Last Comment Bug 359203 - Crash [@ nsHTMLFramesetFrame::MouseDrag]
: Crash [@ nsHTMLFramesetFrame::MouseDrag]
[sg:critical?] freed memory use?
: verified1.8.0.9, verified1.8.1.1
Product: Core
Classification: Components
Component: Layout: HTML Frames (show other bugs)
: Trunk
: x86 All
: -- critical (vote)
: ---
Assigned To: Olli Pettay [:smaug]
: Jet Villegas (:jet)
Depends on:
  Show dependency treegraph
Reported: 2006-11-02 09:20 PST by Olli Pettay [:smaug]
Modified: 2007-08-23 19:54 PDT (History)
5 users (show)
dveditz: blocking1.8.1.1+
dveditz: blocking1.8.0.9+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

testcase (482 bytes, text/html)
2006-11-02 09:21 PST, Olli Pettay [:smaug]
no flags Details
proposed patch. (1.74 KB, patch)
2006-11-02 09:22 PST, Olli Pettay [:smaug]
bzbarsky: review+
bzbarsky: superreview+
dveditz: approval1.8.0.9+
dveditz: approval1.8.1.1+
Details | Diff | Splinter Review
testcase 1.7 branch (613 bytes, text/html)
2006-12-20 08:24 PST, Alexander Sack
no flags Details

Description Olli Pettay [:smaug] 2006-11-02 09:20:45 PST
Happens in 1.8 and 1.9.
Testcase and patch coming.

#0  0x00ea5410 in __kernel_vsyscall ()
#1  0x00f58966 in __nanosleep_nocancel () from /lib/
#2  0x00f5878b in sleep () from /lib/
#3  0x00215472 in ah_crap_handler (signum=11) at nsSigHandlers.cpp:134
#4  0x0022bdc2 in nsProfileLock::FatalSignalHandler (signo=11)
    at nsProfileLock.cpp:210
#5  <signal handler called>
#6  0x0188857f in nsHTMLFramesetFrame::MouseDrag (this=0xa0b1958,
    aPresContext=0xa08e658, aEvent=0xbfbe6e8c)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/generic/nsFrameSetFrame.cpp:1547
#7  0x0188866c in nsHTMLFramesetFrame::HandleEvent (this=0xa0b1958,
    aPresContext=0xa08e658, aEvent=0xbfbe6e8c, aEventStatus=0xbfbe6b98)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/generic/nsFrameSetFrame.cpp:793
#8  0x01837ac2 in nsPresShellEventCB::HandleEvent (this=0xbfbe6bf4,
    at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/base/nsPresShell.cpp:1500
#9  0x01b53039 in nsEventTargetChainItem::HandleEventTargetChain (
    this=0xa013ab0, aVisitor=@0xbfbe6b8c, aFlags=6, aCallback=0xbfbe6bf4)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/content/events/src/nsEventDispatcher.cpp:476
Comment 1 Olli Pettay [:smaug] 2006-11-02 09:21:12 PST
Created attachment 244443 [details]
Comment 2 Olli Pettay [:smaug] 2006-11-02 09:22:44 PST
Created attachment 244444 [details] [diff] [review]
proposed patch.
Comment 3 Olli Pettay [:smaug] 2006-11-06 11:25:12 PST
Fixed on trunk, clearing blocking1.9?
Comment 4 Daniel Veditz [:dveditz] 2006-11-07 14:26:11 PST
Comment on attachment 244444 [details] [diff] [review]
proposed patch.

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Comment 5 Olli Pettay [:smaug] 2006-11-07 16:53:27 PST
fixed1.8.0.9, fixed1.8.1.1
Comment 6 Jay Patel [:jay] 2006-12-01 14:43:06 PST
v.fixed on 1.8.0 and 1.8.1 branches with 
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv: Gecko/20061201 Firefox/
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv: Gecko/20061201 BonEcho/

No crash with testcase, but has a question.

Smaug:  Attempting to drag the frame border doesn't crash, but it also does not move at all.  I lose the "drag" mouse cursor after clicking on the border.  Is that expected behavior?  If so, we're good.  It not, I need to revoke my v.fixed.  Let me know.  Thanks!
Comment 7 Olli Pettay [:smaug] 2006-12-02 03:33:13 PST
Sounds like a some sort of repainting issue.
But the crash itself is related to dragging the border and once the dragging starts, the border is actually deleted.
But if there isn't a crash, this particular bug should be fixed, IMO.

Comment 8 Alexander Sack 2006-12-20 08:24:19 PST
Created attachment 249264 [details]
testcase 1.7 branch

adapted testcase for 1.7 branch ... press any key before you drag to crash

Note You need to log in before you can comment on or make changes to this bug.