Closed
Bug 224091
Opened 21 years ago
Closed 21 years ago
[FIX] crash on loading of page [@ DoCleanupFrameReferences ]
Categories
(Core :: Layout: Block and Inline, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: woud1234, Assigned: MatsPalmgren_bugz)
References
()
Details
(Keywords: crash, Whiteboard: TB24915641Q)
Crash Data
Attachments
(2 files)
|
6.08 KB,
text/plain
|
Details | |
|
1.92 KB,
patch
|
bzbarsky
:
review+
dbaron
:
superreview+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6a) Gecko/20031028 Firebird/0.7+ when opened either through a hyperlink, entering it in the adress-bar or a bookmark the browser giving an error and crashes. Reproducible: Always Steps to Reproduce: 1. open the url in browser Actual Results: browser shows this error and then crashes: MozillaFirebird.exe - Application Error The instruction at "0x00000000" referenced memory at "0x00000000". The memory could not "read". reproduced it with latest nightly and a previous version : Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7. Several other users have confirmed it with various operating systems: http://forums.mozillazine.org/viewtopic.php?t=32053
|
||
Comment 1•21 years ago
|
||
Is this windows-only? This worksforme with a trunk linux build from a few days ago.... In any case, please post a talkback incident id.
Keywords: stackwanted
|
||
Comment 2•21 years ago
|
||
No, this seems to affect the latest Linux builds. I suggest trying to go there a few times. The first time I went there, Firebird didn't crash, but after further attempts, it did crash. This crash still happens if you disable plugins, images and Javascript. Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6a) Gecko/20031027 Firebird/0.7+ I also repeated this with an old Windows version (23rd May's build under Win2k) as well, but that crashed after some attempts. Seems to not be a recent problem.
|
Assignee | |
Comment 3•21 years ago
|
||
Confirming bug, 2003-10-28-05 trunk Linux. Talkback: TB24915641Q
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
OS: Windows 2000 → All
Whiteboard: TB24915641Q
|
||
Comment 4•21 years ago
|
||
crash/Talkback on Win98: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031028 TB24916012Y started Mozilla, loaded this bug, loaded URL from here, crash TB24915843X multiple tabs open, loaded URL clicked around, crash
|
|
Assignee | |
Comment 5•21 years ago
|
||
*** Bug 219686 has been marked as a duplicate of this bug. ***
|
|
Assignee | |
Comment 6•21 years ago
|
||
It's a bit hard to reproduce the crash with a Linux debug build. The best way I have found is to Reload / Shift-Reload the page while hovering the heading of the center box, titled "De Telegraaf" (hovering it makes a abs.pos. block become visible.)
Assignee: general → block-and-inline
Component: Browser-General → Layout: Block & Inline
Keywords: stackwanted
QA Contact: general → ian
Summary: crash on loading of page → crash on loading of page [@ DoCleanupFrameReferences ]
|
|
Assignee | |
Comment 7•21 years ago
|
||
|
|
Assignee | |
Comment 8•21 years ago
|
||
We crash in |DoCleanupFrameReferences| when using an out-of-flow frame
that has been destroyed. This is caused by the following code in
|nsCSSFrameConstructor::WipeContainingBlock|:
13206 CleanupFrameReferences(aPresContext, frameManager, aFrameList);
13207 nsFrameList tmp(aFrameList);
13208 tmp.DestroyFrames(aPresContext);
13209 if (aState.mAbsoluteItems.childList) {
13210 CleanupFrameReferences(aPresContext, frameManager,
aState.mAbsoluteItems.childList);
13211 tmp.SetFrames(aState.mAbsoluteItems.childList);
13212 tmp.DestroyFrames(aPresContext);
13213 }
13214 if (aState.mFixedItems.childList) {
13215 CleanupFrameReferences(aPresContext, frameManager,
aState.mFixedItems.childList);
13216 tmp.SetFrames(aState.mFixedItems.childList);
13217 tmp.DestroyFrames(aPresContext);
13218 }
13219 if (aState.mFloatedItems.childList) {
13220 CleanupFrameReferences(aPresContext, frameManager,
aState.mFloatedItems.childList);
13221 tmp.SetFrames(aState.mFloatedItems.childList);
13222 tmp.DestroyFrames(aPresContext);
13223 }
a few trace printfs shows:
CleanupFrameReferences - Normal 0x87a93c4
CleanupFrameReferences - Normal done
CleanupFrameReferences - Abs 0x86d4404
nsFrame::Destroy of 0x86d4404
Area(div)(2)@0x86d4404 [view=0x888ff68] {0,0,0,0} [state=00c02506]
sc=0x86d4358(i=0,b=0)<
>
with parent: Area(html)(-1)@0x88e8044
CleanupFrameReferences - Abs done
CleanupFrameReferences - Float 0x87a9468
DoCleanupFrameReferences - bad out-of-flow frame 0x86d4404
frame->GetContent()==0xdddddddd
The placeholder for the abs.pos. DIV that is destroyed above is a
descendent of one of the frames in |aState.mFloatedItems.childList|.
Patch coming up...
Summary: crash on loading of page [@ DoCleanupFrameReferences ] → [FIX] crash on loading of page [@ DoCleanupFrameReferences ]
|
|
Assignee | |
Comment 9•21 years ago
|
||
|
|
Assignee | |
Updated•21 years ago
|
Attachment #134595 -
Flags: superreview?(dbaron)
Attachment #134595 -
Flags: review?(bz-vacation)
Attachment #134595 -
Flags: superreview?(dbaron) → superreview+
|
|
||
Comment 10•21 years ago
|
||
Comment on attachment 134595 [details] [diff] [review] Patch rev. 1 r=bzbarsky, I guess. We will still do extra work twice in the case we encounter here, but I'm not sure how to easily avoid that....
Attachment #134595 -
Flags: review?(bz-vacation) → review+
|
|
||
Comment 12•21 years ago
|
||
Fix checked in. Thanks for the patch, Mats!
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Crash Signature: [@ DoCleanupFrameReferences ]
You need to log in
before you can comment on or make changes to this bug.
Description
•