Created attachment 253349
testcase

See testcase, this crashes current Mozilla trunk builds when clicking somewhere on the page (except in the box itself). You need to download the testcase to your computer, because of the use of enhanced privileges.

This regressed between 2007-01-08 and 2007-01-09:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-01-08+04&maxdate=2007-01-09+06&cvsroot=%2Fcvsroot
I guess a regression from bug 366166.

Talkback ID: TB28855469M
nsTextFrame::PeekOffsetCharacter [mozilla\layout\generic\nstextframe.cpp, line 4618]
nsCycleCollector_shouldSuppress [mozilla\xpcom\base\nscyclecollector.cpp, line 1507]
Actually, this looks to me like a bug in nsTextFrame::PrepareUnicodeText: A preformatted text starting with a newline results in aIndexBuffer not being fully initialized because the following code causes an early break from the loop that should be setting it:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/generic/nsTextFrame.cpp&rev=1.612&mark=2263-2268#2263

Anyway, nsTextFrame::PrepareUnicodeText is about to disappear (and PeekOffsetCharacter will be drastically modified) in the new Thebes nsTextFrame (bug 333659), so I don't think there's a point in attempting to fix this now.

I doubt if bug 366166 has anything to do with this (anyway, I can't see a connection).
This is now worksforme, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a5pre) Gecko/20070524 Minefield/3.0a5pre