Closed
Bug 224091
Opened 21 years ago
Closed 21 years ago
[FIX] crash on loading of page [@ DoCleanupFrameReferences ]
Categories
(Core :: Layout: Block and Inline, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: woud1234, Assigned: MatsPalmgren_bugz)
References
()
Details
(Keywords: crash, Whiteboard: TB24915641Q)
Crash Data
Attachments
(2 files)
6.08 KB,
text/plain
|
Details | |
1.92 KB,
patch
|
bzbarsky
:
review+
dbaron
:
superreview+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6a) Gecko/20031028 Firebird/0.7+ when opened either through a hyperlink, entering it in the adress-bar or a bookmark the browser giving an error and crashes. Reproducible: Always Steps to Reproduce: 1. open the url in browser Actual Results: browser shows this error and then crashes: MozillaFirebird.exe - Application Error The instruction at "0x00000000" referenced memory at "0x00000000". The memory could not "read". reproduced it with latest nightly and a previous version : Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7. Several other users have confirmed it with various operating systems: http://forums.mozillazine.org/viewtopic.php?t=32053
Comment 1•21 years ago
|
||
Is this windows-only? This worksforme with a trunk linux build from a few days ago.... In any case, please post a talkback incident id.
Keywords: stackwanted
Comment 2•21 years ago
|
||
No, this seems to affect the latest Linux builds. I suggest trying to go there a few times. The first time I went there, Firebird didn't crash, but after further attempts, it did crash. This crash still happens if you disable plugins, images and Javascript. Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6a) Gecko/20031027 Firebird/0.7+ I also repeated this with an old Windows version (23rd May's build under Win2k) as well, but that crashed after some attempts. Seems to not be a recent problem.
Assignee | ||
Comment 3•21 years ago
|
||
Confirming bug, 2003-10-28-05 trunk Linux. Talkback: TB24915641Q
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
OS: Windows 2000 → All
Whiteboard: TB24915641Q
Comment 4•21 years ago
|
||
crash/Talkback on Win98: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031028 TB24916012Y started Mozilla, loaded this bug, loaded URL from here, crash TB24915843X multiple tabs open, loaded URL clicked around, crash
Assignee | ||
Comment 5•21 years ago
|
||
*** Bug 219686 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 6•21 years ago
|
||
It's a bit hard to reproduce the crash with a Linux debug build. The best way I have found is to Reload / Shift-Reload the page while hovering the heading of the center box, titled "De Telegraaf" (hovering it makes a abs.pos. block become visible.)
Assignee: general → block-and-inline
Component: Browser-General → Layout: Block & Inline
Keywords: stackwanted
QA Contact: general → ian
Summary: crash on loading of page → crash on loading of page [@ DoCleanupFrameReferences ]
Assignee | ||
Comment 7•21 years ago
|
||
Assignee | ||
Comment 8•21 years ago
|
||
We crash in |DoCleanupFrameReferences| when using an out-of-flow frame that has been destroyed. This is caused by the following code in |nsCSSFrameConstructor::WipeContainingBlock|: 13206 CleanupFrameReferences(aPresContext, frameManager, aFrameList); 13207 nsFrameList tmp(aFrameList); 13208 tmp.DestroyFrames(aPresContext); 13209 if (aState.mAbsoluteItems.childList) { 13210 CleanupFrameReferences(aPresContext, frameManager, aState.mAbsoluteItems.childList); 13211 tmp.SetFrames(aState.mAbsoluteItems.childList); 13212 tmp.DestroyFrames(aPresContext); 13213 } 13214 if (aState.mFixedItems.childList) { 13215 CleanupFrameReferences(aPresContext, frameManager, aState.mFixedItems.childList); 13216 tmp.SetFrames(aState.mFixedItems.childList); 13217 tmp.DestroyFrames(aPresContext); 13218 } 13219 if (aState.mFloatedItems.childList) { 13220 CleanupFrameReferences(aPresContext, frameManager, aState.mFloatedItems.childList); 13221 tmp.SetFrames(aState.mFloatedItems.childList); 13222 tmp.DestroyFrames(aPresContext); 13223 } a few trace printfs shows: CleanupFrameReferences - Normal 0x87a93c4 CleanupFrameReferences - Normal done CleanupFrameReferences - Abs 0x86d4404 nsFrame::Destroy of 0x86d4404 Area(div)(2)@0x86d4404 [view=0x888ff68] {0,0,0,0} [state=00c02506] sc=0x86d4358(i=0,b=0)< > with parent: Area(html)(-1)@0x88e8044 CleanupFrameReferences - Abs done CleanupFrameReferences - Float 0x87a9468 DoCleanupFrameReferences - bad out-of-flow frame 0x86d4404 frame->GetContent()==0xdddddddd The placeholder for the abs.pos. DIV that is destroyed above is a descendent of one of the frames in |aState.mFloatedItems.childList|. Patch coming up...
Summary: crash on loading of page [@ DoCleanupFrameReferences ] → [FIX] crash on loading of page [@ DoCleanupFrameReferences ]
Assignee | ||
Comment 9•21 years ago
|
||
Assignee | ||
Updated•21 years ago
|
Attachment #134595 -
Flags: superreview?(dbaron)
Attachment #134595 -
Flags: review?(bz-vacation)
Attachment #134595 -
Flags: superreview?(dbaron) → superreview+
Comment 10•21 years ago
|
||
Comment on attachment 134595 [details] [diff] [review] Patch rev. 1 r=bzbarsky, I guess. We will still do extra work twice in the case we encounter here, but I'm not sure how to easily avoid that....
Attachment #134595 -
Flags: review?(bz-vacation) → review+
Comment 12•21 years ago
|
||
Fix checked in. Thanks for the patch, Mats!
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Crash Signature: [@ DoCleanupFrameReferences ]
You need to log in
before you can comment on or make changes to this bug.
Description
•