Closed Bug 37493 Opened 25 years ago Closed 25 years ago

<SELECT> crashes in nsLineBox::DeleteLineList (e.g. composer or www.starwars.com)

Categories: Core :: Layout, defect, P3

Tracking: VERIFIED DUPLICATE of bug 36558

People: Reporter: tarkin, Assigned: troy

Keywords: crash, testcase

Attachments: 5 files

Nightly build of 27 April, crash when going to http://www.starwars.com
Crashes for me as well - here's the strace :)

.//run-mozilla.sh: line 29:  9241 Segmentation fault      $prog ${1+"$@"}
[WIFEXITED(s) && WEXITSTATUS(s) == 0], 0, NULL) = 9236
rt_sigprocmask(SIG_BLOCK, [CHLD TTOU], [CHLD], 8) = 0
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [CHLD], 8) = 0
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) ---
wait4(-1, 0xbffff4e0, WNOHANG, NULL)    = -1 ECHILD (No child processes)
sigreturn()                             = ? (mask now [])
rt_sigaction(SIGINT, {SIG_DFL}, {0x806c2e0, [], 0x4000000}, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigprocmask(SIG_BLOCK, [CHLD TTOU], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
read(3, "", 37)                         = 0
munmap(0x40015000, 4096)                = 0
_exit(0)                                = ?
crash kw
Keywords: crash
I can reproduce this on PC/Linux with build 2000042809.
Going to attach the stack trace.

Should be a duplicate of a bug I recently touched. Will search for it.
Using the 2000042809 build, the first 6 entries on the stack are exactly the
same as with http://bugzilla.mozilla.org/showattachment.cgi?attach_id=7998
as a testcase (see bug 36902).
A better stacktrace shows that this crash is in nsLineBox::DeleteLineList.
Changing summary to indicate this.
Summary: crash when going to http://www.starwars.com → http://www.starwars.com crashes in nsLineBox::DeleteLineList
Assignee: asadotzler → troy
Status: UNCONFIRMED → NEW
Component: Browser-General → Layout
Ever confirmed: true
QA Contact: jelwell → petersen
Updating component and owner. Changing status to New.
Attached file testcase 1, from www.starwars.com (deleted)
The test case attached above is
<table>
  <tr>
    <td><form><nobr><select/></form></td>
  </tr>
</table>

Note that the crash goes away if you insert a space character
between <td> and <form>.
Attached file testcase 2, from bug 36902 (deleted)
Testcase 2 looks like this:
Foo
<span><p></span>
<table>
  <tr>
    <td> 
      <form> 
        <select>
          <option>foo
        </select>
      </form>
    </td>
  </tr>
  <img src="nonexisting" alt="">
</table>

The following part of the stack trace is common to both testcases:
#0  0x0 in ?? ()
#1  0x40ae4b9c in nsLineBox::DeleteLineList ()
   from /build/dist/bin/components/libraptorhtml.so
#2  0x40ac4a93 in nsBlockFrame::Destroy ()
   from /build/dist/bin/components/libraptorhtml.so
#3  0x40ac289e in nsAreaFrame::Destroy ()
   from /build/dist/bin/components/libraptorhtml.so
#4  0x40b97017 in nsComboboxControlFrame::Destroy ()
   from /build/dist/bin/components/libraptorhtml.so
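The comparison made in the comments above, matching the leading stack frames of two crashes to decide whether they are the same bug, can be scripted. This is an added example, not part of the original bug report or of Mozilla's tooling; the function names are hypothetical, and frame #5 plus every address in TRACE_B are constructed sample data.

```python
import re
# gdb frame header, e.g. "#1  0x40ae4b9c in nsLineBox::DeleteLineList ()".
FRAME_RE = re.compile(r"^#\d+\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(\S+)\s*\(")

def parse_frames(backtrace):
    """Return frame symbols in order; addresses and 'from <lib>' lines are dropped."""
    frames = []
    for line in backtrace.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(m.group(1))
    return frames

def common_top_frames(a, b):
    """Longest run of identical symbols starting at frame #0."""
    shared = []
    for x, y in zip(parse_frames(a), parse_frames(b)):
        if x != y:
            break
        shared.append(x)
    return shared

def signature(backtrace, depth=3):
    """Bucket key: the first `depth` resolved symbols, skipping '??' frames."""
    resolved = [f for f in parse_frames(backtrace) if f != "??"]
    return tuple(resolved[:depth])

# Frames #0-#4 of TRACE_A are the ones quoted on this page. Frame #5 and all
# addresses in TRACE_B are constructed so the traces diverge below the shared part.
TRACE_A = """\
#0  0x0 in ?? ()
#1  0x40ae4b9c in nsLineBox::DeleteLineList ()
   from /build/dist/bin/components/libraptorhtml.so
#2  0x40ac4a93 in nsBlockFrame::Destroy ()
#3  0x40ac289e in nsAreaFrame::Destroy ()
#4  0x40b97017 in nsComboboxControlFrame::Destroy ()
#5  0x40000001 in constructed_caller_a ()
"""
TRACE_B = """\
#0  0x0 in ?? ()
#1  0x41ae4b9c in nsLineBox::DeleteLineList ()
#2  0x41ac4a93 in nsBlockFrame::Destroy ()
#3  0x41ac289e in nsAreaFrame::Destroy ()
#4  0x41b97017 in nsComboboxControlFrame::Destroy ()
#5  0x41000001 in constructed_caller_b ()
"""
if __name__ == "__main__":
    print(common_top_frames(TRACE_A, TRACE_B), signature(TRACE_A) == signature(TRACE_B))
```

Comparing symbols rather than addresses keeps the match stable across builds, and skipping the unresolved `??` frame keeps the jump to address 0x0 from hiding the first named function.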
*** Bug 36916 has been marked as a duplicate of this bug. ***
Changing Platform/OS to All since bug 36916 has been seen on Mac.
Changing summary to include <SELECT>.
Testcase 3 (from there) says that every page containing a <SELECT> element
crashes mozilla when loaded into composer:
<form>
  <select />
</form>

Note:
testcase 1 crashes since 2000041816 (doesn't crash in 2000041609),
testcase 2 crashes since 2000042113 (doesn't crash in 2000041816), 
testcase 3 crashes already in M15.
http://www.starwars.com behaves like testcase 2 in this respect,
although testcase 1 is the one derived from it....
Keywords: testcase
OS: Linux → All
Hardware: PC → All
Summary: http://www.starwars.com crashes in nsLineBox::DeleteLineList → <SELECT> crashes in nsLineBox::DeleteLineList (e.g. composer or www.starwars.com)

*** This bug has been marked as a duplicate of 36558 ***
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → DUPLICATE
*** Bug 37821 has been marked as a duplicate of this bug. ***
oops; should have dup'ed against #36558 which is assigned to rods
Marking verified dup of 36558.
Status: RESOLVED → VERIFIED