Bug 1252: [CRASH]Crash in initial layout of empty framesets
Status: VERIFIED FIXED (Closed)
Opened 26 years ago, closed 25 years ago
Categories: Core :: Layout: Images, Video, and HTML Frames, defect, P1
Target Milestone: M7
People: Reporter: morse, Assigned: karnaze
Whiteboard: fixed long ago but has since regressed - 06/01/99
Bringing up the browser on a page containing the following html results in a
gp-trap:
<HTML>
<HEAD>
<TITLE>Cookies</TITLE>
<SCRIPT>
function loadButtons(){
top.frames[0].document.open();
top.frames[0].document.close();
}
</SCRIPT>
</HEAD>
<FRAMESET onLoad=loadButtons()>
<FRAME>
<FRAME>
</FRAMESET>
</HTML>
If the document.open and document.close are commented out, the trap doesn't
occur.
This is blocking a lot of other implementation work from happening.
The stack trace at the time of the trap is as follows:
GlobalWindowImpl::GetDocument(GlobalWindowImpl * const 0x01340128,
nsIDOMDocument * * 0x00129e40) line 269 + 13 bytes
GetWindowProperty(JSContext * 0x01310670, JSObject * 0x018a5a60, long
0xfffffffb, long * 0x0012a2c4) line 149 + 16 bytes
js_GetProperty(JSContext * 0x01310670, JSObject * 0x018a5a60, long
0x01318a10, long * 0x0012a2c4) line 1623 + 25 bytes
js_Interpret(JSContext * 0x01310670, long * 0x0012a41c) line 2153 + 801
bytes
js_Invoke(JSContext * 0x01310670, unsigned int 0x00000000, int
0x00000000) line 657 + 13 bytes
js_Interpret(JSContext * 0x01310670, long * 0x0012a974) line 2187 + 15
bytes
js_Invoke(JSContext * 0x01310670, unsigned int 0x00000001, int
0x00000000) line 657 + 13 bytes
js_CallFunctionValue(JSContext * 0x01310670, JSObject * 0x018a4210, long
0x018a5608, unsigned int 0x00000001, long * 0x0012aabc, long *
0x0012aac4) line 726 + 15 bytes
JS_CallFunctionValue(JSContext * 0x01310670, JSObject * 0x018a4210, long
0x018a5608, unsigned int 0x00000001, long * 0x0012aabc, long *
0x0012aac4) line 2336 + 29 bytes
nsJSEventListener::ProcessEvent(nsIDOMEvent * 0x01336c60) line 97 + 34
bytes
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent *
0x0012ac18, nsIDOMEvent * * 0x0012ab8c, nsEventStatus &
nsEventStatus_eIgnore) line 491 + 17 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x013154e4,
nsIPresContext & {...}, nsEvent * 0x0012ac18, nsIDOMEvent * *
0x0012ab8c, unsigned int 0x00000001, nsEventStatus &
nsEventStatus_eIgnore) line 1724
nsWebShell::OnConnectionsComplete(nsWebShell * const 0x012856f0) line
1655 + 34 bytes
nsDocLoaderImpl::LoadURLComplete(nsIURL * 0x013032c0, nsISupports *
0x013031b0, int 0x00000000) line 966
nsDocumentBindInfo::OnStopBinding(nsDocumentBindInfo * const 0x013031b0,
nsIURL * 0x013032c0, int 0x00000000, const nsString & {...}) line 1416
OnStopBindingProxyEvent::HandleEvent(OnStopBindingProxyEvent * const
0x0130b280) line 538 + 45 bytes
StreamListenerProxyEvent::HandlePLEvent(PLEvent * 0x0130b284) line 421 +
12 bytes
PL_HandleEvent(PLEvent * 0x0130b284) line 395 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x01235f60) line 357 + 9 bytes
_md_EventReceiverProc(void * 0x01270110, unsigned int 0x0000c084,
unsigned int 0x00000000, long 0x01235f60) line 675 + 9 bytes
USER32! 77e71250()
01235f60()
Updated•26 years ago
Status: NEW → ASSIGNED
Summary: javascript and frames: document.open causes gp-trap → js doc object needs to be reflected before doc load
Comment 2•26 years ago
Updating summary
Comment 4•26 years ago
per leger, assigning QA contacts to all open bugs without QA contacts according
to list at http://bugzilla.mozilla.org/describecomponents.cgi?product=Browser
Updated•26 years ago
Assignee: joki → troy
Summary: js doc object needs to be reflected before doc load → Crash in initial layout of empty framesets
Comment 5•26 years ago
Changing subject from
js doc object needs to be reflected before doc load
I think that bug may still exist but there's a different one now that hits
first. Document dies in a reflow stack during initial document layout. Troy
can you look at this and if the reflow gets fixed and load event crash recurs
send it back.
Chris, we're hitting an assert in the nsHTMLOuterFrame code. Here's the stack
trace:
NTDLL! 77f76148()
nsDebug::Assertion(const char * 0x007bd5a0, const char * 0x007bd580, const char
* 0x007bd548, int 348) line 140 + 13 bytes
nsHTMLFrameOuterFrame::Reflow(nsHTMLFrameOuterFrame * const 0x01133604,
nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState &
{...}, unsigned int & 4294967295) line 348 + 38 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x01133600, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int &
4294967295) line 388 + 28 bytes
nsHTMLFramesetFrame::ReflowPlaceChild(nsIFrame * 0x01133600, nsIPresContext &
{...}, const nsHTMLReflowState & {...}, nsPoint & {x=0 y=0}, nsSize &
{width=9180 height=4470}, nsPoint * 0x0012e954 {x=0 y=0}) line 751
nsHTMLFramesetFrame::Reflow(nsHTMLFramesetFrame * const 0x01132054,
nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState &
{...}, unsigned int & 6483869) line 1140
nsLineLayout::ReflowFrame(nsIFrame * 0x01132050, nsIFrame * * 0x0012f564,
unsigned int & 6483869) line 842
nsBlockFrame::ReflowInlineFrame(nsBlockReflowState & {...}, nsLineBox *
0x01133f60, nsIFrame * 0x01132050, unsigned char * 0x0012ebe0) line 2729 + 26
bytes
nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineBox *
0x01133f60, int * 0x0012ec70) line 2610 + 24 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x01133f60, int
* 0x0012ec70) line 1717 + 20 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 1522 + 20 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x011324b4, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 892 + 18 bytes
nsAreaFrame::Reflow(nsAreaFrame * const 0x011324b4, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 509 + 28 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x011324b0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 388 + 28 bytes
RootFrame::Reflow(RootFrame * const 0x011328a4, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 253
nsContainerFrame::ReflowChild(nsIFrame * 0x011328a0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 388 + 28 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x0112ae14, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 434
PresShell::InitialReflow(PresShell * const 0x01109f90, int 9180, int 4470) line
878
HTMLContentSink::StartLayout() line 1980
HTMLContentSink::CloseFrameset(HTMLContentSink * const 0x010e7850, const
nsIParserNode & {...}) line 1822
CNavDTD::CloseFrameset(const nsIParserNode & {...}) line 2232 + 31 bytes
CNavDTD::CloseContainer(const nsIParserNode & {...}, nsHTMLTag
eHTMLTag_frameset, int 1) line 2366 + 12 bytes
CNavDTD::CloseContainersTo(int 1, nsHTMLTag eHTMLTag_frameset, int 1) line 2402
+ 26 bytes
CNavDTD::CloseContainersTo(nsHTMLTag eHTMLTag_frameset, int 1) line 2423 + 20
bytes
CNavDTD::HandleEndToken(CToken * 0x01128460) line 1231 + 14 bytes
NavDispatchTokenHandler(CToken * 0x01128460, nsIDTD * 0x010a4050) line 245 + 12
bytes
CTokenHandler::operator()(CToken * 0x01128460, nsIDTD * 0x010a4050) line 80 + 14
bytes
CNavDTD::HandleToken(CNavDTD * const 0x010a4050, CToken * 0x01128460, nsIParser
* 0x010e7fa0) line 604 + 18 bytes
CNavDTD::BuildModel(CNavDTD * const 0x010a4050, nsIParser * 0x010e7fa0,
nsITokenizer * 0x010a3840, nsITokenObserver * 0x00000000, nsIContentSink *
0x010e7850) line 502 + 20 bytes
nsParser::BuildModel() line 804 + 34 bytes
nsParser::ResumeParse(nsIDTD * 0x00000000) line 756 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x010e7fa4, nsIURL * 0x010ae6f0,
nsIInputStream * 0x010a3b70, unsigned int 306) line 968 + 17 bytes
nsDocumentBindInfo::OnDataAvailable(nsDocumentBindInfo * const 0x010ae7f0,
nsIURL * 0x010ae6f0, nsIInputStream * 0x010a3b70, unsigned int 306) line 1783 +
24 bytes
OnDataAvailableProxyEvent::HandleEvent(OnDataAvailableProxyEvent * const
0x010a0c70) line 632
StreamListenerProxyEvent::HandlePLEvent(PLEvent * 0x010a0c74) line 471 + 12
bytes
PL_HandleEvent(PLEvent * 0x010a0c74) line 476 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x0104e950) line 437 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x0011052a, unsigned int 49403, unsigned int 0,
long 17099088) line 799 + 9 bytes
USER32! 77e71250()
0104e950()
Updated•26 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Comment 7•26 years ago (Assignee)
This works on my 3/29 pm WinNT debug build. I fixed another frameset bug
yesterday which fixes the crash here. In the test case, the <frameset> has no
rows or cols, so it will never display anything. If the intent is to eventually
use the dom to add rows and/or cols, Eric Pollman is currently working on that.
Comment 8•26 years ago (Reporter)
The crash is back except now the stack trace is completely different. So rather
than reopening this report, I've created a new report. See bug 5643.
Updated•25 years ago
Status: RESOLVED → REOPENED
QA Contact: glynn → claudius
Hardware: PC → All
Summary: Crash in initial layout of empty framesets → [CRASH]Crash in initial layout of empty framesets
Whiteboard: awaiting stable win32 3/30 build to verify → fixed long ago but has since regressed - 06/01/99
Comment 9•25 years ago
This bug is now crashing again. All platforms, with the 1999060108 builds (5/25 on Mac). It is reopened and I'll post a stack trace to compare.
*Interesting note: changing <FRAME> to <FRAME SRC=about:blank> prevents this from crashing, although that was a related issue - see bug 5643
Updated•25 years ago
Resolution: FIXED → ---
Comment 10•25 years ago
OK Talkback is acting up but my Linux box says we're crashing in nsHTMLFrameInnerFrame whereas before it was nsHTMLFrameOuterFrame.
Program received signal SIGSEGV, Segmentation fault.
0x40a48c7b in nsHTMLFrameInnerFrame::DidReflow ()
#0 0x40a48c7b in nsHTMLFrameInnerFrame::DidReflow ()
#1 0x409b57e9 in nsContainerFrame::DidReflow ()
#2 0x40a4aebc in nsHTMLFramesetFrame::ReflowPlaceChild ()
#3 0x40a4be38 in nsHTMLFramesetFrame::Reflow ()
#4 0x409c86a0 in nsLineLayout::ReflowFrame ()
#5 0x409b06c3 in nsBlockFrame::ReflowInlineFrame ()
#6 0x409b0551 in nsBlockFrame::ReflowInlineFrames ()
#7 0x409af5ff in nsBlockFrame::ReflowLine ()
#8 0x409af332 in nsBlockFrame::ReflowDirtyLines ()
#9 0x409aebb7 in nsBlockFrame::Reflow ()
#10 0x409ace94 in nsAreaFrame::Reflow ()
#11 0x409b5ddf in nsContainerFrame::ReflowChild ()
#12 0x409bd6a7 in RootFrame::Reflow ()
#13 0x409b5ddf in nsContainerFrame::ReflowChild ()
#14 0x409daeb8 in ViewportFrame::Reflow ()
#15 0x409cf2d3 in PresShell::InitialReflow ()
#16 0x40a409fc in HTMLContentSink::StartLayout ()
#17 0x40a4068b in HTMLContentSink::CloseFrameset ()
#18 0x40284c31 in CNavDTD::CloseFrameset ()
#19 0x4028518a in CNavDTD::CloseContainer ()
#20 0x4028528e in CNavDTD::CloseContainersTo ()
#21 0x40285388 in CNavDTD::CloseContainersTo ()
#22 0x40283bfd in CNavDTD::HandleEndToken ()
#23 0x40281acb in CNavDTD::Release ()
#24 0x4028e97b in CTokenHandler::operator() ()
#25 0x402825ba in CNavDTD::HandleToken ()
#26 0x402821be in CNavDTD::BuildModel ()
#27 0x4028c981 in nsParser::BuildModel ()
#28 0x4028c8bb in nsParser::ResumeParse ()
#29 0x4028cc25 in nsParser::OnDataAvailable ()
#30 0x4025b766 in nsDocumentBindInfo::OnDataAvailable ()
#31 0x40247ec4 in XP_FindContextOfType ()
#32 0x402029c6 in NET_GetMaxMemoryCacheSize ()
#33 0x40179da1 in net_ResumeHTTP ()
#34 0x40179762 in NET_getInternetKeyword ()
#35 0x4017a65e in net_ResumeHTTP ()
#36 0x40224f3f in NET_ProcessNet ()
#37 0x4022a5d7 in NET_PollSockets ()
#38 0x4024329d in nsNetlibService::NetPollSocketsCallback ()
#39 0x400f727a in TimerImpl::FireTimeout ()
#40 0x400f75dc in nsTimerExpired ()
#41 0x80e6b53 in g_main_iteration ()
#42 0x80e60d8 in g_list_length ()
#43 0x80e6553 in g_list_length ()
#44 0x80e666d in g_main_iteration ()
#45 0x8084593 in gtk_main ()
#46 0x400b12c3 in nsAppShell::Run ()
#47 0x40018fb6 in nsAppShellService::Run ()
#48 0x8051327 in main ()
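Added example (not part of the original bug thread): the by-eye comparison made in the comments, checking whether the regressed crash faults in the same frames as the earlier assertion, written as a small Python triage script. The two traces are constructed excerpts of the stacks quoted above (one frame per line, argument lists abbreviated), and the names frames, split_at_shared and compare are this example's own.

```python
import re

# Constructed sample input: top frames of the two traces quoted in this bug,
# one frame per line, argument lists abbreviated.
MSVC_TRACE = """\
NTDLL! 77f76148()
nsDebug::Assertion(const char * 0x007bd5a0, int 348) line 140 + 13 bytes
nsHTMLFrameOuterFrame::Reflow(nsIPresContext & {...}) line 348 + 38 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x01133600) line 388 + 28 bytes
nsHTMLFramesetFrame::ReflowPlaceChild(nsIFrame * 0x01133600) line 751
nsHTMLFramesetFrame::Reflow(nsIPresContext & {...}) line 1140
"""
GDB_TRACE = """\
#0 0x40a48c7b in nsHTMLFrameInnerFrame::DidReflow ()
#1 0x409b57e9 in nsContainerFrame::DidReflow ()
#2 0x40a4aebc in nsHTMLFramesetFrame::ReflowPlaceChild ()
#3 0x40a4be38 in nsHTMLFramesetFrame::Reflow ()
"""

GDB_FRAME = re.compile(r"^#\d+\s+0x[0-9a-f]+\s+in\s+(.+?)\s*\(\)$")
MSVC_FRAME = re.compile(r"^([\w:~]+)\(.*\)\s+line\s+\d+")
NOISE = {"nsDebug::Assertion"}  # assertion reporting, not the faulting code

def frames(trace):
    """Symbol names, innermost first; unsymbolized frames are dropped."""
    names = []
    for line in trace.splitlines():
        m = GDB_FRAME.match(line.strip()) or MSVC_FRAME.match(line.strip())
        if m and m.group(1) not in NOISE:
            names.append(m.group(1))
    return names

def split_at_shared(a, b):
    """Split both stacks at the innermost frame they have in common."""
    for i, name in enumerate(a):
        if name in b:
            return a[:i], b[:b.index(name)], name
    return a, b, None

def compare(trace_a, trace_b, depth=2):
    """Bucket by the top `depth` frames and report where the stacks converge."""
    a, b = frames(trace_a), frames(trace_b)
    only_a, only_b, shared = split_at_shared(a, b)
    return {"same_signature": a[:depth] == b[:depth],
            "shared_caller": shared, "only_a": only_a, "only_b": only_b}

if __name__ == "__main__":
    for key, value in compare(MSVC_TRACE, GDB_TRACE).items():
        print(f"{key}: {value}")
```

On these excerpts the top frames differ while both stacks pass through nsHTMLFramesetFrame::ReflowPlaceChild, which is the distinction drawn in the comment above.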
Updated•25 years ago (Assignee)
Status: REOPENED → RESOLVED
Closed: 26 years ago → 25 years ago
Resolution: --- → FIXED
Target Milestone: M5 → M7
Comment 11•25 years ago (Assignee)
Fixed with latest checkin.
Updated•25 years ago
Status: RESOLVED → VERIFIED
Comment 12•25 years ago
VERIFIED fixed for WinNT, MacOS, and RHLinux with 1999060708 builds
Comment 13•22 years ago
As far as i can tell, this bug has been back again for a while.
Over the past few months i have successfully repeatedly crashed
mozilla 0.9.9, 1.1.0 and now mozilla-1.2b-0_rh7 (all on redhat).
The following HTML is all you need to re-create this crash:
<html>
<frameset rows="0" cols="0">
<frame src="">
</frameset>
</body>
</html>
-jonny
Comment 14•22 years ago (Assignee)
wfm on 11/26/2 win2k debug.
Comment 15•22 years ago
it's nice to hear it works okay on w2k.
on linux - it doesn't.
just tested it again on a fresh rh 8.0 install with moz 1.2 stable (xft).
crashed like a crashing thing.
cheers,
-jonny
Comment 16•22 years ago
crashes on Redhat 7.3 1.2b
works on win2k
Comment 17•19 years ago
Revised delivery date - 07/21
Updated•6 years ago
Product: Core → Core Graveyard
Updated•6 years ago
Component: Layout: HTML Frames → Layout: Images
Product: Core Graveyard → Core