Summary: Crash in [@ nsCSSRendering::DrawDashedSides] Build ID: 2006-04-25-08, SeaMonkey trunk on Windows XP Steps to Reproduce: 1. Simply load https://bugzilla.mozilla.org/attachment.cgi?id=212050&action=view from bug 326550 and keep pressing Tab until you crash, here: nsCSSRendering::DrawDashedSides [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsCSSRendering.cpp, line 962] CanvasFrame::PaintFocus [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/generic/nsHTMLFrame.cpp, line 520] nsDisplayCanvasFocus::Paint [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/generic/nsHTMLFrame.cpp, line 421] nsDisplayList::Paint [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsDisplayList.cpp, line 234] PresShell::Paint [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp, line 5594] nsViewManager::RenderViews [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 863] nsViewManager::Refresh [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 699] nsViewManager::DispatchEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 1469] HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp, line 174] nsWindow::DispatchEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1103] nsWindow::ProcessMessage [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4240] nsWindow::WindowProc [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1292] USER32.dll + 0x8734 (0x77d48734) USER32.dll + 0x8816 (0x77d48816) USER32.dll + 0xb4c0 (0x77d4b4c0) USER32.dll + 0xb50c (0x77d4b50c) ntdll.dll + 0xeae3 (0x7c90eae3) nsWindow::DispatchStarvedPaints [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4031] USER32.dll + 0xda57 (0x77d4da57) nsWindow::DispatchPendingEvents [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4069] nsWindow::ProcessMessage [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4578] nsWindow::WindowProc [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1292] USER32.dll + 0x8734 (0x77d48734) USER32.dll + 0x8816 (0x77d48816) USER32.dll + 0x89cd (0x77d489cd) USER32.dll + 0x8a10 (0x77d48a10) nsAppShell::Run [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp, line 159] nsAppStartup::Run [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/components/startup/src/nsAppStartup.cpp, line 208] main [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1750] WinMain [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1774] kernel32.dll + 0x16d4f (0x7c816d4f)

(In reply to comment #0) > Summary: Crash in [@ nsCSSRendering::DrawDashedSides] > > Build ID: 2006-04-25-08, SeaMonkey trunk on Windows XP > > Steps to Reproduce: > > 1. Simply load > https://bugzilla.mozilla.org/attachment.cgi?id=212050&action=view from bug > 326550 and keep pressing Tab until you crash, The url given here is NOT significant. The same steps cause the crash regardless of the URL bing visited. Firefox even crashes in safe mode if you load about:blank and press tab multiple times. I suspect the code in bug 326550 needs to null check the current color and revert to using black in that case.

Sorry for this regression. The patch of bug 335394 fixes this bug too.

This is the #2 topcrash in the last few days.

*** Bug 335718 has been marked as a duplicate of this bug. ***

O.K. The patch of bug 335394 is not started to review now, we should go this first.

Comment on attachment 220105 [details] [diff] [review] Patch rv1.0 + mStyleContext ? mStyleContext->GetStyleColor() : nsnull; mStyleContext cannot be null, so don't check that.

checked-in.

Comment on attachment 220200 [details] [diff] [review] patch for check-in >+ if (!color) { >+ NS_ERROR("current color cannot be found"); >+ return; >+ } Please remove this runtime check; there's no way this can be null. Leave an assertion if you really want.

(In reply to comment #10) > (From update of attachment 220200 [details] [diff] [review] [edit]) > >+ if (!color) { > >+ NS_ERROR("current color cannot be found"); > >+ return; > >+ } > > Please remove this runtime check; there's no way this can be null. Leave an > assertion if you really want. Sorry, I don't have much time for remove it, now. I'll go to airport. I'll work it ASAP.

*** Bug 335907 has been marked as a duplicate of this bug. ***

Verified FIXED using build 2006-04-29-05 of SeaMonkey trunk under Windows XP.

*** Bug 335674 has been marked as a duplicate of this bug. ***

*** Bug 335756 has been marked as a duplicate of this bug. ***