Closed
Bug 150459
Opened 22 years ago
Closed 22 years ago
:first-letter { float:left ]+background-attachment:fixed crashes mozilla on page-exit. [@ nsBlockFrame::Destroy]
Categories: (Core :: Layout, defect)
VERIFIED DUPLICATE of bug 148245
People: (Reporter: esben, Assigned: attinasi)
Details: (Keywords: crash, testcase, Whiteboard: DUPEME)
Attachments: (1 file) 310 bytes, text/html
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1a) Gecko/20020609
BuildID: 2002-06-09 (CVS pull)

Note: I'm not too sure as to the component.

The attached test-case crashes the trunk pretty often when exiting from page, e.g. by pressing back. It's not 100% reproducible, but close. As the crash is a SIGSEGV, I shudder to think what happens when it /doesn't/ crash :O)

Some observations:
Both style rules are required to crash.
Changing the P selector to a BODY selector removes the crash.
Mozilla 1.0 does *not* crash.
Though some ASSERTIONS are triggered, they do not seem to relate to the crash, as similar non-crashing versions of the test-case also produce these.

Attached is a stack-trace (down to the event-thingy)

Reproducible: Sometimes

Steps to Reproduce:
1. Open the attached test-case
2. Press Back.
3. Repeat if necessary.

Actual Results: crash
Expected Results: not a crash

As promised, a backtrace of the stack

#0 0x00004759 in ?? ()
#1 0x41c1a668 in nsBlockFrame::Destroy (this=0x882b48c, aPresContext=0x882f0e8) at nsBlockFrame.cpp:423
#2 0x41c6e05a in nsLineBox::DeleteLineList (aPresContext=0x882f0e8, aLines=@0x8832600) at nsLineBox.cpp:311
#3 0x41c24f9f in DestroyOverflowLines (aPresContext=0x882f0e8, aFrame=0x882aa84, aPropertyName=0x81784a0, aPropertyValue=0x8832600) at nsBlockFrame.cpp:4613
#4 0x41c4e985 in DestroyPropertyEnumerator (table=0x87d70fc, hdr=0x8832538, number=0, arg=0x882f0e8) at nsFrameManager.cpp:2572
#5 0x401d5b18 in PL_DHashTableEnumerate (table=0x87d70fc, etor=0x41c4e930 <DestroyPropertyEnumerator(PLDHashTable *, PLDHashEntryHdr *, unsigned int, void *)>, arg=0x882f0e8) at pldhash.c:600
#6 0x41c4e9d6 in FrameManager::PropertyList::Destroy (this=0x87d70f8, aPresContext=0x882f0e8) at nsFrameManager.cpp:2582
#7 0x41c4dc77 in FrameManager::DestroyPropertyList (this=0x883bdc0, aPresContext=0x882f0e8) at nsFrameManager.cpp:2277
#8 0x41c4807d in FrameManager::Destroy (this=0x883bdc0) at nsFrameManager.cpp:516
#9 0x41c8da6c in PresShell::Destroy (this=0x883c2f0) at nsPresShell.cpp:1876
#10 0x4151d818 in DocumentViewerImpl::Destroy (this=0x887ccc0) at nsDocumentViewer.cpp:1728
#11 0x4151e8d1 in DocumentViewerImpl::Show (this=0x8703458) at nsDocumentViewer.cpp:1961
#12 0x41c9c1b2 in PresShell::UnsuppressAndInvalidate (this=0x88314d0) at nsPresShell.cpp:4898
#13 0x41c9c539 in PresShell::UnsuppressPainting (this=0x88314d0) at nsPresShell.cpp:4946
#14 0x4151cef9 in DocumentViewerImpl::LoadComplete (this=0x8703458, aStatus=0) at nsDocumentViewer.cpp:1559
#15 0x40ed434f in nsDocShell::EndPageLoad (this=0x8601470, aProgress=0x8600e44, aChannel=0x875fa18, aStatus=0) at nsDocShell.cpp:3955
#16 0x40ee4d9a in nsWebShell::EndPageLoad (this=0x8601470, aProgress=0x8600e44, channel=0x875fa18, aStatus=0) at nsWebShell.cpp:719
#17 0x40ed3de9 in nsDocShell::OnStateChange (this=0x8601470, aProgress=0x8600e44, aRequest=0x875fa18, aStateFlags=131088, aStatus=0) at nsDocShell.cpp:3870
#18 0x40f4905f in nsDocLoaderImpl::FireOnStateChange (this=0x8600e30, aProgress=0x8600e44, aRequest=0x875fa18, aStateFlags=131088, aStatus=0) at nsDocLoader.cpp:1128
#19 0x40f482fa in nsDocLoaderImpl::doStopDocumentLoad (this=0x8600e30, request=0x875fa18, aStatus=0) at nsDocLoader.cpp:760
#20 0x40f47fc2 in nsDocLoaderImpl::DocLoaderIsEmpty (this=0x8600e30) at nsDocLoader.cpp:667
#21 0x40f47cc8 in nsDocLoaderImpl::OnStopRequest (this=0x8600e30, aRequest=0x885aa68, aCtxt=0x0, aStatus=0) at nsDocLoader.cpp:597
#22 0x40a7beb1 in nsLoadGroup::RemoveRequest (this=0x8600ec8, request=0x885aa68, ctxt=0x0, aStatus=0) at nsLoadGroup.cpp:532
#23 0x41ca14e8 in PresShell::RemoveDummyLayoutRequest (this=0x88314d0) at nsPresShell.cpp:6626
#24 0x41ca1067 in PresShell::DoneRemovingReflowCommands (this=0x88314d0) at nsPresShell.cpp:6581
#25 0x41ca071c in PresShell::ProcessReflowCommands (this=0x88314d0, aInterruptible=1) at nsPresShell.cpp:6428
#26 0x41e96988 in ReflowEvent::HandleEvent (this=0x88313f0) at nsPresShell.cpp:6231
#27 0x41c9ffbf in HandlePLEvent (aEvent=0x88313f0) at nsPresShell.cpp:6247

Comment 1 (Reporter) • 22 years ago

Comment 2 • 22 years ago
testcase looks almost identical to bug 148245, but the stack is different. ==>Layout, probably dupe.
Assignee: joki → attinasi
Component: DOM Events → Layout
QA Contact: vladimire → petersen
Whiteboard: DUPEME

Comment 4 (Reporter) • 22 years ago
After careful reading of bug 148245, I agree this is most likely a dupe. The patch for bug 145305 probably broke the creation of :firstletter frame and/or styleContexts, and thus we see crashes when the frames are either removed (as here) or reflowed (as bug 148245). Also, bug 145305 has not been checked in on the 1.0(.x) branch, so we don't see the bug here. How you guys spot dupes like this is beyond me :-)

David, you don't say, but from the build date I presume that you're using mozilla 1.0, right?

I've tried to back out the changes from this patch to nsCSSFrameConstructor.cpp, and this removes the crash, but the page doesn't render, so it's not proof positive. I can't seem to make bonsai generate a CVS script that backs out the entire patch, for some reason.

Comment 5 • 22 years ago
catching this was easy 'cuz I debugged 148245. :) the scripts from bonsai never work for me.

To test bug 148245, I grabbed the patch (attachment 85325) from bug 145305 and reverse-applied it. A couple parts of the patch won't take because the code has changed since then (a huge chunk of debugging was removed).

also, if this is a dupe, builds (such as David's) before 20020528 will work fine.

Updated • 22 years ago
Summary: :first-letter { float:left ]+background-attachment:fixed crashes mozilla on page-exit. → :first-letter { float:left ]+background-attachment:fixed crashes mozilla on page-exit. [@ nsBlockFrame::Destroy]

Comment 6 (Reporter) • 22 years ago
I've backed out the patch for bug 148245 and sure enough, the crash goes away. So I'm marking this a dupe. Shouldn't the patch for bug 148245 be backed out when it causes crashes? Or is it easier to just fix the crash?

*** This bug has been marked as a duplicate of 148245 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE

Updated • 22 years ago
QA Contact: petersen → amar

Updated • 13 years ago
Crash Signature: [@ nsBlockFrame::Destroy]