Closed Bug 107545 Opened 23 years ago Closed 22 years ago

M098 N621 Trunk crash [@ PlaceFrameView] [@ .__ptr_glue - nsBlockFrame::PostPlaceLine]

Categories

(Core :: Layout, defect, P1)

x86
All
defect

Tracking

()

VERIFIED FIXED
mozilla1.0

People

(Reporter: greer, Assigned: alexsavulov)

References

()

Details

(Keywords: crash, topcrash+, Whiteboard: [patch][adt1])

Crash Data

Attachments

(5 files, 2 obsolete files)

The PlaceFrameView signature shows up in talkback for all of the recent releases
and Trunk, but in small enough numbers that it hasn't been seen. (Currently N620
has 4 incidents, M095, 36 incidents, Trunk ,6) The top frames of the stack look
similar to that of bug 81905, but comments don't point distinctly to the
password manager.

Here's the stack from N620 data:

        PlaceFrameView
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line
2554]
         nsBlockFrame::PostPlaceLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 4101]
         nsBlockFrame::PlaceLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 3972]
         nsBlockFrame::DoReflowInlineFrames
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 3433]
         nsBlockFrame::DoReflowInlineFramesMalloc
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 3263]
         nsBlockFrame::ReflowInlineFrames
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 3224]
         nsBlockFrame::ReflowLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 2375]
         nsBlockFrame::ReflowDirtyLines
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 2045]
         nsBlockFrame::Reflow  
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp
line 800]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableCellFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableCellFrame.cpp  line 759]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableRowFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp  line 887]
         nsTableRowFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp  line 1246]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableRowGroupFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp 
line 396]
         nsTableRowGroupFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp 
line 1056]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp  line 3046]
         nsTableFrame::Reflow  
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp
line 1854]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableOuterFrame::OuterReflowChild
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp  line 976]
         nsTableOuterFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp  line 1541]
         nsBlockReflowContext::DoReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp  line
574]
         nsBlockReflowContext::ReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp  line
345]
         nsBlockFrame::ReflowBlockFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 2973]
         nsBlockFrame::ReflowLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 2261]
         nsBlockFrame::ReflowDirtyLines
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 2045]
         nsBlockFrame::Reflow  
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp
line 800]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableCellFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableCellFrame.cpp  line 759]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableRowFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp  line 887]
         nsTableRowFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp  line 1246]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableRowGroupFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp 
line 396]
         nsTableRowGroupFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp 
line 1056]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp  line 3046]
         nsTableFrame::Reflow  
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp
line 1854]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableOuterFrame::OuterReflowChild
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp  line 976]
         nsTableOuterFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp  line 1541]
         nsBlockReflowContext::DoReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp  line
574]
         nsBlockReflowContext::ReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp  line
345]
         nsBlockFrame::ReflowBlockFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 2973]
         nsBlockFrame::ReflowLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 2261]
         nsBlockFrame::ReflowDirtyLines
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp  line 2045]
         nsBlockFrame::Reflow  
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp
line 800]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableCellFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableCellFrame.cpp  line 759]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableRowFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp  line 887]
         nsTableRowFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp  line 1246]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableRowGroupFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp 
line 396]
         nsTableRowGroupFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp 
line 1056]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp  line 3046]
         nsTableFrame::Reflow  
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp
line 1854]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line 723]
         nsTableOuterFrame::OuterReflowChild
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp  line 976]
         nsTableOuterFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp  line 1541]
         nsBlockReflowContext::DoReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp  line
574]

Here are the comments across all releases:
N610 :       10
37268259 http://topcat.switchinc.org.8080/proxy.pac waiting for full text article
37269006 www.eco-furniture.com clicked on one of the products in the lawn and
garden section
37318937  I was opening mail when program failed.
37320432  Reloading web page
37371824 www.douglascollege.bc.ca Click on link
37375266 http://www.ishaah.com/Smile.htm reading my e-mail
37379707 www.webtrendslive.com checking html tracking  reports on the websites
homepage
M094 :       11
37066956 http://webcompare.internet.com/webbasics/webbasics_2.html mozilla tried
to read memory location 0x000000... was runni
ng VERY slowly prior to this error. Last page was a link from cbs.sportsline.com
to the fantasy section.
37052016 www.cbssportsline.com
M095 :       36
37376526 fantasy.sportsline.com just clicked on my fantasy team link  might have
clicked twice...
37018266 http://football221.fantasy.sportsline.com/mp/ when looking at all the
picke in my league in cbs fantasy football.I ha
ve crashed many times on theis site since mozilla 0.9.4
37114953 http://members4.fantasy.sportsline.com/home? trying to enter the site.
 Everytime I try on my laptop  it crashes.  Ho
me PC is fine  just the laptop.
37325324  Using tabbed layout.  Went to cbs.sportsline.com (my second tab) and
clicked fantasy. Crash!  error in gkslayout...o
r something
37181660 football258.fantasy.sportsline.com Was pulling up a draft list of free
agents for my fantasy football pool.  As an as
ide  the 'Back' button does not work on cnn.com.
37063743 http://ici.planet-multiplayer.de/phpBB Just loaded the page.
Keywords: crash, topcrash
I don't understand why you think this is password manager.  But it indeed looks 
like the same stack trace as in bug 81905 (which I'm not cc'd on) and that one 
too is marked password manager.  And Chris Waterson has that bug.

So reassigning this one to Waterson.
Assignee: morse → waterson
This one has become a major crasher on M095 (28 incidents) and N620 (481 
incidents). I will attach the comments below to help find a reproducible case. 
Adding qawanted keyword.
Keywords: qawanted
Adding  [@ .__ptr_glue - nsBlockFrame::PostPlaceLine] to summary, since that is
the stack signature for this crash on MacOS.  The stack looks similar and the
websites are the same as in bug 109996 (which I am about to mark a dup of this
bug).  Here is the info from that bug for Mac crashes with Netscape 6.20:

 Count   Offset    Real Signature
[ 13   .__ptr_glue ed499dd6 - nsBlockFrame::PostPlaceLine() ]
 
     Crash date range: 2001-11-06 to 2001-11-12
     Min/Max Seconds since last crash: 61 - 18381
     Min/Max Runtime: 9513 - 72520
     Keyword List :  
     Count   Platform List 
     10   MacOS version 9.2.1  
     2   MacOS version 9.1  
     1   MacOS version 9.0  
 
     Count   Build Id List 
     13   2001102217
 
     No of Unique Users         6
 
 Stack trace(Frame) 

	 .__ptr_glue  
	 nsBlockFrame::PostPlaceLine()
[nsBlockFrame.cpp  line 4100] 
	 nsBlockFrame::PlaceLine()
[nsBlockFrame.cpp  line 3968] 
	 nsBlockFrame::DoReflowInlineFrames()
[nsBlockFrame.cpp  line 3430] 
	 nsBlockFrame::DoReflowInlineFramesMalloc()
[nsBlockFrame.cpp  line 3260] 
	 nsBlockFrame::ReflowInlineFrames()
[nsBlockFrame.cpp  line 3220] 
	 nsBlockFrame::ReflowLine()
[nsBlockFrame.cpp  line 2374] 
	 nsBlockFrame::ReflowDirtyLines()
[nsBlockFrame.cpp  line 2044] 
	 nsBlockFrame::Reflow()
[nsBlockFrame.cpp  line 798]  
 
COMMENTS/URLs:

     (37873973)	URL: cbs.sportline.com
     (37629077)	URL: www.cbs.sportsline.com
     (37629077)	Comments: Picking up a Free Agent on my fantesy football team

Summary: M095 N620 Trunk crash [@ PlaceFrameView] → M095 N620 Trunk crash [@ PlaceFrameView] [@ .__ptr_glue - nsBlockFrame::PostPlaceLine]
*** Bug 109996 has been marked as a duplicate of this bug. ***
This crash still shows in the latest releases and milestones. Changing summary. 
current problem links: www.cbssportsline.com   and  www.wheresgeorge.com. 
Summary: M095 N620 Trunk crash [@ PlaceFrameView] [@ .__ptr_glue - nsBlockFrame::PostPlaceLine] → M097 N621 Trunk crash [@ PlaceFrameView] [@ .__ptr_glue - nsBlockFrame::PostPlaceLine]
Is this a Mac-only crash? Stacks make it look that way...
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla0.9.8
This attachment is a rough breakdown of platforms that are returning crashes at
the PlaceFrameView signature (from a snapshot of Talkback data 12/26). It is
almost entirely Windows.
Target Milestone: mozilla0.9.8 → mozilla0.9.9
This is not showing up in recent builds (according to
<http://ftp.mozilla.org/pub/data/crash-data>); marking WORKSFORME.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → WORKSFORME
Since Chris isn't seeing this in the crash reports anymore and I tried all the
links on this page with Win XP build 2002012903, marking Verified
Status: RESOLVED → VERIFIED
I convinced a friend to start using Mozilla and he loves it, however he is
definitely seeing this crash at www.wheresgeorge.com .  He says it crashes after
he's entered in a few bills, so you'd possibly need to have a WG account and log
in to reproduce this.

Build:  Mozilla 0.9.8 (2002020406), also seen routinely on 0.9.7
OS   :  Windows 2000

He has submitted many talkbacks on it, most recently TB2686276K .

I brought this up in #mozillazine, and endico took a look at the TB report, and
reported that the first two lines were:

PlaceFrameView
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2813]
nsBlockFrame::PostPlaceLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 4360]

Not sure if that's relevant.  The consensus was that I should report it here in
this bug.  I've now told you everything I know :)

Reopen?
 
The stack from the incident listed in the previous comment looks the same as
the original stack, I'm attaching it for reference to the new line numbers.
So far five unique users have crashed on M098 with this signature. However, 
all of the comments point to the wheresgeorge site (all unique users). Which 
makes me wonder if the site has the problem. 

(2710709) - 2002020409: Windows NT  5.0 build 2195 Had just selected the site 
from my bookmark list URL: http://www.wheresgeorge.com
(2693842) - 2002020409: Windows NT  5.0 build 2195 clicking on to another 
section of the site URL: www.wheresgeorge.com
(2686276) - 2002020409: Windows NT  5.0 build 2195 Just trying to access the 
page. It bombed immediately after I hit return on typing the URL. None of the 
page rendered. URL:http://www.wheresgeorge.com

Updating to M098 and reopening (tentatively) to see if this one begins to show 
up in large numbers with this release. There are currently only 2 incidents 
reported against the trunk. 
Status: VERIFIED → REOPENED
Resolution: WORKSFORME → ---
Summary: M097 N621 Trunk crash [@ PlaceFrameView] [@ .__ptr_glue - nsBlockFrame::PostPlaceLine] → M098 N621 Trunk crash [@ PlaceFrameView] [@ .__ptr_glue - nsBlockFrame::PostPlaceLine]
It seems I am able to reproduce this one at will (currently). 
Using Trunk build 2002020610, I went to www.wheresgeorge.com, entered 10 bills.
clicked around. Finally clicked on "This site is owned by www.wheresgeorge.com" 
(at the bottom of a page) and got the PlaceFramView crash.

Following that, I restarted the browser and clicked on the history bar's down 
arrow, selected the wheresgeorge site and I crash every time (3 times so far), 
before the page even begins to load. 
nominating topcrash bugs for nsbeta1. 
Keywords: nsbeta1
Reassigning to Alex.
Assignee: waterson → alexsavulov
Status: REOPENED → NEW
Keywords: nsbeta1nsbeta1+
Target Milestone: mozilla0.9.9 → mozilla1.0
CANNOT REPRODUCE ON W2000. ANYONE PLEASE POST EXACT STEPS TO REPRODUCE,
OHTERWISE CANNOT FIX
*** Bug 128937 has been marked as a duplicate of this bug. ***
Alex: try http://mozilla.statesoftware.com/ This URL crashes in PlaceFrameView
in bug 128937
Someone is still crashing at www.wheresgeorge.com...I see a couple of incidents
from 3/2.  And why is the component still password mananger?  Is that correct? 
I would think this was some sort of layout bug.

Here are just a few urls I found from recent incidents:
www.rediff.com 
http://www.wheresgeorge.com 
wannabe.gathering.org/tg - looks like you need an account for this page.  
bmwe30.net - customize link is mentioned in the comment.

I tried to reproduce at the first 2 sites, but wasn't able to.
I went back to wheresgeorge.com with M098 on W2K and simply clicked on the 
www.wheresgeorge.com link at the bottom. It opened a new window, so I clicked 
on the same link in the new window. After 4-5 times I got the crash @ 
PlaceFrameView. Incident #3738786
Trunk also crashes with these steps.
Component: Password Manager → Layout
That previous comment was a bit laconic. I was able to crash with the steps I
listed in comment #21 using the Trunk build 2002030606. This crash ended at
nsBlockFrame::GetTopBlockChild but with a similar stack.
 
  Interesting behavior, as I reproduced this crash the number of windows that I
 opened before crashing became fewer. The first crash took 4-5 times of
clicking on the link, the next crash occurred after clicking only two times,
the third came after simply submitting the URL (I never got to the page).
After a talk with REPORTER (greer@netscape.com) we discovered that the bug is
reproductible only if using a profile that was generated with a previous NS or
MOZ build. On the machine where the crash was reproductible with an old profile,
with a new profile the crash was not reproductible. Switching back to the old
profile, causes mozilla to crash during the test again. However, I was unable to
reproduce the crash even using old profiles created with NS61, NS62 and NS621. I
will have to download and try the 096, 097, 098 builds too. 

If not reproductible, I suggest removing the keyword nsbeta1+.
replacing nsbeta1+ with nsbeta1

this crash is hardly reproductible. there are two incidents reported by
greer@netscape.com (3750819 and 4016427) that are produced reliably with build
2002030306 with an old profile that has been generated with an older version of
mozilla (greer thinks that it was a netscape distribution). since we spoke last
week there were no incidents with similar stack signatures reported (except the
two reported by greer)
Keywords: nsbeta1+nsbeta1
nsbeata1-. Remove the minus to renominate if this can be reproduced. Since the 
crash seems to occur when using old profiles, it really doesn't sound like a 
layout bug.
Keywords: nsbeta1nsbeta1-
This shouldn't be qawanted.  Looks like Tom Greer has reproducible steps and the
investigation led to having this bug be seen only on older profiles.

That could be an issue if a lot of folks are running into this since I'm sure
folks will have profiles created by older builds.

Is there a way to get a debug build onto Greer's system and run it through his
profile?


Keywords: qawanted
Lisa, It's my machine at home that is crashing and I need to get some tools for
it from the office. Working on that.
Lisa, recently I have seen this crash happen almost at will using these steps: 

1. Goto www.realgm.com
2. click on Player Profiles
3. click on a team
4. click on a player
5. If you haven't crashed yet, try using the "back" button a few times and 
repeat the process.

I have crashed at least once at each of steps 1-3 and got the steps from a user 
who got to step 4. 

Could you please have some of your QA folks take a stab at reproducing this one 
in house?
Looking at one of my crashes in Talkback the value of aFrame is NULL at the time
of the crash. A null check before dereferencing should fix this one.

>snip<
2783 static void
2784 PlaceFrameView(nsIPresContext* aPresContext,
2785                  nsIFrame*       aFrame)
2786 {
2787 nsIView*  view;

** Check aFrame Here **

2788 aFrame->GetView(aPresContext, &view);
2789 if (view)
2790 nsContainerFrame::SyncFrameViewAfterReflow(aPresContext, aFrame, view, nsnull);

I haven't been successful at building the code at home, but I would gladly test
this one if I could get a build with the patch.
Whiteboard: [patch]
Attached patch nullcheck patch (obsolete) — Splinter Review
added null check in the loop condition
Keywords: nsbeta1-nsbeta1
Comment on attachment 78460 [details] [diff] [review]
nullcheck patch

sr=attinasi - but please put in an ASSERTION so that we can see if the child
count gets out of whack (which is what is happening if |frame| is null).
Attachment #78460 - Flags: superreview+
Attachment #78460 - Attachment is obsolete: true
Attachment #78464 - Flags: superreview+
Comment on attachment 78464 [details] [diff] [review]
added assertion to the previous nullcheck patch


transfered sr=
nsbeta1+
Keywords: nsbeta1nsbeta1+
Comment on attachment 78464 [details] [diff] [review]
added assertion to the previous nullcheck patch

r=kmcclusk@netscape.com
Attachment #78464 - Flags: review+
Keywords: topcrashtopcrash+
Whiteboard: [patch] → [patch][adt1]
Since it is always the case that i < aLine->GetChildCount(), change the 
assertion to:

   NS_ASSERTION(frame, "Child count bigger than the number of linked 
frames!!!"); 
chris:

marc ment to have the assertion beeing self-explanatory that's why it has that
complicated form, but yes, you're right so is simpler.
Isn't that assertion going to fire all the time since you've gotten the next
sibling but haven't incremented i yet?  Shouldn't it be:
  NS_ASSERTION(line->GetChildCount() == i + 1 || frame, "...");
which would also be simpler.

Have you investigated why the child count is being set incorrectly?
Comment on attachment 78464 [details] [diff] [review]
added assertion to the previous nullcheck patch

I didn't mean "all the time" literally.  It should only fire every time the
line is the last line of a block.
Attachment #78464 - Flags: needs-work+
Attached patch revised patchSplinter Review
right, it has to be i+1 == blah blah

i cannot reproduce this bug so i cannot say what the hack is happening there.
all this is based on talkback and the reporters observations on a machine that
he has and where the bug is reproductible. so far there were all kinds of URL's

involved and we cannot localize the bug.
Attachment #78464 - Attachment is obsolete: true
Attachment #78480 - Flags: superreview+
Attachment #78480 - Flags: review+
Could you put a newline before the text of the assertion so that it all wraps
before 80 characters?
tpreston - pls try greer's comments in comment 29 to see if you can reproduce
this.  Will help once the patch gets checked in for verifications.
adding adt1.0.0 nomination
Keywords: adt1.0.0
adt1.0.0+
Keywords: adt1.0.0adt1.0.0+
I have tested two optimized builds from Alexandru on my machine at home (which
crashes on this bug). One build w/o the patched crashed at step 2 in comment #29. 

The build with the patch has repeadtedly handled all the steps in #21 and #29
without crashing.
Comment on attachment 78480 [details] [diff] [review]
revised patch

a=rjesup@wgate.com for drivers.  Please check into both trunk and branch.
Attachment #78480 - Flags: approval+
Blocks: 136392
Using Step 29: Win XP build 2002040903 (crashes when just trying to reach
www.realgm.com URL Talkback incident:  5048123  

Using Step 29: Win 2k build 2002041003 (crashes when I get to player and click
on Kobe Bryant) Talkback incident:  5048365

Will check other platforms
I wasn't able to reproduce a crash, but I did manage to see an assertion which
is probably related:

#2  0x40267955 in nsDebug::Assertion (aStr=0x42a01ed8 "running past end", 
    aExpr=0x42a01ec2 "mCurrent != mListLink", 
    aFile=0x42a01da0 "/builds/trunk/mozilla/layout/html/base/src/nsLineBox.h", 
    aLine=537) at /builds/trunk/mozilla/xpcom/glue/nsDebug.cpp:291
#3  0x4299c0df in nsLineList_iterator::operator-> (this=0xbfffa848)
    at /builds/trunk/mozilla/layout/html/base/src/nsLineBox.h:537
#4  0x4277f604 in nsBlockFrame::ReflowLine (this=0x41ecd04c, 
    aState=@0xbfffac00, aLine={mCurrent = 0x41ee0954, mListLink = 0x41ecd088}, 
    aKeepReflowGoing=0xbfffa9e8, aDamageDirtyArea=1)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:2553
#5  0x4277e7d4 in nsBlockFrame::ReflowDirtyLines (this=0x41ecd04c, 
    aState=@0xbfffac00)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:2250
#6  0x4277b5ea in nsBlockFrame::Reflow (this=0x41ecd04c, 
    aPresContext=0x42bb2c70, aMetrics=@0xbfffb0e0, aReflowState=@0xbfffb020, 
    aStatus=@0xbfffc354)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:844

The cause of the assertion was that ReflowDirtyLines had passed a line to
ReflowLine that was no longer in the line list, but had prev and next pointers
indicating that it thought it was the only line in the line list (same list
link, but that link didn't point back to it).  The line list thought it had 5
lines, and aState.mLineNumber was 3.
Of those 5 lines (I actually missed the first), the first, third, and fifth were
blocks.  The second had a single child, and the fourth had 2, and all the
sibling linkage seemed to be correct.

The line being reflowed, which was not in the list, had a child count of 2 and
its first child had 5 siblings after (so there were four siblings following not
on the line), but none of these frames were the same.  In fact, their block
parent (which should have been the |this| block) was in fact a
(great-)*5-grandchild of the |this| block, and the chain went through the first
child of the |this| block (the child of the first line).
Recording which lines have already been reflown makes it look like the mLines
list was somehow entirely replaced in the middle of reflowing the children.
fixed on trunk and 1.0.0 branch

in order to verify you must check the change in the source file 

/cvsroot/mozilla/layout/html/base/src/nsBlockFrame.cpp

in the method 

nsBlockFrame::PostPlaceLine(...

Status: NEW → RESOLVED
Closed: 23 years ago22 years ago
Resolution: --- → FIXED
The real problem here is that frames are being destroyed while they're in the
middle of being reflowed.  While we may be lucky enough to be able to work
around it with a single null check in this case, that's unlikely to work in
general.  We shouldn't have to protect against this.  Here's the stack showing
the real problem:

#3  0x40ca7adb in nsObjectFrame::Destroy (this=0x435c984c, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp:633
#4  0x40c9dd27 in nsLineBox::DeleteLineList (aPresContext=0x4307b6f0, 
    aLines=@0x435c9764)
    at /builds/trunk/mozilla/layout/html/base/src/nsLineBox.cpp:311
#5  0x40c53177 in nsBlockFrame::Destroy (this=0x435c9728, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:328
#6  0x40c9dd27 in nsLineBox::DeleteLineList (aPresContext=0x4307b6f0, 
    aLines=@0x435c95f8)
    at /builds/trunk/mozilla/layout/html/base/src/nsLineBox.cpp:311
#7  0x40c53177 in nsBlockFrame::Destroy (this=0x435c95bc, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:328
#8  0x40de72f3 in nsFrameList::DestroyFrames (this=0x435c9590, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130
#9  0x40c69aa8 in nsContainerFrame::Destroy (this=0x435c955c, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138
#10 0x40de72f3 in nsFrameList::DestroyFrames (this=0x435c9478, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130
#11 0x40c69aa8 in nsContainerFrame::Destroy (this=0x435c9444, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138
#12 0x40de72f3 in nsFrameList::DestroyFrames (this=0x435d49e4, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130
#13 0x40c69aa8 in nsContainerFrame::Destroy (this=0x435d49b0, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138
#14 0x40de72f3 in nsFrameList::DestroyFrames (this=0x435c9324, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130
#15 0x40c69aa8 in nsContainerFrame::Destroy (this=0x435c92f0, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138
#16 0x40d694f6 in nsTableFrame::Destroy (this=0x435c92f0, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/table/src/nsTableFrame.cpp:318
#17 0x40de72f3 in nsFrameList::DestroyFrames (this=0x435c914c, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130
#18 0x40c69aa8 in nsContainerFrame::Destroy (this=0x435c9118, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138
#19 0x40d7e8bc in nsTableOuterFrame::Destroy (this=0x435c9118, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/table/src/nsTableOuterFrame.cpp:83
#20 0x40c9dd27 in nsLineBox::DeleteLineList (aPresContext=0x4307b6f0, 
    aLines=@0x435d40b8)
    at /builds/trunk/mozilla/layout/html/base/src/nsLineBox.cpp:311
#21 0x40c53177 in nsBlockFrame::Destroy (this=0x435d407c, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:328
#22 0x40de72f3 in nsFrameList::DestroyFrames (this=0x435d4050, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130
#23 0x40c69aa8 in nsContainerFrame::Destroy (this=0x435d401c, 
    aPresContext=0x4307b6f0)
    at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138
#24 0x40de75e3 in nsFrameList::DestroyFrame (this=0x435c76a8, 
    aPresContext=0x4307b6f0, aFrame=0x435d401c)
    at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:217
#25 0x40d83c18 in nsTableRowFrame::RemoveFrame (this=0x435c7674, 
    aPresContext=0x4307b6f0, aPresShell=@0x4357ff60, aListName=0x0, 
    aOldFrame=0x435d401c)
    at /builds/trunk/mozilla/layout/html/table/src/nsTableRowFrame.cpp:334
#26 0x40c7d669 in FrameManager::RemoveFrame (this=0x435b5658, 
    aPresContext=0x4307b6f0, aPresShell=@0x4357ff60, aParentFrame=0x435c7674, 
    aListName=0x0, aOldFrame=0x435d401c)
    at /builds/trunk/mozilla/layout/html/base/src/nsFrameManager.cpp:1014
#27 0x40d3dd0b in nsCSSFrameConstructor::ContentRemoved (this=0x43093910, 
    aPresContext=0x4307b6f0, aContainer=0x435ce310, aChild=0x435ce3e8, 
    aIndexInContainer=1, aInContentReplaced=1)
    at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:9587
#28 0x40d3ba42 in nsCSSFrameConstructor::ContentReplaced (this=0x43093910, 
    aPresContext=0x4307b6f0, aContainer=0x435ce310, aOldChild=0x435ce3e8, 
    aNewChild=0x435ce3e8, aIndexInContainer=1)
    at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:8917
#29 0x40d498d4 in nsCSSFrameConstructor::WipeContainingBlock (this=0x43093910, 
    aPresContext=0x4307b6f0, aState=@0xbfff5e34, aBlockContent=0x435ce3e8, 
    aFrame=0x4364fa8c, aFrameList=0x436500a4)
    at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:13686
#30 0x40d395da in nsCSSFrameConstructor::ContentAppended (this=0x43093910, 
    aPresContext=0x4307b6f0, aContainer=0x435c7f38, aNewIndexInContainer=1)
    at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:8266
#31 0x42567cf1 in StyleSetImpl::ContentAppended (this=0x430937d0, 
    aPresContext=0x4307b6f0, aContainer=0x435c7f38, aNewIndexInContainer=1)
    at /builds/trunk/mozilla/content/base/src/nsStyleSet.cpp:1520
#32 0x40cc6a3e in PresShell::ContentAppended (this=0x4357ff60, 
    aDocument=0x4307b960, aContainer=0x435c7f38, aNewIndexInContainer=1)
    at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:5160
#33 0x424e4bda in nsDocument::ContentAppended (this=0x4307b960, 
    aContainer=0x435c7f38, aNewIndexInContainer=1)
    at /builds/trunk/mozilla/content/base/src/nsDocument.cpp:1893
#34 0x4238ab0d in nsHTMLDocument::ContentAppended (this=0x4307b960, 
    aContainer=0x435c7f38, aNewIndexInContainer=1)
    at /builds/trunk/mozilla/content/html/document/src/nsHTMLDocument.cpp:1335
#35 0x42381f6c in HTMLContentSink::NotifyAppend (this=0x430b2198, 
    aContainer=0x435c7f38, aStartIndex=1)
    at /builds/trunk/mozilla/content/html/document/src/nsHTMLContentSink.cpp:4819
#36 0x42378197 in SinkContext::FlushTags (this=0x4308add0, aNotify=1)
    at /builds/trunk/mozilla/content/html/document/src/nsHTMLContentSink.cpp:2184
#37 0x423834f1 in HTMLContentSink::FlushPendingNotifications (this=0x430b2198)
    at /builds/trunk/mozilla/content/html/document/src/nsHTMLContentSink.cpp:5268
#38 0x4238b26a in nsHTMLDocument::FlushPendingNotifications (this=0x4307b960, 
    aFlushReflows=0, aUpdateViews=0)
    at /builds/trunk/mozilla/content/html/document/src/nsHTMLDocument.cpp:1486
#39 0x424dc50b in nsContentList::GetLength (this=0x43625d48, 
    aLength=0xbfff64c0, aDoFlush=1)
    at /builds/trunk/mozilla/content/base/src/nsContentList.cpp:392
#40 0x424dc88f in nsContentList::GetLength (this=0x43625d48, 
    aLength=0xbfff64c0)
    at /builds/trunk/mozilla/content/base/src/nsContentList.cpp:475
#41 0x40cb100c in nsPluginInstanceOwner::EnsureCachedAttrParamArrays (
    this=0x43593cf0)
    at /builds/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp:2809
#42 0x40cada5a in nsPluginInstanceOwner::GetAttributes (this=0x43593cf0, 
    n=@0xbfff6626, names=@0xbfff6628, values=@0xbfff662c)
    at /builds/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp:2071
#43 0x427d9641 in nsPluginInstancePeerImpl::GetAttributes (this=0x43623480, 
    n=@0xbfff6626, names=@0xbfff6628, values=@0xbfff662c)
    at /builds/trunk/mozilla/modules/plugin/base/src/nsPluginInstancePeer.cpp:345
#44 0x428a30a2 in JavaPluginInstance5::Initialize ()
   from /usr/java/jdk1.3.1/jre/plugin/i386/ns600/libjavaplugin_oji.so
#45 0x427cf7b4 in nsPluginHostImpl::SetUpPluginInstance (this=0x840fff0, 
    aMimeType=0x40ee4090 "application/x-java-vm", aURL=0x435be698, 
    aOwner=0x43593cf0)
    at /builds/trunk/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3932
#46 0x427ce2f5 in nsPluginHostImpl::InstantiateEmbededPlugin (this=0x840fff0, 
    aMimeType=0x40ee4090 "application/x-java-vm", aURL=0x435be698, 
    aOwner=0x43593cf0)
    at /builds/trunk/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3447
#47 0x40caa3a9 in nsObjectFrame::InstantiatePlugin (this=0x435c984c, 
    aPresContext=0x4307b6f0, aMetrics=@0xbfff6ed0, aReflowState=@0xbfff6f20, 
    aPluginHost=0x840fff4, aMimetype=0x40ee4090 "application/x-java-vm", 
    aURI=0x435be698)
    at /builds/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp:1242
#48 0x40ca95f9 in nsObjectFrame::Reflow (this=0x435c984c, 
    aPresContext=0x4307b6f0, aMetrics=@0xbfff6ed0, aReflowState=@0xbfff6f20, 
    aStatus=@0xbfff70b0)
    at /builds/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp:1048
#49 0x40ca1cc8 in nsLineLayout::ReflowFrame (this=0xbfff7190, 
    aFrame=0x435c984c, aNextRCFrame=0xbfff7b1c, aReflowStatus=@0xbfff70b0, 
    aMetrics=0x0, aPushedFrame=@0xbfff70ac)
    at /builds/trunk/mozilla/layout/html/base/src/nsLineLayout.cpp:1088
#50 0x40c5b03c in nsBlockFrame::ReflowInlineFrame (this=0x435c9728, 
    aState=@0xbfff7aa0, aLineLayout=@0xbfff7190, aLine=
      {mCurrent = 0x435c9920, mListLink = 0x435c9764}, aFrame=0x435c984c, 
    aLineReflowStatus=0xbfff711f "")
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:3700
#51 0x40c5ac6c in nsBlockFrame::DoReflowInlineFrames (this=0x435c9728, 
    aState=@0xbfff7aa0, aLineLayout=@0xbfff7190, aLine=
      {mCurrent = 0x435c9920, mListLink = 0x435c9764}, 
    aKeepReflowGoing=0xbfff7888, aLineReflowStatus=0xbfff765f "\002", 
    aUpdateMaximumWidth=0, aDamageDirtyArea=0)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:3582
#52 0x40c5a9dc in nsBlockFrame::DoReflowInlineFramesAuto (this=0x435c9728, 
    aState=@0xbfff7aa0, aLine={mCurrent = 0x435c9920, mListLink = 0x435c9764}, 
    aKeepReflowGoing=0xbfff7888, aLineReflowStatus=0xbfff765f "\002", 
    aUpdateMaximumWidth=0, aDamageDirtyArea=0)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:3505
#53 0x40c5a7b8 in nsBlockFrame::ReflowInlineFrames (this=0x435c9728, 
    aState=@0xbfff7aa0, aLine={mCurrent = 0x435c9920, mListLink = 0x435c9764}, 
    aKeepReflowGoing=0xbfff7888, aDamageDirtyArea=0, aUpdateMaximumWidth=0)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:3451
#54 0x40c588a2 in nsBlockFrame::ReflowLine (this=0x435c9728, 
    aState=@0xbfff7aa0, aLine={mCurrent = 0x435c9920, mListLink = 0x435c9764}, 
    aKeepReflowGoing=0xbfff7888, aDamageDirtyArea=0)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:2614
#55 0x40c57804 in nsBlockFrame::ReflowDirtyLines (this=0x435c9728, 
    aState=@0xbfff7aa0)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:2253
#56 0x40c545ea in nsBlockFrame::Reflow (this=0x435c9728, 
    aPresContext=0x4307b6f0, aMetrics=@0xbfff8168, aReflowState=@0xbfff7eb0, 
    aStatus=@0xbfff8024)
    at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:844

... (through tons of block, table, gfxscroll, etc. reflow)

#137 0x40ce9023 in ViewportFrame::Reflow (this=0x43646424, 
    aPresContext=0x4307b6f0, aDesiredSize=@0xbfffe750, 
    aReflowState=@0xbfffe580, aStatus=@0xbfffe648)
    at /builds/trunk/mozilla/layout/html/base/src/nsViewportFrame.cpp:587
#138 0x40c89806 in nsHTMLReflowCommand::Dispatch (this=0x435a9758, 
    aPresContext=0x4307b6f0, aDesiredSize=@0xbfffe750, aMaxSize=@0xbfffe730, 
    aRendContext=@0x435ce058)
    at /builds/trunk/mozilla/layout/html/base/src/nsHTMLReflowCommand.cpp:216
#139 0x40cc9814 in PresShell::ProcessReflowCommand (this=0x4357ff60, 
    aQueue=@0x4357ffb0, aAccumulateTime=1, aDesiredSize=@0xbfffe750, 
    aMaxSize=@0xbfffe730, aRenderingContext=@0x435ce058)
    at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6287
#140 0x40cc9a98 in PresShell::ProcessReflowCommands (this=0x4357ff60, 
    aInterruptible=1)
    at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6342
#141 0x40e99e80 in ReflowEvent::HandleEvent (this=0x435aa158)
    at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6196
#142 0x40cc9556 in HandlePLEvent (aEvent=0x435aa158)
    at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6212
#143 0x402222e0 in PL_HandleEvent (self=0x435aa158)
    at /builds/trunk/mozilla/xpcom/threads/plevent.c:596
#144 0x40222a51 in PL_ProcessEventsBeforeID (aSelf=0x811a1b8, aID=7389)
    at /builds/trunk/mozilla/xpcom/threads/plevent.c:1270

... (main event loop, main, etc.)

Reopening because the fact that this doesn't crash with your null check is
merely at the mercy of what the allocator decides to recycle, and thus this bug
could come back any time, or could easily still be present on other machines. 
With my patches in bug 114219 and bug 114221 to fill pres-shell-freed memory
with 0xdd, we crash quite hard in other places.  (This is quite easy to
reproduce with those patches in my tree, by loading the URL
http://www.realgm.com/src_roster.php?team=Philadelphia and clicking on one of
the players.)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I appreciate the fact that we're trying to track down a bug that nobody can
reproduce (and so spackle is appropriate), but I agree with dbaron: we should be
looking more deeply for causes.
remarking as fixed.

for David Baron's proposal to fix the real issue that caused the crash I opened
bug 136927.
Status: REOPENED → RESOLVED
Closed: 22 years ago22 years ago
Resolution: --- → FIXED
Verified fix checked into lxr.mozilla.org and no crash Mac OS X build 2002041105
and linux build 2002041105 (windows build hosed, will check that tomorrow.) 
Marking verified though
Status: RESOLVED → VERIFIED
Keywords: fixed1.0.0
Crash Signature: [@ PlaceFrameView] [@ .__ptr_glue - nsBlockFrame::PostPlaceLine]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: