105168 - [FIX]N610 N620 M094 M095 Trunk Access violation [@ nsLineLayout::VerticalAlignFrames]

Status: RESOLVED FIXED

(Core :: Layout, defect, P1)

Description

[greer]

This one has 31 crashes spread over N610, N620, M094, M095 and the Trunk, but
not enough to make the top 40 reports. 

This one passes through some of the same code as Hyatt's bug 104804 and has a
couple of user comments (below) that might point to the same trouble.

Stack Trace:
nsLineLayout::VerticalAlignFrames
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineLayout.cpp, line 2322]
nsLineLayout::ReflowFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineLayout.cpp, line 1298]
nsBlockFrame::ReflowInlineFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3492]
nsBlockFrame::DoReflowInlineFrames
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3374]
nsBlockFrame::DoReflowInlineFramesAuto
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3299]
nsBlockFrame::ReflowInlineFrames
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3244]
nsBlockFrame::ReflowLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2390]
nsBlockFrame::ReflowDirtyLines
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2060]
nsBlockFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 815]
nsBlockReflowContext::DoReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line
589]
nsBlockReflowContext::ReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line
360]
nsBlockFrame::ReflowBlockFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2988]
nsBlockFrame::ReflowLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2276]
nsBlockFrame::ReflowDirtyLines
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2060]
nsBlockFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 815]
nsBlockReflowContext::DoReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line
589]
nsBlockReflowContext::ReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line
360]
nsBlockFrame::ReflowBlockFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2988]
nsBlockFrame::ReflowLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2276]
nsBlockFrame::ReflowDirtyLines
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2060]
nsBlockFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 815]
nsBlockReflowContext::DoReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line
589]
nsBlockReflowContext::ReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line
360]
nsBlockFrame::ReflowBlockFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2988]
nsBlockFrame::ReflowLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2276]
nsBlockFrame::ReflowDirtyLines
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2060]
nsBlockFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 815]
nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 738]
CanvasFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLFrame.cpp, line 584]
nsBoxToBlockAdaptor::Reflow
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxToBlockAdaptor.cpp, line 885]
nsBoxToBlockAdaptor::DoLayout
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxToBlockAdaptor.cpp, line 541]
nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp, line 1004]
nsScrollBoxFrame::DoLayout
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsScrollBoxFrame.cpp, line 393]
nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp, line 1004]
nsContainerBox::LayoutChildAt
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsContainerBox.cpp, line 671]
nsGfxScrollFrameInner::LayoutBox
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 1027]
nsGfxScrollFrameInner::Layout
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 1138]
nsGfxScrollFrame::DoLayout
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 1035]
nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp, line 1004]
nsBoxFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 920]
nsGfxScrollFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 753]
nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 738]
ViewportFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsViewportFrame.cpp, line 575]
PresShell::ResizeReflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 2811]
PresShell::ResizeReflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5793]
nsViewManager::SetWindowDimensions
[d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp, line 686]
nsViewManager::DispatchEvent
[d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp, line 1996]
HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 83]
nsWindow::DispatchEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 749]
nsWindow::DispatchWindowEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 766]
nsWindow::OnResize [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp,
line 4182]
nsWindow::ProcessMessage
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 3483]
nsWindow::WindowProc
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 1014]
USER32.DLL + 0x2e98 (0x77e12e98)
USER32.DLL + 0x39a3 (0x77e139a3)
USER32.DLL + 0x5cdb (0x77e15cdb)
ntdll.dll + 0x2032f (0x77fa032f)
DocumentViewerImpl::SetBounds
[d:\builds\seamonkey\mozilla\content\base\src\nsDocumentViewer.cpp, line 1419]
nsDocShell::SetPositionAndSize
[d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2552]
nsWebShell::SetPositionAndSize
[d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, line 1422]
nsHTMLFrameInnerFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\document\src\nsFrameFrame.cpp, line 1425]
nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 738]
nsHTMLFrameOuterFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\document\src\nsFrameFrame.cpp, line 522]
nsLineLayout::ReflowFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineLayout.cpp, line 1038]
-----------------
Very few comments:
(36735627) 2001101209 - Windows 98  4.10 build 67766446  closing a tabbed window
(36653973) 2001101120 - Windows NT  5.0 build 2195       Open Debug Demo #9
(frames)Within "frame3"  click "frame1"  "frame2"  frame3.1"  "self"Click
 Back (this should restore frame 3Within "frame3"  click "self"Click
BackResult:The instruction at "0x6039da64" referenced memory at "0x00000038".

Comment 1

[Marc Attinasi]

The only thing I see is this:

  while (nsnull != pfd) {
    nsIFrame* frame = pfd->mFrame;
...
    frame->GetStyleData(eStyleStruct_TextReset, (const nsStyleStruct*&)textStyle);

No check for NULL frame, but that should never happen anyway. I cannot dup this.
I'm tempted to put in an ASSERTION on the frame not bing null, and get out quick
if it is, but this is just going to mask the real problem (which I cannot
reproduce).

Comment 2

[greer]

These are the latest user comments to help find repro steps. I've tried several
of the windows leads, without success. 

N610 :        8
(37694466) - Windows NT  5.0 build 2195: don't know sending email
(37695628) - Windows NT  5.0 build 2195:  I WAS OPENING MY BROWSER TO YAHOO AND
THAT MESSAGE CAME UP
(37702564) - Windows 98  4.10 build 67766222:
http://www.gsfc.nasa.gov/topstory/20010919sunspot.html trying to print
 the html pagesI had no trouble printing the expanded images (of the sunspots 
etc).  But Netscape choked on printin
g the web page itself.
N620 :       20
(37483121) - Windows NT  5.0 build 2195: property-theme-uninstall Upgrading from
the netscape 6.1 to 6.2 when uninst
alling theme used 6.1 the netscape is crashed.
(37721704) - Linux 2.4.14: http://www.dagbladet.no trying to open the mainpage
when the browser were killed
(37431356) - Linux 2.4.2-2: www.abc.go.com trying to play millionaire
M094 :        2
(37744814) - Windows NT  5.0 build 2195: cbs.sportsline.com I started the damn
browser.
M095 :       15
(37392548) - Windows NT  5.1 build 2600: slashdot.org somewhere Clicked an
eeeeeevil link!I thought it was just a li
nk  but no... it was eeeeeeevil!
Trunk :        6

Comment 3

[Marc Attinasi]

Attachment: PATCH: safety check and assert on frame

The patch is just a sanity check. It will prevent the crash, but is not fixing
the real problem. I cannot reproduce the real problem and cannot find a
sensible reason why it should occur, so this is the best I can offer until we
get a good reproducible case.

Comment 4

[Marc Attinasi]

Patch needs reviews...

Comment 5

[Marc Attinasi]

Really needs reviews :)

Comment 6

[David Hyatt]

sr=hyatt

Comment 7

[karnaze (gone)]

Comment on attachment 57800 [details] [diff] [review]
PATCH: safety check and assert on frame

r=karnaze

Comment 8

[Marc Attinasi]

/cvsroot/mozilla/layout/html/base/src/nsLineLayout.cpp,v  <--  nsLineLayout.cpp
new revision: 3.113; previous revision: 3.112
done