Closed Bug 3751 Opened 26 years ago Closed 26 years ago

Resizing window with image selected crashes Gecko

Categories

(Core :: DOM: Selection, defect, P1)

All
Mac System 8.5
defect

VERIFIED FIXED

People

(Reporter: elig, Assigned: mjudge)

* TITLE/SUMMARY
Resizing window with image selected crashes Gecko

* STEPS TO REPRODUCE
0) Launch Viewer or Apprunner
1) Go to any page with images (I used www.macintouch.com)
2) Select an image and nearby text block (i.e. I dragged the mouse from a few pixels above the MacInTouch banner, and to the end of the "Resources" navigation label)
3) Resize the window

* RESULT
- What happened
Immediate crash.
- What was expected
Resize.

* REGRESSION
- Occurs On
AppRunner & viewer (3.15.99 optimized build for Mac OS)
AppRunner & viewer (3.11.99 optimized build for Win32 [NT 4, Service Pack 3])
viewer (3.11.99 [I think] optimized build for Linux)
- Doesn't Occur On
Communicator 4.51 RTM (Mac OS)

* CONFIGURATIONS TESTED
- [Mac] Power Mac 8500/120 (233 MHz 604e), 64 MB RAM (VM on; 1 MB of VM used), 1024x768 (Thousands of Colors), Mac OS 8.5.1
- [Win32] Vectra VL (233 MHz P2), 96 MB RAM, 800x600 (True Color), NT 4.0 SP3.
- [Linux] Vectra VL (266 MHz P2), 96 MB RAM.

* STACK CRAWL (Mac OS)
PowerPC unmapped memory exception at 0B22DD14 NS_NewNameSpaceManager(nsINameSpaceManager**)+22F4C

Calling chain using A6/R1 links
    Back chain  ISA  Caller
    00000000    PPC  0BE6A77C
    02E3CB40    PPC  0BE69A64
    02E3CA50    PPC  0B89EF9C  NSGetFactory+004F0
    02E3CA10    PPC  0B44DBB8  nsMacMessageSink::IsRaptorWindow(GrafPort*)+00E84
    02E3C930    PPC  0B44E0CC  nsMacMessageSink::IsRaptorWindow(GrafPort*)+01398
    02E3C8D0    PPC  0B44E454  nsMacMessageSink::IsRaptorWindow(GrafPort*)+01720
    02E3C840    PPC  0B44E7B8  nsMacMessageSink::IsRaptorWindow(GrafPort*)+01A84
    02E3C7F0    PPC  0B44C274  nsMacMessageSink::DispatchOSEvent(EventRecord&, GrafPort*)+00038
    02E3C7B0    PPC  0B4494A4  NS_GetWidgetNativeData(nsISupports*, void**)+084E4
    02E3C750    PPC  0B4496A0  NS_GetWidgetNativeData(nsISupports*, void**)+086E0
    02E3C710    PPC  0B449E44  NS_GetWidgetNativeData(nsISupports*, void**)+08E84
    02E3C670    PPC  0B449404  NS_GetWidgetNativeData(nsISupports*, void**)+08444
    02E3C620    PPC  0B43B0FC
    02E3C5E0    PPC  0B43C070
    02E3C570    PPC  0B43BD70
    02E3C530    PPC  0B43BCE8
    02E3C4E0    PPC  0B89C3AC
    02E3C480    PPC  0B3A4658  NS_NewThrobberFactory+016F8
    02E3C400    PPC  0B3A1358  NSGetFactory+00CEC
    02E3C3C0    PPC  0B43B150
    02E3C370    PPC  0B43B0FC
    02E3C330    PPC  0B43C070
    02E3C2C0    PPC  0B43BD70
    02E3C280    PPC  0B43BCE8
    02E3C230    PPC  0B35B598  NSGetFactory+02D2C
    02E3C1E0    PPC  0B359CCC  NSGetFactory+01460
    02E3C0A0    PPC  0B359308  NSGetFactory+00A9C
    02E3C050    PPC  0B0D1108  NS_NewPresShell(nsIPresShell**)+03714
    02E3C010    PPC  0B0CF028  NS_NewPresShell(nsIPresShell**)+01634
    02E3BEB0    PPC  0B21A9C8  NS_NewNameSpaceManager(nsINameSpaceManager**)+0FC00
    02E3BD40    PPC  0B0C2AD8
    02E3BCE0    PPC  0B12C298  NS_NewFrameImageLoader(nsIFrameImageLoader**)+021E8
    02E3B9B0    PPC  0B0C2AD8
    02E3B950    PPC  0B133E84  NS_NewEventListenerManager(nsIEventListenerManager**)+045C0
    02E3B7A0    PPC  0B0C2AD8
    02E3B740    PPC  0B20F40C  NS_NewNameSpaceManager(nsINameSpaceManager**)+04644
    02E3B610    PPC  0B1C2DF0  NS_NewImageDocument(nsIDocument**)+8E6D0
    02E3AB50    PPC  0B1C39BC  NS_NewImageDocument(nsIDocument**)+8F29C
    02E3AAD0    PPC  0B1C3DF4  NS_NewImageDocument(nsIDocument**)+8F6D4
    02E3AA50    PPC  0B1C4CA4  NS_NewImageDocument(nsIDocument**)+90584
Closing log
Status: NEW → ASSIGNED
Target Milestone: M3
This is not good. I will look into this as soon as I have a tree.
Priority: P3 → P1
Changed to priority P1 since this is a crasher
Stack trace for Win32 is:

    getNextFrame(nsIFrame * 0x00000000) line 670 + 9 bytes
    nsRangeList::ResetSelection(nsRangeList * const 0x0173cad0, nsIFocusTracker * 0x0173ca0c, nsIFrame * 0x0173dbb0) line 1012 + 9 bytes
    PresShell::ResizeReflow(PresShell * const 0x0173ca00, int 9195, int 4470) line 925
    PresShell::ResizeReflow(PresShell * const 0x0173ca04, nsIView * 0x0173b520, int 9195, int 4470) line 1981
    nsViewManager::SetWindowDimensions(nsViewManager * const 0x0173a120, int 9195, int 4470) line 357
    nsViewManager::DispatchEvent(nsViewManager * const 0x0173a120, nsGUIEvent * 0x0012f570, nsEventStatus & nsEventStatus_eIgnore) line 1578
    HandleEvent(nsGUIEvent * 0x0012f570) line 64
    nsWindow::DispatchEvent(nsWindow * const 0x0173b600, nsGUIEvent * 0x0012f570, nsEventStatus & nsEventStatus_eIgnore) line 399 + 10 bytes
    nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f570) line 415
    nsWindow::OnResize(nsRect & {...}) line 2307 + 15 bytes
    nsWindow::ProcessMessage(unsigned int 71, unsigned int 0, long 1243324, long * 0x0012f850) line 1930 + 24 bytes
    nsWindow::WindowProc(void * 0x002d0488, unsigned int 71, unsigned int 0, long 1243324) line 458 + 27 bytes
    USER32! 77e71ab7()
    USER32! 77e72fbe()
    NTDLL! 77f7624f()
    DocumentViewerImpl::SetBounds(DocumentViewerImpl * const 0x016bcaf0, const nsRect & {...}) line 435
    nsWebShell::SetBounds(nsWebShell * const 0x016b0700, int 0, int 32, int 613, int 298) line 875
    nsBrowserWindow::Layout(int 613, int 354) line 1479
    HandleBrowserEvent(nsGUIEvent * 0x0012fa1c) line 312
    nsWindow::DispatchEvent(nsWindow * const 0x016b0130, nsGUIEvent * 0x0012fa1c, nsEventStatus & nsEventStatus_eIgnore) line 399 + 10 bytes
    nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fa1c) line 415
    nsWindow::OnResize(nsRect & {...}) line 2307 + 15 bytes
    nsWindow::ProcessMessage(unsigned int 71, unsigned int 0, long 1244520, long * 0x0012fcfc) line 1930 + 24 bytes
    nsWindow::WindowProc(void * 0x00330508, unsigned int 71, unsigned int 0, long 1244520) line 458 + 27 bytes
    USER32! 77e71ab7()
    USER32! 77e72fbe()
    NTDLL! 77f7624f()
    USER32! 77e7288d()
    USER32! 77e72918()
    nsWindow::WindowProc(void * 0x00330508, unsigned int 274, unsigned int 61448, long 25952872) line 470
    USER32! 77e71ab7()
    USER32! 77e71a77()
    NTDLL! 77f7624f()
    USER32! 77e7288d()
    USER32! 77e72918()
    nsWindow::WindowProc(void * 0x00330508, unsigned int 161, unsigned int 17, long 25952872) line 470
    USER32! 77e71250()
This bug can be fixed by modifying getNextFrame(), in nsRangeList.cpp, to check if parent is null before using it: Index: nsRangeList.cpp =================================================================== RCS file: /cvsroot/mozilla/layout/base/src/nsRangeList.cpp,v retrieving revision 1.67 diff -c -r1.67 nsRangeList.cpp *** nsRangeList.cpp 1999/03/15 05:04:34 1.67 --- nsRangeList.cpp 1999/03/15 22:04:20 *************** *** 667,673 **** { nsIFrame *result; nsIFrame *parent = aStart; ! if (NS_SUCCEEDED(parent->FirstChild(nsnull, &result)) && result){ return result; } while(parent){ --- 667,673 ---- { nsIFrame *result; nsIFrame *parent = aStart; ! if (parent && NS_SUCCEEDED(parent->FirstChild(nsnull, &result)) && result){ return result; } while(parent){
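Review bot: `nsIFrame *result;` at the top of the hunk is still declared without an initializer, and with the new `parent &&` guard a null `aStart` now skips the only visible assignment to it (the `FirstChild` out-parameter) and also falls straight past `while(parent){`. The rest of the function is not shown in the diff, so please confirm it cannot return or read `result` on that path; initializing it to `nsnull` at the declaration, or returning `nsnull` early when `aStart` is null, would make the null case explicit. The guard also only covers the callee: the Win32 stack trace above shows `nsRangeList::ResetSelection` (line 1012) handing `getNextFrame` a null frame during `PresShell::ResizeReflow`, so it is worth checking in the caller why there is no frame to pass after a resize and whether it should stop iterating there.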
Status: ASSIGNED → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
checked in fix (joe & kin)
you guys are scary... (that's a compliment. ;)
Status: RESOLVED → VERIFIED
Can't reproduce this crash on 3.17.99 Mac OS, Win32 or Linux builds (Apprunner). [Tried resizing, scrolling, etc. I note that IE keeps the selected text selected after a resize, whereas we're unselecting the text as part of a resize, as we did in 4.5.] Thus, saving Claudius the trip and marking as 'Verified'. Thanks!
Per a request from Selection and Search component eng (mjudge) and qa (elig), moving all "Selection and Search" bugs to new "Selection" component. Original "Selection and Search" component will be retired.