:first-letter { float:left ]+background-attachment:fixed crashes mozilla on page-exit. [@ nsBlockFrame::Destroy]

VERIFIED DUPLICATE of bug 148245

Status


Core
Layout
--
critical
16 years ago

People

(Reporter: Esben Mose Hansen, Assigned: Marc Attinasi)

Tracking

({crash, testcase})

Trunk
x86
Linux
crash, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: DUPEME, crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

16 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1a) Gecko/20020609
BuildID:    2002-06-09 (CVS pull)

Note: I'm not too sure as to the component.

The attached test-case crashes the trunk pretty often when exiting from page,
e.g. by pressing back. It's not 100% reproducible, but close. As the crash is a
SIGSEGV, I shudder to think what happens when it /doesn't/ crash :O)

Some observations: 
Both style rules are required to crash. 
Changing the P selector to a BODY selector removes the crash.
Mozilla 1.0 does *not* crash.
Though some ASSERTIONS are triggered, they do not seem to relate to the crash,
as similar non-crashing versions of the test-case also produce these.
Attached is a stack-trace (down to the event-thingy)

Reproducible: Sometimes
Steps to Reproduce:
1. Open the attached test-case
2. Press Back.
3. Repeat if necessary.

Actual Results:  crash

Expected Results:  not a crash

As promised, a backtrace of the stack

#0  0x00004759 in ?? ()
#1  0x41c1a668 in nsBlockFrame::Destroy (this=0x882b48c, aPresContext=0x882f0e8) at nsBlockFrame.cpp:423
#2  0x41c6e05a in nsLineBox::DeleteLineList (aPresContext=0x882f0e8, aLines=@0x8832600) at nsLineBox.cpp:311
#3  0x41c24f9f in DestroyOverflowLines (aPresContext=0x882f0e8, aFrame=0x882aa84, aPropertyName=0x81784a0, aPropertyValue=0x8832600) at nsBlockFrame.cpp:4613
#4  0x41c4e985 in DestroyPropertyEnumerator (table=0x87d70fc, hdr=0x8832538, number=0, arg=0x882f0e8) at nsFrameManager.cpp:2572
#5  0x401d5b18 in PL_DHashTableEnumerate (table=0x87d70fc, etor=0x41c4e930 <DestroyPropertyEnumerator(PLDHashTable *, PLDHashEntryHdr *, unsigned int, void *)>, arg=0x882f0e8) at pldhash.c:600
#6  0x41c4e9d6 in FrameManager::PropertyList::Destroy (this=0x87d70f8, aPresContext=0x882f0e8) at nsFrameManager.cpp:2582
#7  0x41c4dc77 in FrameManager::DestroyPropertyList (this=0x883bdc0, aPresContext=0x882f0e8) at nsFrameManager.cpp:2277
#8  0x41c4807d in FrameManager::Destroy (this=0x883bdc0) at nsFrameManager.cpp:516
#9  0x41c8da6c in PresShell::Destroy (this=0x883c2f0) at nsPresShell.cpp:1876
#10 0x4151d818 in DocumentViewerImpl::Destroy (this=0x887ccc0) at nsDocumentViewer.cpp:1728
#11 0x4151e8d1 in DocumentViewerImpl::Show (this=0x8703458) at nsDocumentViewer.cpp:1961
#12 0x41c9c1b2 in PresShell::UnsuppressAndInvalidate (this=0x88314d0) at nsPresShell.cpp:4898
#13 0x41c9c539 in PresShell::UnsuppressPainting (this=0x88314d0) at nsPresShell.cpp:4946
#14 0x4151cef9 in DocumentViewerImpl::LoadComplete (this=0x8703458, aStatus=0) at nsDocumentViewer.cpp:1559
#15 0x40ed434f in nsDocShell::EndPageLoad (this=0x8601470, aProgress=0x8600e44, aChannel=0x875fa18, aStatus=0) at nsDocShell.cpp:3955
#16 0x40ee4d9a in nsWebShell::EndPageLoad (this=0x8601470, aProgress=0x8600e44, channel=0x875fa18, aStatus=0) at nsWebShell.cpp:719
#17 0x40ed3de9 in nsDocShell::OnStateChange (this=0x8601470, aProgress=0x8600e44, aRequest=0x875fa18, aStateFlags=131088, aStatus=0) at nsDocShell.cpp:3870
#18 0x40f4905f in nsDocLoaderImpl::FireOnStateChange (this=0x8600e30, aProgress=0x8600e44, aRequest=0x875fa18, aStateFlags=131088, aStatus=0) at nsDocLoader.cpp:1128
#19 0x40f482fa in nsDocLoaderImpl::doStopDocumentLoad (this=0x8600e30, request=0x875fa18, aStatus=0) at nsDocLoader.cpp:760
#20 0x40f47fc2 in nsDocLoaderImpl::DocLoaderIsEmpty (this=0x8600e30) at nsDocLoader.cpp:667
#21 0x40f47cc8 in nsDocLoaderImpl::OnStopRequest (this=0x8600e30, aRequest=0x885aa68, aCtxt=0x0, aStatus=0) at nsDocLoader.cpp:597
#22 0x40a7beb1 in nsLoadGroup::RemoveRequest (this=0x8600ec8, request=0x885aa68, ctxt=0x0, aStatus=0) at nsLoadGroup.cpp:532
#23 0x41ca14e8 in PresShell::RemoveDummyLayoutRequest (this=0x88314d0) at nsPresShell.cpp:6626
#24 0x41ca1067 in PresShell::DoneRemovingReflowCommands (this=0x88314d0) at nsPresShell.cpp:6581
#25 0x41ca071c in PresShell::ProcessReflowCommands (this=0x88314d0, aInterruptible=1) at nsPresShell.cpp:6428
#26 0x41e96988 in ReflowEvent::HandleEvent (this=0x88313f0) at nsPresShell.cpp:6231
#27 0x41c9ffbf in HandlePLEvent (aEvent=0x88313f0) at nsPresShell.cpp:6247
(Reporter)

Comment 1

16 years ago
Created attachment 87039
This crashes mozilla 2002-06-09 on exit!
(Reporter)

Updated

16 years ago
Keywords: crash, testcase

Comment 2

16 years ago
testcase looks almost identical to bug 148245, but the stack is different.

==>Layout, probably dupe.
Assignee: joki → attinasi
Component: DOM Events → Layout
QA Contact: vladimire → petersen
Whiteboard: DUPEME

Comment 3

16 years ago
WFM with build 2002052306 under Windows ME.
(Reporter)

Comment 4

16 years ago
After careful reading of bug 148245, I agree this is most likely a dupe. The
patch for bug 145305 probably broke the creation of :firstletter frame and/or
styleContexts, and thus we see crashes when the frames are either removed (as
here) or reflowed (as bug 148245). Also, bug 145305 has not been checked in on
the 1.0(.x) branch, so we don't see the bug here. 

How you guys spot dupes like this is beyond me :-) David, you don't say, but
from the build date I presume that you're using mozilla 1.0, right?

I've tried to back out the changes from this patch to nsCSSFrameConstructor.cpp,
and this removes the crash, but the page doesn't render, so it's not proof
positive. I can't seem to make bonsai generate a CVS script that backs out the
entire patch, for some reason.

Comment 5

16 years ago
catching this was easy 'cuz I debugged 148245.  :)

the scripts from bonsai never work for me.  To test bug 148245, I grabbed the
patch (attachment 85325) from bug 145305 and reverse-applied it.  A couple parts
of the patch won't take because the code has changed since then (a huge chunk of
debugging was removed).

also, if this is a dupe, builds (such as David's) before 20020528 will work fine.

Updated

16 years ago
Summary: :first-letter { float:left ]+background-attachment:fixed crashes mozilla on page-exit. → :first-letter { float:left ]+background-attachment:fixed crashes mozilla on page-exit. [@ nsBlockFrame::Destroy]
(Reporter)

Comment 6

16 years ago
I've backed out the patch for bug 148245 and sure enough, the crash goes away. So
I'm marking this a dupe.
Shouldn't the patch for bug 148245 be backed out when it causes crashes? Or is
it easier to just fix the crash?

*** This bug has been marked as a duplicate of 148245 ***
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → DUPLICATE

Updated

16 years ago
QA Contact: petersen → amar

Comment 7

16 years ago
Verified dupe of 148245
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsBlockFrame::Destroy]
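
How a signature like the one recorded above can be derived from the backtrace in the description, as an added example (not Bugzilla's or Mozilla's own tooling). The rule "first frame with a resolved symbol" and the helper names are assumptions; the sample input is a selection of frames copied from the description, still wrapped as posted.

```python
import re

# Constructed sample: selected frames from the backtrace in the description,
# kept wrapped the way the report shows them.
BACKTRACE = """\
#0  0x00004759 in ?? ()
#1  0x41c1a668 in nsBlockFrame::Destroy (this=0x882b48c, aPresContext=0x882f0e8)
at nsBlockFrame.cpp:423
#2  0x41c6e05a in nsLineBox::DeleteLineList (aPresContext=0x882f0e8,
aLines=@0x8832600) at nsLineBox.cpp:311
#5  0x401d5b18 in PL_DHashTableEnumerate (table=0x87d70fc, etor=0x41c4e930
<DestroyPropertyEnumerator(PLDHashTable *, PLDHashEntryHdr *, unsigned int, void
*)>,
    arg=0x882f0e8) at pldhash.c:600
"""

FRAME_START = re.compile(r"#\d+\s")
FRAME = re.compile(
    r"#(?P<num>\d+)\s+(?:(?P<pc>0x[0-9a-fA-F]+) in )?(?P<func>\S+) \(.*\)"
    r"(?: at (?P<file>\S+):(?P<line>\d+))?$"
)

def parse_backtrace(text):
    """Re-join wrapped gdb lines, then return one dict per frame."""
    joined = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FRAME_START.match(line) or not joined:
            joined.append(line)          # a new "#N ..." frame begins
        else:
            joined[-1] += " " + line     # continuation of the previous frame
    return [m.groupdict() for m in map(FRAME.match, joined) if m]

def crash_signature(frames):
    """Assumed rule: name the first frame whose symbol gdb could resolve."""
    for frame in frames:
        if frame["func"] != "??":
            return "[@ %s]" % frame["func"]
    return None

def faulted_outside_code(frames):
    """Triage hint (heuristic): frame #0 has a pc but no symbol, which suggests
    the fault came from a bad indirect call or return, not from a data read."""
    return bool(frames) and frames[0]["func"] == "??" and frames[0]["pc"] is not None
```

On this sample the unresolved frame #0 is skipped and the caller, nsBlockFrame::Destroy, becomes the signature, while the second helper flags the crash for closer review.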