Closed Bug 102778 Opened 24 years ago Closed 24 years ago

Trunk crash [@ nsTextFrame::TextStyle::TextStyle]

Categories

(Core :: Layout, defect, P1)

x86
All
defect

RESOLVED DUPLICATE of bug 101746
mozilla0.9.6

People

(Reporter: jay, Assigned: attinasi)

Details

(Keywords: crash, topcrash, Whiteboard: want for 0.9.5)

Attachments

(2 files)

This is a topcrasher with recent MozillaTrunk builds on all flavors of Windows. Here is the latest info from Talkback reports:
nsTextFrame::TextStyle::TextStyle 18
BBID range: 35990741 - 36148284
Min/Max Seconds since last crash: 12 - 72686
Min/Max Runtime: 169 - 76903
Crash data range: 2001-09-28 to 2001-10-01
Build ID range: 2001092714 to 2001100109
Stack Trace:
  nsTextFrame::TextStyle::TextStyle [d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp line 549]
  nsTextFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp line 5012]
  nsLineLayout::ReflowFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineLayout.cpp line 1038]
  nsBlockFrame::ReflowInlineFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 3489]
  nsBlockFrame::DoReflowInlineFrames [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 3373]
  nsBlockFrame::DoReflowInlineFramesAuto [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 3298]
  nsBlockFrame::ReflowInlineFrames [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 3243]
  nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 2389]
  nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 2059]
  nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 815]
  nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 738]
  CanvasFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLFrame.cpp line 584]
  nsBoxToBlockAdaptor::Reflow [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxToBlockAdaptor.cpp line 885]
  nsBoxToBlockAdaptor::DoLayout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxToBlockAdaptor.cpp line 541]
  nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp line 1004]
  nsScrollBoxFrame::DoLayout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsScrollBoxFrame.cpp line 393]
  nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp line 1004]
  nsBoxFrame::Reflow [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp line 920]
  nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 738]
  ViewportFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsViewportFrame.cpp line 575]
  PresShell::InitialReflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 2674]
  HTMLContentSink::StartLayout [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp line 3898]
  HTMLContentSink::DidBuildModel [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp line 2741]
  CNavDTD::DidBuildModel [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp line 669]
  nsParser::DidBuildModel [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp line 1423]
  nsParser::Terminate [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp line 1493]
  nsHTMLDocument::StopDocumentLoad [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLDocument.cpp line 879]
  DocumentViewerImpl::Stop [d:\builds\seamonkey\mozilla\content\base\src\nsDocumentViewer.cpp line 1240]
  nsDocShell::Stop [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp line 2296]
  nsDocShell::Destroy [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp line 2441]
  nsWebShell::Destroy [d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp line 1411]
  nsHTMLFrameInnerFrame::~nsHTMLFrameInnerFrame [d:\builds\seamonkey\mozilla\layout\html\document\src\nsFrameFrame.cpp line 696]
  nsHTMLFrameInnerFrame::`scalar deleting destructor'
  nsFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrame.cpp line 473]
  nsFrameList::DestroyFrames [d:\builds\seamonkey\mozilla\layout\base\src\nsFrameList.cpp line 131]
  nsContainerFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 136]
  nsLineBox::DeleteLineList [d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineBox.cpp line 267]
  nsBlockFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 328]
  nsFrameList::DestroyFrames [d:\builds\seamonkey\mozilla\layout\base\src\nsFrameList.cpp line 131]
  nsContainerFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 136]
  nsFrameList::DestroyFrames [d:\builds\seamonkey\mozilla\layout\base\src\nsFrameList.cpp line 131]
  nsContainerFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 136]
  nsFrameList::DestroyFrames [d:\builds\seamonkey\mozilla\layout\base\src\nsFrameList.cpp line 131]
  nsContainerFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 136]
  nsFrameList::DestroyFrames [d:\builds\seamonkey\mozilla\layout\base\src\nsFrameList.cpp line 131]
  nsContainerFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 136]
  nsTableFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp line 295]
  nsFrameList::DestroyFrames [d:\builds\seamonkey\mozilla\layout\base\src\nsFrameList.cpp line 131]
  nsContainerFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 136]
  nsTableOuterFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp line 85]
  nsLineBox::DeleteLineList [d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineBox.cpp line 267]
  nsBlockFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 328]
  nsLineBox::DeleteLineList [d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineBox.cpp line 267]
  nsBlockFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 328]
  nsFrameList::DestroyFrame [d:\builds\seamonkey\mozilla\layout\base\src\nsFrameList.cpp line 217]
  CanvasFrame::RemoveFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLFrame.cpp line 371]
  FrameManager::RemoveFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp line 859]
  nsCSSFrameConstructor::ReconstructDocElementHierarchy [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 7145]
  StyleSetImpl::ReconstructDocElementHierarchy [d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp line 1186]
  PresShell::ReconstructFrames [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 5113]
  nsDocument::InsertStyleSheetAt [d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp line 1386]
  CSSLoaderImpl::InsertSheetInDoc [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp line 1120]
  CSSLoaderImpl::SheetComplete [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp line 823]
  CSSLoaderImpl::ParseSheet [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp line 878]
Source File : http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/html/base/src/nsTextFrame.cpp line : 549
(36111151) URL: http://www2.realint.com/cgi-bin/tbbs.cgi?ginnosankaku
(36111151) Comments: close a tab with multizilla
(36096099) URL: http://freespace.morat.net/commie1/bugzilla/testcase.zip
(36096099) Comments: Same as TB36096059Q
(36096059) URL: http://freespace.morat.net/commie1/bugzilla/testcase.zip
(36096059) Comments: The provided url is a testcase open index.html in win2k and it will crash. this crash isnt happening under linux
(36082915) Comments: I was using the new tabbed window interface..it became unresponsive wiht like 6 tabs...begain painting all over my desktop then died without displaying a gpf box.
(36054845) URL: http://x.themes.org and http://www.mozilla.org/start
(36054845) Comments: I was downloading a theme at the time
Adding crash, topcrash keywords and [@ nsTextFrame::TextStyle::TextStyle] to summary for tracking.
Keywords: crash, topcrash
Crash is here:
  #if defined(_WIN32) || defined(XP_OS2)
    mNormalFont->GetAveCharWidth(mAveCharWidth);
  #endif
I suppose the mNormalFont could be null. It is initialized just above this spot, but it is possible that the font metrics cannot be initialized, and the return value from
  deviceContext->GetMetricsFor(*plainFont, langGroup, mNormalFont);
is lost, so we should probably make this more robust. I cannot reproduce this yet, so just shooting at the usual suspects for now, waiting for trunk build (branch is not crashing at the URLs provided)
Status: NEW → ASSIGNED
rbs - could you take a look at this? You have more knowledge of fonts and font metrics than I do, and maybe you can understand how the deviceContext->GetMetricsFor method can fail. Patch attached for your enjoyment (and reviews).
Priority: -- → P1
Target Milestone: --- → mozilla0.9.5
I tried unzipping http://freespace.morat.net/commie1/bugzilla/testcase.zip which has the comment "open index.html in win2k and it will crash". It is crashing with my debug build indeed, do you see the crash too? The crash I am seeing is not in TextStyle() -- a null font metrics is highly suspicious of some other problem that will eventually crash elsewhere to say the least.
Had a further look at the unzipped testcase -- it seems there is an infinite recursion somewhere (which means corrupted/unreliable vptr table / stack trace.) I noted that the page renders fine if I comment out these two JS lines in both "titel.htm" and "inhoud\inh-html.htm":
  //if (top.frames.length != 3 || (parent.frames[0].name != "titel"))
  //top.location.href = "index.html";
OK, I do crash on the testcase now (I was not last time I tried, strange). I'll attach the stack, it is totally unrelated to the stack in this report. Basically, it looks like the script changes the href, the docShell is stopped, that unsuppresses painting which then causes the docViewer to Show - The previous DocViewer is then destroyed, which causes the document to stop loading, which then causes the parser to terminate, resulting in a call to StartLayout and an attempt to do the initial reflow. Summary: we are blowing it by trying to layout the previous document after it has been destroyed. Ack. This has nothing to do with this topcrash stack, I think.
Moving to 0.9.6 since the proposed patch is not too likely to help much, and the new stack is not yet understood. It might get done by tomorrow, but don't hold your breath. BTW: these seem to be most common with the tabbed interface...
Target Milestone: mozilla0.9.5 → mozilla0.9.6
I have verified that this bug was fixed with the fix for bug 101746 -- I was crashing with the testcase and I updated my tree with just the patch attached in that bug and couldn't crash anymore. To be precise therefore, the infinite recursion was a regression from the original fix for bug 49874. And now that the dust from that bug has been cleared in the follow-up bug 101746, the infinite scenario described here is gone. *** This bug has been marked as a duplicate of 101746 ***
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
Perhaps this was really fixed by the patch to bug 108105?
Yes. The fix for bug 108105 addressed the root cause -- not just symptoms by particular circumstances. With the correct fix, the various sequences that were ultimately causing the document to be laid out when the document is being destroyed (c.f. stack trace above and in that bug) are now short-circuited. And from this, nsTextStyle objects don't come into play anymore (so as I noted over there, the bit that null checks is not really significant).
Crash Signature: [@ nsTextFrame::TextStyle::TextStyle]
Depends on: 1018060
No longer depends on: 1018060
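
The sequence analysed in this bug (a document torn down while its load is being stopped, ending in an initial reflow that dereferences font metrics) as a small added C++ model. It is not Mozilla code and not the patch from bug 101746 or bug 108105; every type and name in it is a hypothetical stand-in. It contrasts the null-metrics check with the short-circuit on teardown.

```cpp
// Added illustration: hypothetical stand-in types, not Mozilla classes.
#include <cstdio>
#include <memory>

struct FontMetrics { int aveCharWidth = 7; };

// Metrics lookup that can fail and leave the out-parameter null.
struct DeviceContext {
  bool alive = true;
  bool GetMetricsFor(std::unique_ptr<FontMetrics>& out) const {
    if (alive) out.reset(new FontMetrics); else out.reset();
    return alive;  // status the caller must not discard
  }
};

enum class LayoutResult { Done, SkippedTeardown, NoMetrics };

struct Document {
  DeviceContext dc;
  bool beingDestroyed = false;
  LayoutResult lastLayout = LayoutResult::Done;

  // Initial reflow: text measurement needs font metrics.
  LayoutResult StartLayout() {
    // Root-cause guard: never lay out a document that is being torn down.
    if (beingDestroyed) return LayoutResult::SkippedTeardown;
    std::unique_ptr<FontMetrics> fm;
    // Symptom guard: check the status and the pointer before dereferencing.
    if (!dc.GetMetricsFor(fm) || !fm) return LayoutResult::NoMetrics;
    return fm->aveCharWidth > 0 ? LayoutResult::Done : LayoutResult::NoMetrics;
  }
  // Stopping a load terminates the parser, which triggers layout.
  void Stop() { lastLayout = StartLayout(); }
  // Teardown re-enters Stop(), as Destroy -> Stop -> StartLayout in the trace.
  void Destroy() {
    beingDestroyed = true;
    dc.alive = false;  // presentation resources are going away
    Stop();
  }
};

LayoutResult destroy_mid_load() { Document d; d.Destroy(); return d.lastLayout; }
LayoutResult metrics_failure()  { Document d; d.dc.alive = false; d.Stop(); return d.lastLayout; }
LayoutResult normal_load()      { Document d; d.Stop(); return d.lastLayout; }

int main() {
  std::printf("%d %d %d\n", (int)destroy_mid_load(), (int)metrics_failure(),
              (int)normal_load());
}
```

With the teardown guard in place the metrics check is never reached on the destroy path, which matches the observation in the thread that the null check alone is not the significant part.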