Closed Bug 117736 Opened 23 years ago Closed 23 years ago

[PATCH] Trunk M098 Crash while loading the above url [@ nsTextFrame::MeasureText]

Categories

(Core :: Layout, defect, P1)

Product:
Core
Component:
Layout
Platform:
x86
Windows 98
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla0.9.9

People

(Reporter: pmac, Assigned: attinasi_layout)

References

(
URL
)

Details

(Keywords: crash, topcrash)

Crash Data

Attachments

(1 file)

wallpaper to prevent the crash when a font cannot be realized
1.47 KB, patch
shaver
: review+
shaver
: superreview+
attinasi
: approval+
Details | Diff | Splinter Review
Seen on windows 98 with jre 1.3.1 (2002-01-01-10-trunk). Works fine on linux redhat 6.2 with jre 1.3.1 (2001-01-01-21-trunk). 1. Launch netscape. 2. Type this url: http://www.silvercreekonline.com 3. Click on "Click here for Virtual Tour 38". Notice that it quits the browser about 3 out of 6 times.
Did you use a talkback-enabled build? Can you post the talkback id here? Thanks
Severity: normal → critical
Keywords: crash
Summary: The browser quits while loading the above url → Crash while loading the above url
Incident ID 1146267 Stack Trace nsTextFrame::MeasureText [d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp, line 4454] nsTextFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp, line 5172] nsLineLayout::ReflowFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineLayout.cpp, line 1087] nsBlockFrame::ReflowInlineFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3766] nsBlockFrame::DoReflowInlineFrames [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3647] nsBlockFrame::DoReflowInlineFramesAuto [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3572] nsBlockFrame::ReflowInlineFrames [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3517] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2589] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2179] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 846] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 766] CanvasFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLFrame.cpp, line 567] nsBoxToBlockAdaptor::Reflow [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxToBlockAdaptor.cpp, line 843] nsBoxToBlockAdaptor::DoLayout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxToBlockAdaptor.cpp, line 606] nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp, line 1051] nsScrollBoxFrame::DoLayout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsScrollBoxFrame.cpp, line 396] nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp, line 1051] nsContainerBox::LayoutChildAt [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsContainerBox.cpp, line 654] nsGfxScrollFrameInner::LayoutBox [d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 1059] nsGfxScrollFrameInner::Layout [d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 1170] nsGfxScrollFrame::DoLayout [d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 1067] nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp, line 1051] nsBoxFrame::Reflow [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 953] nsGfxScrollFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 776] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 766] ViewportFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsViewportFrame.cpp, line 574] PresShell::InitialReflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 2717] HTMLContentSink::StartLayout [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp, line 3921] HTMLContentSink::DidBuildModel [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp, line 2757] CNavDTD::DidBuildModel [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 674] nsParser::DidBuildModel [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1388] nsParser::Terminate [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1470] nsHTMLDocument::StopDocumentLoad [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLDocument.cpp, line 956] DocumentViewerImpl::Stop [d:\builds\seamonkey\mozilla\content\base\src\nsDocumentViewer.cpp, line 1408] nsDocShell::Stop [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2313] nsDocShell::Stop [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2334] nsDocShell::Destroy [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2470] nsWebShell::Destroy [d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, line 1452] nsHTMLFrameInnerFrame::~nsHTMLFrameInnerFrame [d:\builds\seamonkey\mozilla\layout\html\document\src\nsFrameFrame.cpp, line 668] nsHTMLFrameInnerFrame::`scalar deleting destructor' nsFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrame.cpp, line 472] nsFrameList::DestroyFrames [d:\builds\seamonkey\mozilla\layout\base\src\nsFrameList.cpp, line 131] nsContainerFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 140] nsFrameList::DestroyFrames [d:\builds\seamonkey\mozilla\layout\base\src\nsFrameList.cpp, line 131] nsContainerFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 140] nsFrameList::DestroyFrames [d:\builds\seamonkey\mozilla\layout\base\src\nsFrameList.cpp, line 131] nsContainerFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 140] nsLineBox::DeleteLineList [d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineBox.cpp, line 292] nsBlockFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 330] nsFrameList::DestroyFrames [d:\builds\seamonkey\mozilla\layout\base\src\nsFrameList.cpp, line 131] nsContainerFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 140] nsFrameList::DestroyFrames [d:\builds\seamonkey\mozilla\layout\base\src\nsFrameList.cpp, line 131] nsContainerFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 140] nsBoxFrame::Destroy [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1181] nsFrameList::DestroyFrames [d:\builds\seamonkey\mozilla\layout\base\src\nsFrameList.cpp, line 131] nsContainerFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 140] ViewportFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsViewportFrame.cpp, line 157] FrameManager::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 509] PresShell::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 1730] DocumentViewerImpl::Destroy [d:\builds\seamonkey\mozilla\content\base\src\nsDocumentViewer.cpp, line 1392] DocumentViewerImpl::Show [d:\builds\seamonkey\mozilla\content\base\src\nsDocumentViewer.cpp, line 1614] PresShell::UnsuppressAndInvalidate [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 4802] PresShell::UnsuppressPainting [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 4846] PresShell::sPaintSuppressionCallback [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 2797]
I just tried again on windows 98 using (2002-02-03-06-trunk), "Click here for Virtual Tour 38" while loading the applet, the browser was automatically quitted.
This one is a tropcrasher for M097 and the Trunk. I have reproduced it on Win2000 by going to : (874561) URL: http://www.cavedog.com/boneyards/by_totala/download.html Wait a moment and the browser crashes without loading the page. Updating summary and keywords for talkback tracking.
URL: http://www.silvercreekonline.comhttp://www.silvercreekonline.com (874...
Keywords: topcrash
Summary: Crash while loading the above url → Trunk M097 Crash while loading the above url [@ nsTextFrame::MeasureText]
Stack trace is pointing to the problem of laying down a document that is being torn down. I thought attinasi nailed this a while ago?
Clicking on the link in comment #4 (above) crashes the Trunk 2002010906 build. Can we get a testcase or a fix out of this? :-]
From the stack, this looks like a layout bug. --->layout
Assignee: joe.chou → attinasi
Component: OJI → Layout
QA Contact: pmac → petersen
Hmm. This is not crashing for me on a 1/4 build. I am on Win 2000. Patty, can you try with NO java installed? I'm thinking it might be a java bug since the page (tour #38) has a java app (http://tours.ipixmedia.com/A8CPNNVC.htm) Sorry, I cannot repro it :(
It crashes on me after creating tons on webshells... [...] WEBSHELL+ = 3808 WEBSHELL+ = 3809 WEBSHELL+ = 3810 WEBSHELL+ = 3811 WEBSHELL+ = 3812 WEBSHELL+ = 3813 WEBSHELL+ = 3814 WEBSHELL+ = 3815 WEBSHELL+ = 3816 WEBSHELL+ = 3817 WEBSHELL+ = 3818 WEBSHELL+ = 3819
Here's some more Talkback data from Mozilla 0.9.7 crashes: nsTextFrame::MeasureText 69 117736 NEW attinasi@netscape.com --- Fri 23:51 BBID range: 1292559 - 1755516 Min/Max Seconds since last crash: 11 - 497012 Min/Max Runtime: 864 - 824480 Crash data range: 2002-01-06 to 2002-01-16 Build ID range: 2001122109 to 2001122109 Keyword List : load(6), Stack Trace: nsTextFrame::MeasureText [d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp line 4447] nsTextFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp line 5160] nsLineLayout::ReflowFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineLayout.cpp line 1087] nsBlockFrame::ReflowInlineFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 3688] nsBlockFrame::DoReflowInlineFrames [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 3569] nsBlockFrame::DoReflowInlineFramesAuto [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 3494] nsBlockFrame::ReflowInlineFrames [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 3439] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 2507] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 2159] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 826] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 766] CanvasFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLFrame.cpp line 570] nsBoxToBlockAdaptor::Reflow [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxToBlockAdaptor.cpp line 843] nsBoxToBlockAdaptor::DoLayout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxToBlockAdaptor.cpp line 606] nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp line 1004] nsScrollBoxFrame::DoLayout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsScrollBoxFrame.cpp line 397] nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp line 1004] nsBoxFrame::Reflow [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp line 954] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 766] ViewportFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsViewportFrame.cpp line 576] PresShell::InitialReflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 2680] HTMLContentSink::StartLayout [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp line 3984] HTMLContentSink::DidBuildModel [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp line 2820] CNavDTD::DidBuildModel [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp line 673] nsParser::DidBuildModel [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp line 1388] nsParser::Terminate [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp line 1470] nsHTMLDocument::StopDocumentLoad [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLDocument.cpp line 877] DocumentViewerImpl::Stop [d:\builds\seamonkey\mozilla\content\base\src\nsDocumentViewer.cpp line 1351] nsDocShell::Stop [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp line 2302] nsDocShell::Stop [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp line 2323] nsDocShell::Destroy [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp line 2459] nsWebShell::Destroy [d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp line 1462] nsHTMLFrameInnerFrame::~nsHTMLFrameInnerFrame [d:\builds\seamonkey\mozilla\layout\html\document\src\nsFrameFrame.cpp line 703] nsHTMLFrameInnerFrame::`scalar deleting destructor' nsFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrame.cpp line 472] nsFrameList::DestroyFrames [d:\builds\seamonkey\mozilla\layout\base\src\nsFrameList.cpp line 131] nsContainerFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 140] nsFrameList::DestroyFrames [d:\builds\seamonkey\mozilla\layout\base\src\nsFrameList.cpp line 131] nsContainerFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 140] nsLineBox::DeleteLineList [d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineBox.cpp line 292] nsBlockFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 329] nsFrameList::DestroyFrame [d:\builds\seamonkey\mozilla\layout\base\src\nsFrameList.cpp line 217] CanvasFrame::RemoveFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLFrame.cpp line 370] FrameManager::RemoveFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp line 946] nsCSSFrameConstructor::ReconstructDocElementHierarchy [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 7275] StyleSetImpl::ReconstructDocElementHierarchy [d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp line 1407] PresShell::ReconstructFrames [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 5217] PresShell::StyleSheetAdded [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 5234] nsDocument::InsertStyleSheetAt [d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp line 1399] CSSLoaderImpl::InsertSheetInDoc [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp line 1197] CSSLoaderImpl::SheetComplete [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp line 900] CSSLoaderImpl::ParseSheet [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp line 955] CSSLoaderImpl::DidLoadStyle [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp line 991] SheetLoadData::OnStreamComplete [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp line 751] nsStreamLoader::OnStopRequest [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamLoader.cpp line 137] nsStreamListenerTee::OnStopRequest [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerTee.cpp line 25] nsHttpChannel::OnStopRequest [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp line 2386] nsOnStopRequestEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsRequestObserverProxy.cpp line 213] PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 591] PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 524] _md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 1072] KERNEL32.DLL + 0x248f7 (0xbff848f7) 0x00688c02 0x00058f64 Source File : http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/html/base/src/nsTextFrame.cpp line : 4447 (1755516) URL: http://www.landsend.com/cd/fp/prod/0 (1755516) Comments: Clicked on "try it on" (1749307) URL: www.FreeTradeZone.com (1749307) Comments: clicking the "close tab" X while the page was loading. (1746507) URL: slashdot.org (1746507) Comments: lots of dropdown boxes seems to make mozilla go boom! (1740403) URL: http://www.nwmusicmedia.com/frames.html?=body_band_pdxs_listing.html (1740403) Comments: heading of page started loading repeatedly... crashed mozilla (1719464) Comments: I had at least 20 browser windows open and I was switching between them. (1674272) URL: http://www.holly-shop.de (1672710) URL: http://www.gnupg.org/frontends.html (1672710) Comments: Clicked "GnomePGP". A new tab opened I realised that I've clicked the wrong link closed the tab before anything was visible on it ==> crash. (1643032) URL: www.atu.de (1643032) Comments: while starting mozilla (connecting to 2 imap accounts one pop) and loading my ebay.de i accessed http://www.atu.de and clicked the "splash" picture to continue to main site. i'm not sure if any of the other action were still in progress (1628942) URL: www.gmx.net (1570151) URL: http://www.murlock.org/mom/ (1566426) Comments: setting monospaced font size in preferences (1522093) URL: http://www.mein-schlemmerfreund.de/index.php (1516790) URL: http://top.addfreestats.com/cgi-bin/main.cgi?usr=00082153P001 (1516790) Comments: Clicking the link provided in the specified URL. When the page got loaded Mozilla crashed. (1513760) URL: http://images.google.com/ (1513760) Comments: I was searching for 'dak amputee' in Image Search with the family filter turned off. I opened the one-legged naked woman in a new tab then closed the tab and BOOM in gklayout.(I am d_yerrick@hotmail.com on mozilla. If any Bug comes of this please (1513760) Comments: CC me.) (1513100) URL: postag.de (1513022) URL: postag.de (1511560) Comments: it's been making my whole display go funky...overwriting random parts of the screen and stuff (1480626) URL: astalavista.box (1455660) URL: http://commcenter.net2phone.com/GLPPublish.asp?idpage=startdl (1444178) Comments: nothing out of the ordinary (1394363) URL: http://www.buffyguide.com (1394363) Comments: Just tried to load the page. Poof! (1360389) URL: www.gameoftheyear.com (1297015) Comments: being redirected to a web-based help file from the PalmOS IDE PilotMAG help menu (1294042) Comments: searching for subject at google (1292559) URL: www.latticesemi.com/products/ispPAL/index.cfm (1292559) Comments: a page didn't not load fully and I hit refresh and the error happened. It's happening with all flavors of Windows...
Using 2002012203 build on WINXP I crashed loading http://www.cavedog.com/boneyards/by_totala/download.html I did not crash loading http://www.silvercreekonline.com
Target Milestone: --- → mozilla0.9.9
*** Bug 121554 has been marked as a duplicate of this bug. ***
*** Bug 121533 has been marked as a duplicate of this bug. ***
Adding testcase keyword, since people have been able to reproduce this crash at: http://www.cavedog.com/boneyards/by_totala/download.html
Keywords: testcase
M098 still crashes NT4 at http://www.cavedog.com/boneyards/by_totala/download.html without loading the page.
Summary: Trunk M097 Crash while loading the above url [@ nsTextFrame::MeasureText] → Trunk M098 Crash while loading the above url [@ nsTextFrame::MeasureText]
Marking nsbeta1+
Keywords: nsbeta1+
Status: NEW → ASSIGNED
Priority: -- → P1
Is it me or is http://www.cavedog.com/boneyards/by_totala/download.html totally bogus on IE and Nav 4.x as well? I loaded it in Mozilla and is just eats a bunch of memory, but looking at it I can see why I think - it is a recursive frameset. Maybe there is a bug on that - I think we have to prevent nested framesets to avoid crashing here. I am not crashing on the http://www.silvercreekonline.com site at all, and getting various levels of success and failure in the other URL's in the talkbacks. I'll keep trying to get this stack but so far I have not gotten it even once. (I am seeing some GIF decoder assertions on some URL's however, and will let Pavlov know.)
In the case of the recursive frameset, we are simply running out of font resources. We get some error / assert messages from RealizeFont: NTDLL! 77fa018c() nsDebug::Assertion(const char * 0x025fa3d4, const char * 0x005845c4, const char * 0x025fa3a4, int 2416) line 291 + 13 bytes nsDebug::Error(const char * 0x025fa3d4, const char * 0x025fa3a4, int 2416) line 458 + 22 bytes nsFontMetricsWin::FindSubstituteFont(HDC__ * 0xdc01075b, unsigned int 97) line 2416 + 21 bytes nsFontMetricsWin::FindFont(HDC__ * 0xdc01075b, unsigned int 97) line 3111 + 22 bytes nsFontMetricsWin::RealizeFont() line 3221 + 20 bytes nsFontMetricsWin::Init(nsFontMetricsWin * const 0x14d3a648, const nsFont & {...}, nsIAtom * 0x02034568, nsIDeviceContext * 0x14cf6388) line 484 nsFontCache::GetMetricsFor(nsFontCache * const 0x14d3a5f0, const nsFont & {...}, nsIAtom * 0x02034568, nsIFontMetrics * & 0x00000000) line 670 + 27 bytes DeviceContextImpl::GetMetricsFor(DeviceContextImpl * const 0x14cf6388, const nsFont & {...}, nsIAtom * 0x02034568, nsIFontMetrics * & 0x00000000) line 303 ComputeLineHeight(nsIRenderingContext * 0x14d395f0, nsIStyleContext * 0x14ce7cfc) line 2179 + 63 bytes nsHTMLReflowState::CalcLineHeight(nsIPresContext * 0x14cf65b8, nsIRenderingContext * 0x14d395f0, nsIFrame * 0x14ce7d8c) line 2219 + 18 bytes nsBlockReflowState::nsBlockReflowState(const nsHTMLReflowState & {...}, nsIPresContext * 0x14cf65b8, nsBlockFrame * 0x14ce7d8c, const nsHTMLReflowMetrics & {...}, int 4194304) line 174 + 26 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x14ce7d8c, nsIPresContext * 0x14cf65b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 735 nsContainerFrame::ReflowChild(nsIFrame * 0x14ce7d8c, nsIPresContext * 0x14cf65b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 761 + 31 bytes CanvasFrame::Reflow(CanvasFrame * const 0x14ce776c, nsIPresContext * 0x14cf65b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 561 nsBoxToBlockAdaptor::Reflow(nsBoxLayoutState & {...}, nsIPresContext * 0x14cf65b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0, int 0, int 0, int 0, int 0, int 1) line 836 nsBoxToBlockAdaptor::DoLayout(nsBoxToBlockAdaptor * const 0x14ce7ba4, nsBoxLayoutState & {...}) line 620 + 46 bytes nsBox::Layout(nsBox * const 0x14ce7ba4, nsBoxLayoutState & {...}) line 1052 nsScrollBoxFrame::DoLayout(nsScrollBoxFrame * const 0x14ce78ac, nsBoxLayoutState & {...}) line 395 nsBox::Layout(nsBox * const 0x14ce78ac, nsBoxLayoutState & {...}) line 1052 nsBoxFrame::Reflow(nsBoxFrame * const 0x14ce7874, nsIPresContext * 0x14cf65b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 991 nsContainerFrame::ReflowChild(nsIFrame * 0x14ce7874, nsIPresContext * 0x14cf65b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 761 + 31 bytes ViewportFrame::Reflow(ViewportFrame * const 0x14ce7730, nsIPresContext * 0x14cf65b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 574 PresShell::InitialReflow(PresShell * const 0x14cf1920, int 0, int 0) line 2674 but then we plunder on and end up assuming that the mNormalFont in the TextStyle struct is valid and crash with the stack already posted to the bug. I am wallpapering the crash for now, and investigating the complexity of handling the failure at the source (RBS - help!)
Looking like a problem with system exhaustion of font resources. The cavedog page causes it because it is recursively loading the frames and the system is bound to get exhausted at some time. The other sites listed in the talkbacks are probably just the victims of general font leakage (a guess, but I cannot get any other site to crash with this stack).
Assignee: attinasi → attinasi_layout
Status: ASSIGNED → NEW
Check out this patch - it just stops the crash byt checking for a null normal font instead of assuming it is non-null. I defer to RBS on why the fallback is failing in the font resolution, I am just not as intimate with that code as he is.
Status: NEW → ASSIGNED
Summary: Trunk M098 Crash while loading the above url [@ nsTextFrame::MeasureText] → [PATCH] Trunk M098 Crash while loading the above url [@ nsTextFrame::MeasureText]
[...] nsFontMetricsWin::Init(nsFontMetricsWin * const 0x14d3a648, const nsFont & {...}, nsIAtom * 0x02034568, nsIDeviceContext * 0x14cf6388) line 484 nsFontCache::GetMetricsFor(nsFontCache * const 0x14d3a5f0, const nsFont & {...}, [...] There are extreme circumstances where the font substitute fallback can fail since there are fixed limits on the number of resources that GDI allows. But we do have another last minute desperate fallback where we return any available cached font rather than returning no font all (bug 109974). http://lxr.mozilla.org/seamonkey/source/gfx/src/nsDeviceContext.cpp#639 That's why I am generally dubious about the usefullness of just wall papering null fonts that come out -- although it has been observed that, due to bigger architectural issues, these can happen in transient cases where the world is being torn down without stopping layout first -- causing GFX to rely on dead objects, or in recursive situations like this frameset that you alluded to. And null checks have sometimes proved to have a positive palliative effect in such cases. Do you get the page to layout properly with the null checks?
The page has recursive framesets, so no, it never lays out properly as it never stops loading, at least not in the 10 minutes I gave it. I could never get the crash on any other page either. Regarding the extreme fallback, where we get any font in the font cache: what I am seeing is that the fontCache has NO fonts in it (mFontMetrics.Count() == 0), so that code is failing too.
RBS: is the font cache per webshell? In the case where we cannot get a font at all, and the font cache is empty, can we grab fonts from other webshells' font caches? Even better, cna the font caches be shared across webshells? If I understand this correctly, we are guaranteed to run out of font resources if there are enough webshells, as the recursive frameset shows.
That's right. I was thinking of doing a little patch just to print out the grand total number of fonts (but the smoketest blocker has spoiled all that). The zero that you saw is a local zero -- in that particular font-cache. In principle yes, it is possible to increase the sharing. There are some bugzilla bugs about that (e.g., bug 91956). They need some thinking to decide who should own what and the associated impact, e.g., the effect of the underlying DC (i.e., likely something for the Future).
So, can we get this wallpaper reviewed, and then deal with the improved sharing of fonts across webshells later?
r=rbs
Comment on attachment 68592 [details] [diff] [review] wallpaper to prevent the crash when a font cannot be realized sr=shaver, and recording rbs's r= via the patch manager (tsk, tsk!). So, uh, when's "later" for solving this properly?
Attachment #68592 - Flags: superreview+
Attachment #68592 - Flags: review+
Thanks Mike. Judging from bug 91956, when is not known (no milestone set) the real fix will be devised. Opening a 'perf' bug for sharing the font cache across webshells may be a good way to go - bug 91956 covers the execution costs, the new one could cover the memory benefits. But, they are really the same issue, so I'll hold off on opening it.
a=asa (on behalf of drivers) for checkin to 0.9.9
Keywords: mozilla0.9.9+
Comment on attachment 68592 [details] [diff] [review] wallpaper to prevent the crash when a font cannot be realized a=asa (migrating from comment)
Attachment #68592 - Flags: approval+
Fix in: /cvsroot/mozilla/layout/html/base/src/nsTextFrame.cpp,v <-- nsTextFrame.cpp new revision: 1.358; previous revision: 1.357
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
re: "later" It occurred to me that perhaps there could be an "ultimate fallback font" that is a single, sharable/static dummy font that does nothing, e.g, has a null DC -- i.e., depends on no device context, returns 0 for GetWitdh, draws nothing, etc. This way, people may not have to test for a null font everywhere. (It would be a nightmare if the entire application has to be wallpapered against null fonts).
Under Windows, isn't the System font something like this- I believe it can render almost any low-memory situation.
verified fixed. talkback shows this last crashed with builds from 2/25.
Status: RESOLVED → VERIFIED
*** Bug 129486 has been marked as a duplicate of this bug. ***
*** Bug 121444 has been marked as a duplicate of this bug. ***
Updating summary for future reference with nsInlineFrame::ReflowFrames | nsInlineFrame::ReflowInlineFrame, the stack signatures from duped bug 121444.
Summary: [PATCH] Trunk M098 Crash while loading the above url [@ nsTextFrame::MeasureText] → [PATCH] Trunk M098 Crash while loading the above url [@ nsTextFrame::MeasureText | nsInlineFrame::ReflowFrames | nsInlineFrame::ReflowInlineFrame]
The font leakage crashes at nsTextFrame::MeasureText have gone away (per Talkback data) following the fix on 2-25. However, the crashes resulting from recursive framesets continue in M099 and the Trunk. Reopening the bug for that issue: bug 121444. (Removing signatures nsInlineFrame::ReflowFrames & nsInlineFrame::ReflowInlineFrame from the summary.)
Summary: [PATCH] Trunk M098 Crash while loading the above url [@ nsTextFrame::MeasureText | nsInlineFrame::ReflowFrames | nsInlineFrame::ReflowInlineFrame] → [PATCH] Trunk M098 Crash while loading the above url [@ nsTextFrame::MeasureText]
Keywords: testcase
Crash Signature: [@ nsTextFrame::MeasureText]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: