Closed Bug 150459 Opened 22 years ago Closed 22 years ago

:first-letter { float:left ]+background-attachment:fixed crashes mozilla on page-exit. [@ nsBlockFrame::Destroy]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED DUPLICATE of bug 148245

People

(Reporter: esben, Assigned: attinasi)

References

(
URL
)

Details

(Keywords: crash, testcase, Whiteboard: DUPEME)

Crash Data

Attachments

(1 file)

This crashes mozilla 2002-06-09 on exit!
310 bytes, text/html
Details 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1a) Gecko/20020609
BuildID:    2002-06-09 (CVS pull)

Note: I'm not too sure as the component.

The attached test-case crashes the trunk pretty often when exiting from page,
e.g. by pressing back. It's not 100% reproducible, but close. As the crash is a
SIGSEGV, I shutter to think what happens when it /doesn't/ crash :O)

Some observations: 
Both style rules are required to crash. 
Changing the P selector to a BODY selector removes the crash.
Mozilla 1.0 does *not* crash.
Though some ASSERTIONS are triggered, they do not seem to relate to the crash,
as similar non-crashing versions of the test-case also produce these.
Attached is a stack-trace (down to the event-thingy)

Reproducible: Sometimes
Steps to Reproduce:
1.Open the attached test-case
2.Press Back.
3.Repeat if neccessary.

Actual Results:  crash

Expected Results:  not a crash

As promised, a backtrace of the stack

#0  0x00004759 in ?? ()
#1  0x41c1a668 in nsBlockFrame::Destroy (this=0x882b48c, aPresContext=0x882f0e8)
at nsBlockFrame.cpp:423
#2  0x41c6e05a in nsLineBox::DeleteLineList (aPresContext=0x882f0e8,
aLines=@0x8832600) at nsLineBox.cpp:311
#3  0x41c24f9f in DestroyOverflowLines (aPresContext=0x882f0e8,
aFrame=0x882aa84, aPropertyName=0x81784a0, aPropertyValue=0x8832600) at
nsBlockFrame.cpp:4613
#4  0x41c4e985 in DestroyPropertyEnumerator (table=0x87d70fc, hdr=0x8832538,
number=0, arg=0x882f0e8) at nsFrameManager.cpp:2572
#5  0x401d5b18 in PL_DHashTableEnumerate (table=0x87d70fc, etor=0x41c4e930
<DestroyPropertyEnumerator(PLDHashTable *, PLDHashEntryHdr *, unsigned int, void
*)>,
    arg=0x882f0e8) at pldhash.c:600
#6  0x41c4e9d6 in FrameManager::PropertyList::Destroy (this=0x87d70f8,
aPresContext=0x882f0e8) at nsFrameManager.cpp:2582
#7  0x41c4dc77 in FrameManager::DestroyPropertyList (this=0x883bdc0,
aPresContext=0x882f0e8) at nsFrameManager.cpp:2277
#8  0x41c4807d in FrameManager::Destroy (this=0x883bdc0) at nsFrameManager.cpp:516
#9  0x41c8da6c in PresShell::Destroy (this=0x883c2f0) at nsPresShell.cpp:1876
#10 0x4151d818 in DocumentViewerImpl::Destroy (this=0x887ccc0) at
nsDocumentViewer.cpp:1728
#11 0x4151e8d1 in DocumentViewerImpl::Show (this=0x8703458) at
nsDocumentViewer.cpp:1961
#12 0x41c9c1b2 in PresShell::UnsuppressAndInvalidate (this=0x88314d0) at
nsPresShell.cpp:4898
#13 0x41c9c539 in PresShell::UnsuppressPainting (this=0x88314d0) at
nsPresShell.cpp:4946
#14 0x4151cef9 in DocumentViewerImpl::LoadComplete (this=0x8703458, aStatus=0)
at nsDocumentViewer.cpp:1559
#15 0x40ed434f in nsDocShell::EndPageLoad (this=0x8601470, aProgress=0x8600e44,
aChannel=0x875fa18, aStatus=0) at nsDocShell.cpp:3955
#16 0x40ee4d9a in nsWebShell::EndPageLoad (this=0x8601470, aProgress=0x8600e44,
channel=0x875fa18, aStatus=0) at nsWebShell.cpp:719
#17 0x40ed3de9 in nsDocShell::OnStateChange (this=0x8601470,
aProgress=0x8600e44, aRequest=0x875fa18, aStateFlags=131088, aStatus=0) at
nsDocShell.cpp:3870
#18 0x40f4905f in nsDocLoaderImpl::FireOnStateChange (this=0x8600e30,
aProgress=0x8600e44, aRequest=0x875fa18, aStateFlags=131088, aStatus=0) at
nsDocLoader.cpp:1128
#19 0x40f482fa in nsDocLoaderImpl::doStopDocumentLoad (this=0x8600e30,
request=0x875fa18, aStatus=0) at nsDocLoader.cpp:760
#20 0x40f47fc2 in nsDocLoaderImpl::DocLoaderIsEmpty (this=0x8600e30) at
nsDocLoader.cpp:667
#21 0x40f47cc8 in nsDocLoaderImpl::OnStopRequest (this=0x8600e30,
aRequest=0x885aa68, aCtxt=0x0, aStatus=0) at nsDocLoader.cpp:597
#22 0x40a7beb1 in nsLoadGroup::RemoveRequest (this=0x8600ec8, request=0x885aa68,
ctxt=0x0, aStatus=0) at nsLoadGroup.cpp:532
#23 0x41ca14e8 in PresShell::RemoveDummyLayoutRequest (this=0x88314d0) at
nsPresShell.cpp:6626
#24 0x41ca1067 in PresShell::DoneRemovingReflowCommands (this=0x88314d0) at
nsPresShell.cpp:6581
#25 0x41ca071c in PresShell::ProcessReflowCommands (this=0x88314d0,
aInterruptible=1) at nsPresShell.cpp:6428
#26 0x41e96988 in ReflowEvent::HandleEvent (this=0x88313f0) at nsPresShell.cpp:6231
#27 0x41c9ffbf in HandlePLEvent (aEvent=0x88313f0) at nsPresShell.cpp:6247
testcase looks almost identical to bug 148245, but the stack is different.

==>Layout, probably dupe.
Assignee: joki → attinasi
Component: DOM Events → Layout
QA Contact: vladimire → petersen
Whiteboard: DUPEME
WFM with build 2002052306 under Windows ME.
After careful reading of bug 148245, I agree this is most likely a dupe. The
patch for bug 145305 probably broke the creation of :firstletter frame and/or
styleContexts, and thus we see crashes when the framed are either removed (as
here) or reflowed (as bug 148245). Also, bug 145305 has not been checked in on
the 1.0(.x) branch, so we don't see the bug here. 

How you guys spots dupes like this is beyond me :-) David, you don't say, but
from the build date I presume that you're using mozilla 1.0, right?

I've tried to back out the changes from this patch to nsCSSFrameConstructor.cpp,
and this removes the crash, but the page doesn't render, so it's not proof
positive. I can't seem to make bonsai generate a CVS script that backs out the
entire patch, for some reason.
catching this was easy 'cuz I debugged 148245.  :)

the scripts from bonsai never work for me.  To test bug 148245, I grabbed the
patch (attachment 85325 [details] [diff] [review]) from bug 145305 and reverse-applied it.  A couple parts
of the patch won't take because the code has changed since then (a huge chunk of
debugging was removed).

also, if this is a dupe, builds (such as David's) before 20020528 will work fine.
Summary: :first-letter { float:left ]+background-attachment:fixed crashes mozilla on page-exit. → :first-letter { float:left ]+background-attachment:fixed crashes mozilla on page-exit. [@ nsBlockFrame::Destroy]
I've backed out the patch for bug 148245 and sure enough, the crsh goes away. So
I'm marking this a dupe.
Shouldn't the patch for bug 148245 be backed out when it causes crashes? Or is
it easier to just fix the crash?

*** This bug has been marked as a duplicate of 148245 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
QA Contact: petersen → amar
 Verified dupe  of 148245
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsBlockFrame::Destroy]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: