Closed
Bug 299153
Opened 19 years ago
Closed 19 years ago
Browser CRASH when re-visiting pages with SVG content
Categories
(Core :: SVG, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: codedread, Assigned: bryner)
References
()
Details
(Keywords: testcase)
Attachments
(3 files)
409 bytes,
image/svg+xml
|
Details | |
144 bytes,
text/html
|
Details | |
2.73 KB,
patch
|
dbaron
:
review+
dbaron
:
superreview+
benjamin
:
approval1.8b3+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050629 Firefox/1.0+ Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050629 Firefox/1.0+ A bug has been introduced very recently. Not sure if it's related to the Fastback feature or related to fixes to the xlink:href element or what. When you browse to a page with embedded SVG content, browse away and then hit the Back button, the browser crashes. Reproducible: Always Steps to Reproduce: 1. Browse to http://www.codedread.com/ 2. Browse to another page without SVG content 3. Hit the Back button. Actual Results: Browser crashed. Windows asks me if I want to send a bug report to Microsoft. Expected Results: Browser should not crash.
Reporter | ||
Comment 1•19 years ago
|
||
Also works with the Forward button (i.e. browse to a SVG page, browse Back, then hit the Forward button.
Reporter | ||
Comment 2•19 years ago
|
||
Did some quick testing: Crash does not occur when the page is a SVG document. Crash happens when SVG content is embedded via <object> or <embed> tags. Here are easier pages to test with: http://www.codedread.com/mozcrash.html http://www.codedread.com/mozcrash2.html
Not sure what's happening here. Coming back to the page with SVG, I get the following messages and stack: frame: FrameOuter(object)(1) (0x97da0ec) style: 0x97d9a3c {} Using parent's style context ###!!! ASSERTION: bad reflow state: 'aReflowState.frame == aKidFrame', file /home/tor/src/moz-trunk/mozilla/layout/generic/nsContainerFrame.cpp, line 873 Break: at file /home/tor/src/moz-trunk/mozilla/layout/generic/nsContainerFrame.cpp, line 873 ###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../dist/include/xpcom/nsCOMPtr.h, line 849 Break: at file ../../dist/include/xpcom/nsCOMPtr.h, line 849 Program received signal SIGSEGV, Segmentation fault. (gdb) f 0 #0 0x4142c45e in nsDocShell::FinishRestore (this=0x9791820) at /home/tor/src/moz-trunk/mozilla/docshell/base/nsDocShell.cpp:5010 5010 mContentViewer->GetDOMDocument(getter_AddRefs(domDoc)); (gdb) where 10 #0 0x4142c45e in nsDocShell::FinishRestore (this=0x9791820) at /home/tor/src/moz-trunk/mozilla/docshell/base/nsDocShell.cpp:5010 #1 0x4142c419 in nsDocShell::FinishRestore (this=0x9626838) at /home/tor/src/moz-trunk/mozilla/docshell/base/nsDocShell.cpp:5005 #2 0x41429d35 in HandleRestorePresentationEvent (aEvent=0x97810b8) at /home/tor/src/moz-trunk/mozilla/docshell/base/nsDocShell.cpp:4922 #3 0x400a672e in PL_HandleEvent (self=0x97810b8) at /home/tor/src/moz-trunk/mozilla/xpcom/threads/plevent.c:685 #4 0x400a65ba in PL_ProcessPendingEvents (self=0x8fe3548) at /home/tor/src/moz-trunk/mozilla/xpcom/threads/plevent.c:620 #5 0x400a973d in nsEventQueueImpl::ProcessPendingEvents (this=0x8fb2208) at /home/tor/src/moz-trunk/mozilla/xpcom/threads/nsEventQueue.cpp:417 ...
Reporter | ||
Comment 4•19 years ago
|
||
Tor, I did a Bugzilla search for bugs that went to FIXED yesterday and this one struck my eyes: https://bugzilla.mozilla.org/show_bug.cgi?id=295690 since it has to do with "reflow" (mentioned in your messages).
Comment 5•19 years ago
|
||
I get the crash when using backword button but not when opening in a new tab then closing the tab then opening again in a new tab. Using mozcrash.html and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050629 Firefox/1.0+ . Talckback TB7089001X .
Comment 6•19 years ago
|
||
Comment 7•19 years ago
|
||
Updated•19 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Setting browser.sessionhistory.max_viewers to zero stops the crash, so fastback is definitely involved.
Assignee | ||
Comment 9•19 years ago
|
||
To some extent, this is a manifestation of an existing problem where the docshell tree and session history tree can get out of sync. (it's not clear exactly what should happen, but mChildOffset can end up pointing to a different session history entry). The reason we're getting into this state at all, though, is that we're attempting to recreate frames for the SVG <object> here to restart the plugin, even though there is no plugin. So, at minimum, I think we should fix it not to do this unless there is a plugin instance. I tested that this still works correctly in the real plugin case. I also added a null-check in FinishRestore, on the off-chance that the content viewer is nuked before the plevent is processed.
Assignee | ||
Updated•19 years ago
|
Assignee: general → bryner
Status: NEW → ASSIGNED
Attachment #187752 -
Flags: superreview?(dbaron)
Attachment #187752 -
Flags: review?(dbaron)
Attachment #187752 -
Flags: superreview?(dbaron)
Attachment #187752 -
Flags: superreview+
Attachment #187752 -
Flags: review?(dbaron)
Attachment #187752 -
Flags: review+
Assignee | ||
Updated•19 years ago
|
Attachment #187752 -
Flags: approval1.8b3?
Comment 10•19 years ago
|
||
Comment on attachment 187752 [details] [diff] [review] patch a=bsmedberg for checkin on 6/30 only
Attachment #187752 -
Flags: approval1.8b3? → approval1.8b3+
Assignee | ||
Comment 11•19 years ago
|
||
checked in
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 12•19 years ago
|
||
I still get it with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050630 Firefox/1.0+ using the testcase. I get it when going backwards then forward. Reopening. Talkback TB7120246Z and TB7120230K.
Comment 13•19 years ago
|
||
(In reply to comment #12) > I still get it with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) > Gecko/20050630 Firefox/1.0+ using the testcase. I get it when going backwards > then forward. Reopening. Talkback TB7120246Z and TB7120230K. That's because there is no build with the patch yet.
Comment 14•19 years ago
|
||
(In reply to comment #13) > (In reply to comment #12) > > I still get it with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) > > Gecko/20050630 Firefox/1.0+ using the testcase. I get it when going backwards > > then forward. Reopening. Talkback TB7120246Z and TB7120230K. > > That's because there is no build with the patch yet. Sorry but i saw chekin 06/30 so i taugh that it would be fixed in 06/30 build.
Comment 15•19 years ago
|
||
bryner's fix went in at 13:58 PDT, while you have build ID 2005063012. time as well as date are relevant here. re-resolving FIXED.
Status: REOPENED → RESOLVED
Closed: 19 years ago → 19 years ago
Resolution: --- → FIXED
Comment 16•19 years ago
|
||
Ok with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050701 Firefox/1.0+
Status: RESOLVED → VERIFIED
Assignee | ||
Comment 17•19 years ago
|
||
*** Bug 295591 has been marked as a duplicate of this bug. ***
You need to log in
before you can comment on or make changes to this bug.
Description
•