194615 - Crash because deleted frame not removed from primary frame map - Trunk [@ nsCSSFrameConstructor::AttributeChanged]

Status: RESOLVED WORKSFORME

(Core :: CSS Parsing and Computation, defect, P1)

Description

[Boris Zbarsky [:bzbarsky]]

Testcase coming up; this is crashing my vanilla CVS debug build consistently
with the stack:

#0  nsCOMPtr<nsIStyleRule>::get (this=0xdddddde5)
    at ../../../../dist/include/xpcom/nsCOMPtr.h:632
#1  0x4146060a in int operator==<nsIStyleRule, nsIStyleRule> (lhs=@0xdddddde5, 
    rhs=0x8734f6c) at ../../../dist/include/xpcom/nsCOMPtr.h:1162
#2  0x412c14f0 in nsRuleNode::ClearCachedData (this=0xdddddddd, aRule=0x8734f6c)
    at /home/bzbarsky/mozilla/xlib/mozilla/content/base/src/nsRuleNode.cpp:577
#3  0x412e99f0 in StyleSetImpl::ClearStyleData (this=0x87b3ce8,
aPresContext=0x8133540, 
    aRule=0x8734f6c, aContext=0x87cb7a0)
    at /home/bzbarsky/mozilla/xlib/mozilla/content/base/src/nsStyleSet.cpp:1430
#4  0x40f35064 in nsCSSFrameConstructor::RecreateFramesForContent (this=0x87b3f28, 
    aPresContext=0x8133540, aContent=0x87cdde0, aInlineStyle=1, 
    aInlineStyleRule=0x8734f6c, aStyleContext=0x87cb7a0)
    at
/home/bzbarsky/mozilla/xlib/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:12142
#5  0x40f3083e in nsCSSFrameConstructor::AttributeChanged (this=0x87b3f28, 
    aPresContext=0x8133540, aContent=0x87cdde0, aNameSpaceID=0,
aAttribute=0x818c698, 
    aModType=1, aHint=254)
    at
/home/bzbarsky/mozilla/xlib/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:10765

(if you track back, the AttributeChanged is called by
CSS2PropertiesTearoff::SetDisplay).

So how are we ending up with a deleted rulenode here?

A few notes:

1)  I crash on the first click on any of those links; the original report
(http://www.mozillazine.org/forums/viewtopic.php?t=6192) claims that three
clicks are needed and that the second link does not crash.

2)  If I use a build with the patch for bug 171830 I see the behavior described
in that mozillazine post -- crash on third click, with the second link not
crashing.  In that case, on the second click I see:

###!!! ASSERTION: frame was not removed from primary frame map before
destruction or was readded to map after being removed:
'!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame', file
/home/bzbarsky/mozilla/profile/mozilla/layout/html/base/src/nsFrameManager.cpp,
line 1050
###!!! ASSERTION: frame was not removed from primary frame map before
destruction or was readded to map after being removed:
'!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame', file
/home/bzbarsky/mozilla/profile/mozilla/layout/html/base/src/nsFrameManager.cpp,
line 1050

and on the third click I crash in:

#0  0x40fc432f in nsCSSFrameConstructor::AttributeChanged (this=0x87ae468, 
    aPresContext=0x81145b0, aContent=0x87c78b0, aNameSpaceID=0,
aAttribute=0x81a6450, 
    aModType=1, aHint=14)
    at
/home/bzbarsky/mozilla/profile/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:10628
#1  0x413af311 in StyleSetImpl::AttributeChanged (this=0x87ae3d8, 
    aPresContext=0x81145b0, aContent=0x87c78b0, aNameSpaceID=0,
aAttribute=0x81a6450, 
    aModType=1, aHint=14)
    at /home/bzbarsky/mozilla/profile/mozilla/content/base/src/nsStyleSet.cpp:1643
#2  0x40f45cbe in PresShell::AttributeChanged (this=0x87ae558, aDocument=0x8792f00, 
    aContent=0x87c78b0, aNameSpaceID=0, aAttribute=0x81a6450, aModType=1, aHint=14)
    at
/home/bzbarsky/mozilla/profile/mozilla/layout/html/base/src/nsPresShell.cpp:5168

(called from CSS2PropertiesTearoff::SetDisplay again).

The cause of the crash is that the frame returned by GetPrimaryFrameFor has been
deleted:

(gdb) p *primaryFrame
$2 = {<nsISupports> = {_vptr. = 0x0}, mRect = {x = -572662307, y = -572662307, 
    width = -572662307, height = -572662307}, mContent = 0xdddddddd, 
  mStyleContext = 0xdddddddd, mParent = 0xdddddddd, mNextSibling = 0xdddddddd, 
  mState = 3722304989}

Comment 1

[Boris Zbarsky [:bzbarsky]]

Attachment: testcase

Comment 2

[Boris Zbarsky [:bzbarsky]]

Ah, ok.  The first crash I'm seeing is bug 194584.   Once that's fixed, I doubt
bug 171830 will affect this.

Are we doing something like calling GetPrimaryFrameFor in the middle of things
here, at the wrong time?  I seem to recall form controls doing that on some attr
changes....

Comment 3

[Chris Casciano]

more crash data... 200222303/OS X... Talkback IDs:

TB174378E
TB174391K

Comment 4

[Boris Zbarsky [:bzbarsky]]

> "200222303/OS X."

Then that's bug 194584.

To reproduce this bug you must use a build at least a few days old or a build
with the patch for bug 194584 in it.

Comment 5

[Chris Casciano]

ack... i really screwed that one up didn't I... maybe i need more coffee...
those crases were on 2003022303

Comment 6

[joakim_46]

WFM with build 2003021008 under Windows XP SP1.

Comment 7

[Boris Zbarsky [:bzbarsky]]

If you're not using a debug build, the crash may be intermittent (since you're
accessing random garbage data).  With a debug build, it is guaranteed.

Comment 8

[Matthias Versen [:Matti]]

*** Bug 194698 has been marked as a duplicate of this bug. ***

Comment 9

[Jay Patel [:jay]]

I crashed with today's MozillaTrunk build after clicking the first link the 3rd
time.  Here's my incident:

Incident ID 17466055
Stack Signature 	nsCSSFrameConstructor::AttributeChanged 202924a9
Email Address 	jpatel@netscape.com
Product ID 	MozillaTrunk
Build ID 	2003022408
Trigger Time 	2003-02-24 16:13:22
Platform 	Win32
Operating System 	Windows NT 5.1 build 2600
Module 	gklayout.dll
URL visited 	http://home.hccnet.nl/m.wargers/test/mozilla/f3.htm#userfile
User Comments 	crashed after clicking on first testcase 3 times.
Trigger Reason 	Access violation
Source File Name 
c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
Trigger Line No. 	10623
Stack Trace 	
nsCSSFrameConstructor::AttributeChanged
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 10623]
StyleSetImpl::AttributeChanged
[c:/builds/seamonkey/mozilla/content/base/src/nsStyleSet.cpp, line 1716]
PresShell::AttributeChanged
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 5170]
nsDocument::AttributeChanged
[c:/builds/seamonkey/mozilla/content/base/src/nsDocument.cpp, line 2121]
nsHTMLDocument::AttributeChanged
[c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLDocument.cpp, line
1543]
nsDOMCSSAttributeDeclaration::ParsePropertyValue
[c:/builds/seamonkey/mozilla/content/html/style/src/nsDOMCSSAttrDeclaration.cpp,
line 275]
nsDOMCSSDeclaration::SetProperty
[c:/builds/seamonkey/mozilla/content/html/style/src/nsDOMCSSDeclaration.cpp,
line 252]
CSS2PropertiesTearoff::SetDisplay
[../../../../dist/include/content\nsCSSPropList.h, line 178]
XPTC_InvokeByIndex
[c:/builds/seamonkey/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2025]
XPC_WN_GetterSetter
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1317]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 845]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 936]
js_SetProperty [c:/builds/seamonkey/mozilla/js/src/jsobj.c, line 2640]
js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2656]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 861]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 936]
JS_CallFunctionValue [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3433]
nsJSContext::CallEventHandler
[c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1043]
nsJSEventListener::HandleEvent
[c:/builds/seamonkey/mozilla/dom/src/events/nsJSEventListener.cpp, line 183]
nsEventListenerManager::HandleEventSubType
[c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line
1218]
nsEventListenerManager::HandleEvent
[c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line
1389]
nsGenericElement::HandleDOMEvent
[c:/builds/seamonkey/mozilla/content/base/src/nsGenericElement.cpp, line 1929]
nsGenericHTMLElement::HandleDOMEventForAnchors
[c:/builds/seamonkey/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 1423]
nsHTMLAnchorElement::HandleDOMEvent
[c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLAnchorElement.cpp,
line 355]
PresShell::HandleEventInternal
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6228]
PresShell::HandleEventWithTarget
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6196]
nsEventStateManager::CheckForAndDispatchClick
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 2852]
nsEventStateManager::PostHandleEvent
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 1849]
PresShell::HandleEventInternal
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6265]
PresShell::HandleEvent
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6179]
nsViewManager::HandleEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 2208]
nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 309]
nsViewManager::DispatchEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 1944]
HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 83]
nsWindow::DispatchEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1117]
nsWindow::DispatchWindowEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1134]
nsWindow::DispatchMouseEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5374]
ChildWindow::DispatchMouseEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5629]
nsWindow::ProcessMessage
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 4130]
nsWindow::WindowProc
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1401]
USER32.dll + 0x3a68 (0x77d43a68)
USER32.dll + 0x3b37 (0x77d43b37)
USER32.dll + 0x3d91 (0x77d43d91)
USER32.dll + 0x3df7 (0x77d43df7)
nsAppShellService::Run
[c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 480]
main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1289]
main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1639]
WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1660]
WinMainCRTStartup()
kernel32.dll + 0x214c7 (0x77e814c7) 

Adding testcase keyword and topcrash+.  There have been quite a few of these
crashes lately (not sure if it's a common problem or just from all the testing
being done).  

It looks like the stack signature started showing up with builds from 2/18. 

Comment 10

[Mark Annand]

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030303

Crashes every time for me on the test page
 
http://home.hccnet.nl/m.wargers/test/mozilla/f3.htm#userfile

Here's a talkback number: TB17789336Z

Comment 11

[Madhur Bhatia]

marking priority P1 since it is a topcrash+ bug 

Comment 12

[Jan Carpenter]

Not on any topcrash reports; marking topcrash-
Here's a recent crash from NetscapeMozillaTrunkWin322003032611

Incident ID 18500276
Stack Signature 	nsCSSFrameConstructor::AttributeChanged 291682c8
Product ID 	MozillaTrunk
Build ID 	2003032611
Trigger Time 	2003-03-26 16:53:43
Platform 	Win32
Operating System 	Windows NT 5.0 build 2195
Module 	gklayout.dll
URL visited 	
User Comments 	
Trigger Reason 	Access violation
Source File Name 
c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
Trigger Line No. 	10634
Stack Trace 	
nsCSSFrameConstructor::AttributeChanged
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 10634]
StyleSetImpl::AttributeChanged
[c:/builds/seamonkey/mozilla/content/base/src/nsStyleSet.cpp, line 1764]
PresShell::AttributeChanged
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 5233]
nsDocument::AttributeChanged
[c:/builds/seamonkey/mozilla/content/base/src/nsDocument.cpp, line 2183]
nsHTMLDocument::AttributeChanged
[c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLDocument.cpp, line
1496]
nsGenericHTMLElement::SetHTMLAttribute
[c:/builds/seamonkey/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 2011]
nsDOMCSSAttributeDeclaration::SetCSSDeclaration
[c:/builds/seamonkey/mozilla/content/html/style/src/nsDOMCSSAttrDeclaration.cpp,
line 125]
nsDOMCSSAttributeDeclaration::ParsePropertyValue
[c:/builds/seamonkey/mozilla/content/html/style/src/nsDOMCSSAttrDeclaration.cpp,
line 241]
nsDOMCSSDeclaration::SetProperty
[c:/builds/seamonkey/mozilla/content/html/style/src/nsDOMCSSDeclaration.cpp,
line 252]
CSS2PropertiesTearoff::SetDisplay
[../../../../dist/include/content\nsCSSPropList.h, line 178]
XPTC_InvokeByIndex
[c:/builds/seamonkey/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2025]
XPC_WN_GetterSetter
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1317]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 845]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 936]
js_InternalGetOrSet [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 962]
js_SetProperty [c:/builds/seamonkey/mozilla/js/src/jsobj.c, line 2631]
js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2673]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 861]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 936]
JS_CallFunctionValue [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3529]
nsJSContext::CallEventHandler
[c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1068]
nsJSEventListener::HandleEvent
[c:/builds/seamonkey/mozilla/dom/src/events/nsJSEventListener.cpp, line 183]
nsEventListenerManager::HandleEventSubType
[c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line
1192]
nsEventListenerManager::HandleEvent
[c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line
1363]
nsGenericElement::HandleDOMEvent
[c:/builds/seamonkey/mozilla/content/base/src/nsGenericElement.cpp, line 1929]
nsGenericHTMLElement::HandleDOMEventForAnchors
[c:/builds/seamonkey/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 1423]
nsHTMLAreaElement::HandleDOMEvent
[c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLAreaElement.cpp,
line 230]
PresShell::HandleEventInternal
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6289]
PresShell::HandleEventWithTarget
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6257]
nsEventStateManager::CheckForAndDispatchClick
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 2864]
nsEventStateManager::PostHandleEvent
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 1859]
PresShell::HandleEventInternal
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6326]
PresShell::HandleEvent
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6240]
nsViewManager::HandleEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 2221]
nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 309]
nsViewManager::DispatchEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 1957]
HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 83]
nsWindow::DispatchEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1154]
nsWindow::DispatchWindowEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1171]
nsWindow::DispatchMouseEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5439]
ChildWindow::DispatchMouseEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5694]
nsWindow::ProcessMessage
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 4190]
nsWindow::WindowProc
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1438]
USER32.dll + 0x2a244 (0x77e3a244)
USER32.dll + 0x45e5 (0x77e145e5)
USER32.dll + 0xa792 (0x77e1a792)
nsAppShellService::Run
[c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 480]
main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1287]
main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1645]
WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1666]
WinMainCRTStartup()
KERNEL32.dll + 0x2847c (0x77ea847c) 

Comment 13

[Mats Palmgren (inactive)]

Testcase does not crash and URL in comment 10 is 404.
WFM, SeaMonkey 2005-08-31-02 trunk Linux.

Comment 14

[Boris Zbarsky [:bzbarsky]]

Oh, yeah.  Most of the code in those last 4-5 stackframes is just gone
completely nowadays...