Crash in layout replying to mail message

Status: VERIFIED FIXED
Product: Core
Component: Layout
Priority: P1
Severity: major
Reported: 18 years ago
Modified: 18 years ago
Reporter: Bienvenu
Assigned: Bienvenu
Keywords: crash
Version: Trunk
Platform: x86, Windows NT
Whiteboard: [nsbeta3+][PDTP1]
Attachments: 2

(Assignee)

Description

18 years ago
I have a mail message that always crashes layout when I reply to it with the
following stack trace:

segment->mInsideNeighbor is null

nsVoidArray::Count() line 45 + 3 bytes
nsVoidArray::ElementAt(int 0x00000000) line 127 + 14 bytes
nsCSSRendering::DrawDashedSegments(nsIRenderingContext & {...}, const nsRect &
{...}, nsBorderEdges * 0x05552e50, int 0x00000006, nsRect * 0x00000000) line
1143 + 17 bytes
nsCSSRendering::PaintBorderEdges(nsIPresContext * 0x054e95b0,
nsIRenderingContext & {...}, nsIFrame * 0x0482fad4, const nsRect & {...}, const
nsRect & {...}, nsBorderEdges * 0x05552e50, nsIStyleContext * 0x05553280, int
0x00000006, nsRect * 0x00000000) line 1838 + 25 bytes
nsTableFrame::Paint(nsTableFrame * const 0x0482fad4, nsIPresContext *
0x054e95b0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Underlay) line 1300 + 42 bytes
nsContainerFrame::PaintChild(nsIPresContext * 0x054e95b0, nsIRenderingContext &
{...}, const nsRect & {...}, nsIFrame * 0x0482fad4, nsFramePaintLayer
eFramePaintLayer_Underlay) line 211
nsTableOuterFrame::Paint(nsTableOuterFrame * const 0x0482fa80, nsIPresContext *
0x054e95b0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Underlay) line 352
nsContainerFrame::PaintChild(nsIPresContext * 0x054e95b0, nsIRenderingContext &
{...}, const nsRect & {...}, nsIFrame * 0x0482fa80, nsFramePaintLayer
eFramePaintLayer_Underlay) line 211
nsBlockFrame::PaintChildren(nsIPresContext * 0x054e95b0, nsIRenderingContext &
{...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Underlay) line 6388
nsBlockFrame::Paint(nsBlockFrame * const 0x03ae9ee0, nsIPresContext *
0x054e95b0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Underlay) line 6266
nsContainerFrame::PaintChild(nsIPresContext * 0x054e95b0, nsIRenderingContext &
{...}, const nsRect & {...}, nsIFrame * 0x03ae9ee0, nsFramePaintLayer
eFramePaintLayer_Underlay) line 211
nsBlockFrame::PaintChildren(nsIPresContext * 0x054e95b0, nsIRenderingContext &
{...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Underlay) line 6388
nsBlockFrame::Paint(nsBlockFrame * const 0x03ae9d3c, nsIPresContext *
0x054e95b0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Underlay) line 6266
nsContainerFrame::PaintChild(nsIPresContext * 0x054e95b0, nsIRenderingContext &
{...}, const nsRect & {...}, nsIFrame * 0x03ae9d3c, nsFramePaintLayer
eFramePaintLayer_Underlay) line 211
nsBlockFrame::PaintChildren(nsIPresContext * 0x054e95b0, nsIRenderingContext &
{...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Underlay) line 6388
nsBlockFrame::Paint(nsBlockFrame * const 0x03ae9cf0, nsIPresContext *
0x054e95b0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Underlay) line 6266
nsContainerFrame::PaintChild(nsIPresContext * 0x054e95b0, nsIRenderingContext &
{...}, const nsRect & {...}, nsIFrame * 0x03ae9cf0, nsFramePaintLayer
eFramePaintLayer_Underlay) line 211
nsContainerFrame::PaintChildren(nsIPresContext * 0x054e95b0, nsIRenderingContext
& {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Underlay) line 155
nsHTMLContainerFrame::Paint(nsHTMLContainerFrame * const 0x03ae901c,
nsIPresContext * 0x054e95b0, nsIRenderingContext & {...}, const nsRect & {...},
nsFramePaintLayer eFramePaintLayer_Underlay) line 108
PresShell::Paint(PresShell * const 0x0549c9b4, nsIView * 0x04fabeb0,
nsIRenderingContext & {...}, const nsRect & {...}) line 3784 + 34 bytes
nsView::Paint(nsView * const 0x04fabeb0, nsIRenderingContext & {...}, const
nsRect & {...}, unsigned int 0x00000080, int & 0x10027905) line 284
nsViewManager2::RenderDisplayListElement(DisplayListElement2 * 0x054bc370,
nsIRenderingContext & {...}) line 849
nsViewManager2::RenderViews(nsIView * 0x04fb8750, nsIRenderingContext & {...},
const nsRect & {...}, int & 0x00000000) line 796
nsViewManager2::Refresh(nsIView * 0x04fb8750, nsIRenderingContext * 0x056c3080,
const nsRect * 0x0012e984, unsigned int 0x00000001) line 676
nsViewManager2::DispatchEvent(nsViewManager2 * const 0x0549b510, nsGUIEvent *
0x0012eac4, nsEventStatus * 0x0012e9c8) line 1342
HandleEvent(nsGUIEvent * 0x0012eac4) line 68
nsWindow::DispatchEvent(nsWindow * const 0x04fb8614, nsGUIEvent * 0x0012eac4,
nsEventStatus & nsEventStatus_eIgnore) line 614 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012eac4, nsEventStatus &
nsEventStatus_eIgnore) line 640
nsWindow::OnPaint() line 3619 + 28 bytes
nsWindow::ProcessMessage(unsigned int 0x0000000f, unsigned int 0x00000000, long
0x00000000, long * 0x0012ee74) line 2738 + 17 bytes
nsWindow::WindowProc(HWND__ * 0x0cf504a6, unsigned int 0x0000000f, unsigned int
0x00000000, long 0x00000000) line 883 + 27 bytes
USER32! 77e7131f()
USER32! 77e71e9f()
NTDLL! 77f7637b()
nsViewManager2::Composite(nsViewManager2 * const 0x0549b510) line 1119
nsViewManager2::EnableRefresh(nsViewManager2 * const 0x0549b510, unsigned int
0x00000002) line 2211
nsViewManager2::EndUpdateViewBatch(nsViewManager2 * const 0x0549b510, unsigned
int 0x00000002) line 2242 + 19 bytes
nsEditor::EndUpdateViewBatch() line 5386
nsEditor::EndPlaceHolderTransaction(nsEditor * const 0x0541a810) line 1366
nsAutoPlaceHolderBatch::~nsAutoPlaceHolderBatch() line 48 + 44 bytes
nsAutoEditBatch::~nsAutoEditBatch() line 61 + 15 bytes
nsHTMLEditor::InsertAsCitedQuotation(nsHTMLEditor * const 0x0541a8ac, const
nsString & {...}, const nsString & {...}, int 0x00000001, const nsString &
{...}, nsIDOMNode * * 0x0012f5f0) line 5691
nsHTMLEditorLog::InsertAsCitedQuotation(nsHTMLEditorLog * const 0x0541a8ac,
const nsString & {...}, const nsString & {...}, int 0x00000001, const nsString &
{...}, nsIDOMNode * * 0x0012f5f0) line 465 + 29 bytes
nsEditorShell::InsertAsCitedQuotation(nsEditorShell * const 0x0547a3c0, const
unsigned short * 0x048a5f18, const unsigned short * 0x054af460, int 0x00000001,
const unsigned short * 0x0012f554, nsIDOMNode * * 0x0012f5f0) line 2520 + 64 bytes
nsMsgCompose::ConvertAndLoadComposeWindow(nsIEditorShell * 0x0547a3c0, nsString
& {...}, nsString & {...}, nsString & {...}, int 0x00000001, int 0x00000001)
line 261 + 93 bytes
QuotingOutputStreamListener::OnStopRequest(QuotingOutputStreamListener * const
0x05428e80, nsIChannel * 0x05428750, nsISupports * 0x054288f4, unsigned int
0x00000000, nsISupports * 0x054288f4) line 1424
nsStreamConverter::OnStopRequest(nsStreamConverter * const 0x05428050,
nsIChannel * 0x05428750, nsISupports * 0x054288f4, unsigned int 0x00000000,
const unsigned short * 0x100a55e8 gCommonEmptyBuffer) line 974
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x054b41e0) line 302
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x054b4a60) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x054b4a60) line 589 + 10 bytes
(Assignee)

Comment 1

18 years ago
Adding keywords. It's a message generated with MS Word so it has lots of styles.
I can forward the message to whoever ends up fixing this bug.
Keywords: crash, nsbeta3
Dividing up Clayton's bugs to triage
Assignee: clayton → kmcclusk
Reassigning to dcone.

Marking nsbeta3 P1 because it is a crasher. 
Assignee: kmcclusk → dcone
Priority: P3 → P1
Whiteboard: [nsbeta3+]
Reassigning to rods, since dcone is swamped.
Assignee: dcone → rods

Comment 5

18 years ago
I haven't a clue as to why this is my bug. Reassigning to karnaze.
Assignee: rods → karnaze
(Assignee)

Comment 6

18 years ago
I'm going to try adding a null check since that might get this fixed faster.
I'll post my findings.
(Assignee)

Comment 7

18 years ago
Created attachment 14928
this patch fixes the crash
(Assignee)

Comment 8

18 years ago
I've attached a patch that fixes the crash, though it probably doesn't do "the
right thing". Next, I'll attach a message which demonstrates the problem.
(Assignee)

Comment 9

18 years ago
Created attachment 14929
sample msg that shows bug
(Assignee)

Comment 10

18 years ago
If you save the attached file into your local mail directory and then open the
folder, select the message, and reply, you'll see the crash. I also suspect that
we're not displaying the message correctly in the first place, since when I
reply to it (with my patch not to crash), the compose window shows some of the
text with a box around it that is not shown when the message is displayed. Since
the crash is in code that seems to be dealing with displaying a box around text,
I think it's all related.

Comment 11

18 years ago
Rod, you got the bug because Kevin thinks it may be Don's and Don is too busy to
look at it. If it turns out to be a problem with tables instead of the border
drawing code (which Don is familiar with and the stack points at) please give it
back to me.
Assignee: karnaze → rods

Comment 12

18 years ago
I couldn't get it to crash with the sample message,
but the patch looks good.
Status: NEW → ASSIGNED

Comment 13

18 years ago
Bienvenu and Rod, the patch looks fine: r=attinasi

Comment 14

18 years ago
looks good to me, too. r=waterson

Comment 15

18 years ago
I also cannot get the crash to happen, but the patch looks fine.  r=buster.

Comment 16

18 years ago
PDT agrees P1. Can we check the patch in now?
Whiteboard: [nsbeta3+] → [nsbeta3+][PDTP1]
(Assignee)

Comment 17

18 years ago
OK, I'll check it in.
Assignee: rods → bienvenu
Status: ASSIGNED → NEW
(Assignee)

Comment 18

18 years ago
OK, fix checked in.
Status: NEW → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED

Comment 19

18 years ago
Marking verified in the Oct 24th branch builds.
Keywords: vtrunk

Comment 20

18 years ago
Verified with the Oct 20 trunk build
Marking VERIFIED and removing vtrunk keyword
Status: RESOLVED → VERIFIED
Keywords: vtrunk