Closed Bug 224091 Opened 21 years ago Closed 21 years ago

[FIX] crash on loading of page [@ DoCleanupFrameReferences ]

Categories

(Core :: Layout: Block and Inline, defect)

Product:
Core
Component:
Layout: Block and Inline
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: woud1234, Assigned: MatsPalmgren_bugz)

References

(
URL
)

Details

(Keywords: crash, Whiteboard: TB24915641Q)

Crash Data

Attachments

(2 files)

crash stack
6.08 KB, text/plain
Details
Patch rev. 1
1.92 KB, patch
bzbarsky
: review+
dbaron
: superreview+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6a) Gecko/20031028 Firebird/0.7+ when opened either through a hyperlink, entering it in the adress-bar or a bookmark the browser giving an error and crashes. Reproducible: Always Steps to Reproduce: 1. open the url in browser Actual Results: browser shows this error and then crashes: MozillaFirebird.exe - Application Error The instruction at "0x00000000" referenced memory at "0x00000000". The memory could not "read". reproduced it with latest nightly and a previous version : Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7. Several other users have confirmed it with various operating systems: http://forums.mozillazine.org/viewtopic.php?t=32053
Is this windows-only? This worksforme with a trunk linux build from a few days ago.... In any case, please post a talkback incident id.
Keywords: stackwanted
No, this seems to affect the latest Linux builds. I suggest trying to go there a few times. The first time I went there, Firebird didn't crash, but after further attempts, it did crash. This crash still happens if you disable plugins, images and Javascript. Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6a) Gecko/20031027 Firebird/0.7+ I also repeated this with an old Windows version (23rd May's build under Win2k) as well, but that crashed after some attempts. Seems to not be a recent problem.
Confirming bug, 2003-10-28-05 trunk Linux. Talkback: TB24915641Q
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
OS: Windows 2000 → All
Whiteboard: TB24915641Q
crash/Talkback on Win98: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031028 TB24916012Y started Mozilla, loaded this bug, loaded URL from here, crash TB24915843X multiple tabs open, loaded URL clicked around, crash
*** Bug 219686 has been marked as a duplicate of this bug. ***
It's a bit hard to reproduce the crash with a Linux debug build. The best way I have found is to Reload / Shift-Reload the page while hovering the heading of the center box, titled "De Telegraaf" (hovering it makes a abs.pos. block become visible.)
Assignee: general → block-and-inline
Component: Browser-General → Layout: Block & Inline
Keywords: stackwanted
QA Contact: general → ian
Summary: crash on loading of page → crash on loading of page [@ DoCleanupFrameReferences ]
Attached file crash stack
We crash in |DoCleanupFrameReferences| when using an out-of-flow frame that has been destroyed. This is caused by the following code in |nsCSSFrameConstructor::WipeContainingBlock|: 13206 CleanupFrameReferences(aPresContext, frameManager, aFrameList); 13207 nsFrameList tmp(aFrameList); 13208 tmp.DestroyFrames(aPresContext); 13209 if (aState.mAbsoluteItems.childList) { 13210 CleanupFrameReferences(aPresContext, frameManager, aState.mAbsoluteItems.childList); 13211 tmp.SetFrames(aState.mAbsoluteItems.childList); 13212 tmp.DestroyFrames(aPresContext); 13213 } 13214 if (aState.mFixedItems.childList) { 13215 CleanupFrameReferences(aPresContext, frameManager, aState.mFixedItems.childList); 13216 tmp.SetFrames(aState.mFixedItems.childList); 13217 tmp.DestroyFrames(aPresContext); 13218 } 13219 if (aState.mFloatedItems.childList) { 13220 CleanupFrameReferences(aPresContext, frameManager, aState.mFloatedItems.childList); 13221 tmp.SetFrames(aState.mFloatedItems.childList); 13222 tmp.DestroyFrames(aPresContext); 13223 } a few trace printfs shows: CleanupFrameReferences - Normal 0x87a93c4 CleanupFrameReferences - Normal done CleanupFrameReferences - Abs 0x86d4404 nsFrame::Destroy of 0x86d4404 Area(div)(2)@0x86d4404 [view=0x888ff68] {0,0,0,0} [state=00c02506] sc=0x86d4358(i=0,b=0)< > with parent: Area(html)(-1)@0x88e8044 CleanupFrameReferences - Abs done CleanupFrameReferences - Float 0x87a9468 DoCleanupFrameReferences - bad out-of-flow frame 0x86d4404 frame->GetContent()==0xdddddddd The placeholder for the abs.pos. DIV that is destroyed above is a descendent of one of the frames in |aState.mFloatedItems.childList|. Patch coming up...
Summary: crash on loading of page [@ DoCleanupFrameReferences ] → [FIX] crash on loading of page [@ DoCleanupFrameReferences ]
Attached patch Patch rev. 1Splinter Review
Attachment #134595 - Flags: superreview?(dbaron)
Attachment #134595 - Flags: review?(bz-vacation)
Attachment #134595 - Flags: superreview?(dbaron) → superreview+
Comment on attachment 134595 [details] [diff] [review] Patch rev. 1 r=bzbarsky, I guess. We will still do extra work twice in the case we encounter here, but I'm not sure how to easily avoid that....
Attachment #134595 - Flags: review?(bz-vacation) → review+
To mats.
Assignee: block-and-inline → mats.palmgren
Fix checked in. Thanks for the patch, Mats!
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Crash Signature: [@ DoCleanupFrameReferences ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: