Closed Bug 299153 Opened 19 years ago Closed 19 years ago

Browser CRASH when re-visiting pages with SVG content

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: codedread, Assigned: bryner)

References

(
URL
)

Details

(Keywords: testcase)

Attachments

(3 files)

used in testcase
409 bytes, image/svg+xml
Details
testcase
144 bytes, text/html
Details
patch
2.73 KB, patch
dbaron
: review+
dbaron
: superreview+
benjamin
: approval1.8b3+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050629 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050629 Firefox/1.0+

A bug has been introduced very recently.  Not sure if it's related to the
Fastback feature or related to fixes to the xlink:href element or what.

When you browse to a page with embedded SVG content, browse away and then hit
the Back button, the browser crashes.

Reproducible: Always

Steps to Reproduce:
1. Browse to http://www.codedread.com/
2. Browse to another page without SVG content
3. Hit the Back button.

Actual Results:  
Browser crashed.  Windows asks me if I want to send a bug report to Microsoft.

Expected Results:  
Browser should not crash.
Also works with the Forward button (i.e. browse to a SVG page, browse Back, then
hit the Forward button.
Did some quick testing:  Crash does not occur when the page is a SVG document. 
Crash happens when SVG content is embedded via <object> or <embed> tags.  Here
are easier pages to test with:

http://www.codedread.com/mozcrash.html
http://www.codedread.com/mozcrash2.html
Not sure what's happening here.  Coming back to the page with SVG, I get the
following messages and stack:

frame: FrameOuter(object)(1) (0x97da0ec) style: 0x97d9a3c {}
Using parent's style context

###!!! ASSERTION: bad reflow state: 'aReflowState.frame == aKidFrame', file
/home/tor/src/moz-trunk/mozilla/layout/generic/nsContainerFrame.cpp, line 873
Break: at file
/home/tor/src/moz-trunk/mozilla/layout/generic/nsContainerFrame.cpp, line 873
###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().:
'mRawPtr != 0', file ../../dist/include/xpcom/nsCOMPtr.h, line 849
Break: at file ../../dist/include/xpcom/nsCOMPtr.h, line 849

Program received signal SIGSEGV, Segmentation fault.
(gdb) f 0
#0  0x4142c45e in nsDocShell::FinishRestore (this=0x9791820)
    at /home/tor/src/moz-trunk/mozilla/docshell/base/nsDocShell.cpp:5010
5010        mContentViewer->GetDOMDocument(getter_AddRefs(domDoc));
(gdb) where 10
#0  0x4142c45e in nsDocShell::FinishRestore (this=0x9791820)
    at /home/tor/src/moz-trunk/mozilla/docshell/base/nsDocShell.cpp:5010
#1  0x4142c419 in nsDocShell::FinishRestore (this=0x9626838)
    at /home/tor/src/moz-trunk/mozilla/docshell/base/nsDocShell.cpp:5005
#2  0x41429d35 in HandleRestorePresentationEvent (aEvent=0x97810b8)
    at /home/tor/src/moz-trunk/mozilla/docshell/base/nsDocShell.cpp:4922
#3  0x400a672e in PL_HandleEvent (self=0x97810b8)
    at /home/tor/src/moz-trunk/mozilla/xpcom/threads/plevent.c:685
#4  0x400a65ba in PL_ProcessPendingEvents (self=0x8fe3548)
    at /home/tor/src/moz-trunk/mozilla/xpcom/threads/plevent.c:620
#5  0x400a973d in nsEventQueueImpl::ProcessPendingEvents (this=0x8fb2208)
    at /home/tor/src/moz-trunk/mozilla/xpcom/threads/nsEventQueue.cpp:417
...

Tor, I did a Bugzilla search for bugs that went to FIXED yesterday and this one
struck my eyes: https://bugzilla.mozilla.org/show_bug.cgi?id=295690 since it has
to do with "reflow" (mentioned in your messages).
I get the crash when using backword button but not when opening in a new tab
then closing the tab then opening again in a new tab. Using mozcrash.html and
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050629
Firefox/1.0+ . Talckback TB7089001X .
Attached image used in testcase 

    
    

    
  

      
      
      
      

        Attached file
          
        testcase
      

    


  

    
  
Status: UNCONFIRMED → NEW
Ever confirmed: true

    
    

    
  
Setting browser.sessionhistory.max_viewers to zero stops the crash, so fastback
is definitely involved.


    
  
Flags: blocking1.8b3+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  
To some extent, this is a manifestation of an existing problem where the
docshell tree and session history tree can get out of sync.  (it's not clear
exactly what should happen, but mChildOffset can end up pointing to a different
session history entry).  The reason we're getting into this state at all,
though, is that we're attempting to recreate frames for the SVG <object> here
to restart the plugin, even though there is no plugin.	So, at minimum, I think
we should fix it not to do this unless there is a plugin instance.  I tested
that this still works correctly in the real plugin case.  I also added a
null-check in FinishRestore, on the off-chance that the content viewer is nuked
before the plevent is processed.

    
  
Assignee: general → bryner
Status: NEW → ASSIGNED

        Attachment #187752 -
        Flags: superreview?(dbaron)

        Attachment #187752 -
        Flags: review?(dbaron)

        Attachment #187752 -
        Flags: superreview?(dbaron)

        Attachment #187752 -
        Flags: superreview+

        Attachment #187752 -
        Flags: review?(dbaron)

        Attachment #187752 -
        Flags: review+

    
  

        Attachment #187752 -
        Flags: approval1.8b3?

    
    

    
  
Comment on attachment 187752 [details] [diff] [review]
patch

a=bsmedberg for checkin on 6/30 only

        Attachment #187752 -
        Flags: approval1.8b3? → approval1.8b3+

    
    

    
  
checked in
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
    

    
  
I still get it with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2)
Gecko/20050630 Firefox/1.0+ using the testcase. I get it when going backwards
then forward. Reopening. Talkback TB7120246Z and TB7120230K.
Status: RESOLVED → REOPENED
Keywords: testcase
Resolution: FIXED → ---

    
    

    
  
(In reply to comment #12)
> I still get it with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2)
> Gecko/20050630 Firefox/1.0+ using the testcase. I get it when going backwards
> then forward. Reopening. Talkback TB7120246Z and TB7120230K.

That's because there is no build with the patch yet.

    
    

    
  
(In reply to comment #13)
> (In reply to comment #12)
> > I still get it with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2)
> > Gecko/20050630 Firefox/1.0+ using the testcase. I get it when going backwards
> > then forward. Reopening. Talkback TB7120246Z and TB7120230K.
> 
> That's because there is no build with the patch yet.

Sorry but i saw chekin 06/30 so i taugh that it would be fixed in 06/30 build.

    
    

    
  
bryner's fix went in at 13:58 PDT, while you have build ID 2005063012.  time as
well as date are relevant here.

re-resolving FIXED.
Status: REOPENED → RESOLVED
Closed: 19 years ago19 years ago
Resolution: --- → FIXED

    
    

    
  
Ok with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050701
Firefox/1.0+
Status: RESOLVED → VERIFIED

    
    

    
  
*** Bug 295591 has been marked as a duplicate of this bug. ***

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: