Closed Bug 17640 Opened 25 years ago Closed 25 years ago

crash on this file

Categories

(Core :: Layout: Form Controls, defect, P3)

x86
Linux
defect

Tracking

()

VERIFIED DUPLICATE of bug 17372

People

(Reporter: dbaron, Assigned: kmcclusk)

Details

Attachments

(1 file)

DESCRIPTION: Loading this file crashes for me. It crashed instantly in apprunner, but it loads once in viewer (in a very messed up way) and crashes the second time. The difference could be the result of an extra something being done in apprunner. STEPS TO REPRODUCE: * load attached testcase, twice if in viewer ACTUAL RESULTS: * crash (first time in viewer page is all black) EXPECTED RESULTS: * no crash DOES NOT WORK CORRECTLY ON: * Linux, apprunner, 1999-10-30-08-M11 * Linux, viewer, 1999-10-30-08-M11 ADDITIONAL INFORMATION: Stack trace: #0 nsVoidArray::Count (this=0x64) at nsVoidArray.h:39 #1 0x40f56042 in nsFormFrame::GetRadioInfo (this=0x0, aFrame=0x83eca6c, aName=@0xbfffee74, aGroup=@0xbfffef0c) at nsFormFrame.cpp:323 #2 0x40f562ff in nsFormFrame::RemoveRadioControlFrame (this=0x0, aFrame=0x83eca6c) at nsFormFrame.cpp:395 #3 0x40f5c554 in nsGfxRadioControlFrame::~nsGfxRadioControlFrame ( this=0x83eca40, __in_chrg=3) at nsGfxRadioControlFrame.cpp:56 #4 0x40e537a8 in nsFrame::Destroy (this=0x83eca40, aPresContext=@0x82bb4c8) at nsFrame.cpp:371 #5 0x40e7446b in nsLineBox::DeleteLineList (aPresContext=@0x82bb4c8, aLine=0x83c8988) at nsLineBox.cpp:217 #6 0x40e42073 in nsBlockFrame::Destroy (this=0x83b30b8, aPresContext=@0x82bb4c8) at nsBlockFrame.cpp:1118 #7 0x41059e03 in nsFrameList::DestroyFrames (this=0x83b3084, aPresContext=@0x82bb4c8) at nsFrameList.cpp:28 #8 0x40e4f88d in nsContainerFrame::Destroy (this=0x83b3050, aPresContext=@0x82bb4c8) at nsContainerFrame.cpp:89 #9 0x41059e03 in nsFrameList::DestroyFrames (this=0x83b2c3c, aPresContext=@0x82bb4c8) at nsFrameList.cpp:28 #10 0x40e4f88d in nsContainerFrame::Destroy (this=0x83b2c08, aPresContext=@0x82bb4c8) at nsContainerFrame.cpp:89 #11 0x41059e03 in nsFrameList::DestroyFrames (this=0x83b27d4, aPresContext=@0x82bb4c8) at nsFrameList.cpp:28 #12 0x40e4f88d in nsContainerFrame::Destroy (this=0x83b27a0, aPresContext=@0x82bb4c8) at nsContainerFrame.cpp:89 #13 0x41059e03 in nsFrameList::DestroyFrames (this=0x83b2314, aPresContext=@0x82bb4c8) at nsFrameList.cpp:28 #14 0x40e4f88d in nsContainerFrame::Destroy (this=0x83b22e0, aPresContext=@0x82bb4c8) at nsContainerFrame.cpp:89 #15 0x40fec9e2 in nsTableFrame::Destroy (this=0x83b22e0, aPresContext=@0x82bb4c8) at nsTableFrame.cpp:242 #16 0x41059e03 in nsFrameList::DestroyFrames (this=0x83b22bc, aPresContext=@0x82bb4c8) at nsFrameList.cpp:28 #17 0x40e4f88d in nsContainerFrame::Destroy (this=0x83b2288, aPresContext=@0x82bb4c8) at nsContainerFrame.cpp:89 #18 0x40e7446b in nsLineBox::DeleteLineList (aPresContext=@0x82bb4c8, aLine=0x83c9348) at nsLineBox.cpp:217 #19 0x40e42073 in nsBlockFrame::Destroy (this=0x83a73e0, aPresContext=@0x82bb4c8) at nsBlockFrame.cpp:1118 #20 0x40e7446b in nsLineBox::DeleteLineList (aPresContext=@0x82bb4c8, aLine=0x83a7460) at nsLineBox.cpp:217 #21 0x40e42073 in nsBlockFrame::Destroy (this=0x83a6608, aPresContext=@0x82bb4c8) at nsBlockFrame.cpp:1118 #22 0x40e3f0af in nsAreaFrame::Destroy (this=0x83a6608, aPresContext=@0x82bb4c8) at nsAreaFrame.cpp:82 #23 0x41059e03 in nsFrameList::DestroyFrames (this=0x83a3ba4, aPresContext=@0x82bb4c8) at nsFrameList.cpp:28 #24 0x40e4f88d in nsContainerFrame::Destroy (this=0x83a3b70, aPresContext=@0x82bb4c8) at nsContainerFrame.cpp:89 #25 0x41059e03 in nsFrameList::DestroyFrames (this=0x83a3fdc, aPresContext=@0x82bb4c8) at nsFrameList.cpp:28 #26 0x40e4f88d in nsContainerFrame::Destroy (this=0x83a3fa8, aPresContext=@0x82bb4c8) at nsContainerFrame.cpp:89 #27 0x41059e03 in nsFrameList::DestroyFrames (this=0x83a38a4, aPresContext=@0x82bb4c8) at nsFrameList.cpp:28 #28 0x40e4f88d in nsContainerFrame::Destroy (this=0x83a3870, aPresContext=@0x82bb4c8) at nsContainerFrame.cpp:89 #29 0x40e969f6 in ViewportFrame::Destroy (this=0x83a3870, aPresContext=@0x82bb4c8) at nsViewportFrame.cpp:133 #30 0x40e5abee in FrameManager::~FrameManager (this=0x83647b8, __in_chrg=3) at nsFrameManager.cpp:336 #31 0x40e5ab22 in FrameManager::Release (this=0x83647b8) at nsFrameManager.cpp:322 #32 0x40e80a55 in PresShell::~PresShell (this=0x8320978, __in_chrg=3) at nsPresShell.cpp:552 #33 0x40e80715 in PresShell::Release (this=0x8320978) at nsPresShell.cpp:483 #34 0x4109ea64 in nsCOMPtr<nsIPresShell>::~nsCOMPtr (this=0x820b628, __in_chrg=2) at ../../../dist/include/nsCOMPtr.h:457 #35 0x41053bc1 in DocumentViewerImpl::~DocumentViewerImpl (this=0x820b600, (stack trace is from debug build from 10-29 (?).)
Assignee: troy → karnaze
Component: Layout → HTML Form Controls
Oops, I meant to change component to HTML Form Controls after looking at the stack trace...
Attached file test case (deleted) —
Assignee: karnaze → kmcclusk
Reassigning to Kevin.
Looks like the mContent has been released. nsListControlFrame::GetSelect(nsIContent * 0x000000f0) line 1065 + 13 bytes nsListControlFrame::GetOptions(nsIContent * 0x000000f0, nsIDOMHTMLSelectElement * 0x00000000) line 1117 + 9 bytes nsListControlFrame::GetOptionContent(int 6) line 1100 + 14 bytes nsListControlFrame::SetContentSelected(int 6, int 0) line 1235 + 12 bytes nsListControlFrame::Deselect() line 1258 nsListControlFrame::Reset(nsIPresContext * 0x01fb0f10) line 1343 nsListControlFrame::AddOption(nsListControlFrame * const 0x01fef8d8, nsIPresContext * 0x01fb0f10, int 20) line 1632 nsComboboxControlFrame::AddOption(nsComboboxControlFrame * const 0x01fef9e4, nsIPresContext * 0x01fb0f10, int 20) line 1074 + 20 bytes nsHTMLSelectElement::AddOption(nsHTMLSelectElement * const 0x01fbf46c, nsIContent * 0x01ffe9fc) line 662 + 32 bytes nsHTMLOptionElement::SetParent(nsHTMLOptionElement * const 0x01ffe9fc, nsIContent * 0x01fbf460) line 208 nsGenericHTMLContainerElement::AppendChildTo(nsIContent * 0x01ffe9fc, int 0) line 2968 nsHTMLSelectElement::AppendChildTo(nsHTMLSelectElement * const 0x01fbf460, nsIContent * 0x01ffe9fc, int 0) line 165 + 22 bytes SinkContext::CloseContainer(const nsIParserNode & {...}) line 1214 + 30 bytes HTMLContentSink::CloseContainer(HTMLContentSink * const 0x01fb5f20, const nsIParserNode & {...}) line 2544 + 15 bytes CNavDTD::CloseContainer(const nsIParserNode & {...}, nsHTMLTag eHTMLTag_select, int 0) line 2732 + 31 bytes CNavDTD::CloseContainersTo(int 6, nsHTMLTag eHTMLTag_select, int 0) line 2769 + 26 bytes CNavDTD::CloseContainersTo(nsHTMLTag eHTMLTag_select, int 0) line 2791 + 20 bytes CNavDTD::HandleEndToken(CToken * 0x01ccb930) line 1488 + 20 bytes CNavDTD::HandleToken(CNavDTD * const 0x01f83280, CToken * 0x01ccb930, nsIParser * 0x01fb41d0) line 656 + 12 bytes CNavDTD::BuildModel(CNavDTD * const 0x01f83280, nsIParser * 0x01fb41d0, nsITokenizer * 0x01f82bf0, nsITokenObserver * 0x00000000, nsIContentSink * 0x01fb5f20) line 458 + 20 bytes nsParser::BuildModel() line 1062 + 34 bytes nsParser::ResumeParse(nsIDTD * 0x00000000, int 0) line 973 + 11 bytes nsParser::OnDataAvailable(nsParser * const 0x01fb41d4, nsIChannel * 0x01fb32a0, nsISupports * 0x00000000, nsIInputStream * 0x01fb48b8, unsigned int 8192, unsigned int 8192) line 1400 + 19 bytes nsDocumentBindInfo::OnDataAvailable(nsDocumentBindInfo * const 0x01fb3400, nsIChannel * 0x01fb32a0, nsISupports * 0x00000000, nsIInputStream * 0x01fb48b8, unsigned int 8192, unsigned int 8192) line 1216 + 32 bytes nsChannelListener::OnDataAvailable(nsChannelListener * const 0x01fb3380, nsIChannel * 0x01fb32a0, nsISupports * 0x00000000, nsIInputStream * 0x01fb48b8, unsigned int 8192, unsigned int 8192) line 1402 nsFileChannel::OnDataAvailable(nsFileChannel * const 0x01fb32a4, nsIChannel * 0x01fb31c0, nsISupports * 0x00000000, nsIInputStream * 0x01fb48b8, unsigned int 8192, unsigned int 8192) line 444 nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x01c9e140) line 413 nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x01c9e0f0) line 169 + 12 bytes PL_HandleEvent(PLEvent * 0x01c9e0f0) line 537 + 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x00c4d8c0) line 498 + 9 bytes _md_EventReceiverProc(HWND__ * 0x000c084e, unsigned int 49346, unsigned int 0, long 12900544) line 972 + 9 bytes USER32! 77e71820() 00c4d8c0()
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → DUPLICATE
Looking at the stack trace this is actually a dup of bug 17372 *** This bug has been marked as a duplicate of 17372 ***
Status: RESOLVED → VERIFIED
Agreed. Marking as verified dup of 17372.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: