Closed Bug 105619 Opened 23 years ago Closed 23 years ago

Javascript menus crash mozilla 0.9.5 & CVS [@ CopyChars1To2][@ FrameManager::ReResolveStyleContext] [@ nsAString::do_AssignFromReadable][@ nsAString::AssignFromReadable]

Categories

(Core :: CSS Parsing and Computation, defect, P1)

Product:
Core
Component:
CSS Parsing and Computation
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla0.9.9

People

(Reporter: mikael, Assigned: dbaron)

References

(
URL
)

Details

(5 keywords)

Crash Data

Attachments

(11 files, 4 obsolete files)

FYI - patch used for inspection - includes explanatory comments
3.50 KB, text/plain
Details
simplified testcase
640 bytes, text/html
Details
patch fixing this bug
1.19 KB, patch
shaver
: review+
hyatt
: superreview+
Details | Diff | Splinter Review
Stack from Talkback incident 324891
3.38 KB, text/plain
Details
purify info 2001-12-20 solaris build
1.90 KB, text/plain
Details
purify log file (*.pv)
263.69 KB, application/octet-stream
Details
Stacks for incidents in Comments 82 & 83
20.90 KB, text/plain
Details
debugging notes for http://www.iht.com/
8.22 KB, text/plain
Details
testcase from bug 127120
288 bytes, text/html
Details
fix
1.20 KB, patch
bzbarsky
: review+
brendan
: superreview+
shaver
: approval+
Details | Diff | Splinter Review
Stacks from M099 at nsAString::do_AssignFromReadable
7.56 KB, text/plain
Details
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.5+) Gecko/20011017 BuildID: 2001101715 When trying to pop down a javascript menu on our BSCW server, Mozilla crashes instantly. This is a problem with both 0.9.5 and the 2001101715 CVS version from Debian unstable. It worked on 0.9.4 and before. Reproducible: Always Steps to Reproduce: 1. Go to http://ulldb.ull.uu.se/matdid/pub/bscw.cgi/0/4 2. Click on "File" 3. Crash Actual Results: Mozilla crashes instantly Expected Results: A pop-down menu should have appeared.
TB36901281E
The crash occures already on mousing over the "File" menu at that site. There's an older (fixed) bug 91479 with the same stack. I added comment there. Resolving as new, adding to summary. Unsure about component.. #0 0x4015dfd3 in CopyChars1To2 () at eval.c:41 #1 0x4015ec8b in nsStr::StrAppend () at eval.c:41 #2 0x4015ebc9 in nsStr::StrAssign () at eval.c:41 #3 0x40161ff1 in nsString::nsString () at eval.c:41 #4 0x40026b23 in nsFont::nsFont () at eval.c:41 #5 0x41293fc2 in nssArenaHashAllocOps () from /usr/local/mozilla/components/libgfx_gtk.so #6 0x400268b6 in nsFontCache::GetMetricsFor () at eval.c:41 #7 0x40025c84 in DeviceContextImpl::GetMetricsFor () at eval.c:41 #8 0x417a72df in NSGetModule () from /usr/local/mozilla/components/libgklayout.so ......
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Javascript menus crash mozilla 0.9.5 & CVS → Javascript menus crash mozilla 0.9.5 & CVS [@ CopyChars1To2]
Keywords: crash
moving to strings, probably belongs to fonts (which doesn't exist as a component, layout?)
Assignee: asa → scc
Component: Browser-General → String
QA Contact: doronr → scc
*** Bug 108994 has been marked as a duplicate of this bug. ***
Keywords: mozilla0.9.7
OS: Linux → All
Hardware: PC → All
I'd guess it is this line: http://lxr.mozilla.org/seamonkey/source/gfx/src/nsFont.cpp#46 42 nsFont::nsFont(const char* aName, PRUint8 aStyle, PRUint8 aVariant, 43 PRUint16 aWeight, PRUint8 aDecoration, nscoord aSize, 44 float aSizeAdjust) 45 { 46 name.AssignWithConversion(aName); which has not charged for a while: 3.9 <scc@netscape.com> 03 Apr 2000 01:27 making string conversions explicit Could this be a null pointer? (my unix systems here at netscape are still horked from the network upgrade)
I seem to recollect that name.AssignWithConversion(nsnull) is (or should I say, used to be?) designed not to crash. It amounts to name.SetLength(0).
Anyway, that stack makes it look like it's crashing in the string's constructor, not AssignWithConversion. Maybe some memory is corrupt?
Keywords: top100
*** Bug 108240 has been marked as a duplicate of this bug. ***
I'm not sure I'm happy with dumping these dups on scc. I question whether the string code is at fault here. Please note my comment http://bugzilla.mozilla.org/show_bug.cgi?id=108240#c4 For whatever reason it looks like we're getting a font with a garbage string from a style context. Who is going to actually dig this out and solve it?
The URL given, http://ulldb.ull.uu.se/matdid/pub/bscw.cgi/0/4 , is currently giving me a 404 so I can't reproduce the crash.
I get a 404 too. The dup'd bug 108240 still crashes for me on W2K. Let's be careful this chain of dup's does not get closed because we can't reproduce this one case :)
It is crashing because the data that is stored in nsStyleContext::mCachedStyleData becomes corrupted at some point (maybe somebody is overwriting it). I made a little patch to inspect if the font data that is read from the style context has indeed be set earlier. I see a pattern like >>Set the data in the style context > [set other data] >>Get the data <- OK > [get other data] > [set other data] >>Get the data <- might be OK for some time > [get other data] > [set other data] >>Get the data <- becomes corrupted at some point, causing the crash (For information, I will attach the little patch that I used for this.) Updating URL and adding the regression keyword since it works in m0.9.5. (qawanted might be needed to narrow the window of faulty builds). Re-assigning to the Style System to kick off the investigation from there.
Assignee: scc → dbaron
URL: http://ulldb.ull.uu.se/matdid/pub/bsc...http://www.iht.com/frontpage.htm
Component: String → Style System
Keywords: regression
QA Contact: scc → ian
Sorry, our BSCW server moved, so the URL I gave no longer works. Try instead (same crash): https://kmr.nada.kth.se/pub/bscw.cgi /Mikael
https://kmr.nada.kth.se/pub/bscw.cgi doesn't crash on win2k using build 2001111108. Could the reported crash at this URL be related to bug 107850 ?
Mozilla CVS from 2001110816 on Debian unstable no longer crashes. Has this bug been fixed?
Talking with matic we discovered a similar stack trace in talk backs. There are 67 incidents that end in CopyChars1To2. In a small sampling the following appears to be more prevelant than the stack trace reported earlier in this bug. Talkback ID 38095137 contains this stack if someone wants to look at that. CopyChars1To2() nsStr::StrAppend() nsString::AppendWithConversion() nsString::AssignWithConversion() nsPlainTextSerializer::AppendText()
That's the stack you get when someone tries to append (to?) a bogus string. It shouldn't all be lumped into one bug.
Ok, then about 20% of 67 talkback incidents appear to be related to this bug. That from about a sampling of 10 of the 67 bugs.
QA Contact: ian → amar
Well, it didn't seem to help. Either that, or I'm running into a different crash (I was seeing two different ones before). I did notice a typo, which is that I had mChild in one place where I should have had mEmptyChild.
There was another problem in addition to the mEmptyChild problem -- I need to pass |~PRUint32(0)|, not |bitsToClear|, since ClearStyleData clears all the data from a style context, not just the data it inherits.
Attachment #59126 - Attachment is obsolete: true
Well, it still doesn't work, and I don't know why. (If I do get it to work, in my tree I've renamed the new function to nsStyleContext::ClearInheritedData(PRUint32 aBitsClearedFromParent), and it could probably even be combined with ClearStyleData.)
In the debugger, I found that all the calls to ClearStyleData before the crash set |matched| to false, so they wouldn't cause the crash.
+void nsStyleContext::ClearInheritedData(PRUint32 aBitsClearedFromParent) +{ + PRUint32 bitsToClear = aBitsClearedFromParent & mBits; + if (bitsToClear) { It seems this is not covering all the cases. Suppose a direct child is not inhereting anything, but the grandchild is inheriting something. Then bitsToClear <- 0 for the child, and so the grandchild won't be visited. Or is this case an impossible case?
The grandchild would be inheriting from the child, and since we're not clearing the data out of the child there's no need to clear it out of the grandchild. Though actually, now that I think about it, even if a child isn't inheriting the entire struct, parts of the struct could be invalid and we should probably clear the whole thing anyway. Or am I missing something?
Currently, as soon as |matched| happens to be true, the whole subtree is blown away (by virtue of the recursive call to ClearStyleData() with the param |aRule| forced to nsnull). So invalidations seem to be taking no chances already.
Comment on attachment 59128 [details] [diff] [review] more-cleaned-up version of patch which I think is correct but unrelated to this bug ah, good, then.
Attachment #59128 - Attachment is obsolete: true
I missed that little uncommented |aRule = nsnull| that was the key to the entire function. So now I'm back to having no idea at all how we could get into this state...
Some clues that might be useful. I tried to following experiments: 1) In nsCSSFrameConstructor::AttributeChanged(), I forced the hint to be set as |reconstruct| if if was |restyle|, i.e.: [...] if (restyle) { restyle = PR_FALSE; reconstruct = PR_TRUE; } [...] Motivation: it the style tree is corrupted, let's see what happens if the whole document hierarchy is reconstructed anyway... Unfortunately, this generated lots of assertions with XBL frames, although HTML frames could withstand this and I eventually managed to display the testcase using viewer without scrollbars. (The scroball code was crashing and I had to add an early return in nsGfxScrollFrameInner::AddRemoveScrollbar() to stop them from being created at all.) 2) Back to a fresh tree, in nsDOMCSSAttributeDeclaration::ParsePropertyValue(), I tried commenting the line [hint = 0]: //result = cssParser->ParseProperty(aPropName, aPropValue, baseURI, decl,&hint); Motivation: there are several |style| attributes in the testcase, let see if the problem comes from one of them. With this line commented out, the tescase could render with Mozilla (and viewer). So, going on from there, I dumped: +nsCAutoString prop; prop.Assign(NS_ConvertUCS2toUTF8(aPropName)); +nsCAutoString value; value.Assign(NS_ConvertUCS2toUTF8(aPropValue)); +printf("Content:%p Prop:%s value:%s\n", mContent, prop.get(), value.get()); result = cssParser->ParseProperty(aPropName, aPropValue, baseURI, decl, &hint); This gave the following output on the debug console: Content:02FBDCF0 Prop:visibility value:hidden Content:02FBEEE0 Prop:visibility value:visible Content:02FC76C0 Prop:display value:none Content:02FC5440 Prop:visibility value:hidden Content:02FDB140 Prop:display value:block Content:02FC5440 Prop:visibility value:visible Content:02FDB140 Prop:display value:none Content:02FC5440 Prop:visibility value:hidden Content:02FDB140 Prop:display value:block Content:02FC5440 Prop:visibility value:visible Content:02F71990 Prop:top value:75 ->crash -- invariably happens here after the above sequence. Continuing... I wondered what might happen if the last prop is ignored... i.e., +if (!aPropName.Equals(NS_LITERAL_STRING("top"))) result = cssParser->ParseProperty(aPropName, aPropValue, baseURI, decl, &hint); But this only delayed the crash, which now happened because of an index PRInt32 i = mFormControls.Count(); /* = 50806944 -- see stack trace !! */ nsVoidArray::ElementAt(int 50806943) line 373 + 9 bytes nsFormFrame::AddFormControlFrame(...) line 358 nsFormFrame::AddFormControlFrame(...) line 193 nsHTMLButtonControlFrame::SetInitialChildList(nsHTMLButtonControlFrame * ...) nsCSSFrameConstructor::ConstructFrameByTag(...) nsCSSFrameConstructor::ConstructFrameInternal(...) nsCSSFrameConstructor::ConstructFrame(...) [...] At that point, I gave up... thinking that I might do something else.
I was tracking down a crasher bug in a different page and I wondered if there was something similar already reported. This looks to be the same issue. What I found is that a nsFontStruct is being reused after being freed. So the .name in the nsFont is garbage, so usually you don't get CopyChars1To2 because the charSize is 38 or something, so it just crashes.
*** Bug 111061 has been marked as a duplicate of this bug. ***
*** Bug 112311 has been marked as a duplicate of this bug. ***
Talkback IDs from Bug 112311, which is currently marked as a duplicate of this (105619). TB38567098Z TB38567053M TB38567005M --rt
*** Bug 112451 has been marked as a duplicate of this bug. ***
*** Bug 112454 has been marked as a duplicate of this bug. ***
stephend -- Any chance you could try loading http://www.iht.com/frontpage.htm under Purify? I'd be especially interested to see the stack traces associated with any FMR or FMW (both the stacks for the free and for the FMR/FMW).
I'm building on sheep but it very slow and I may run out of time today.
stephend sent me a purify log, but it wasn't very useful, since it just showed a null pointer dereference
I think what's happening here is that the style context from which we're getting the bad data has actually been destroyed (we never call the destructor, so it still has a valid vtable pointer, even on Windows), and the frame has been destroyed as well (bad vtable pointer, though, but GetStyleContext is inline). I think somehow there are stale frames in the primary frame map, perhaps because we're not observing frame destructions yet during the onload handler or something like that.
My fix for bug 97874 may have fixed this problem. RBS pointed me to this bug, and I tested the testcase and http://www.iht.com/frontpage.htm with my local build and it did not crash. Might be worht applying the simple patch from bug 97874 to see if it does indeed fix this problem.
Nope, I still crash with the patch from 97874. Oh, vell.
Might this be a regression of bug 91479? That bug has a similar stack to the ones reported here.
David, we also have other bugs where we get stale frame pointers out of the frame map, so that could definately be it. Don't know what those bugs are tho, IIRC I gave one to attinasi a while back.
The testcase gives me a completely different stack trace than the original page.
*** Bug 112431 has been marked as a duplicate of this bug. ***
*** Bug 112819 has been marked as a duplicate of this bug. ***
Adding [@ FrameManager::ReResolveStyleContext] to summary since bug 111061 was marked a dup and that crash is a topcrasher on recent MozillaTrunk builds as well.
Summary: Javascript menus crash mozilla 0.9.5 & CVS [@ CopyChars1To2] → Javascript menus crash mozilla 0.9.5 & CVS [@ CopyChars1To2][@ FrameManager::ReResolveStyleContext]
Once I get bug 110911 checked in I'll try to instrument the primary frame map with PR logging so that I can figure out what isn't being removed. Until then, it's difficult since I don't want to get conflicting changes.
Here's five talkback IDs from bug 112819. Thanks for the hot attention. This bug sucks badly - I have to go back to NS4.7 for my daily news updates. TB38704567X TB38704525Q TB38504540W TB38504451W TB38504351W
So, I had been hoping that, even though the symptoms of the crash on the simplified testcase were different, the underlying reason was the same. That turns out not to be the case. The crash in the minimal testcase is fixed by my patch on bug 110911. I think DST node removal is broken in some way, or something like that. However, I didn't see any cases in http://www.iht.com/ where we were leaving deleted primary frames in the map. So I need to simplify the testcase again in a build with my bug 110911 changes...
So it turns out my nsDST removal didn't really fix the problem in the simplified testcase -- it just hid it so it doesn't crash. The following assertion fires on that testcase: Index: nsFrameManager.cpp =================================================================== RCS file: /cvsroot/mozilla/layout/html/base/src/nsFrameManager.cpp,v retrieving revision 1.94 diff -u -r1.94 nsFrameManager.cpp --- nsFrameManager.cpp 6 Dec 2001 05:45:01 -0000 1.94 +++ nsFrameManager.cpp 6 Dec 2001 21:56:20 -0000 @@ -972,6 +972,16 @@ mPresShell->GetPresContext(getter_AddRefs(presContext)); RemoveAllPropertiesFor(presContext, aFrame); + +#ifdef DEBUG + nsCOMPtr<nsIContent> content; + aFrame->GetContent(getter_AddRefs(content)); + PrimaryFrameMapEntry *entry = NS_STATIC_CAST(PrimaryFrameMapEntry*, + PL_DHashTableOperate(&mPrimaryFrameMap, content, PL_DHASH_LOOKUP)); + NS_ASSERTION(!PL_DHASH_ENTRY_IS_BUSY(entry), + "frame not removed from primary frame map before destruction"); +#endif + return NS_OK; }
The assertion line should really be: + NS_ASSERTION(!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame,
The reason we're getting bad frames in the primary frame map is because they're getting readded after they're removed due to a call to GetPrimaryFrameFor: FrameManager::GetPrimaryFrameFor(FrameManager * const 0x04fdb8b0, nsIContent * 0x043a69c8, nsIFrame * * 0x0012c8f4) line 599 PresShell::GetPrimaryFrameFor(const PresShell * const 0x040ddf38, nsIContent * 0x043a69c8, nsIFrame * * 0x0012c8f4) line 5315 + 32 bytes nsGenericHTMLElement::GetPrimaryFrame(nsIHTMLContent * 0x043a69c8, nsIFormControlFrame * & 0x00000000, int 0, int 0) line 2794 nsHTMLInputElement::SetValueSecure(nsHTMLInputElement * const 0x043a69c8, const nsAString & {...}, int 0) line 518 + 17 bytes nsHTMLInputElement::SetValueGuaranteed(nsHTMLInputElement * const 0x043a69fc, const nsAString & {...}) line 482 nsGfxTextControlFrame2::SetTextControlFrameState(const nsAString & {...}) line 3410 nsGfxTextControlFrame2::Destroy(nsGfxTextControlFrame2 * const 0x050da630, nsIPresContext * 0x04004928) line 1389 nsLineBox::DeleteLineList(nsIPresContext * 0x04004928, nsLineList & {...}) line 292 nsBlockFrame::Destroy(nsBlockFrame * const 0x050da4c4, nsIPresContext * 0x04004928) line 327 + 16 bytes We could try to fix these callers or we could move the removal from the frame map to NotifyDestroyingFrame. I'm going to try the latter right now to see if it fixes the real testcase as well, or just the simplified one.
Doesn't the frame manager know that the frame model is being torn down? Couldn't it simply not add frames to the frame map in that case? Or is this about specific frames being torn down, and not the whole frame model? As for nsHTMLInputElement::SetValueGuaranteed(), we could also make it take a frame pointer which would let the frame code pass in the frame whenever it calls that method, and thus the nsHTMLInputFrame wouldn't need to do the frame lookup when being called from the frame code.
I sat down with hyatt to figure out the real cause of the crash. The root of the problem is in a style context that inherits an entire struct from a parent that is using data cached in the rule tree. Then, when we manipulate the style attribute on the parent, we blow away the rule node's data and expect the children style contexts to have valid data until they destroy their old style contexts in the re-resolve. Patch coming up. I'll also attach the patch I used that allows running with FreeFrame marking memory with 0xdd.
I'm glad to see this is (almost) fixed but I have little question. The IHT crashes that were dupped to this bug did not exist in 0.9.5. That started in 0.9.6. SO something must have regressed in the 095-096 time. Why the difference? Of course, if it works again, you won't hear me complain. Just on the off chance this won't entirely fix it :).
ovvldc@netscape.net: > I'm glad to see this is (almost) fixed but I have little question. The IHT > crashes that were dupped to this bug did not exist in 0.9.5. That started in > 0.9.6. SO something must have regressed in the 095-096 time. Why the > difference? It did not start with 0.9.6. I reported the bug with iht.com, the build was 2001110112. This was bug report 108240. At that time I downloaded a new build every morning (I think, not 100% sure it was *every*...), so I can say (almost) accurately that this was the first build that crashed at IHT. The build from the previous day did not crash there -- at that time I used to check how the nightlies handle iht.com, because of another bug with the back/forward buttons.
Comment on attachment 60747 [details] [diff] [review] patch fixing this bug sr=hyatt
Attachment #60747 - Flags: superreview+
Blocks: 113492
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla0.9.7
Comment on attachment 60748 [details] [diff] [review] patch preventing frame access after deletion (and some other cleanup) This patch has been split into bug 114219, bug 114220, bug 114221, and bug 114222
Attachment #60748 - Attachment is obsolete: true
Comment on attachment 60747 [details] [diff] [review] patch fixing this bug r=shaver
Attachment #60747 - Flags: review+
To the poster worried about when this happened: that was the exact date of the huge bug 34297 patch. I exposed this bug and created a few of my own.
Attachment 60747 [details] [diff] checked in 2001-12-08 14:46 PDT. Other issues are split into other bugs as mentioned in comment 65 and other dependencies to bug 114219.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
just crashed with build 2001121003 on win2k! TB324891G
Here is the talkback stack from comment #69 above. Doesn't look like the same animal.
note the 'JS_ReportOutOfMemory ' in the stack for comment 69 (and it is a different bug/crash). However, this was reproducible in a 12/10 build on win2k, but not with today's 12/11 build on win2k.
*** Bug 116205 has been marked as a duplicate of this bug. ***
*** Bug 116274 has been marked as a duplicate of this bug. ***
Attached file purify log file (*.pv)
this is the full purify log
oops, I forgot to say: "it crashed" on the url http://www.iht.com/frontpage.htm
Comment on attachment 62581 [details] purify info 2001-12-20 solaris build If aFont contains garbage, then it is no surprise that font creation will fail.
there might still be problems with www.iht.com http://bugzilla.gnome.org/show_bug.cgi?id=67856 I personally got again a crash in CopyChars1To2, although not immediately entering the site, but after some clicking around (mozilla 0.9.7)
Reopening, but since I can't reproduce the bug I'm unlikely to be able to do anything about it. Does it crash for some people but not others? If so, what determines whether it crashes? Is there somebody else who could own this bug?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: mozilla0.9.7 → Future
here is a crash snippet i got directly when opening www.iht.com in TestGtkEmbed compiled against 0.9.7, its reproducable here #0 0x40364a46 in nsAString::Cut () from /usr/lib/libxpcom.so #1 0x4037356e in nsStr::StrAppend () from /usr/lib/libxpcom.so #2 0x403734b1 in nsStr::StrAssign () from /usr/lib/libxpcom.so #3 0x40376831 in nsString::nsString () from /usr/lib/libxpcom.so #4 0x407d9853 in nsFont::nsFont () from /usr/lib/libgkgfx.so #5 0x40831b9f in NSGetModule () from /usr/lib/mozilla/components/libgfx_gtk.so #6 0x407d941d in nsFontCache::GetMetricsFor () from /usr/lib/libgkgfx.so #7 0x407d87c8 in DeviceContextImpl::GetMetricsFor () from /usr/lib/libgkgfx.so #8 0x40e6ee1f in NSGetModule () from /usr/lib/mozilla/components/libgklayout.so .... looks like something completely different but, hey, i dont know :) i can file a different bug if required
ahm, sorry for the spam, but did more testing the crash at initial loading of www.iht.com went away after i removed ~/.TestGtkEmbed but then after some heavy clicking and scrolling while marveling at the dynamic menubar it crashed again with the same backtrace tried running it again and opening iht, crashed while loading it again, this was repeatable until i removed again ~/.TestGtkEmbed then tried causeing this again, heavy clicking and scrolling and got this: #0 0x403729c3 in CopyChars1To2 () from /usr/lib/libxpcom.so #1 0x4037356e in nsStr::StrAppend () from /usr/lib/libxpcom.so #2 0x403734b1 in nsStr::StrAssign () from /usr/lib/libxpcom.so #3 0x40376831 in nsString::nsString () from /usr/lib/libxpcom.so #4 0x407d9853 in nsFont::nsFont () from /usr/lib/libgkgfx.so #5 0x40831b9f in NSGetModule () from /usr/lib/mozilla/components/libgfx_gtk.so #6 0x407d941d in nsFontCache::GetMetricsFor () from /usr/lib/libgkgfx.so #7 0x407d8841 in DeviceContextImpl::GetMetricsFor () from /usr/lib/libgkgfx.so #8 0x4083f69d in NSGetModule () from /usr/lib/mozilla/components/libgfx_gtk.so #9 0x40f56b27 in NSGetModule () from /usr/lib/mozilla/components/libgklayout.so .... it fairly random now and i cant see too much patter in it :(
I am also getting random crashes with the www.iht.com, on the opening page AFAICT. Talkback IDs: 1625876W 1434967M I can't be sure that these are caused by the old problem but since this was reopened, I hope these can shed some light
Also crashing with build 2002012203 on winxp. TB1972641K
The above stacks look like they belong to bug 106341.
*** Bug 106341 has been marked as a duplicate of this bug. ***
The duplicates of bug 106341 have a number of other ways to reproduce what may (or may not) be the same problem, but they'd all already been marked duplicates of bug 106341 because the stack was the same.
*** Bug 117198 has been marked as a duplicate of this bug. ***
*** Bug 107367 has been marked as a duplicate of this bug. ***
Target Milestone: Future → mozilla0.9.9
This shows the problem seems pretty similar to what it was before, but actually with a less unusual situation (a rule node that fully specifies an inherited struct by specifying the 'font' shorthand property, presumably) then the one I saw in the debugger when I was able to see this problem on Windows (explicit inherit on a reset struct). I wonder why it regressed.
Bug 121129 is a duplicate of Bug 106341, Bug 106341 is a duplicate of this bug; so, then, 121129 is a duplicate of this Bug, eh?
*** Bug 122767 has been marked as a duplicate of this bug. ***
adding [@ nsAString::do_AssignFromReadable][@ nsAString::AssignFromReadable] to summary for tracking...since bug 106341 was marked a dup.
Summary: Javascript menus crash mozilla 0.9.5 & CVS [@ CopyChars1To2][@ FrameManager::ReResolveStyleContext] → Javascript menus crash mozilla 0.9.5 & CVS [@ CopyChars1To2][@ FrameManager::ReResolveStyleContext] [@ nsAString::do_AssignFromReadable][@ nsAString::AssignFromReadable]
It is now Februari 5th, 2002 and I just installed 0.9.8. Apart from the atrocious slowdown in the mozilla website (the others fly at normal speed), I have just crashed very consistently, at the same point in loading as I used to crash before 0.9.7 came out :(. This is three out of three attempts to load www.iht.com, not as infrequent and erratic as it was in 0.9.8. I filed my talkbacks: TB2438964M TB2477829H TB2333812H Good hunting, gentlemen, and godspeed. This particular bug deserves to be squished once and for all.
Also seeing return of crash bug on load of www.iht.com Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.8) Gecko/20020204 TB2544791K TB2544695W
I dug up the incidents mentioned in the comments above...here are a couple: Incident ID 2333812 Stack Signature 0x000006cc f0b5a1ea Trigger Time 2002-01-31 05:43:50 Email Address ovvldc@netscape.net URL visited www.iht.com User Comments Same bloody crash as usual. Please fix it. It is now erratic, but still happens to me more than any other crash. MTBF is seriously impaired here... Build ID 2001122109 Product ID MozillaBranch Platform Operating System Win32 Module Trigger Reason Access violation Stack Trace 0x000006cc nsAString::do_AssignFromReadable [d:\builds\seamonkey\mozilla\string\src\nsAString.cpp, line 290] nsAString::AssignFromReadable [d:\builds\seamonkey\mozilla\string\src\nsAString.cpp, line 239] nsFont::operator= [d:\builds\seamonkey\mozilla\gfx\src\nsFont.cpp, line 104] nsFontMetricsWin::Init [d:\builds\seamonkey\mozilla\gfx\src\windows\nsFontMetricsWin.cpp, line 452] nsFontCache::GetMetricsFor [d:\builds\seamonkey\mozilla\gfx\src\nsDeviceContext.cpp, line 676] DeviceContextImpl::GetMetricsFor [d:\builds\seamonkey\mozilla\gfx\src\nsDeviceContext.cpp, line 308] nsTextFrame::TextStyle::TextStyle [d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp, line 549] nsTextFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp, line 5047] nsLineLayout::ReflowFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineLayout.cpp, line 1087] nsBlockFrame::ReflowInlineFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3688] nsBlockFrame::DoReflowInlineFrames [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3569] nsBlockFrame::DoReflowInlineFramesAuto [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3494] nsBlockFrame::ReflowInlineFrames [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3439] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2475] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2159] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 826] nsBlockReflowContext::DoReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 581] nsBlockReflowContext::ReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 359] nsBlockFrame::ReflowBlockFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3183] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2386] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2159] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 826] nsBlockReflowContext::DoReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 581] nsBlockReflowContext::ReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 359] nsBlockFrame::ReflowBlockFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3183] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2386] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2159] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 826] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 766] nsTableCellFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableCellFrame.cpp, line 943] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 766] nsTableRowFrame::IR_TargetIsChild [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp, line 1263] nsTableRowFrame::IncrementalReflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp, line 1158] nsTableRowFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp, line 1433] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 766] nsTableRowGroupFrame::IR_TargetIsChild [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp, line 1559] nsTableRowGroupFrame::IncrementalReflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp, line 1236] nsTableRowGroupFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp, line 1146] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 766] nsTableFrame::IR_TargetIsChild [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp, line 2861] nsTableFrame::IncrementalReflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp, line 2700] nsTableFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp, line 1955] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 766] nsTableOuterFrame::OuterReflowChild [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp, line 983] nsTableOuterFrame::IR_InnerTableReflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp, line 1300] nsTableOuterFrame::IR_TargetIsInnerTableFrame [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp, line 1089] nsTableOuterFrame::IR_TargetIsChild [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp, line 1079] nsTableOuterFrame::IncrementalReflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp, line 1042] nsTableOuterFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp, line 1535] nsBlockReflowContext::DoReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 581] nsBlockReflowContext::ReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 359] nsBlockFrame::ReflowBlockFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3183] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2386] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2159] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 826] nsBlockReflowContext::DoReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 581] nsBlockReflowContext::ReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 359] nsBlockFrame::ReflowBlockFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3183] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2386] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2159] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 826] nsBlockReflowContext::DoReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 581] nsBlockReflowContext::ReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 359] And.... Incident ID 2544791 Stack Signature 0x0000050a 86304d9c Trigger Time 2002-02-05 12:18:37 Email Address URL visited www.iht.com User Comments Loading www.iht.com homepage immediately crashes Moz. Build ID 2002020409 Product ID MozillaBranch Platform Operating System Win32 Module Trigger Reason Access violation Stack Trace 0x0000050a nsAString::do_AssignFromReadable [d:\builds\seamonkey\mozilla\string\src\nsAString.cpp, line 290] nsAString::AssignFromReadable [d:\builds\seamonkey\mozilla\string\src\nsAString.cpp, line 758] nsFont::operator= [d:\builds\seamonkey\mozilla\gfx\src\nsFont.cpp, line 104] nsFontMetricsWin::Init [d:\builds\seamonkey\mozilla\gfx\src\windows\nsFontMetricsWin.cpp, line 469] nsFontCache::GetMetricsFor [d:\builds\seamonkey\mozilla\gfx\src\nsDeviceContext.cpp, line 671] DeviceContextImpl::GetMetricsFor [d:\builds\seamonkey\mozilla\gfx\src\nsDeviceContext.cpp, line 303] nsTextFrame::TextStyle::TextStyle [d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp, line 554] nsTextFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp, line 1429] nsContainerFrame::PaintChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 254] nsBlockFrame::PaintChildren [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 5515] nsBlockFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 5387] nsContainerFrame::PaintChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 254] nsBlockFrame::PaintChildren [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 5515] nsBlockFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 5387] nsContainerFrame::PaintChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 254] nsContainerFrame::PaintChildren [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 197] nsTableCellFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableCellFrame.cpp, line 481] nsTableRowFrame::PaintChildren [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp, line 672] nsTableRowFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp, line 614] nsTableRowGroupFrame::PaintChildren [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp, line 327] nsTableRowGroupFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp, line 270] nsContainerFrame::PaintChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 254] nsContainerFrame::PaintChildren [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 197] nsTableFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp, line 1511] nsContainerFrame::PaintChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 254] nsTableOuterFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp, line 370] nsContainerFrame::PaintChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 254] nsBlockFrame::PaintChildren [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 5515] nsBlockFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 5387] nsContainerFrame::PaintChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 254] nsContainerFrame::PaintChildren [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 197] nsTableCellFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableCellFrame.cpp, line 481] nsTableRowFrame::PaintChildren [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp, line 672] nsTableRowFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp, line 614] nsTableRowGroupFrame::PaintChildren [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp, line 327] nsTableRowGroupFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp, line 270] nsContainerFrame::PaintChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 254] nsContainerFrame::PaintChildren [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 197] nsTableFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp, line 1511] nsContainerFrame::PaintChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 254] nsTableOuterFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp, line 370] nsContainerFrame::PaintChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 254] nsBlockFrame::PaintChildren [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 5515] nsBlockFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 5387] nsContainerFrame::PaintChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 254] nsBlockFrame::PaintChildren [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 5515] nsBlockFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 5387] nsContainerFrame::PaintChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 254] nsBlockFrame::PaintChildren [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 5515] nsBlockFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 5387] nsContainerFrame::PaintChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 254] nsContainerFrame::PaintChildren [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 197] nsHTMLContainerFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLContainerFrame.cpp, line 136] CanvasFrame::Paint [d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLFrame.cpp, line 390] PresShell::Paint [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5713] nsView::Paint [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 272] nsViewManager::RenderDisplayListElement [d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp, line 1240] nsViewManager::RenderViews [d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp, line 1164] nsViewManager::Refresh [d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp, line 703] nsViewManager::DispatchEvent [d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp, line 1762] HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 83] nsWindow::DispatchEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 854] nsWindow::DispatchWindowEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 876] Is looks like nsAString::do_AssignFromReadable is still where the crash is, but the crashes are being reported under different stack signatures by Talkback. Adding testcase keyword, since it seems pretty clear that we are crashing at www.iht.com.
Keywords: testcase
Please note that my stack trace listed below is from before I installed 0.9.8. I think I haven't sent in the first crash, believing it to be erratic like the other one I had sent in a week earlier. Sorry for not being specific. Also, I am still running NT4 SP6 on a Celeron 300A with 128 MB RAM. BTW, www.mozilla.org is back up to speed for me :). How about adding 0.9.9 keyword :)? <wink wink> Again, thanks for the hot attention!
nominating for nsbeta1.
Keywords: nsbeta1
*** Bug 126508 has been marked as a duplicate of this bug. ***
Here's a stack from Solaris 2.8 build, ID: 2002020516 (www.iht.com) #0 0x7f9e33c4 in CopyChars1To2 () from /home/la/bin/mozilla/libxpcom.so #1 0x7f9e3e3c in nsStr::StrAppend () from /home/la/bin/mozilla/libxpcom.so #2 0x7f9e3d74 in nsStr::StrAssign () from /home/la/bin/mozilla/libxpcom.so #3 0x7f9e8114 in nsString::nsString () from /home/la/bin/mozilla/libxpcom.so #4 0x7fb55718 in nsFont::nsFont () from /home/la/bin/mozilla/libgkgfx.so #5 0x7e185414 in nsFontMetricsGTK::Init () from /home/la/bin/mozilla/components/libgfx_gtk.so #6 0x7fb552b0 in nsFontCache::GetMetricsFor () from /home/la/bin/mozilla/libgkgfx.so #7 0x7fb54588 in DeviceContextImpl::GetMetricsFor () from /home/la/bin/mozilla/libgkgfx.so #8 0x7d641f88 in nsTextFrame::Paint () from /home/la/bin/mozilla/components/libgklayout.so #9 0x7d5f8374 in nsContainerFrame::PaintChild () from /home/la/bin/mozilla/components/libgklayout.so #10 0x7d5f145c in nsBlockFrame::PaintChildren () from /home/la/bin/mozilla/components/libgklayout.so #11 0x7d5f1254 in nsBlockFrame::Paint () from /home/la/bin/mozilla/components/libgklayout.so #12 0x7d6396d0 in PresShell::Paint () from /home/la/bin/mozilla/components/libgklayout.so #13 0x7d869198 in nsView::Paint () from /home/la/bin/mozilla/components/libgkview.so #14 0x7d873068 in nsViewManager::RenderDisplayListElement () from /home/la/bin/mozilla/components/libgkview.so #15 0x7d872e24 in nsViewManager::RenderViews () from /home/la/bin/mozilla/components/libgkview.so #16 0x7d871ab0 in nsViewManager::Refresh () from /home/la/bin/mozilla/components/libgkview.so #17 0x7d874468 in nsViewManager::DispatchEvent () from /home/la/bin/mozilla/components/libgkview.so #18 0x7d868c08 in _start () from /home/la/bin/mozilla/components/libgkview.so #19 0x7e6bc0d4 in nsWidget::DispatchEvent () from /home/la/bin/mozilla/components/libwidget_gtk.so #20 0x7e6bbfe4 in nsWidget::DispatchWindowEvent () from /home/la/bin/mozilla/components/libwidget_gtk.so #21 0x7e6bf520 in nsWindow::DoPaint () from /home/la/bin/mozilla/components/libwidget_gtk.so #22 0x7e6bf6ec in nsWindow::Update () from /home/la/bin/mozilla/components/libwidget_gtk.so #23 0x7e6bf3a0 in nsWindow::UpdateIdle () from /home/la/bin/mozilla/components/libwidget_gtk.so #24 0x7f6292ec in g_idle_dispatch (source_data=0x7e6bf324, dispatch_time=0xffbee028, user_data=0x0) at gmain.c:1367 #25 0x7f627cfc in g_main_dispatch (dispatch_time=0xffbee028) at gmain.c:656 #26 0x7f628598 in g_main_iterate (block=2137316692, dispatch=1) at gmain.c:877 #27 0x7f6287ac in g_main_run (loop=0x20f9c8) at gmain.c:935 #28 0x7f749ca0 in gtk_main () at gtkmain.c:524 #29 0x7e6ae7f8 in nsAppShell::Run () from /home/la/bin/mozilla/components/libwidget_gtk.so #30 0x7f03bae0 in nsAppShellService::Run () from /home/la/bin/mozilla/components/libnsappshell.so #31 0x180a8 in DoCommandLines () #32 0x18b38 in main ()
*** Bug 127106 has been marked as a duplicate of this bug. ***
*** Bug 127377 has been marked as a duplicate of this bug. ***
Is a fix for this bug still going to go in for 0.9.9? I've been keeping an eye out and I haven't seen this one in Asa's daily bug lists. BTW, this bug should have most-frequent keyword added, there are 25 duplicates on record.
Still crashing with 2002022308. Talkback Incident ID is TB3297169Z.
This testcase crashes immeadiately every time. The javascript changing the style height nukes style (specifically font) data not associated with the <div> or <textarea> tags. Mozilla then attempts to use that font data when it repaints the screen, causing an immediate crash (stacktrace in bug 127120). If you want to catch it deleting the font from the cache, set a breakpoint for nsFont::~nsFont and/or nsDOMCSSDeclaration::SetHeight. It is the first font to be deleted, and SetHeight is only called once.
Attached patch fixSplinter Review
This typo was a regression from the rework of nsRuleNode children storage in the fix to bug 104336.
patch fixes testcase and URL in bug 127120
The reason this was crashing was that we were clearing too much, because it tell every rule node to clear the data for *its* rule. Clearing too much caused a problem because this left the style contexts with dangling pointers to the data that was cleared but shouldn't have been, since the clearStyleData called on the root context from the second part of StyleSetImpl::ClearStyleData didn't clear too much to correspond with the rule node clearing out everything.
No longer blocks: 122050
hyatt's away till Tuesday. Who can r= with authority? I can sr=. /be
*** Bug 125480 has been marked as a duplicate of this bug. ***
*** Bug 127120 has been marked as a duplicate of this bug. ***
Comment on attachment 72166 [details] [diff] [review] fix r=bzbarsky
Attachment #72166 - Flags: review+
*** Bug 128605 has been marked as a duplicate of this bug. ***
Comment on attachment 72166 [details] [diff] [review] fix a=shaver for 0.9.9 and 1.0.
Attachment #72166 - Flags: approval+
Fix checked in: * to trunk, 2002-03-02 16:00:16 PST, and * to MOZILLA_0_9_9_BRANCH, 2002-03-02 16:02:00 PST.
If only bugzilla could read my mind...
Status: REOPENED → RESOLVED
Closed: 23 years ago23 years ago
Resolution: --- → FIXED
*** Bug 126131 has been marked as a duplicate of this bug. ***
Good job in hunting the regression, dbaron. Just noted that, actually, you explicitly quoted this code fragment in your review in bug 104336 comment #105, but somehow it didn't cross your mind then.
dbaron, we're seeing stacks in the M099 data (post-fix checkin) that resemble those in comments 82-86. Would it be better to address those crashes in a separate bug or just reopen this one?
The stacks in comment 120 are very different from those in comment 84 -- they show problems in a XUL document rather than an HTML document, and they're related to theme changing. Could you file a new bug? (Probably Style System component.)
-> looks like the existing bug 121638
Changing the QA contact to madhur
QA Contact: amar → madhur
verified fixed in win2000 - buiild: 2002-03-07-trunk and 2002-04-10-06trunk build
Status: RESOLVED → VERIFIED
*** Bug 112696 has been marked as a duplicate of this bug. ***
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/54417ebbaea2
Flags: in-testsuite+
Crash Signature: [@ CopyChars1To2] [@ FrameManager::ReResolveStyleContext] [@ nsAString::do_AssignFromReadable] [@ nsAString::AssignFromReadable]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: