Closed Bug 140275 Opened 22 years ago Closed 22 years ago

drag-selecting over unclosed font tags freezes mozilla

Categories

(Core :: CSS Parsing and Computation, defect, P1)

Product:
Core
Component:
CSS Parsing and Computation
Platform:
x86
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0.1

People

(Reporter: torgeir, Assigned: dbaron)

References

(
URL
)

Details

(Keywords: hang, regression)

Attachments

(6 files, 3 obsolete files)

screenshot of page for non-norwegian readers describing steps to reproduce
211.31 KB, image/png
Details
tar file containing a snapshot of the page
335.49 KB, application/octet-stream
Details
stacktrace during hang
6.09 KB, text/plain
Details
simpler testcase
435 bytes, text/html
Details
patch (diff -u, for testing or checking in)
15.58 KB, patch
attinasi
: review+
waterson
: superreview+
jud
: approval+
Details | Diff | Splinter Review
patch (diff -uw, for review)
11.02 KB, patch
Details | Diff | Splinter Review 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9+) Gecko/20020424
BuildID:    2002042412

I am able to freeze mozilla completely by just selecting text multiple times
rapidly. It is not easy to reproduce, but happens several times a day for me. 

Reproducible: Sometimes
Steps to Reproduce:
1. select text
2. select text again, drag mouse around a lot
3. selecte text again, freeze

Happens on different machines.
when you select text again and again, you also drag and drop the text?

Can't reproduce this with marking text very fast.. but when i try to do that, i
automaticly drag some text:

Dup of 81779 ? okay?
Going from rc1 to 2002042412 (which supposedly has the fix from bug 81779)
doesn't change anything. It happens mostly on complex pages, eg. dagbladet.no
(norwegian newspaper). 
I just reproduced this and noticed, that it indeed seem to be while dragging,
but it happens both when there is text selected, and when there is no text selected.
Here's a way to reproduce it;

1. Go to the page http://db.no. 
2. Scroll down to the topic "Får ikke si 'palestinskje ofre'"
3. select part of the text to the left of the image
4. press the mouse in the are to the left with the title "blink", eg. just right
of the image contained within
5. drag into the area where there is text selected.
6. complete freeze 
Actually, the page mentioned changes quite often. The "blink" area seem to stay
though. The important thing is to drag from within that area, just right of the
image.
just checked with build id 2002042510, same reproducible result.
Win2000, Build 2002042510

Test with page http://db.no results in freeze of all Mozilla windows.
Ok, bug 81779 was linux (gtk?) only..

then it has nothing to do with this bug
Able to reproduce it with 2002042510 and with RC1 (Win2k): freeze, 99% CPU usage
for minutes. Once there even was no text selected first, I only pressed the
mouse button at the bottom of the blue box on the left (kind of weather
thing...) and moved the mouse cursor to the lower right. While moving, a part of
"Chamonix" was selected, the mouse cursor turned into a vertical bar (text
cursor) and stayed like that - mozilla freezed.
After reproducing it 2 or three times now it seems not to work (=freeze) anymore
for me... strange. 
Perhaps the page has been changed. I thought, the 'palestinskje  part was near
to the blue weather box when I was able to reproduce. Now it isn't anymore...
It would be very helpful it is was possible to get a "thread dump" or something
similar when mozilla crashes, if it was started from the console, and one
pressed a key combination of some sort. Under java, one can press ctrl-\ to get
a stack / thread dump. I use this all the time to find GUI deadlocks in netbeans
development releases.
Keywords: hang
Summary: selecting text rappidly freezes mozilla → selecting text rapidly freezes mozilla
Target Milestone: --- → mozilla1.0
I seem to be unable to reproduce this on OS X Mozilla 1.0 branch build 2002042605 
To reproduce the bug in the site snapshot; find the left column box with the
title "blink". Select text in the article to the right of this box. Then click
just to the right of the image contained within the blink box and drag.

It might be that the bug is caused by the complexity of the site and that the
drag freezes when crossing the border between some parts of the page.

Anyway, I'll try to remove all unnecessary parts of the page and see when the
problem disappears.
Attached file stacktrace during hang 

    
    

    
  
marking NEW
OS=>All

this started happening between build 2002032608 and 2002032712.  also, I did not
need to select any text on the right side before drag-selecting across frames
from the left.  base on the stacktrace, it looks like a frames problem...

==> HTML Frames
Assignee: mjudge → jkeiser
Status: UNCONFIRMED → NEW
Component: Selection → HTMLFrames
Ever confirmed: true
OS: Linux → All
QA Contact: tpreston → amar

    
    

    
  
adding URL, updating summary

ok, so there aren't any frames in the page, it's just tables.  I dunno where
this should be...

regression happened during the time window of the checkin for bug 129350, which
modified nsCSSFrameConstructor.cpp (which is where the hang seems to happens).

cc'ing dbaron.
URL: http://db.no/
Summary: selecting text rapidly freezes mozilla → drag-selecting between table cells rapidly freezes mozilla

    
    

    
  
Very unlikely to be related.  nsCSSFrameConstructor.cpp is a huge file.  This
looks like it might be a malformed frame tree.

    
    

    
  

      
      
      
      

        Attached file
          
        testcase (obsolete)
        — 
      

    


  
start at "start here" (either inside or after).  drag select down.
result: nothing happens for a few seconds.  eventually, it will select the rest
of the text.

it appears that it's just *really* slow.  if I delete parts of the page below
"start here", it gets faster even if those parts aren't selected.

also of interest:  there is a comment in the testcase "<!--henvisninger-->". 
if the comment is deleted, it works fine.

    
    

    
  

      
      
      
      

        Attached file
          
        simpler testcase
      

    


  
unbalanced <font> tags seem to also be necessary.  removing (or closing) them
fixes the problem.  the (empty) table at the bottom is also necessary.

        Attachment #81291 -
        Attachment is obsolete: true

    
    

    
  
Those problems both relate to parser/content sink (though I'm betting on content
sink).
Assignee: jkeiser → harishd
Component: HTMLFrames → Parser
QA Contact: amar → moied

    
    

    
  
I'm able to reproduce the hang and every time the stack points to 
nsCSSFrameConstructor::FindFrameWithContent(). I'm not sure how this could be a
parser/sink problem. Giving bug to layout gurus for further investigation.
Assignee: harishd → attinasi
Component: Parser → Layout
QA Contact: moied → petersen

    
    

    
  
Changing QA Contact
QA Contact: petersen → moied

    
  
Priority: -- → P3

    
    

    
  
Hi,
you also can reproduce the problem in http://www.assistance4all.de/new/ - simply
select some text from the list in the middle an drag'n'drop it somewhere: crash.

Bye,
Peter

    
    

    
  
Re,
I forgot: there are _no_ font tags and _no_ tables in this document.

Bye,
Peter

    
    

    
  
Peter: you are seeing a different bug (perhaps bug 139629).  this bug is a hang,
not crash, and occurs when selecting text, not drag&drop.

    
    

    
  
Hi,
ok. Where's the difference between "hang" an "crash"?
BTW: The problem on my page also occurs when you drop the selected text part
into the text part itself.

Bye,
Peter

    
    

    
  
Hi,
thanks.

Bye,
Peter

    
    

    
  
The attached simpified test case makes Mozilla unresponsive for me every time I
try. I am using
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0rc2) Gecko/20020504

I was able to "unfreeze" Navigator once using Norton Crash Guard, but Mail which
was also open became progressively worse, which resulted in the whole system
crashing.

When I "terminate" Mozilla, I can restart it okay.

    
    

    
  
regression from bug 129350
CVS 2002-03-26 14:35 does not exhibit this bug
CVS 2002-03-26 14:40 does exhibit this bug

==> Style System
Assignee: attinasi → dbaron
Component: Layout → Style System
Keywords: regression
QA Contact: moied → ian
Summary: drag-selecting between table cells rapidly freezes mozilla → drag-selecting over unclosed font tags freezes mozilla

    
    

    
  
I meant between 18:35 / 18:40

    
    

    
  
The problem here is an apparently, based on my stopwatch, O(4^n) (where "n" is
the number of repeated lines in the testcase) algorithm in FindFrameWithContent.

I don't see how my fix would have caused this (although I haven't looked back at
what I did yet).  However, I decided to try and fix this from "first
principles".  So I looked at FindFrameWithContent, and proceeded to "fix"
everything that "looked broken" until the bug went away.  On my fourth or so
try, the bug did go away.  But I think my other changes are good too. :-)

Essentially I fixed it by undoing part of the patch for:
----------------------------
revision 1.394
date: 2000/03/23 23:18:55;  author: nisheeth%netscape.com;  state: Exp;  lines:
+25 -19
r=buster.  bug 31644.  FindPrimaryFrameFor() now accounts for "special" frames
created when blocks are encountered within inlines.
----------------------------
so that we don't recur when we hit |IsFrameSpecial|, which I don't think makes
sense given the current methods for handling special frames.  (IIRC, we always
create a frame hierarchy that corresponds to the parent-child relations in the
content tree by creating an "anonymous" block for each of the inlines in the
ancestor chain of the block within inlines.

I also made some other changes (in the following order, with the change above last):
 * Changed the |GetNextInFlow| to a function that gets the special sibling if
there is no next-in-flow and removed some "don't use the hint if
|IsFrameSpecial|" code.
 * Removed all the funky gotos and turned them into while loops.  There was no
need for gotos.  Also removed the need for the |firstTime| variable by nulling
out |aHint|.  I'm almost wondering if they were used so someone didn't need to
reindent the code.
 * Turned some funky code that double-checked that we weren't about to return an
":after" frame, and, if we were, just silently returned the ":before" frame
instead of the ":after" frame into a real assertion, with no non-DEBUG checking
(i.e., if we hit the assert, I'll be changing the behavior in DEBUG builds to
return the ":after" frame instead of the ":before" frame, which I don't think is
a problem since either would be pretty bad).
 * Fixed code that was modifying |aParentFrame| but I think shouldn't have been.
 * Finally (the fix above), removed the other |IsFrameSpecial| check so that we
don't automatically search the child too (see above).

Two patches to be attached (diff -u, and diff -uw, since I did a lot of
reindenting).

I'm thinking this is a little scary a patch for mozilla1.0, though, so maybe I
should start banging on a reduced version of it for the branch, if we think we
need to fix this on the branch...
Status: NEW → ASSIGNED
Priority: P3 → P2

    
    

    
  
I guess what could have caused this in my patch for bug 129350 was my patch to
ensure that we copied the NS_FRAME_IS_SPECIAL bit to continuing frames when we
split frames, which I thought was the right thing to do, since we marked
continuing frames if they already existing when creating special frames.

    
    

    
  
> * Fixed code that was modifying |aParentFrame| but I think shouldn't have been.

Ditto for modifying |parentContent|, which I therefore removed in favor of
|aParentContent|.

    
    

    
  
... and an assertion that the next-in-flow or special sibling had the same
content. (Is that too silly to assert?  It almost seems like it to me, but the
old code wasn't even assuming it was true.)

    
    

    
  


  
with the comment changed too, this time...

        Attachment #82413 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 82411 [details] [diff] [review]
patch (diff -u, for testing or checking in)

sr=waterson

        Attachment #82411 -
        Flags: superreview+

    
    

    
  
Comment on attachment 82414 [details] [diff] [review]
proposed branch fix (minimal changes to fix bug)

sr=waterson

        Attachment #82414 -
        Flags: superreview+

    
    

    
  
Comment on attachment 82414 [details] [diff] [review]
proposed branch fix (minimal changes to fix bug)

r=attinasi

        Attachment #82414 -
        Flags: review+

    
    

    
  
Comment on attachment 82411 [details] [diff] [review]
patch (diff -u, for testing or checking in)

r=attinasi

        Attachment #82411 -
        Flags: review+

    
    

    
  
nominating for nsbeta1 (fix for rtm)
Keywords: nsbeta1

    
    

    
  
Fix checked in to trunk 2002-05-16 06:39 PDT.

    
    

    
  
cc'ing myself

    
    

    
  
This patch caused bug 145224, which has been fixed.

    
    

    
  
I still see this bug on rc3 on http://dagbladet.no. Will the fix be in 1.0?

    
    

    
  
This was never nominated for 1.0 and it's too late now.

Unless this is wanted for 1.0.1, shouldn't this be marked FIXED?

    
    

    
  
I don't understand why this isn't 1.0 material. It's a crash, which makes me
loose data if it happens simultaneously with composing mail or editing pages.
This looks bad if it's still present in 1.0.

    
    

    
  
We have thousands of crashes, we can't wait til we've fixed every single one of
them before releasing. We'd be here for decades.

    
    

    
  
Should be marked fixed since it's fixed on the trunk.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Whiteboard: [open1.0.1]

    
    

    
  
Comment on attachment 82414 [details] [diff] [review]
proposed branch fix (minimal changes to fix bug)

This simple branch fix actually scares me a bit.  I'd rather take the whole fix
that's been on the trunk.

        Attachment #82414 -
        Attachment is obsolete: true

    
  

        Attachment #82414 -
        Flags: approval+

    
    

    
  
please checkin to the 1.0.1 branch. once there, remove the "mozilla1.0.1+"
keyword and add the "fixed1.0.1" keyword.
Keywords: mozilla1.0.1+

    
  

        Attachment #82411 -
        Flags: approval+

    
    

    
  
Fix checked in to MOZILLA_1_0_BRANCH, 2002-06-20 20:04 PDT.
Keywords: mozilla1.0.1+fixed1.0.1
Whiteboard: [open1.0.1]
Target Milestone: mozilla1.0 → mozilla1.0.1

    
    

    
  
verified fixed on win20000 build -  2002-07-01-08-1.0 branch 
changing  keyword to verified1.0.1
Status: RESOLVED → VERIFIED
Keywords: fixed1.0.1verified1.0.1

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: