Closed
Bug 322759
Opened 19 years ago
Closed 18 years ago
crash if define html:input of type checkbox inside listitem [@ AppendUTF8toUTF16] [@ nsSubstring::MutatePrep] Stack overflow
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
VERIFIED
FIXED
People
(Reporter: also, Unassigned)
References
Details
(Keywords: crash, testcase, Whiteboard: [reflow-refactor])
Crash Data
Attachments
(2 files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051110 Firefox/1.6a1 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051110 Firefox/1.6a1 <vbox> <listbox rows="2"> <listitem label="listitem"/> <listitem><html:input type="checkbox" style="margin:0px;"/></listitem> </listbox> </vbox> There must be 1. the definition of rows in listbox 2. at least one listitem before the listitem with <html:input .... 3. the <html:input of type checkbox or radio 4. a style definition with margin:0px; crash Reproducible: Always
|
||
Comment 1•19 years ago
|
||
|
|
||
Comment 2•19 years ago
|
||
I can confirm the crash. Also crashes Mozilla1.7, so no recent regression.
|
|
||
Comment 3•19 years ago
|
||
I'm unable to get a backtrace in my debug build, I only get this: Program received signal SIGSEGV, Segmentation fault. 0x77f949c5 in ?? () from ntdll.dll It seems like an infinite recursion crash or something like that.
|
||
Comment 4•19 years ago
|
||
4. a style definition with margin:0px; can also be non-zero TB13721317Z martinjn's testcase TB13721541M martinjn's testcase modified to 2px http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=comments&match=contains&searchfor=322759&vendor=MozillaOrg&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid
|
||
Comment 5•19 years ago
|
||
Incident ID: 13721317 Stack Signature AppendUTF8toUTF16 a4f0f852 Product ID Firefox15 Build ID 2005111116 Trigger Time 2006-01-08 15:34:58.0 Platform Win32 Operating System Windows 98 4.10 build 67766222 Module XPCOM_CORE.DLL + (0003ae51) URL visited https://bugzilla.mozilla.org/attachment.cgi?id=207929&action=view User Comments Bug 322759 crash if define html:input of type checkbox inside listitem Since Last Crash 39364 sec Total Uptime 39364 sec Trigger Reason Stack overflow Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpcom/string/src/nsReadableUtils.cpp, line 230 Stack Trace AppendUTF8toUTF16 [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpcom/string/src/nsReadableUtils.cpp, line 230] AtomImpl::ToString [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpcom/ds/nsAtomTable.cpp, line 362] nsAttrValue::ToString [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsAttrValue.cpp, line 318] nsXULElement::GetAttr [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 1566] nsSliderFrame::GetIntegerAttribute [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsSliderFrame.cpp, line 214] nsSliderFrame::GetMaxPosition [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsSliderFrame.cpp, line 194] nsCSSFrameConstructor::AttributeChanged [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10572] PresShell::AttributeChanged [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5435] nsXULElement::SetAttrAndNotify [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 1519] nsXULElement::SetAttr [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 1440] nsXBLPrototypeBinding::AttributeChanged [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xbl/src/nsXBLPrototypeBinding.cpp, line 504] nsXBLBinding::AttributeChanged [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xbl/src/nsXBLBinding.cpp, line 779] nsXULElement::SetAttr [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 1440] nsGfxScrollFrameInner::SetAttribute [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsGfxScrollFrame.cpp, line 2482] nsGfxScrollFrameInner::LayoutScrollbars [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsGfxScrollFrame.cpp, line 2368] nsXULScrollFrame::Layout [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsGfxScrollFrame.cpp, line 2331] nsXULScrollFrame::DoLayout [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsGfxScrollFrame.cpp, line 1283] nsBoxFrame::DoLayout [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1106] nsGridLayout2::Layout [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridLayout2.cpp, line 74] nsBoxFrame::DoLayout [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1106] nsBoxFrame::DoLayout [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1106] nsBoxFrame::DoLayout [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1106] nsRootBoxFrame::Reflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsRootBoxFrame.cpp, line 227] nsContainerFrame::ReflowChild [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 904] ViewportFrame::Reflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsViewportFrame.cpp, line 240] IncrementalReflow::Dispatch [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 914] PresShell::ProcessReflowCommands [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6870] PresShell::FlushPendingNotifications [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5333] PresShell::HandlePostedReflowCallbacks [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5234] PresShell::DidDoReflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6785] PresShell::FlushPendingNotifications [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5333] PresShell::HandlePostedReflowCallbacks [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5234] PresShell::DidDoReflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6785] PresShell::FlushPendingNotifications [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5333] PresShell::HandlePostedReflowCallbacks [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5234] PresShell::DidDoReflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6785] PresShell::FlushPendingNotifications [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5333] PresShell::HandlePostedReflowCallbacks [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5234] PresShell::DidDoReflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6785] PresShell::FlushPendingNotifications [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5333] PresShell::HandlePostedReflowCallbacks [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5234] PresShell::DidDoReflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6785] PresShell::FlushPendingNotifications [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5333] PresShell::HandlePostedReflowCallbacks [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5234] PresShell::DidDoReflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6785] PresShell::FlushPendingNotifications [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5333] PresShell::HandlePostedReflowCallbacks [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5234] PresShell::DidDoReflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6785] PresShell::FlushPendingNotifications [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5333] PresShell::HandlePostedReflowCallbacks [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5234] PresShell::DidDoReflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6785] PresShell::FlushPendingNotifications [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5333] PresShell::HandlePostedReflowCallbacks [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5234] PresShell::DidDoReflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6785] PresShell::FlushPendingNotifications [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5333] PresShell::HandlePostedReflowCallbacks [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5234] PresShell::DidDoReflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6785] PresShell::FlushPendingNotifications [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5333] PresShell::HandlePostedReflowCallbacks [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5234] PresShell::DidDoReflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6785] PresShell::FlushPendingNotifications [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5333] PresShell::HandlePostedReflowCallbacks [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5234] PresShell::DidDoReflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6785] PresShell::FlushPendingNotifications [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5333] The second stack is pretty much the same except the top two frames are different : nsSubstring::MutatePrep [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpcom/string/src/nsTSubstring.cpp, line 64] nsSubstring::SetLength [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpcom/string/src/nsTSubstring.cpp, line 551]
Summary: crash if define html:input of type checkbox inside listitem → crash if define html:input of type checkbox inside listitem [@ AppendUTF8toUTF16] [@ nsSubstring::MutatePrep]
ispiked, what matters is this line: Trigger Reason Stack overflow it means that the top frame in the stack is likely to vary among the top frames you see here based on what else was on the stack before bad stuff happened.
Summary: crash if define html:input of type checkbox inside listitem [@ AppendUTF8toUTF16] [@ nsSubstring::MutatePrep] → crash if define html:input of type checkbox inside listitem [@ AppendUTF8toUTF16] [@ nsSubstring::MutatePrep] Stack overflow
|
|
||
Updated•18 years ago
|
Flags: blocking1.9?
|
|
||
Comment 7•18 years ago
|
||
*** Bug 359786 has been marked as a duplicate of this bug. ***
|
|
||
Comment 8•18 years ago
|
||
So it looks like the issue is the nested <listitem>s. This appears to be fixed on trunk, but still crashes branch. We should figure out when it got fixed on trunk.
Flags: blocking1.9?
OS: Windows 2000 → All
Hardware: PC → All
Version: Trunk → 1.8 Branch
|
|
||
Comment 9•18 years ago
|
||
Well, I'm still crashing on trunk with the testcase, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061108 Minefield/3.0a1 So for me this isn't fixed on trunk for me.
Version: 1.8 Branch → Trunk
|
|
||
Comment 10•18 years ago
|
||
|
|
||
Comment 11•18 years ago
|
||
I suspect this would be fixed with a fix for bug 281147.
Depends on: 281147
|
|
||
Comment 12•18 years ago
|
||
This is worksforme with a reflow branch build of: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061107 Minefield/3.0a1
Whiteboard: [reflow-refactor]
|
||
Comment 13•18 years ago
|
||
fixed on reflow branch
|
|
||
Updated•18 years ago
|
Status: RESOLVED → VERIFIED
|
||
Comment 14•18 years ago
|
||
Adding in-testsuite? nomination per bz's request in m.d.t.l. Sorry for the bugspam.
Flags: in-testsuite?
|
Reporter | |
Comment 15•18 years ago
|
||
(In reply to comment #12) > This is worksforme with a reflow branch build of: > Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061107 > Minefield/3.0a1 > Test with: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1 crash This bug is one of 3 or 4 bugs I reported and all of them produce a crash. All of this examples do NOT use any privileged code and all of them I reported at least one year ago. Not even one of this bugs are fixed. Great !
|
Assignee | |
Updated•13 years ago
|
Crash Signature: [@ AppendUTF8toUTF16]
[@ nsSubstring::MutatePrep]
|
|
||
Updated•12 years ago
|
Crash Signature: [@ AppendUTF8toUTF16]
[@ nsSubstring::MutatePrep] → [@ AppendUTF8toUTF16]
[@ nsSubstring::MutatePrep]
Flags: in-testsuite?
You need to log in
before you can comment on or make changes to this bug.
Description
•