Closed Bug 134508 Opened 23 years ago Closed 23 years ago

crash during page load [@ DeletingFrameSubtree]

Categories

(Core :: Layout, defect, P2)

Product:
Core
Component:
Layout
Platform:
x86
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.0

People

(Reporter: ajschult784, Assigned: dbaron)

References

(
URL
)

Details

(Keywords: crash, regression, topcrash)

Crash Data

Attachments

(3 files, 2 obsolete files)

stacktrace
5.86 KB, text/plain
Details
testcase
35.55 KB, text/html
Details
one more tweak
2.64 KB, patch
attinasi
: review+
waterson
: superreview+
asa
: approval+
Details | Diff | Splinter Review
originally reported in bug 129013 Mozilla crashes if you scroll around while the above URL is loading. This bug regressed sometime between build 2002032608 and 2002032808. The crash occurs in nsCSSFrameConstructor.cpp. http://lxr.mozilla.org/seamonkey/source/layout/html/style/src/nsCSSFrameConstructor.cpp#9047 9047 if (IsFrameSpecial(aFrame)) { 9048 nsIFrame* specialSibling; 9049 GetSpecialSibling(aFrameManager, aFrame, &specialSibling); 9050 DeletingFrameSubtree(aPresContext, aPresShell, aFrameManager, 9051 specialSibling); 9052 } IsFrameSpecial is true, but GetSpeicalSibling sets specialSibling to null. Calling DeleteFrameSubtree crashes.
Keywords: crash, regression
Attached file stacktrace
Attached patch patch (obsolete) — Splinter Review
throw an assertion and don't crash.
With the patch, the window goes blank when bad stuff happens, but does not crash. When the page is fully loaded, everything is back to normal. This is the same behavior as before the regression (20020326).
Keywords: patch
I am NOT able to force mozilla to crash... WFM Mozilla 0.9.9 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020310 RH6.2 kernel 2.2.14-5
0.9.9 is pre-regression (20020326)... It seems that the crash now occurs during load without scrolling (same build, so I'm confused), but only if it loads slowly enough that Mozilla does reflow during load. I'm working on a testcase, but the crash seems dependent on load speed (loading locally, or from my localhost web server works fine). stacktrace is still the same.
Summary: crash while scrolling and loading of page → crash during page load
Attached file testcase
crash seems to depend on lines containing <a name="____"><em><li></em>"_______"</a> scrolling increases the reproducibility of the crash, but is not always required.
also crashes with linux build 20020327 (RPM) regression is between 2002032608 and 2002032709
Changing QA contact
QA Contact: petersen → amar
I cannot duplicate the crash on the URL or the testcase, but the assertion / check done in the patch looks reasonable to me anyway.
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → mozilla1.0.1
I still crash with build 20020402. The URL is easier to reproduce than the testcase. Neither may be reproducible with broadband. I was unable to reproduce the bug locally and even over my 56K modem, I downloaded Mozilla source in the background to get the testcase to crash more reproducibly.
here's a longer testcase: http://turbo.che.ncsu.edu/andrew/134508_long.html this is 40x as long (1.5MB of html) as the attached testcase and crashes for me even loading locally.
URL: http://epguides.com/dilbert/guide.shtmlhttp://turbo.che.ncsu.edu/andrew/1345...
Summary: crash during page load → crash during page load [@DeletingFrameSubtree]
This looks like it might be a regression from my changes for bug 129350.
Keywords: topcrash
Summary: crash during page load [@DeletingFrameSubtree] → crash during page load [@ DeletingFrameSubtree]
Yes, I did cause this, because I made |DeletingFrameSubtree| no longer null-safe. I don't see why it should be null-safe, but it just happened to be written that it was. We shouldn't assert that a frame has a special sibling. I think we should assert that the argument to DeletingFrameSubtree is non-null, but for now I think we should also check in release builds in case there are other callers passing null. I'll attach a revised patch and take the bug.
Assignee: attinasi → dbaron
Status: ASSIGNED → NEW
Target Milestone: mozilla1.0.1 → mozilla1.0
Attached patch revised patch (obsolete) — Splinter Review
Attachment #76952 - Attachment is obsolete: true
Attached patch one more tweakSplinter Review
One more tweak: now that we null-check at the beginning, change while-do to do-while. Also a diff -u10 for easier reading.
Attachment #77913 - Attachment is obsolete: true
Comment on attachment 77914 [details] [diff] [review] one more tweak r=/sr=waterson
Attachment #77914 - Flags: superreview+
Comment on attachment 77914 [details] [diff] [review] one more tweak r=attinasi
Attachment #77914 - Flags: review+
Comment on attachment 77914 [details] [diff] [review] one more tweak a=asa (on behalf of drivers) for checkin to the 1.0 trunk
Attachment #77914 - Flags: approval+
Fix checked in 2002-04-08 18:11 PDT.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Crash Signature: [@ DeletingFrameSubtree]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: