Closed
Bug 43214
Opened 24 years ago
Closed 24 years ago
Crash when font X_HEIGHT property is garbage (mozilla-fonts font package)
Categories
(Core :: Layout, defect, P1)
Tracking
()
VERIFIED
FIXED
M18
People
(Reporter: jesup, Assigned: pollmann)
References
()
Details
(Keywords: crash, Whiteboard: [nsbeta3+]fix in hand)
Attachments
(5 files)
Version post-M16 - updated from CVS around 6/17 or later Crash due to flow (from flow->mNextInFlow) being NULL at nsBlockFrame.cpp:5644 Created by going to playboy.com, then clicking on the link that leads to playboy.com/oncampus. (gdb) p flow $3 = (nsBlockFrame *) 0x0 (gdb) p this $4 = (nsBlockFrame *) 0x99c915c (gdb) p *this $5 = { <nsHTMLContainerFrame> = { <nsContainerFrame> = { <nsSplittableFrame> = { <nsFrame> = { <nsIFrame> = { <nsISupports> = { _vptr$ = 0x2a0765a0 }, <No data fields>}, <nsIFrameDebug> = { <nsISupports> = { _vptr$ = 0x2a076560 }, <No data fields>}, members of nsFrame: mRect = { x = 0, y = 0, width = 8625, height = 15150 }, mContent = 0x9a06c8c, mStyleContext = 0x960c000, mParent = 0x99c9100, mNextSibling = 0x0, mState = 1835013 }, members of nsSplittableFrame: mPrevInFlow = 0x0, mNextInFlow = 0x0 }, members of nsContainerFrame: mFrames = { mFirstChild = 0x0 } }, <No data fields>}, members of nsBlockFrame: mLines = 0x9ae04f0, mTextRuns = 0x0, mFloaters = { mFirstChild = 0x0 }, mBullet = 0x0, mAbsoluteContainer = { mAbsoluteFrames = { mFirstChild = 0x0 } } } (gdb) p nextInFlow No symbol "nextInFlow" in current context. (gdb) bt #0 0x29ac4007 in nsBlockFrame::DoRemoveFrame (this=0x99c915c, aPresContext=0x8310e00, aDeletedFrame=0x9bda37c) at nsBlockFrame.cpp:5644 #1 0x29ac41fd in nsBlockFrame::DeleteChildsNextInFlow (this=0x99c915c, aPresContext=0x8310e00, aChild=0x99c91e4) at nsBlockFrame.cpp:5669 #2 0x29ac958c in nsBlockReflowContext::ReflowBlock (this=0xbfbf8df0, aFrame=0x99c91e4, aSpace=@0xbfbf8d38, aApplyTopMargin=1, aPrevBottomMargin=0, aIsAdjacentWithTop=1, aComputedOffsets=@0xbfbf8d48, aFrameReflowStatus=@0xbfbf8d2c) at nsBlockReflowContext.cpp:601 #3 0x29ac05bd in nsBlockFrame::ReflowBlockFrame (this=0x99c915c, aState=@0xbfbf9234, aLine=0x9ae0518, aKeepReflowGoing=0xbfbf8fc8) at nsBlockFrame.cpp:3928 #4 0x29abebbd in nsBlockFrame::ReflowLine (this=0x99c915c, aState=@0xbfbf9234, aLine=0x9ae0518, aKeepReflowGoing=0xbfbf8fc8, aDamageDirtyArea=1) at nsBlockFrame.cpp:3192 #5 0x29abe47e in nsBlockFrame::ReflowDirtyLines (this=0x99c915c, aState=@0xbfbf9234) at nsBlockFrame.cpp:2999 #6 0x29abb863 in nsBlockFrame::Reflow (this=0x99c915c, aPresContext=0x8310e00, aMetrics=@0xbfbf960c, aReflowState=@0xbfbf956c, aStatus=@0xbfbfa82c) at nsBlockFrame.cpp:1765 #7 0x29ace031 in nsContainerFrame::ReflowChild (this=0x99c9100, aKidFrame=0x99c915c, aPresContext=0x8310e00, aDesiredSize=@0xbfbf960c, aReflowState=@0xbfbf956c, aX=0, aY=0, aFlags=0, aStatus=@0xbfbfa82c) at nsContainerFrame.cpp:693 #8 0x29d5ad0b in nsTableCellFrame::Reflow (this=0x99c9100, aPresContext=0x8310e00, aDesiredSize=@0xbfbf9824, aReflowState=@0xbfbf9784, aStatus=@0xbfbfa82c) at nsTableCellFrame.cpp:822 #9 0x29ace031 in nsContainerFrame::ReflowChild (this=0x99c90b8, aKidFrame=0x99c9100, aPresContext=0x8310e00, aDesiredSize=@0xbfbf9824, aReflowState=@0xbfbf9784, aX=0, aY=0, aFlags=0, aStatus=@0xbfbfa82c) at nsContainerFrame.cpp:693 #10 0x29d71cbb in nsTableRowFrame::IR_TargetIsChild (this=0x99c90b8, aPresContext=0x8310e00, aDesiredSize=@0xbfbf9ab8, aReflowState=@0xbfbf99d4, aStatus=@0xbfbfa82c, aNextFrame=0x99c9100) at nsTableRowFrame.cpp:1388 #11 0x29d718a0 in nsTableRowFrame::IncrementalReflow (this=0x99c90b8, aPresContext=0x8310e00, aDesiredSize=@0xbfbf9ab8, aReflowState=@0xbfbf99d4, aStatus=@0xbfbfa82c) at nsTableRowFrame.cpp:1269 #12 0x29d722ef in nsTableRowFrame::Reflow (this=0x99c90b8, aPresContext=0x8310e00, aDesiredSize=@0xbfbf9ab8, aReflowState=@0xbfbf9af4, aStatus=@0xbfbfa82c) at nsTableRowFrame.cpp:1623 #13 0x29ace031 in nsContainerFrame::ReflowChild (this=0x99c9074, aKidFrame=0x99c90b8, aPresContext=0x8310e00, aDesiredSize=@0xbfbf9ab8, aReflowState=@0xbfbf9af4, aX=0, aY=0, aFlags=0, aStatus=@0xbfbfa82c) at nsContainerFrame.cpp:693 #14 0x29d76715 in nsTableRowGroupFrame::IR_TargetIsChild (this=0x99c9074, aPresContext=0x8310e00, aDesiredSize=@0xbfbf9e60, aReflowState=@0xbfbf9c94, aStatus=@0xbfbfa82c, aNextFrame=0x99c90b8) at nsTableRowGroupFrame.cpp:1541 #15 0x29d75860 in nsTableRowGroupFrame::IncrementalReflow (this=0x99c9074, aPresContext=0x8310e00, aDesiredSize=@0xbfbf9e60, aReflowState=@0xbfbf9c94, aStatus=@0xbfbfa82c) at nsTableRowGroupFrame.cpp:1173 #16 0x29d7534a in nsTableRowGroupFrame::Reflow (this=0x99c9074, aPresContext=0x8310e00, aDesiredSize=@0xbfbf9e60, aReflowState=@0xbfbf9dc0, aStatus=@0xbfbfa82c) at nsTableRowGroupFrame.cpp:1074 #17 0x29ace031 in nsContainerFrame::ReflowChild (this=0x99c9010, aKidFrame=0x99c9074, aPresContext=0x8310e00, aDesiredSize=@0xbfbf9e60, aReflowState=@0xbfbf9dc0, aX=0, aY=0, aFlags=0, aStatus=@0xbfbfa82c) at nsContainerFrame.cpp:693 #18 0x29d65df7 in nsTableFrame::IR_TargetIsChild (this=0x99c9010, aPresContext=0x8310e00, aDesiredSize=@0xbfbfa3b0, aReflowState=@0xbfbf9f14, aStatus=@0xbfbfa82c, aNextFrame=0x99c9074) at nsTableFrame.cpp:2719 #19 0x29d657f7 in nsTableFrame::IncrementalReflow (this=0x99c9010, aPresContext=0x8310e00, aDesiredSize=@0xbfbfa3b0, aReflowState=@0xbfbfa21c, aStatus=@0xbfbfa82c) at nsTableFrame.cpp:2507 #20 0x29d62f4a in nsTableFrame::Reflow (this=0x99c9010, aPresContext=0x8310e00, aDesiredSize=@0xbfbfa3b0, aReflowState=@0xbfbfa21c, aStatus=@0xbfbfa82c) at nsTableFrame.cpp:1550 #21 0x29ace031 in nsContainerFrame::ReflowChild (this=0x98c5f68, aKidFrame=0x99c9010, aPresContext=0x8310e00, aDesiredSize=@0xbfbfa3b0, aReflowState=@0xbfbfa21c, aX=0, aY=0, aFlags=3, aStatus=@0xbfbfa82c) at nsContainerFrame.cpp:693 #22 0x29d6ced1 in nsTableOuterFrame::OuterReflowChild (this=0x98c5f68, aPresContext=0x8310e00, aChildFrame=0x99c9010, aOuterRS=@0xbfbfa6c0, aMetrics=@0xbfbfa3b0, aAvailWidth=0x0, aDesiredSize=@0xbfbfa404, aMargin=@0xbfbfa3f4, aPadding=@0xbfbfa3e4, aReflowReason=eReflowReason_Incremental, aStatus=@0xbfbfa82c) at nsTableOuterFrame.cpp:884 #23 0x29d6dcba in nsTableOuterFrame::IR_InnerTableReflow (this=0x98c5f68, aPresContext=0x8310e00, aDesiredSize=@0xbfbfa930, aOuterRS=@0xbfbfa6c0, aStatus=@0xbfbfa82c) at nsTableOuterFrame.cpp:1186 #24 0x29d6d2a7 in nsTableOuterFrame::IR_TargetIsInnerTableFrame ( this=0x98c5f68, aPresContext=0x8310e00, aDesiredSize=@0xbfbfa930, aReflowState=@0xbfbfa6c0, aStatus=@0xbfbfa82c) at nsTableOuterFrame.cpp:986 #25 0x29d6d177 in nsTableOuterFrame::IR_TargetIsChild (this=0x98c5f68, aPresContext=0x8310e00, aDesiredSize=@0xbfbfa930, aReflowState=@0xbfbfa6c0, aStatus=@0xbfbfa82c, aNextFrame=0x99c9010) at nsTableOuterFrame.cpp:958 #26 0x29d6d106 in nsTableOuterFrame::IncrementalReflow (this=0x98c5f68, aPresContext=0x8310e00, aDesiredSize=@0xbfbfa930, aReflowState=@0xbfbfa6c0, aStatus=@0xbfbfa82c) at nsTableOuterFrame.cpp:937 #27 0x29d6e6f5 in nsTableOuterFrame::Reflow (this=0x98c5f68, aPresContext=0x8310e00, aDesiredSize=@0xbfbfa930, aOuterRS=@0xbfbfa6c0, aStatus=@0xbfbfa82c) at nsTableOuterFrame.cpp:1387 #28 0x29ac92f4 in nsBlockReflowContext::ReflowBlock (this=0xbfbfa8f0, aFrame=0x98c5f68, aSpace=@0xbfbfa838, aApplyTopMargin=0, aPrevBottomMargin=0, aIsAdjacentWithTop=1, aComputedOffsets=@0xbfbfa848, aFrameReflowStatus=@0xbfbfa82c) at nsBlockReflowContext.cpp:511 #29 0x29ac05bd in nsBlockFrame::ReflowBlockFrame (this=0x98c5ea4, aState=@0xbfbfad34, aLine=0x9b5e480, aKeepReflowGoing=0xbfbfaac8) at nsBlockFrame.cpp:3928 #30 0x29abebbd in nsBlockFrame::ReflowLine (this=0x98c5ea4, aState=@0xbfbfad34, aLine=0x9b5e480, aKeepReflowGoing=0xbfbfaac8, aDamageDirtyArea=1) at nsBlockFrame.cpp:3192 #31 0x29abe47e in nsBlockFrame::ReflowDirtyLines (this=0x98c5ea4, aState=@0xbfbfad34) at nsBlockFrame.cpp:2999 #32 0x29abb863 in nsBlockFrame::Reflow (this=0x98c5ea4, aPresContext=0x8310e00, aMetrics=@0xbfbfb2a0, aReflowState=@0xbfbfb030, aStatus=@0xbfbfb19c) at nsBlockFrame.cpp:1765 #33 0x29ac92f4 in nsBlockReflowContext::ReflowBlock (this=0xbfbfb260, aFrame=0x98c5ea4, aSpace=@0xbfbfb1a8, aApplyTopMargin=1, aPrevBottomMargin=0, aIsAdjacentWithTop=0, aComputedOffsets=@0xbfbfb1b8, aFrameReflowStatus=@0xbfbfb19c) at nsBlockReflowContext.cpp:511 #34 0x29ac05bd in nsBlockFrame::ReflowBlockFrame (this=0x960ed64, aState=@0xbfbfb6a4, aLine=0x9b5e4d0, aKeepReflowGoing=0xbfbfb438) at nsBlockFrame.cpp:3928 #35 0x29abebbd in nsBlockFrame::ReflowLine (this=0x960ed64, aState=@0xbfbfb6a4, aLine=0x9b5e4d0, aKeepReflowGoing=0xbfbfb438, aDamageDirtyArea=1) at nsBlockFrame.cpp:3192 #36 0x29abe47e in nsBlockFrame::ReflowDirtyLines (this=0x960ed64, aState=@0xbfbfb6a4) at nsBlockFrame.cpp:2999 #37 0x29abb863 in nsBlockFrame::Reflow (this=0x960ed64, aPresContext=0x8310e00, aMetrics=@0xbfbfbc10, aReflowState=@0xbfbfb9a0, aStatus=@0xbfbfbb0c) at nsBlockFrame.cpp:1765 #38 0x29ac92f4 in nsBlockReflowContext::ReflowBlock (this=0xbfbfbbd0, aFrame=0x960ed64, aSpace=@0xbfbfbb18, aApplyTopMargin=1, aPrevBottomMargin=0, aIsAdjacentWithTop=1, aComputedOffsets=@0xbfbfbb28, aFrameReflowStatus=@0xbfbfbb0c) at nsBlockReflowContext.cpp:511 #39 0x29ac05bd in nsBlockFrame::ReflowBlockFrame (this=0x960ecdc, aState=@0xbfbfc014, aLine=0x960edd8, aKeepReflowGoing=0xbfbfbda8) at nsBlockFrame.cpp:3928 #40 0x29abebbd in nsBlockFrame::ReflowLine (this=0x960ecdc, aState=@0xbfbfc014, aLine=0x960edd8, aKeepReflowGoing=0xbfbfbda8, aDamageDirtyArea=1) at nsBlockFrame.cpp:3192 #41 0x29abe47e in nsBlockFrame::ReflowDirtyLines (this=0x960ecdc, aState=@0xbfbfc014) at nsBlockFrame.cpp:2999 #42 0x29abb863 in nsBlockFrame::Reflow (this=0x960ecdc, aPresContext=0x8310e00, aMetrics=@0xbfbfc3ec, aReflowState=@0xbfbfc34c, aStatus=@0xbfbfc724) at nsBlockFrame.cpp:1765 #43 0x29ace031 in nsContainerFrame::ReflowChild (this=0x960e04c, aKidFrame=0x960ecdc, aPresContext=0x8310e00, aDesiredSize=@0xbfbfc3ec, aReflowState=@0xbfbfc34c, aX=0, aY=0, aFlags=0, aStatus=@0xbfbfc724) at nsContainerFrame.cpp:693 #44 0x29aecdda in CanvasFrame::Reflow (this=0x960e04c, aPresContext=0x8310e00, aDesiredSize=@0xbfbfc6f0, aReflowState=@0xbfbfc51c, aStatus=@0xbfbfc724) at nsHTMLFrame.cpp:301 #45 0x29db3c13 in nsBoxToBlockAdaptor::Reflow (this=0x960ec80, aState=@0xbfbfca4c, aPresContext=0x8310e00, aDesiredSize=@0xbfbfc6f0, aReflowState=@0xbfbfcbb0, aStatus=@0xbfbfc724, aX=0, aY=0, aWidth=13620, aHeight=10905, aMoveFrame=1) at nsBoxToBlockAdaptor.cpp:794 #46 0x29db3307 in nsBoxToBlockAdaptor::Layout (this=0x960ec80, aState=@0xbfbfca4c) at nsBoxToBlockAdaptor.cpp:467 #47 0x29b3b5cd in nsScrollPortFrame::Layout (this=0x960e128, aState=@0xbfbfca4c) at nsScrollPortFrame.cpp:335 #48 0x29db6187 in nsContainerBox::LayoutChildAt (aState=@0xbfbfca4c, aBox=0x960e160, aRect=@0xbfbfc950) at nsContainerBox.cpp:609 #49 0x29b3946b in nsGfxScrollFrameInner::LayoutBox (this=0x9b72b00, aState=@0xbfbfca4c, aBox=0x960e160, aRect=@0xbfbfc950) at nsGfxScrollFrame.cpp:1016 #50 0x29b396df in nsGfxScrollFrameInner::Layout (this=0x9b72b00, aState=@0xbfbfca4c) at nsGfxScrollFrame.cpp:1101 #51 0x29b394e7 in nsGfxScrollFrame::Layout (this=0x960e084, aState=@0xbfbfca4c) at nsGfxScrollFrame.cpp:1029 #52 0x29dc7226 in nsBoxFrame::Reflow (this=0x960e088, aPresContext=0x8310e00, aDesiredSize=@0xbfbfcc58, aReflowState=@0xbfbfcbb0, aStatus=@0xbfbfcdc0) at nsBoxFrame.cpp:648 #53 0x29b38546 in nsGfxScrollFrame::Reflow (this=0x960e084, aPresContext=0x8310e00, aDesiredSize=@0xbfbfcc58, aReflowState=@0xbfbfcbb0, aStatus=@0xbfbfcdc0) at nsGfxScrollFrame.cpp:715 #54 0x29ace031 in nsContainerFrame::ReflowChild (this=0x960e010, aKidFrame=0x960e088, aPresContext=0x8310e00, aDesiredSize=@0xbfbfcc58, aReflowState=@0xbfbfcbb0, aX=0, aY=0, aFlags=0, aStatus=@0xbfbfcdc0) at nsContainerFrame.cpp:693 #55 0x29b361e6 in ViewportFrame::Reflow (this=0x960e010, aPresContext=0x8310e00, aDesiredSize=@0xbfbfce44, aReflowState=@0xbfbfcd20, aStatus=@0xbfbfcdc0) at nsViewportFrame.cpp:545 #56 0x29aee904 in nsHTMLReflowCommand::Dispatch (this=0x9a503c0, aPresContext=0x8310e00, aDesiredSize=@0xbfbfce44, aMaxSize=@0xbfbfce24, aRendContext=@0xa043000) at nsHTMLReflowCommand.cpp:144 #57 0x29b1bad4 in PresShell::ProcessReflowCommands (this=0x8c1a400, aInterruptible=1) at nsPresShell.cpp:3927 #58 0x29ef2ca8 in ReflowEvent::HandleEvent (this=0x9b26040) at nsPresShell.cpp:3815 #59 0x29b1b597 in HandlePLEvent (aEvent=0x9b26040) at nsPresShell.cpp:3826 #60 0x281d9d61 in PL_HandleEvent (self=0x9b26040) at plevent.c:575 #61 0x281d9bf0 in PL_ProcessPendingEvents (self=0x8112480) at plevent.c:520 #62 0x281dbecc in nsEventQueueImpl::ProcessPendingEvents (this=0x8112440) at nsEventQueue.cpp:356 #63 0x290cbba3 in event_processor_callback (data=0x8112440, source=8, condition=GDK_INPUT_READ) at nsAppShell.cpp:158 #64 0x290cb755 in our_gdk_io_invoke (source=0x8256d20, condition=G_IO_IN, data=0x8256d10) at nsAppShell.cpp:58 #65 0x292c35aa in g_io_unix_dispatch () from /usr/local/lib/libglib12.so.3 #66 0x292c4d17 in g_main_dispatch () from /usr/local/lib/libglib12.so.3 #67 0x292c531f in g_main_iterate () from /usr/local/lib/libglib12.so.3 #68 0x292c54a1 in g_main_run () from /usr/local/lib/libglib12.so.3 #69 0x291f96f3 in gtk_main () from /usr/X11R6/lib/libgtk12.so.2 #70 0x290cc545 in nsAppShell::Run (this=0x8140ce0) at nsAppShell.cpp:334 #71 0x28963ee6 in nsAppShellService::Run (this=0x813ddc0) at nsAppShellService.cpp:386 #72 0x8054e47 in main1 (argc=1, argv=0xbfbfd398, nativeApp=0x0) at nsAppRunner.cpp:906 #73 0x8055be1 in main (argc=1, argv=0xbfbfd398) at nsAppRunner.cpp:1092 (gdb) up #1 0x29ac41fd in nsBlockFrame::DeleteChildsNextInFlow (this=0x99c915c, aPresContext=0x8310e00, aChild=0x99c91e4) at nsBlockFrame.cpp:5669 (gdb) p *aPresContext $6 = (nsIPresContext *) 0x8310e00 (gdb) p *aPresContext $7 = { <nsISupports> = { _vptr$ = 0x2a09d460 }, <No data fields>} (gdb) p *nextInFlow $8 = (nsIFrame *) 0x9bda37c (gdb) p *nextInFlow $9 = { <nsISupports> = { _vptr$ = 0x2a090dc0 }, <No data fields>} (gdb) down #0 0x29ac4007 in nsBlockFrame::DoRemoveFrame (this=0x99c915c, aPresContext=0x8310e00, aDeletedFrame=0x9bda37c) at nsBlockFrame.cpp:5644 (gdb) p line $10 = (nsLineBox *) 0x0 (gdb) p prevLine $11 = (nsLineBox *) 0x0 (gdb) p *linep $12 = (nsLineBox **) 0x9ae051c (gdb) p *linep $13 = (nsLineBox *) 0x0 (gdb) p *this->mLines $14 = (nsLineBox *) 0x9ae04f0 (gdb) p *this->mLines $15 = { mFirstChild = 0x99c91a8, mNext = 0x9ae0518, mBounds = { x = 0, y = 0, width = 0, height = 0 }, mMaxElementWidth = 0, mMaximumWidth = 0, { mAllFlags = 1024, mFlags = { mDirty = 0, mBlock = 0, mImpactedByFloater = 0, mTrimmed = 0, mHasPercentageChild = 0, mLineWrapped = 0, mBreakType = 0, mChildCount = 1 } }, { mData = 0x0, mBlockData = 0x0, mInlineData = 0x0 } } (gdb)
Comment 1•24 years ago
|
||
Using Linux Build 2000062008 from 6/20/00, mozilla doesn't crash. Instead, some javascript errors are reported. JavaScript error: line 0: uncaught exception: [Exception... "Component does not have requested interface" code: "-2147467262" nsresult: "0x80004002 (NS_NOINTERFACE)" location: "<unknown>"] JavaScript error: line 0: uncaught exception: [Exception... "Component does not have requested interface" code: "-2147467262" nsresult: "0x80004002 (NS_NOINTERFACE)" location: "<unknown>"]
Reporter | ||
Comment 2•24 years ago
|
||
Changed the URL to tensingpen.com. The crash is consistent. Warning: tensingpen.com might be changing (it changed in the last week); I may try to create a minimal example. Here's the output associated with the crash. Note all the assertion failures. Document http://www.mozilla.org/ loaded successfully ->>>>>>>>>>>>>> Write Clipboard to memory Entry at index 0 is tensingpen.com Document: Done (5.955 secs) Error loading URL http://tensingpen.com/ Enabling Quirk StyleSheet Document: Done (0.925 secs) *** check number of frames in content area Error loading URL http://www.tensingpen.com/ WARNING: not calling OnDataAvailable, file nsAsyncStreamListener.cpp, line 409 Enabling Quirk StyleSheet Enabling Quirk StyleSheet WARNING: cell content 0x89e0fa0 has large height 1073743969 nsBlockReflowContext: TableOuter(table)(1)@0x89e0e00 metrics=11040,1073743969! nsBlockReflowContext: Block(body)(2)@0x89e0d64 metrics=11040,1073743969! ###!!! ASSERTION: bad status: 'NS_FRAME_IS_COMPLETE(aStatus)', file nsBoxToBlockAdaptor.cpp, line 796 ###!!! Break: at file nsBoxToBlockAdaptor.cpp, line 796 WARNING: cell content 0x89e0fa0 has large height 1073743969 nsBlockReflowContext: TableOuter(table)(1)@0x89e0e00 metrics=10815,1073743969! nsBlockReflowContext: Block(body)(2)@0x89e0d64 metrics=10815,1073743969! ###!!! ASSERTION: bad status: 'NS_FRAME_IS_COMPLETE(aStatus)', file nsBoxToBlockAdaptor.cpp, line 796 ###!!! Break: at file nsBoxToBlockAdaptor.cpp, line 796 WARNING: cell content 0x89e0fa0 has large height 1073743969 nsBlockReflowContext: TableOuter(table)(1)@0x89e0e00 metrics=10815,1073743969! nsBlockReflowContext: Block(body)(2)@0x89e0d64 metrics=10815,1073743969! ###!!! ASSERTION: can't find deleted frame in lines: 'nsnull != line', file nsBlockFrame.cpp, line 5524 ###!!! Break: at file nsBlockFrame.cpp, line 5524 ###!!! ASSERTION: bad prevSibling: 'tmp == aDeletedFrame', file nsBlockFrame.cpp, line 5528 ###!!! Break: at file nsBlockFrame.cpp, line 5528 ###!!! ASSERTION: whoops, continuation without a parent: 'nsnull != flow', file nsBlockFrame.cpp, line 5642 ###!!! Break: at file nsBlockFrame.cpp, line 5642 Segmentation fault - core dumped
Reporter | ||
Comment 3•24 years ago
|
||
Assignee | ||
Comment 4•24 years ago
|
||
*sigh* What a rough job. I am not able to reproduce this (Javascript warnings or crash) on today's Windows NT build at any of the sites mentioned. Will try Linux tomorrow when I get in.
Component: HTMLFrames → Layout
Comment 5•24 years ago
|
||
Unable to reproduce a crash on PC/Linux SuSE6.2, build 2000062020, with the "HTML for tensingpen.com" attachment. My X server is running on a different machine than mozilla, don't know if that makes any difference. Shell output: Entry at index 0 is http://bugzilla.mozilla.org/showattachment.cgi?attach_id=10434 Document: Done (1.607 secs) Error loading URL http://bugzilla.mozilla.org/showattachment.cgi?attach_id=10434 Document: Done (6.832 secs) Error loading URL http://bugzilla.mozilla.org/showattachment.cgi?attach_id=10434 Note: In Communicator, all images are broken on the attachment page.
Reporter | ||
Comment 6•24 years ago
|
||
Add <base href="http://www.tensingpen.com"> to the attachment to make the crash happen. (I really had added the attachment because I was worried that the site would change before the problem could be tracked down - it went through a major update in the last week.) I'll upload a modified attachment.
Assignee | ||
Comment 7•24 years ago
|
||
Tried this on Linux (today's build) with the attachment, the modified attachment, and the current tensingpen.com homepage. No crashes and no javascript warnings. Reporter, can you please try today's build to see if you can still reproduce the problem? Thanks! Marking WORKSFORME due to unreproducibility. Please reopen if you can reproduce this with today's build.
Status: UNCONFIRMED → RESOLVED
Closed: 24 years ago
Resolution: --- → WORKSFORME
Assignee | ||
Comment 8•24 years ago
|
||
To clarify, "modified attachment" in my above comment means that I took the attachment and added <base href="http://www.tensingpen.com"> as suggested. This page behaved correctly on Linux and Win NT.
Reporter | ||
Comment 9•24 years ago
|
||
Fresh checkout, clean and build on 6/21/2000 at ~9pm: still crashes when http://tensingpen.com is loaded. I'll upload a backtrace for the crash, and also for when the first assertion failure occurs. Entry at index 0 is tensingpen.com Document: Done (1.009 secs) Error loading URL http://tensingpen.com/ Enabling Quirk StyleSheet Document: Done (1.482 secs) Error loading URL http://www.tensingpen.com/ Enabling Quirk StyleSheet Enabling Quirk StyleSheet WARNING: cell content 0x8b39fa0 has large height 1073743969 nsBlockReflowContext: TableOuter(table)(1)@0x8b39e00 metrics=9720,1073743969! nsBlockReflowContext: Block(body)(2)@0x8b39d64 metrics=9720,1073743969! ###!!! ASSERTION: bad status: 'NS_FRAME_IS_COMPLETE(aStatus)', file nsBoxToBlockAdaptor.cpp, line 796 ###!!! Break: at file nsBoxToBlockAdaptor.cpp, line 796 WARNING: cell content 0x8b39fa0 has large height 1073743969 nsBlockReflowContext: TableOuter(table)(1)@0x8b39e00 metrics=9495,1073743969! nsBlockReflowContext: Block(body)(2)@0x8b39d64 metrics=9495,1073743969! ###!!! ASSERTION: bad status: 'NS_FRAME_IS_COMPLETE(aStatus)', file nsBoxToBlockAdaptor.cpp, line 796 ###!!! Break: at file nsBoxToBlockAdaptor.cpp, line 796 WARNING: cell content 0x8b39fa0 has large height 1073744209 nsBlockReflowContext: TableOuter(table)(1)@0x8b39e00 metrics=9495,1073744209! nsBlockReflowContext: Block(body)(2)@0x8b39d64 metrics=9495,1073744209! ###!!! ASSERTION: can't find deleted frame in lines: 'nsnull != line', file nsBlockFrame.cpp, line 5524 ###!!! Break: at file nsBlockFrame.cpp, line 5524 ###!!! ASSERTION: bad prevSibling: 'tmp == aDeletedFrame', file nsBlockFrame.cpp, line 5528 ###!!! Break: at file nsBlockFrame.cpp, line 5528 ###!!! ASSERTION: whoops, continuation without a parent: 'nsnull != flow', file nsBlockFrame.cpp, line 5642 ###!!! Break: at file nsBlockFrame.cpp, line 5642 Program received signal SIGSEGV, Segmentation fault. 0x29ac3937 in ?? ()
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Reporter | ||
Comment 10•24 years ago
|
||
Assignee | ||
Comment 11•24 years ago
|
||
Puzzling! I just tested a 10PM debug pull from 21-Jun on both Linux and Solaris and no crash. I wonder if this is FreeBSD only... I know this is redundant, but exactly what steps do you take to get the crash? I started up, typed: "http://tensingpen.com" in the URL bar then hit Enter. Page loads, no crash. Have you tried deleting ~/.mozilla (sometimes old profiles cause badness) Do you have any changes in your tree? grep "^M" $MOZROOT/../cvsco.log If we rule out the obvious, I'll see if I can set up a FreeBSD machine here, or find one already set up.
Reporter | ||
Comment 12•24 years ago
|
||
Reporter | ||
Comment 13•24 years ago
|
||
One further note: After I opened mozilla, I resized it a bit larger. I then typed "tensingpen.com" into the URL widget and hit return. Boom. Compiler is gcc/g++ 2.95.2; OS is FreeBSD 3.x. build options are: ac_add_options --disable-md ac_add_options --disable-cpp-rtti ac_add_options --disable-xterm-updates ac_add_options --disable-pedantic ac_add_options --enable-cpp-exceptions ac_add_options --with-pthreads ac_add_options --enable-pics ac_add_options --enable-tests
Reporter | ||
Comment 14•24 years ago
|
||
Reporter | ||
Comment 15•24 years ago
|
||
I added a package of diffs (from the *.mozilla.*.unix newsgroup) to intl that make Mozilla work with FreeBSD 3.3 (which I happen to be using). I don't see how these changes could be it, but you never know... Those changes were to work around a bug in symbol resolution from dlopen()'d shared objects. The message the diff was taken from was: From: pete@alphanumerica.com (pete collins) Subject: Re: Running M15 on FreeBSD3.3 Newsgroups: netscape.public.mozilla.unix Date: 27 Apr 2000 18:43:47 GMT I also changed one line in nsProfile.cpp; see bug #43087. I changed nsProfile.cpp:349 to: if (NS_FAILED(rv) || ((const PRUnichar*)currentProfileStr == 0)) { I don't think this could be implicated.
Assignee | ||
Comment 16•24 years ago
|
||
I agree, those patches are probably not to blame for the crash you're seeing. I'll try to get a FreeBSD build going, but it may take a few days due to other deadlines I've got to meet. :)
Assignee | ||
Comment 17•24 years ago
|
||
See related bug 43250.
Comment 18•24 years ago
|
||
Adding crash keyword to all open crashers.
Reporter | ||
Comment 19•24 years ago
|
||
Build ID 2000061408, fresh checkout/clean/build as of July 1, problem still happens using the first attachment (06/20/00 19:33).
Assignee | ||
Comment 20•24 years ago
|
||
I just now got a FreeBSD machine up and running. Build is past xpcom, so I think I should have something to work with next week.
Assignee | ||
Comment 21•24 years ago
|
||
Can't reproduce the crash in my FreeBSD build. I tested at tensingpen.com and that other URL mentioned above. ;) I get no crashes. pollmann rock(1):~> uname -a FreeBSD rock 4.0-20000712-STABLE FreeBSD 4.0-20000712-STABLE #0: Wed Jul 12 11:19:03 GMT 2000 root@usw3.freebsd.org:/usr/src/sys/compile/GENERIC i386 pollmann rock(2):~> gcc --version 2.95.2 Added these configure options (same as I use on Linux) ac_add_options --with-pthreads ac_add_options --disable-build-nspr ac_add_options --enable-xterm-updates ac_add_options --enable-debug I'm curious - would you be willing to build an additional, completely clean tree without these options set (they are ones that you added), or are they needed for the build? Also, have you thought of upgrading from 3.3 to 4? :) ac_add_options --disable-md ac_add_options --disable-cpp-rtti ac_add_options --enable-cpp-exceptions ac_add_options --enable-pics (BTW, I have to say that FreeBSD was the fastest and easiest to set up of any OS I've used so far! My only nit is that I still don't have automount working for NIS maps we have setup internally here. :S )
Reporter | ||
Comment 22•24 years ago
|
||
Fresh build with new options still crashes. I wonder if this could be related to the fonts I have installed on my system. I installed some additional fonts supposedly designed for Mozilla (and Netscape 4.x) under Linux/etc; I don't know if they'd have an effect. I got them from this place: http://fox.mit.edu/skunk/xwin/#mozilla_fonts See also bug 44677 My ~/.mozconfig (please excuse the disable/enable of xterm-updates): ac_add_options --disable-xterm-updates ac_add_options --disable-pedantic ac_add_options --with-pthreads ac_add_options --enable-tests ac_add_options --enable-xterm-updates ac_add_options --enable-debug Document: Done (2.754 secs) Error loading URL http://bugzilla.mozilla.org/showattachment.cgi?attach_id=10434 WARNING: not calling OnDataAvailable, file nsAsyncStreamListener.cpp, line 404 Enabling Quirk StyleSheet Enabling Quirk StyleSheet WARNING: cell content 0x8d51010 has large height 1073744209 nsBlockReflowContext: TableOuter(table)(1)@0x8ce6e44 metrics=13305,1073744209! nsBlockReflowContext: Block(body)(2)@0x8ce6da8 metrics=13305,1073744209! ###!!! ASSERTION: bad status: 'NS_FRAME_IS_COMPLETE(aStatus)', file nsBoxToBlockAdaptor.cpp, line 813 ###!!! Break: at file nsBoxToBlockAdaptor.cpp, line 813 WARNING: cell content 0x8d51010 has large height 1073744209 nsBlockReflowContext: TableOuter(table)(1)@0x8ce6e44 metrics=13245,1073744209! nsBlockReflowContext: Block(body)(2)@0x8ce6da8 metrics=13245,1073744209! ###!!! ASSERTION: bad status: 'NS_FRAME_IS_COMPLETE(aStatus)', file nsBoxToBlockAdaptor.cpp, line 813 ###!!! Break: at file nsBoxToBlockAdaptor.cpp, line 813 WARNING: cell content 0x8d51010 has large height 1073744209 nsBlockReflowContext: TableOuter(table)(1)@0x8ce6e44 metrics=13080,1073744209! nsBlockReflowContext: Block(body)(2)@0x8ce6da8 metrics=13080,1073744209! ###!!! ASSERTION: bad status: 'NS_FRAME_IS_COMPLETE(aStatus)', file nsBoxToBlockAdaptor.cpp, line 813 ###!!! Break: at file nsBoxToBlockAdaptor.cpp, line 813 WARNING: cell content 0x8d51010 has large height 1073744209 nsBlockReflowContext: TableOuter(table)(1)@0x8ce6e44 metrics=13080,1073744209! nsBlockReflowContext: Block(body)(2)@0x8ce6da8 metrics=13080,1073744209! ###!!! ASSERTION: can't find deleted frame in lines: 'nsnull != line', file nsBlockFrame.cpp, line 5468 ###!!! Break: at file nsBlockFrame.cpp, line 5468 ###!!! ASSERTION: bad prevSibling: 'tmp == aDeletedFrame', file nsBlockFrame.cpp, line 5472 ###!!! Break: at file nsBlockFrame.cpp, line 5472 ###!!! ASSERTION: whoops, continuation without a parent: 'nsnull != flow', file nsBlockFrame.cpp, line 5586 ###!!! Break: at file nsBlockFrame.cpp, line 5586 Segmentation fault - core dumped
Reporter | ||
Comment 23•24 years ago
|
||
Another site that causes the same crash: http://www.avsforum.com/ubbcgi/forumdisplay.cgi?action=topics&forum=HDTV&number=11&DaysPrune=5&LastLogin= (Or, go to www.avsforum.com, and click on HDTV).
Reporter | ||
Comment 24•24 years ago
|
||
Reporter | ||
Comment 25•24 years ago
|
||
I made a minimal example. This bug is closely related (or is the same as) bug 44677. This appears to be caused by problems handling the Arial font that's installed by the mozilla font package mentioned. I suspect strongly something isn't checking for an error when getting the size of a string.
Assignee | ||
Comment 26•24 years ago
|
||
After installing the fonts, I can see the crash. Great work narrowing down the problem Randell! My guess is that this bug is also present on Linux, Solaris, and any Unix after installing the fonts.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Assignee | ||
Comment 27•24 years ago
|
||
This is a severe bug (crash) but not widely seen (need to install these particular fonts, and on un*x only). Marking Future.
Target Milestone: --- → Future
Reporter | ||
Comment 28•24 years ago
|
||
Ok, I tracked down the specific reason for the wacky area sizes that cause problems. In nsFontMetricsGTK.cpp:942, we do this: if (::XGetFontProperty(fontInfo, XA_X_HEIGHT, &pr)) { mXHeight = nscoord(pr * f); #ifdef REALLY_NOISY_FONTS printf("xHeight=%d\n", mXHeight); #endif } All well and good. However, this font appears to have the X_HEIGHT property set to 0xfffffffe: (gdb) p/x fontInfo->properties[16] $29 = { name = 0x38, card32 = 0xfffffffe } Note: the call didn't fail, the font has a garbage value for X_HEIGHT. There are two solutions (we can do both): 1) get the font designer to fix the font. This font is supposedly designed for use with Mozilla (witness the name). The problem may well be in their font editor/converter, since few people build them by hand. 2) Add this to nsFontMetricsGTK.cpp: if (::XGetFontProperty(fontInfo, XA_X_HEIGHT, &pr)) { if (pr < 0x00ffffff) // arbitrary to exclude garbage values { mXHeight = nscoord(pr * f); #ifdef REALLY_NOISY_FONTS printf("xHeight=%d\n", mXHeight); #endif } } Note that this sort of sanity-checking could apply to any font property, so we'd need to add it to a bunch of them. While this would avoid the problem, I don't think malformed fonts are that big an issue in general, __UNLESS__ there's a tool out there that does this commonly to converted fonts - and there might be. We need to contact the author of the fonts and find out how this happened (and get him to fix it). I'd suggest closing this bug, at least until we find out if there's a bad tool creating these bad X_HEIGHT's in common use. Also, 44677 should be marked as a dup of this (or vice-versa). Also, you might want to not close this one, but resolve it by adding Assertions about the X font properties, so any future problems like this are easier to debug (it can cause wild-ass problems far down the road from the error). That wouldn't impact speed/size in non-debug versions.
Comment 29•24 years ago
|
||
*** Bug 44677 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 30•24 years ago
|
||
Great work Randell! Thanks for going the extra mile on this! if (::XGetFontProperty(fontInfo, XA_X_HEIGHT, &pr)) { if (pr < 0x00ffffff) // arbitrary to exclude garbage values { mXHeight = nscoord(pr * f); #ifdef REALLY_NOISY_FONTS printf("xHeight=%d\n", mXHeight); #endif } } Should the check be pr < 0xfffffffe? What should be done in the "else" case? Is there some rational number for mXHeight to default to, or should it not be changed as above? (what is mXHeight? can it be derived somehow from the font?) I'd be interested to see what the moz-classic source base did in this case because it seems to handle those fonts fine!
Reporter | ||
Comment 31•24 years ago
|
||
>Should the check be pr < 0xfffffffe? I chose a "very large" value (0x00ffffff - 16 million points). If anything, that should be lowered. It's just meant to exclude irrational items.) >What should be done in the "else" case? Is there some rational number for >mXHeight to default to, or should it not be changed as above? (what is >mXHeight? can it be derived somehow from the font?) It's the 'nominal' height of lower-case letters above the baseline. There is a default already set before this snippet of code, so all we have to do is not set it to a silly value. >I'd be interested to see what the moz-classic source base did in this case >because it seems to handle those fonts fine! It'd be very interesting. Note: mXHeight is used to create default superscript and subscript vertical offsets (which was where the problem was coming from). I suspect old Netscape used something else.
Assignee | ||
Comment 32•24 years ago
|
||
> I chose a "very large" value (0x00ffffff - 16 million points). If anything, > that should be lowered. It's just meant to exclude irrational items.) Agreed - I didn't see the preceeding 00 somehow... Oops! Using the default values is fine, that's great that it's set in case the font has a wacky value! I couldn't find this in the moz-classic code base. I can say from http://lxr.mozilla.org/classic that we never called XGetFontProperty to get XA_X_HEIGHT anywhere in the code base. Perhaps a fixed value (based on the font size?) was used?
Reporter | ||
Comment 33•24 years ago
|
||
(I changed the Summary) It didn't crash (or have problems) in Classic because it used the font->ascent/2 for superscripts (and probably subscripts), instead of using X_HEIGHT (which is more correct - X_HEIGHT is the nominal height of lower-case letters in the font; ascent is the height of upper-case characters). Search for text "superscript" on LXR in classic and you'll find it in the layout directory near the front of the hit list.
Summary: Crash when removing a frame on reflow → Crash when font X_HEIGHT property is garbage (mozilla-fonts font package)
Assignee | ||
Comment 34•24 years ago
|
||
Since we start out with the assumption that the nominal height is .56 of the ascent, it seems like we'll fall back on a reasonable value with your fix. Annotating this as "fix in hand" and nominating for beta3. This is a simple, low-risk solution for the crash.
Keywords: nsbeta3
Whiteboard: fix in hand
Assignee | ||
Updated•24 years ago
|
Target Milestone: Future → M18
Assignee | ||
Comment 37•24 years ago
|
||
Fix checked in (to GTK, Xlib, and Xprint). To verify: 1) Get a Linux build 2) Add the naughty fonts to your path: xset +fp /u/pollmann/public/mozilla-fonts 3) Start up apprunner 4) Type http://tensingpen.com into the URL bar and press Enter If you don't crash, the bug is fixed! Thanks again Randell!
Status: ASSIGNED → RESOLVED
Closed: 24 years ago → 24 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•