Closed Bug 299153 Opened 20 years ago Closed 20 years ago

Browser CRASH when re-visiting pages with SVG content

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: codedread, Assigned: bryner)

References

(
URL
)

Details

(Keywords: testcase)

Attachments

(3 files)

used in testcase
409 bytes, image/svg+xml
Details
testcase
144 bytes, text/html
Details
patch
2.73 KB, patch
dbaron
: review+
dbaron
: superreview+
benjamin
: approval1.8b3+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050629 Firefox/1.0+ Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050629 Firefox/1.0+ A bug has been introduced very recently. Not sure if it's related to the Fastback feature or related to fixes to the xlink:href element or what. When you browse to a page with embedded SVG content, browse away and then hit the Back button, the browser crashes. Reproducible: Always Steps to Reproduce: 1. Browse to http://www.codedread.com/ 2. Browse to another page without SVG content 3. Hit the Back button. Actual Results: Browser crashed. Windows asks me if I want to send a bug report to Microsoft. Expected Results: Browser should not crash.
Also works with the Forward button (i.e. browse to a SVG page, browse Back, then hit the Forward button.
Did some quick testing: Crash does not occur when the page is a SVG document. Crash happens when SVG content is embedded via <object> or <embed> tags. Here are easier pages to test with: http://www.codedread.com/mozcrash.html http://www.codedread.com/mozcrash2.html
Not sure what's happening here. Coming back to the page with SVG, I get the following messages and stack: frame: FrameOuter(object)(1) (0x97da0ec) style: 0x97d9a3c {} Using parent's style context ###!!! ASSERTION: bad reflow state: 'aReflowState.frame == aKidFrame', file /home/tor/src/moz-trunk/mozilla/layout/generic/nsContainerFrame.cpp, line 873 Break: at file /home/tor/src/moz-trunk/mozilla/layout/generic/nsContainerFrame.cpp, line 873 ###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../dist/include/xpcom/nsCOMPtr.h, line 849 Break: at file ../../dist/include/xpcom/nsCOMPtr.h, line 849 Program received signal SIGSEGV, Segmentation fault. (gdb) f 0 #0 0x4142c45e in nsDocShell::FinishRestore (this=0x9791820) at /home/tor/src/moz-trunk/mozilla/docshell/base/nsDocShell.cpp:5010 5010 mContentViewer->GetDOMDocument(getter_AddRefs(domDoc)); (gdb) where 10 #0 0x4142c45e in nsDocShell::FinishRestore (this=0x9791820) at /home/tor/src/moz-trunk/mozilla/docshell/base/nsDocShell.cpp:5010 #1 0x4142c419 in nsDocShell::FinishRestore (this=0x9626838) at /home/tor/src/moz-trunk/mozilla/docshell/base/nsDocShell.cpp:5005 #2 0x41429d35 in HandleRestorePresentationEvent (aEvent=0x97810b8) at /home/tor/src/moz-trunk/mozilla/docshell/base/nsDocShell.cpp:4922 #3 0x400a672e in PL_HandleEvent (self=0x97810b8) at /home/tor/src/moz-trunk/mozilla/xpcom/threads/plevent.c:685 #4 0x400a65ba in PL_ProcessPendingEvents (self=0x8fe3548) at /home/tor/src/moz-trunk/mozilla/xpcom/threads/plevent.c:620 #5 0x400a973d in nsEventQueueImpl::ProcessPendingEvents (this=0x8fb2208) at /home/tor/src/moz-trunk/mozilla/xpcom/threads/nsEventQueue.cpp:417 ...
Tor, I did a Bugzilla search for bugs that went to FIXED yesterday and this one struck my eyes: https://bugzilla.mozilla.org/show_bug.cgi?id=295690 since it has to do with "reflow" (mentioned in your messages).
I get the crash when using backword button but not when opening in a new tab then closing the tab then opening again in a new tab. Using mozcrash.html and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050629 Firefox/1.0+ . Talckback TB7089001X .
Attached image used in testcase
Attached file testcase
Status: UNCONFIRMED → NEW
Ever confirmed: true
Setting browser.sessionhistory.max_viewers to zero stops the crash, so fastback is definitely involved.
Flags: blocking1.8b3+
Attached patch patchSplinter Review
To some extent, this is a manifestation of an existing problem where the docshell tree and session history tree can get out of sync. (it's not clear exactly what should happen, but mChildOffset can end up pointing to a different session history entry). The reason we're getting into this state at all, though, is that we're attempting to recreate frames for the SVG <object> here to restart the plugin, even though there is no plugin. So, at minimum, I think we should fix it not to do this unless there is a plugin instance. I tested that this still works correctly in the real plugin case. I also added a null-check in FinishRestore, on the off-chance that the content viewer is nuked before the plevent is processed.
Assignee: general → bryner
Status: NEW → ASSIGNED
Attachment #187752 - Flags: superreview?(dbaron)
Attachment #187752 - Flags: review?(dbaron)
Attachment #187752 - Flags: superreview?(dbaron)
Attachment #187752 - Flags: superreview+
Attachment #187752 - Flags: review?(dbaron)
Attachment #187752 - Flags: review+
Attachment #187752 - Flags: approval1.8b3?
Comment on attachment 187752 [details] [diff] [review] patch a=bsmedberg for checkin on 6/30 only
Attachment #187752 - Flags: approval1.8b3? → approval1.8b3+
checked in
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
I still get it with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050630 Firefox/1.0+ using the testcase. I get it when going backwards then forward. Reopening. Talkback TB7120246Z and TB7120230K.
Status: RESOLVED → REOPENED
Keywords: testcase
Resolution: FIXED → ---
(In reply to comment #12) > I still get it with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) > Gecko/20050630 Firefox/1.0+ using the testcase. I get it when going backwards > then forward. Reopening. Talkback TB7120246Z and TB7120230K. That's because there is no build with the patch yet.
(In reply to comment #13) > (In reply to comment #12) > > I still get it with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) > > Gecko/20050630 Firefox/1.0+ using the testcase. I get it when going backwards > > then forward. Reopening. Talkback TB7120246Z and TB7120230K. > > That's because there is no build with the patch yet. Sorry but i saw chekin 06/30 so i taugh that it would be fixed in 06/30 build.
bryner's fix went in at 13:58 PDT, while you have build ID 2005063012. time as well as date are relevant here. re-resolving FIXED.
Status: REOPENED → RESOLVED
Closed: 20 years ago20 years ago
Resolution: --- → FIXED
Ok with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050701 Firefox/1.0+
Status: RESOLVED → VERIFIED
*** Bug 295591 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: