Closed Bug 223064 Opened 21 years ago Closed 21 years ago

browser crashes or locks up when visiting www.vnunet.com (position: absolute div inside <a>) [@ nsHTMLReflowState::CalculateHypotheticalBox ]

Categories

(Core :: Layout: Block and Inline, defect)

Product:
Core
Component:
Layout: Block and Inline
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: pavel1r, Assigned: MatsPalmgren_bugz)

References

(
URL
)

Details

(4 keywords)

Crash Data

Attachments

(3 files)

Stack trace
7.77 KB, text/plain
Details
testcase
247 bytes, text/html
Details
Patch rev. 1
2.47 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6a) Gecko/20031020 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6a) Gecko/20031020 Whenever I load www.vnunet.com mozilla either crashes or locks-up. If it locks-up browser is still responsive, but clicking on any link does nothing and new windows can not be opened. It happens with todays build (2003102004) and the site was working fine few days ago. Reproducible: Always Steps to Reproduce: 1. Visit www.vnunet.com 2. 3. Actual Results: Browser crashes or locks up Expected Results: Load the page. Talkback ID: TB24607740Y
Keywords: crash, stackwanted
Whiteboard: TB24607740Y
crash for me to on XPProf. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031020 Firebird/0.7+
Linux version also crashes: Starting program: /home/petevine/MozillaFirebird/MozillaFirebird-bin http://www.vnunet.com (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...[New Thread 1024 (LWP 25719)] Type Manifest File: /home/petevine/MozillaFirebird/components/xpti.dat nsNativeComponentLoader: autoregistering begins. nsNativeComponentLoader: autoregistering succeeded nNCL: registering deferred (0) [New Thread 2049 (LWP 25721)] [New Thread 1026 (LWP 25722)] GFX: dpi=90 t2p=0,0625 p2t=16 depth=24 WEBSHELL+ = 1 [New Thread 2051 (LWP 25726)] [New Thread 3076 (LWP 25728)] WEBSHELL+ = 2 WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file nsChromeRegistry.cpp, line 3190 WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file nsChromeRegistry.cpp, line 3190 Note: verifyreflow is disabled Note: styleverifytree is disabled Note: frameverifytree is disabled WEBSHELL+ = 3 [New Thread 4101 (LWP 25729)] [New Thread 5126 (LWP 25730)] CSS Error (http://images.vnunet.com/v6_style/v65_style.css :126.103): Expected color but found 'none'. Error in parsing value for property 'background-color'. Declaration dropped. JavaScript error: http://ad.uk.doubleclick.net/adj/tb.vnunet.uk/vnunet_home;cat=vnunet_home;page=home;pos=top;sz=468x60;tile=1;ptile=1;ord=807138944? line 1: illegal character WARNING: Couldn't add reflow command, so splitting. WARNING: Couldn't add reflow command, so splitting. WARNING: Couldn't add reflow command, so splitting. ###!!! ASSERTION: Must reach our placeholder before end of list!: 'firstFrame', file nsHTMLReflowState.cpp, line 870 Break: at file nsHTMLReflowState.cpp, line 870 Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 1024 (LWP 25719)] 0x410f6344 in nsHTMLReflowState::CalculateHypotheticalBox(nsIPresContext*, nsIFrame*, nsIFrame*, nsMargin&, nsIFrame*, nsHypotheticalBox&) () from /home/petevine/MozillaFirebird/components/libgklayout.so
No dupes found, marking NEW. Can you attach full stack (using 'backtrace' when in GDB and Mozilla has crashed) via "create a new attachment" ?
Assignee: general → block-and-inline
Status: UNCONFIRMED → NEW
Component: Browser-General → Layout: Block & Inline
Ever confirmed: true
Keywords: stackwantedregression
OS: Windows 2000 → All
QA Contact: general → ian
Summary: browser crashes or locks up when visiting www.vnunet.com → browser crashes or locks up when visiting www.vnunet.com [@ nsHTMLReflowState::CalculateHypotheticalBox ]
Whiteboard: TB24607740Y
Seems to be okay with 1.5 (Win2k)
Attached file Stack trace
Here's the stack trace you requested. BTW, only gtk2 version is affected.
I just had a crash using Trunk BuildID 2003102004. DocWatson came up, but there was no talkback in the sea.exe-package. Stack summary of DocWatson was showing 37 calls to GKLAYOUT.DLL and one call to XPCOM, no others. WFM Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.5) Gecko/20031007 WFM Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.5) Gecko/20031007 Firebird/0.7 Didn´t find Flash on this page.
Checked this out on recent nightlies on WIN XP... 20031017 : no crash 20031018 and later: crash
Charles, great info, can you even reduce more by mentioning the build ID (like "2003101705") in the title bar ?
Oliver: 2003101704 and 2003101804 Looking at CVS checkins, BZ touched mozilla/ layout/ html/ base/ src/ nsHTMLReflowState.cpp a few times during that time period.
TB24618351G Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031019
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031018 BuildID 2003101804 TB24618983G crash on loading URL TB24618895X crash on loading local copy of URL saved with BuildID 2003101704 tested Build ID2003101704 only once, to save the page, no crash all later builds are crashing, some don´t have talkback, though I selected complete install (SEA.EXE).
Keywords: topcrash
Attached file testcase
This javascript causes the crash: document.writeln("<A><DIV STYLE=\"position:absolute;\">" + "</DIV></A>");
Keywords: testcase
Summary: browser crashes or locks up when visiting www.vnunet.com [@ nsHTMLReflowState::CalculateHypotheticalBox ] → browser crashes or locks up when visiting www.vnunet.com (position: absolute div inside <a>) [@ nsHTMLReflowState::CalculateHypotheticalBox ]
Blocks: 223017
No longer blocks: 223017
bz, see comments in bug 223017 isolating this to recent nsHTMLReflowState.cpp checkins.
*** Bug 223171 has been marked as a duplicate of this bug. ***
Rolling back nsHTMLReflowState.cpp to -r1.174 makes the crash disappear so the culprit is the checkin for bug 94468. I think the real problem is in the frame splitting code in nsCSSFrameConstructor.cpp though, it has a lot of concerned comments [1] about not handling abs.pos. blocks (and floats) correctly. I think this could lead to the situation where the placeholder has a different parent than the block where the frame is on the abs.pos. list. (So the assertion on line 870 triggers and we will dereference null on line 872). [1] e.g. read XXX_kin comments in AdjustOutOfFlowFrameParentPtrs()
Attached patch Patch rev. 1Splinter Review
This fixes the crash without regressing bug 94468.
To Mats.
Assignee: block-and-inline → mats.palmgren
Comment on attachment 133807 [details] [diff] [review] Patch rev. 1 r+sr=bzbarsky. This even leads to correct positioning of positioned blocks-inside-inlines, since they have to start a new line normally and since the placeholder remains in the first line.
Attachment #133807 - Flags: superreview+
Attachment #133807 - Flags: review+
I just checked this in, and the tree was even still open for 1.6a. ;) Mats, thanks a ton for debugging this and for the patch!
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
*** Bug 223070 has been marked as a duplicate of this bug. ***
I just wanted to comment that this bug report is impressive in the way it features: - crash report with an URL and Talkback ID, - fix in less than 24hr, - reduced testcase, - stacks and verification on multiple OS, - regression window, - debugging explanation in comment 15, - and, of course, the patch, from someone else than where the regression came from, - teamwork: all of these were provided by different people, PS: Sorry for the spam, let's not start a discussion here, I simply wanted to express my happy feelings on bugzilla today :)
Flags: blocking1.6a?
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/afc662d52ab1
Flags: in-testsuite+
Crash Signature: [@ nsHTMLReflowState::CalculateHypotheticalBox ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: