Closed Bug 344884 Opened 18 years ago Closed 18 years ago

Flickr - Attempt to delete note from picture causes crash [@ nsTextControlFrame::SetValue]

Categories

(Core :: DOM: Editor, defect)

1.8 Branch
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 344560

People

(Reporter: kpesavento, Unassigned)

References

()

Details

(Keywords: crash, regression, top100)

Crash Data

Attachments

(1 file)

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060710 Firefox/2.0b1

Firefox 2 Beta 1 crashes when one attempts to delete a note from a picture of theirs on Flickr.

Reproducible: Always

Steps to Reproduce:
1. Log in to flickr.
2. View a picture in your account with a note attached to it.
3. Click on the Note.
4. Click on Delete button for Note.

Actual Results:  
Browser Crashes

Expected Results:  
Note successfully deletes, Browser does not crash.
Other things to note:  this does NOT happen in 1.5.0.4.  It DOES happen in 2.0b1 Safe Mode.  
Please install (or enable) Talkback and get a Talkback ID for the crash. http://kb.mozillazine.org/Talkback
Severity: normal → critical
Last Talkback ID from this bug: TB21019918Y
Bug also occurs in Firefox 2.0b1 on Linux: TB21047986G
Bug 209270 and bug 301270 also have nsTextControlFrame::SetValue at the top,
but they have a different stack leading up to it so I'm confirming this bug
as a separate issue for now.
Status: UNCONFIRMED → NEW
Component: General → Editor
Ever confirmed: true
Keywords: crash, top100
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general
Summary: Flickr - Attempt to delete note from picture causes crash → Flickr - Attempt to delete note from picture causes crash [@ nsTextControlFrame::SetValue]
Version: unspecified → 1.8 Branch
Incident ID: 21019918
Stack Signature	nsTextControlFrame::SetValue 0923404f
Product ID	Firefox2
Build ID	2006071020
Trigger Time	2006-07-16 18:18:29.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (0018433f)
URL visited	http://www.flickr.com
User Comments	I was deleting a note from a picture from my flickr account.
Since Last Crash	73503 sec
Total Uptime	73503 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/layout/forms/nsTextControlFrame.cpp, line 3252
Stack Trace 	
nsTextControlFrame::SetValue  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/layout/forms/nsTextControlFrame.cpp, line 3252]
nsTextControlFrame::SetProperty  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/layout/forms/nsTextControlFrame.cpp, line 2416]
nsHTMLTextAreaElement::SetValue  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLTextAreaElement.cpp, line 435]
XPCWrappedNative::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2160]
XPC_WN_GetterSetter  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1474]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1349]
js_InternalInvoke  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1447]
js_InternalGetOrSet  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1507]
js_SetProperty  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 3370]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3835]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1368]
js_InternalInvoke  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1447]
JS_CallFunctionValue  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4377]
nsJSContext::CallEventHandler  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1474]
nsJSEventListener::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/dom/src/events/nsJSEventListener.cpp, line 195]
nsEventListenerManager::HandleEventSubType  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1655]
nsEventListenerManager::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1762]
nsGenericElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2223]
nsHTMLInputElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1507]
PresShell::HandleEventInternal  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6379]
PresShell::HandleEventWithTarget  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6277]
nsEventStateManager::CheckForAndDispatchClick  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 3097]
nsEventStateManager::PostHandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2076]
PresShell::HandleEventInternal  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6451]
PresShell::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6215]
nsViewManager::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2559]
nsViewManager::DispatchEvent  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2246]
HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1349]
nsWindow::DispatchMouseEvent  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6213]
ChildWindow::DispatchMouseEvent  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6460]
nsWindow::WindowProc  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1538]
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0x89cd (0x77d489cd)
USER32.dll + 0x8a10 (0x77d48a10)
nsAppShell::Run  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 152]
main  [c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
Keywords: talkbackid
Depends on: 344560
The "Steps to Reproduce" seems like an operation many users might do.
I don't think we should ship Fx2 with this bug.
Flags: blocking1.8.1?
Can someone find the regression range please?
Keywords: regression
First happens in 

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1a3) Gecko/20060706 BonEcho/2.0a3

TalkBack ID: TB21268350H
Flags: blocking1.8.1? → blocking1.8.1+
What's useful is a *range*.  What was the last build you tried that didn't have the problem?
I tested that this regressed between Linux nightlies 2006-07-05-04-mozilla1.8 and 2006-07-06-04-mozilla1.8.  And it's still present in 2006-07-31-04-mozilla1.8.
Attached file valgrind warning
This is the first of the series of "invalid read" valgrind warnings that happen right before the crash, and probably the one that best shows the cause of the problem.  Note that mozInlineSpellChecker::SpellCheckAfterEditorChange is deep within the free stack and near the top of the access stack, so this looks like it's a crash-on-unwind.
Looks like (more) fallout from the patch in bug 339066/bug 343532, then.
My first impression is that this ass the same cause as bug 344560 which I'm currently working on.
Note that I also saw this over the weekend in the flickr photo organizer -- pretty much the same symptoms in the debugger, except I didn't have steps to reproduce.
*** Bug 346262 has been marked as a duplicate of this bug. ***

*** This bug has been marked as a duplicate of 344560 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Clearing flag for dupe.
Flags: blocking1.8.1+
Crash Signature: [@ nsTextControlFrame::SetValue]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: