Closed Bug 138725 Opened 22 years ago Closed 22 years ago

Trunk M1RC2 Crash going to this Harvard link [@ nsFormFrame::AddFormControlFrame]

Categories

(Core :: Layout, defect, P2)

Product:
Core
Component:
Layout
Platform:
x86
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0

People

(Reporter: greer, Assigned: karnaze)

References

(
URL
)

Details

(Keywords: crash, testcase, topcrash+, Whiteboard: [adt2] PATCH)

Crash Data

Attachments

(3 files, 2 obsolete files)

reduced testcase
941 bytes, text/html
Details
patch to fix the bug
3.25 KB, patch
alexsavulov
: review+
waterson
: superreview+
Details | Diff | Splinter Review
patch to negate alternate patch which caused bug 167915
1.90 KB, patch
Details | Diff | Splinter Review 
I've been able to crash at will on the Trunk and the release candidate going to
these links:

http://jobs.boston.com/texis/js/+Zwwzm1wwwqFqm5w5ozmqwwwMFqtxd5BdDDzm1wwwdzmxww
wpzm-wwwBFqtxd5BdD/job.html?id=3ca887a44

http://jobs.boston.com/texis/js/+Zwwzm1wwwqFqm5w5ozmqww
wMFqtxd5BdDDzm1wwwdzmxwwwpzm-wwwBFqtxd5BdD/job.html?id=3c7a63b1

Which generate some significant recursion:

nsFormFrame::AddFormControlFrame
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsFormFrame.cpp, line 198]
nsFormFrame::AddFormControlFrame
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsFormFrame.cpp, line 166]
nsHTMLButtonControlFrame::SetInitialChildList
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsHTMLButtonControlFrame.cpp,
line 389]
nsCSSFrameConstructor::ConstructHTMLFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4860]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7175]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7063]
nsCSSFrameConstructor::ProcessBlockChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13183]
nsCSSFrameConstructor::ConstructBlock
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13132]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6320]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7214]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7063]
nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 11999]
nsCSSFrameConstructor::ConstructHTMLFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4838]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7175]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7063]
nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 11999]
nsCSSFrameConstructor::ConstructTableCellFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2741]
nsCSSFrameConstructor::TableProcessChild
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 3005]
nsCSSFrameConstructor::TableProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2899]
nsCSSFrameConstructor::ConstructTableRowFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2585]
nsCSSFrameConstructor::TableProcessChild
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2991]
nsCSSFrameConstructor::TableProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2899]
nsCSSFrameConstructor::ConstructTableRowGroupFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2476]
nsCSSFrameConstructor::TableProcessChild
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2985]
nsCSSFrameConstructor::TableProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2899]
nsCSSFrameConstructor::ConstructTableFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2357]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6380]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7214]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7063]
nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 11999]
nsCSSFrameConstructor::ConstructTableCellFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2741]
nsCSSFrameConstructor::TableProcessChild
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 3005]
nsCSSFrameConstructor::TableProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2899]
nsCSSFrameConstructor::ConstructTableRowFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2585]
nsCSSFrameConstructor::TableProcessChild
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2991]
nsCSSFrameConstructor::TableProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2899]
nsCSSFrameConstructor::ConstructTableRowGroupFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2476]
nsCSSFrameConstructor::TableProcessChild
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2985]
nsCSSFrameConstructor::TableProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2899]
nsCSSFrameConstructor::ConstructTableFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2357]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6380]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7214]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7063]
nsCSSFrameConstructor::ProcessInlineChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13483]
nsCSSFrameConstructor::ConstructInline
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13264]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6340]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7214]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7063]
nsCSSFrameConstructor::ProcessBlockChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13183]
nsCSSFrameConstructor::ConstructBlock
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13132]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6320]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7214]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7063]
nsCSSFrameConstructor::ContentInserted
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 8768]
nsCSSFrameConstructor::ContentReplaced
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 8914]
nsCSSFrameConstructor::WipeContainingBlock
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13650]
nsCSSFrameConstructor::ContentAppended
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 8256]
StyleSetImpl::ContentAppended
[d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp, line 1500]
PresShell::ContentAppended
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5171]
nsDocument::ContentAppended
[d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 1897]
nsHTMLDocument::ContentAppended
[d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLDocument.cpp, line
1338]
HTMLContentSink::NotifyAppend
[d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp,
line 4826]
SinkContext::CloseContainer
[d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp,
line 1572]
HTMLContentSink::CloseContainer
[d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp,
line 3470]
Nominating, since this one seems easy to reproduce.
Keywords: crash, nsbeta1, testcase, topcrash+
crashes on linux builds back to at least 20020114
OS->All
OS: Windows 2000 → All
Attached file reduced testcase 
if one set of <span> tags is removed, it loads ok, but crashes on exit.

this does look like bug 121591.
Changing QA Contact
QA Contact: petersen → amar
Reassigning to John
Assignee: attinasi → jkeiser
 Setting the priority to P2.
Priority: -- → P2
*** Bug 139221 has been marked as a duplicate of this bug. ***
*** Bug 140057 has been marked as a duplicate of this bug. ***
nsbeta1+.
Keywords: nsbeta1nsbeta1+
Whiteboard: [adt1]
Target Milestone: --- → mozilla1.0
Status: NEW → ASSIGNED
OK, this has to do with the PFM not being updated for one reason or another. 
Specifically, GetPrimaryFrameFor in nsFormFrame::AddFormControlFrame() is
returning the old, destroyed primary frame.

I put some printfs in the constructors / destructors and here is what I see:

0x86d29ac::nsFormFrame()
0x86d2be8::nsHTMLButtonControlFrame
0x86d29ac::Destroy()
0x86d2be8::Destroy()
###!!! ASSERTION: frame was not removed from primary frame map before
destruction or was readded to map after being removed:
'!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame', file
nsFrameManager.cpp, line 1051
###!!! Break: at file nsFrameManager.cpp, line 1051
0x86d2be8::~nsHTMLButtonControlFrame
###!!! ASSERTION: frame was not removed from primary frame map before
destruction or was readded to map after being removed:
'!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame', file
nsFrameManager.cpp, line 1051
###!!! Break: at file nsFrameManager.cpp, line 1051
0x86d29ac::~nsFormFrame()
0x86d1004::nsFormFrame()
0x86d2be8::nsHTMLButtonControlFrame
0x86d2be8::SetFormFrame(0x86d29ac)
0x86d29ac::AddFormControlFrame(0x86d2c20)
0x86d1004::Destroy()
0x86d2be8::Destroy()
0x86d29ac::RemoveFormControlFrame(0x86d2c20)

This patch avoids reframing when an inline is appended to an inline block. It
fixes the test case but not the url.
Taking the bug. I will be attaching a patch after some more testing.
Assignee: jkeiser → karnaze
Status: ASSIGNED → NEW
The patch (1) fixes a flaw in DoCleanupFrameReferences where a placeholder's
out of flow frame was not being used to recurse its children and (2) avoids
reframing when an inline is appended to the last inline frame of an inline that
contains a block. All of the regression tests passed except there were some
cases where frames were now not marked as being special, probably because of
not having to reframe them. If this is important, I guess the patch could be
changed to set the bit when the reframe is avoided.
Attachment #81828 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Whiteboard: [adt1] → [adt1]PATCH
The `sacred triad'? LOL!

WRT your changes to DoCleanupFrameReferences, it seems like we'll end up calling
DoCleanupFrameReferences twice on out-of-flow frames that have been constructed
in the current session. Specifically, WipeContainingBlock calls
CleanupFrameReferences for each of the frame ctor state's three lists
mAbsoluteItems, mFixedItems, and mFloatedItems. Does this matter? (It looks like
DoCleanupFrameReferences is idempotent, so my guess is `no, this won't matter'.)
In WipeContainingBlock I tried calling CleanupFrameReferences on the floaters 
before the originals and there were still problems. So, although the patch may 
be calling CleanupFrameReferences twice for frames with placeholders, it doesn't 
seem to be a problem. I guess WipeContainingBlock doesn't even need to call 
CleanupFrameReferences any more for things with placeholder frames. I'm a bit 
afraid to remove that though, since I'm not sure how many tests cases we have.
Comment on attachment 81893 [details] [diff] [review]
patch to fix the bug

r= alexsavulov

i spoke with chris about this patch he wrote and based on his observations + 
watersons comment + i looked yesterday at the stack as john started to look at
the bug, yes, we need to do this.
Attachment #81893 - Flags: review+
This patch is similar to the previous one except that the calls to
CleanupFrameReferences have been removed for the absolute, fixed, and floater
lists (which should be taken care of in the modifications to
DoCleanupFrameReferences). This patch seems better, but is it?
Keywords: adt1.0.0, approval
sr=waterson on both patches.

I think the first version (attachment 81893 [details] [diff] [review]) ought to go on the branch:
DoCleanupFrameReferences seems to be idempotent so calling it more than once is
just a bit of a performance hit. (Add an XXX comment saying that we probably
_don't_ need to make the extra calls in WipeContainingBlock.)

Check the second version (attachment 81937 [details] [diff] [review]) in on the trunk, and we'll see if
we're right. :-)

Anyway, my $0.02.
Keywords: adt1.0.0, approval
Comment on attachment 81893 [details] [diff] [review]
patch to fix the bug

sr=waterson
Attachment #81893 - Flags: superreview+
Comment on attachment 81937 [details] [diff] [review]
alternate patch avoiding multiple calls to DoCleanupFrameReferences

sr=waterson
Attachment #81937 - Flags: superreview+
Keywords: approval
Whiteboard: [adt1]PATCH → [adt2] PATCH [Needs a=, & adt1.0.0+]
Adding back a keyword I whacked.
Keywords: adt1.0.0
Comment on attachment 81937 [details] [diff] [review]
alternate patch avoiding multiple calls to DoCleanupFrameReferences

r= alexsavulov

cool ideea to apply the previous patch on the branch.
Attachment #81937 - Flags: review+
Has this landed on the trunk? It looks like a pretty sizeable patch, that
touches layout, so I'd like to verify the fix first, and make sure we don't
introduce any regressions.
Karnaze - Can you land this on the trunk today? We'd like to take this one, but,
we'd also like it to bake for a day or 2.
i get a very similar stack testing url in bug 142198
http://www.internetwines.com/spirits.html

but top of stack (on a non-debug cvs, linux) is

#0 0x40138cb2 in nsVoidArray::InsertElementAt () from libxpcom.so
#1 0x417b2465 in nsFormFrame::AddFormControlFrame () from libgklayout.so
#2 0x417b21d7 in nsFormFrame::AddFormControlFrame () from libgklayout.so
#3 0x417bd0b8 in nsHTMLButtonControlFrame::SetInitialChildList () from
libgklayout.so
*** Bug 142198 has been marked as a duplicate of this bug. ***
FIXED_ON_TRUNK
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Whiteboard: [adt2] PATCH [Needs a=, & adt1.0.0+] → [adt2] PATCH [Needs a=, & adt1.0.0+][FIXED_ON_TRUNK]
amar - can you verify this fix on the trunk, and make sure it did not cause any
regressions?

we should look @ taking this topcrasher fix for RC2, if it is verified.
Comment on attachment 81937 [details] [diff] [review]
alternate patch avoiding multiple calls to DoCleanupFrameReferences

a=asa (on behalf of drivers) for checkin to the 1.0 branch.
Attachment #81937 - Flags: approval+
Verified - Talkback shows no crashes in the Trunk builds following checkin. I
have tried all of the links and testcases with the 0509 build. No crash. 

Great job, karnaze, et. al.
Status: RESOLVED → VERIFIED
Updating summary with M1RC2, since this is a topcrasher for Mozilla 1.0 RC2. 
Since we have verified this fix on the Trunk, it'll be a good idea to get this
checked onto the branch soon.
Summary: Trunk M10RC1 Crash going to this Harvard link [@ nsFormFrame::AddFormControlFrame] → Trunk M1RC2 Crash going to this Harvard link [@ nsFormFrame::AddFormControlFrame]
adding adt1.0.0+ for checkin to Mozilla 1.0 Branch.  Please get drivers approval
again before checking in since it's been more than 3 days since their previous
approval, and then add the fixed1.0.0 keyword.
Keywords: adt1.0.0adt1.0.0+
Blocks: 143047
reapproval a=chofmann for the 1.0 branch for rc3.  let's get it in today.
Blocks: 143200
Maybe it would be better to check the 2nd patch into the branch, since it has 
been on the trunk for over a week now.
Checked the alternate (2nd) patch into the m1.0 branch.
Keywords: fixed1.0.0
Whiteboard: [adt2] PATCH [Needs a=, & adt1.0.0+][FIXED_ON_TRUNK] → [adt2] PATCH
No longer blocks: 143200
Keywords: verified1.0.0
The alternate patch was installed on the trunk and branch, but it caused bug
167915. This patch undoes it and installs the 1st patch. This patch is also an
attachment in bug 167915.
Attachment #81937 - Attachment is obsolete: true
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/54417ebbaea2
Flags: in-testsuite+
Crash Signature: [@ nsFormFrame::AddFormControlFrame]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: