658, nsISupports
* ctx=0x00000000, unsigned int status=0)  Line 679	C++
 	necko.dll!nsInputStreamPump::OnStateStop()  Line 499	C++
 	necko.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream *
stream=0x02a92204)  Line 339 + 0xb	C++
 	xpcom.dll!nsInputStreamReadyEvent::EventHandler(PLEvent * plevent=0x02a8dcec)
 Line 119	C++
 	xpcom.dll!PL_HandleEvent(PLEvent * self=0x02a8dcec)  Line 673 + 0xa	C
 	xpcom.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x00efff68)  Line 608
+ 0x9	C
 	xpcom.dll!_md_EventReceiverProc(HWND__ * hwnd=0x00e202a8, unsigned int
uMsg=49364, unsigned int wParam=0, long lParam=15728488)  Line 1414 + 0x9	C
 	user32.dll!77d48734() 	
 	user32.dll!77d48816() 	
 	user32.dll!77d489cd() 	
 	user32.dll!77d49402() 	
 	user32.dll!77d48a10() 	
 	gkwidget.dll!nsAppShell::Run()  Line 135	C++
 	appshell.dll!nsAppShellService::Run()  Line 495	C++
 	firefox.exe!xre_main(int argc=5, char * * argv=0x003d9060, const nsXREAppData
* aAppData=0x0041e06c)  Line 1911 + 0x23	C++
 	firefox.exe!main(int argc=5, char * * argv=0x003d9060)  Line 58 + 0x12	C++
 	firefox.exe!mainCRTStartup()  Line 398 + 0x11	C
 	kernel32.dll!7c816d4f() 	
 	kernel32.dll!7c8399f3() 	


Reproducible: Always

Steps to Reproduce:

The crash is caused by a null pointer passed to UpdateView called in 
nsViewManager::MoveViewTo from nsviewmanager.cpp

It looks like nsView::GetParent returns null
Keywords: crash, testcase
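
The reading of the trace given in the report (a null `aView` reaching `UpdateView` from `MoveViewTo`), as an added triage example that is not part of the original report or of Mozilla's code: it rejoins the wrapped frames and returns the topmost frame that received a null pointer argument, with its caller and call-site line. The function names are made up for this example, and `SAMPLE` is an excerpt of the frames posted above.

```python
import re

# Excerpt in the Visual Studio call-stack format of the trace above, keeping
# its hard line wraps (top of stack first, ">" marks the selected frame).
SAMPLE = """\
 \tgkgfx.dll!nsRect::nsRect(const nsRect & aRect={...})  Line 57 + 0xd\tC++
 \tgklayout.dll!nsView::GetDimensions()  Line 248 + 0x19\tC++
 \tgklayout.dll!nsView::GetClippedRect()  Line 839\tC++
 \tgklayout.dll!nsViewManager::UpdateView(nsIView * aView=0x00000000, const
nsRect & aRect={...}, unsigned int aUpdateFlags=4)  Line 1761\tC++
>\tgklayout.dll!nsViewManager::MoveViewTo(nsIView * aView=0x02b03950, int aX=0,
int aY=1545)  Line 2608\tC++
 \tgklayout.dll!nsContainerFrame::PositionFrameView(nsIPresContext *
aPresContext=0x02ae3608, nsIFrame * aKidFrame=0x02aff52c)  Line 512\tC++
"""

FRAME_START = re.compile(r"^>?\s*[\w.]+!")  # "module!" opens a new frame
FRAME = re.compile(r"^(?P<cur>>?)\s*[\w.]+!(?P<func>[\w:~]+)"
                   r"\((?P<args>.*?)\)\s*(?:Line (?P<line>\d+))?")

def parse_frames(text):
    """Rejoin wrapped lines, then parse each frame (top of stack first)."""
    joined = []
    for raw in filter(str.strip, text.splitlines()):
        if FRAME_START.match(raw) or not joined:
            joined.append(raw.strip())
        else:
            joined[-1] += " " + raw.strip()  # continuation of a wrapped frame
    matches = (FRAME.match(entry) for entry in joined)
    return [{"selected": m["cur"] == ">", "func": m["func"], "args": m["args"],
             "line": int(m["line"]) if m["line"] else None} for m in matches if m]

def null_pointer_args(args):
    """Names of pointer parameters whose recorded value is all zeros."""
    parts = (p.strip() for p in args.split(","))
    return [m[1] for m in (re.search(r"\*\s*(\w+)=0x0+$", p) for p in parts) if m]

def first_null_pointer_frame(frames):
    """Topmost frame that received a null pointer, with its caller and call-site line."""
    for i, frame in enumerate(frames[:-1]):
        nulls = null_pointer_args(frame["args"])
        if nulls:
            caller = frames[i + 1]
            return frame["func"], nulls, caller["func"], caller["line"]
    return None

if __name__ == "__main__":
    print(first_null_pointer_frame(parse_frames(SAMPLE)))
```

Null arguments further down a stack, such as `aCtxt=0x00000000` in the `OnStopRequest` frames above, are not necessarily faults, which is why only the topmost hit is returned as the candidate.
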
Crashes for me in Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8)
Gecko/20050509 Firefox/1.0.4
Does not crash for me in Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
rv:1.8b2) Gecko/20050515 Firefox/1.0+ ID:2005051518

Todd, can you try with a nightly firefox (1.1alpha) build to verify that this
bug is indeed fixed? Thanks!
- http://ftp.uni-erlangen.de/pub/mozilla.org/firefox/nightly/latest-trunk/
(I'd make a new profile for the trunk build)

(In reply to comment #2)
> Crashes for me in Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8)
> Gecko/20050509 Firefox/1.0.4
> Does not crash for me in Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
> rv:1.8b2) Gecko/20050515 Firefox/1.0+ ID:2005051518
> 
> Todd, can you try with a nightly firefox (1.1alpha) build to verify that this
> bug is indeed fixed? Thanks!
> - http://ftp.uni-erlangen.de/pub/mozilla.org/firefox/nightly/latest-trunk/
> (I'd make a new profile for the trunk build)


Yes, it does work as expected in the nightly build. I'd still like to submit a
patch to get this so that it at least doesn't crash in firefox 1.0.x. Perhaps it
could be included in 1.0.5?

Of course you may attach a patch if you want, but the only patches that really
land on the branch (firefox 1.0x) are security related ones. All the hard work
is going on on the trunk for firefox 1.1.

wfm then, this is a layout fix, no way such a patch would go into FF 1.0.x, also
FF 1.1 is before the door, so I doubt anyone will still put so much effort into
crasher fixes for 1.0.x

Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME

Also see Bug 284976 Comment 7 (the 1.7 branch is similar to the aviary 1.0(.1)
branch in layout parts).

layout/xul/base/src/crashtests/294371-1.xul
http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+