Closed Bug 335474 Opened 18 years ago Closed 18 years ago

Crash in [@ nsCSSRendering::DrawDashedSides]

Categories

(Core :: Layout, defect)

x86
Windows XP
defect
Not set
critical

Tracking

VERIFIED FIXED

People

(Reporter: stephend, Assigned: masayuki)

Details

(Keywords: crash, regression, topcrash)

Attachments

(2 files, 1 obsolete file)

Summary: Crash in [@ nsCSSRendering::DrawDashedSides] 

Build ID: 2006-04-25-08, SeaMonkey trunk on Windows XP

Steps to Reproduce:

1. Simply load https://bugzilla.mozilla.org/attachment.cgi?id=212050&action=view from bug 326550 and keep pressing Tab until you crash, here:

nsCSSRendering::DrawDashedSides  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsCSSRendering.cpp, line 962]
CanvasFrame::PaintFocus  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/generic/nsHTMLFrame.cpp, line 520]
nsDisplayCanvasFocus::Paint  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/generic/nsHTMLFrame.cpp, line 421]
nsDisplayList::Paint  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsDisplayList.cpp, line 234]
PresShell::Paint  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp, line 5594]
nsViewManager::RenderViews  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 863]
nsViewManager::Refresh  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 699]
nsViewManager::DispatchEvent  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 1469]
HandleEvent  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1103]
nsWindow::ProcessMessage  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4240]
nsWindow::WindowProc  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1292]
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0xb4c0 (0x77d4b4c0)
USER32.dll + 0xb50c (0x77d4b50c)
ntdll.dll + 0xeae3 (0x7c90eae3)
nsWindow::DispatchStarvedPaints  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4031]
USER32.dll + 0xda57 (0x77d4da57)
nsWindow::DispatchPendingEvents  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4069]
nsWindow::ProcessMessage  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4578]
nsWindow::WindowProc  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1292]
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0x89cd (0x77d489cd)
USER32.dll + 0x8a10 (0x77d48a10)
nsAppShell::Run  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/components/startup/src/nsAppStartup.cpp, line 208]
main  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1750]
WinMain  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1774]
kernel32.dll + 0x16d4f (0x7c816d4f)
Flags: blocking1.9a1?
Keywords: regression
Attached file stack with symbols
Blocks: 326550
(In reply to comment #0)
> Summary: Crash in [@ nsCSSRendering::DrawDashedSides] 
> 
> Build ID: 2006-04-25-08, SeaMonkey trunk on Windows XP
> 
> Steps to Reproduce:
> 
> 1. Simply load
> https://bugzilla.mozilla.org/attachment.cgi?id=212050&action=view from bug
> 326550 and keep pressing Tab until you crash,

The URL given here is NOT significant.  The same steps cause the crash regardless of the URL being visited.  Firefox even crashes in safe mode if you load about:blank and press Tab multiple times.

I suspect the code in bug 326550 needs to null check the current color and revert to using black in that case.
Sorry for this regression. The patch of bug 335394 fixes this bug too.
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
This is the #2 topcrash in the last few days.
Keywords: topcrash
*** Bug 335718 has been marked as a duplicate of this bug. ***
Attached patch Patch rv1.0 (obsolete)
O.K. Review of the patch for bug 335394 has not started yet, so we should go with this first.
Attachment #220105 - Flags: superreview?(roc)
Attachment #220105 - Flags: review?(roc)
Comment on attachment 220105
Patch rv1.0

+    mStyleContext ? mStyleContext->GetStyleColor() : nsnull;
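
Review bot: on the `+` line, the fallback arm of the ternary yields nsnull, so the value produced here can be null by construction and whatever reads it next has to test for that before dereferencing; the quoted line alone does not show such a test. If mStyleContext is never null at this point, drop the conditional and call mStyleContext->GetStyleColor() directly, so the code does not advertise a null case that cannot occur.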

mStyleContext cannot be null, so don't check that.
Attachment #220105 - Flags: superreview?(roc)
Attachment #220105 - Flags: superreview+
Attachment #220105 - Flags: review?(roc)
Attachment #220105 - Flags: review+
Attachment #220105 - Attachment is obsolete: true
Attachment #220200 - Flags: superreview+
Attachment #220200 - Flags: review+
checked-in.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
No longer depends on: 335394
Comment on attachment 220200
patch for check-in

>+  if (!color) {
>+    NS_ERROR("current color cannot be found");
>+    return;
>+  }
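
Review bot: the `return;` inside `if (!color)` exits early and skips whatever follows in the function, with the NS_ERROR text as the only trace that this happened. Add a comment above the check stating whether a null `color` is a reachable state here; if it is not, an assertion alone expresses the invariant, and if it is, falling back to a default color (black was suggested earlier in this bug) keeps the work from being dropped silently.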

Please remove this runtime check; there's no way this can be null.  Leave an assertion if you really want.
(In reply to comment #10)
> (From update of attachment 220200)
> >+  if (!color) {
> >+    NS_ERROR("current color cannot be found");
> >+    return;
> >+  }
> 
> Please remove this runtime check; there's no way this can be null.  Leave an
> assertion if you really want.

Sorry, I don't have much time to remove it now. I'm going to the airport. I'll work on it ASAP.
*** Bug 335907 has been marked as a duplicate of this bug. ***
Verified FIXED using build 2006-04-29-05 of SeaMonkey trunk under Windows XP.
Status: RESOLVED → VERIFIED
*** Bug 335674 has been marked as a duplicate of this bug. ***
*** Bug 335756 has been marked as a duplicate of this bug. ***
Flags: blocking1.9a1?
Crash Signature: [@ nsCSSRendering::DrawDashedSides]