User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041024 Firefox/1.0 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041024 Firefox/1.0 The soon to be attached simplified testcase causes a crash @ nsContainerFrame::PaintChild. TB1511445X Reproducible: Always Steps to Reproduce: 1. Open testcase 2. 3. Actual Results: Crash or hang Expected Results: No crash or hang UA's affected: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041024 Firefox/1.0 and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041023 http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1511445X Stack Signature nsContainerFrame::PaintChild 72399cb9 Source File, Line No. c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 245

Adding keywords crash and testcase

Confirming bug; crashes for me using build 2004-10-25-05 on Windows XP.

This worksforme with a current trunk build on Linux...

On a debug build with source from this morning (20041025 11:30am pdt) I crash on windows XP. Different spot than in comment 0 though, I crash on a null kid in GetFrameFromLine: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/html/base/src/nsBlockFrame.cpp&rev=3.667#6054 (excuse the blame, I couldn't figure out how to make a regular lxr source link version-specific.)

*** Bug 265902 has been marked as a duplicate of this bug. ***

this is wfm with winxp 2004111204

Testcase still crashes for me using winxp pro sp2 and 20041112 The latest talkback is TB1913013X but it hasn't been processed on the server as of this post.

Adding URL of http://exchangecode.com/crashbugs/265973.html which contains the original testcase, the testcase from bug 265902 that was duped to this bug and three additional testcases that I have not reported due to believing these are probably this same bug. Each testcase is URL encoded in the page itself. These all crash for me with winxp pro sp2 and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041112. I also verified that the original testcase causes a crash with a debug build from today on winxp pro sp2. Since this bug already has a testcase along with the testcase from bug 265902 and I may update this page with additional testcases I am not attaching this file to the bug.

The additional testcases at the URL crash 2005-02-1614 under winxp

This and the similiar line layout crashes will happen as soons as aLine->GetChildCount() is to large. We will point beyond the last kid. If it is off by one, we will crash in Paintchild otherwise, directly in PaintLine. static inline void PaintLine nsIFrame* kid = aLine->mFirstChild; PRInt32 n = aLine->GetChildCount(); while (--n >= 0) { aFrame->PaintChild(aPresContext, aRenderingContext, aDirtyRect, kid, aWhichLayer); kid = kid->GetNextSibling(); } http://lxr.mozilla.org/seamonkey/search?string=--n+%3E shows similiar places

This works for me in 20050323 build, but crashes in 20050318 build. This might yet be another bug that has been fixed by the fix for bug 263825. Robert, you might want to recheck all your crasher bugs you have filed. I'm getting already pretty tired of testing all the crasher bugs that seem to be fixed by the fix for bug 263825 :) One of the testcases in the url seems to cause a freeze still, but that one uses Java and is likely to be unrelated. Probably better to file a new bug on that.

Sorry Martijn, I'll try not to fix too many bugs at once in the future :-)

(In reply to comment #13) > Robert, you might want to recheck all your crasher bugs you have filed. I'm > getting already pretty tired of testing all the crasher bugs that seem to be > fixed by the fix for bug 263825 :) Not a problem. I prefer to verify with a debug build and should have the time within the next day or two. (In reply to comment #14) > Sorry Martijn, I'll try not to fix too many bugs at once in the future :-) Don't you dare! :)

It would appear that the checkin for bug 263825 has fixed this.

*** Bug 287721 has been marked as a duplicate of this bug. ***

layout/base/crashtests/265973-1.html http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3