Closed Bug 152755 Opened 22 years ago Closed 22 years ago

Browser crash on viewing page - M130A, N701, Trunk[@ nsLineLayout::ReflowFrame]

Categories

(Core :: Layout, defect, P2)

Product:
Core
Component:
Layout
Platform:
x86
Windows 98
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Milestone:
Future

People

(Reporter: bugzilla, Assigned: alexsavulov)

References

(
URL
)

Details

(4 keywords, Whiteboard: WORKSFORME?)

Crash Data

Attachments

(3 files, 2 obsolete files)

User comments
12.33 KB, text/plain
Details
zipped testcase
32.83 KB, application/zip
Details
Patch
808 bytes, patch
alexsavulov
: review+
dbaron
: superreview+
Details | Diff | Splinter Review 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1a) Gecko/20020611
BuildID:    2002061104

Go to
http://potassium.synclogic.net/ubbthreads/showthreaded.php?Cat=&Board=UBB1&Number=58299&page=2&view=collapsed&sb=5&o=0

Browser crashes in GKLAYOUT.DLL at 0167:6072a62f

Talkback ID TB 7485489M



Reproducible: Always
Steps to Reproduce:
1. Goto
http://potassium.synclogic.net/ubbthreads/showthreaded.php?Cat=&Board=UBB1&Number=58299&page=2&view=collapsed&sb=5&o=0
2.
3.

Actual Results:  Browser crash.

Expected Results:  Not crash.

Talkback ID 7485489M. Happens on Win98 and Win 95.
nsLineLayout::ReflowFrame [nsLineLayout.cpp, line 935] 
nsFirstLetterFrame::Reflow [nsFirstLetterFrame.cpp, line 255] 
nsLineLayout::ReflowFrame [nsLineLayout.cpp, line 1104] 
nsInlineFrame::ReflowInlineFrame [nsInlineFrame.cpp, line 717] 
nsInlineFrame::ReflowFrames [nsInlineFrame.cpp, line 552] 
nsInlineFrame::Reflow [nsInlineFrame.cpp, line 436] 
nsLineLayout::ReflowFrame [nsLineLayout.cpp, line 1104] 
nsInlineFrame::ReflowInlineFrame [nsInlineFrame.cpp, line 717] 
nsInlineFrame::ReflowFrames [nsInlineFrame.cpp, line 522] 
nsFirstLineFrame::Reflow [nsInlineFrame.cpp, line 1066] 
nsLineLayout::ReflowFrame [nsLineLayout.cpp, line 1104] 
nsBlockFrame::ReflowInlineFrame [nsBlockFrame.cpp, line 3780] 
nsBlockFrame::DoReflowInlineFrames [nsBlockFrame.cpp, line 3606] 
nsBlockFrame::DoReflowInlineFramesAuto [nsBlockFrame.cpp, line 3496] 
nsBlockFrame::ReflowInlineFrames [nsBlockFrame.cpp, line 3441] 
nsBlockFrame::ReflowLine [nsBlockFrame.cpp, line 2594] 
nsBlockFrame::ReflowDirtyLines [nsBlockFrame.cpp, line 2238] 
nsBlockFrame::Reflow [nsBlockFrame.cpp, line 947] 
nsBlockReflowContext::DoReflowBlock [nsBlockReflowContext.cpp, line 570] 
nsBlockReflowContext::ReflowBlock [nsBlockReflowContext.cpp, line 348] 
nsBlockFrame::ReflowBlockFrame [nsBlockFrame.cpp, line 3202] 
nsBlockFrame::ReflowLine [nsBlockFrame.cpp, line 2460] 
nsBlockFrame::ReflowDirtyLines [nsBlockFrame.cpp, line 2238] 
nsBlockFrame::Reflow [nsBlockFrame.cpp, line 947] 
nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] 
nsTableCellFrame::Reflow [nsTableCellFrame.cpp, line 946] 
nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] 
nsTableRowFrame::ReflowChildren [nsTableRowFrame.cpp, line 1040] 
nsTableRowFrame::Reflow [nsTableRowFrame.cpp, line 1458] 
nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] 
nsTableRowGroupFrame::ReflowChildren [nsTableRowGroupFrame.cpp, line 447] 
nsTableRowGroupFrame::Reflow [nsTableRowGroupFrame.cpp, line 1211] 
nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] 
nsTableFrame::ReflowChildren [nsTableFrame.cpp, line 3313] 
nsTableFrame::ReflowTable [nsTableFrame.cpp, line 2207] 
nsTableFrame::Reflow [nsTableFrame.cpp, line 2073] 
nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] 
nsTableOuterFrame::OuterReflowChild [nsTableOuterFrame.cpp, line 1027] 
nsTableOuterFrame::Reflow [nsTableOuterFrame.cpp, line 1612] 
nsBlockReflowContext::DoReflowBlock [nsBlockReflowContext.cpp, line 570] 
nsBlockReflowContext::ReflowBlock [nsBlockReflowContext.cpp, line 348] 
nsBlockFrame::ReflowBlockFrame [nsBlockFrame.cpp, line 3202] 
nsBlockFrame::ReflowLine [nsBlockFrame.cpp, line 2460] 
nsBlockFrame::ReflowDirtyLines [nsBlockFrame.cpp, line 2238] 
nsBlockFrame::Reflow [nsBlockFrame.cpp, line 947] 
nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] 
nsTableCellFrame::Reflow [nsTableCellFrame.cpp, line 946] 
nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] 
nsTableRowFrame::ReflowChildren [nsTableRowFrame.cpp, line 1040] 
nsTableRowFrame::Reflow [nsTableRowFrame.cpp, line 1458] 
nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] 
nsTableRowGroupFrame::ReflowChildren [nsTableRowGroupFrame.cpp, line 447] 
nsTableRowGroupFrame::Reflow [nsTableRowGroupFrame.cpp, line 1211] 
nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] 
nsTableFrame::ReflowChildren [nsTableFrame.cpp, line 3313] 
nsTableFrame::ReflowTable [nsTableFrame.cpp, line 2207] 
nsTableFrame::Reflow [nsTableFrame.cpp, line 2073] 
nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] 
nsTableOuterFrame::OuterReflowChild [nsTableOuterFrame.cpp, line 1027] 
nsTableOuterFrame::Reflow [nsTableOuterFrame.cpp, line 1612] 
nsBlockReflowContext::DoReflowBlock [nsBlockReflowContext.cpp, line 570] 
nsBlockReflowContext::ReflowBlock [nsBlockReflowContext.cpp, line 348] 
nsBlockFrame::ReflowBlockFrame [nsBlockFrame.cpp, line 3202] 
nsBlockFrame::ReflowLine [nsBlockFrame.cpp, line 2460] 

The problem is:

nsLineLayout::ReflowFrame        
this = Register variable - data not available
aFrame = 0x00000000
(*aFrame) = Data not available

That |aFrame = 0| is no good...  It looks like nsFirstLetterFrame::Reflow never
checks that the mFrames.FirstChild() is non-null...
Assignee: Matti → attinasi
Component: Browser-General → Layout
Keywords: crash
QA Contact: imajes-qa → petersen
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Browser crash in GKLAYOUT.DLL on viewing page → Browser crash in GKLAYOUT.DLL on viewing page [@ nsLineLayout::ReflowFrame]
I was about to configm too. submitted talkback number: TB7488408G
yep, same stack.
I've got the same problem with tabbed surfing. 3 browser windows are okay,
opening a 4th will crash in GKLAYOUT.DLL 

Moz 2002061908
Talkback ID: TB7510448Z
That stack is different; please file a separate bug on Image: layout and cc me....
I have the same problem after I empty the "Junk Mail" folder of my Hotmail account.
I get the same problem when visiting http://www.hostsearch.com/
MOZILLA caused an invalid page fault in
module GKLAYOUT.DLL at 017f:6072fdb7.
Registers:
EAX=00649f34 CS=017f EIP=6072fdb7 EFLGS=00010206
EBX=0201832c SS=0187 ESP=00649c7c EBP=00649c88
ECX=020183d4 DS=0187 ESI=00000000 FS=12a7
EDX=021721d4 ES=0187 EDI=00649cac GS=0000
Bytes at CS:EIP:
83 26 00 51 ff 70 04 e8 02 67 ff ff 83 c4 10 85 
Stack dump:
0201832c 00649c9c 020183e8 00649d1c 6075dd52 00649f34 00649e70 0201832c 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 

Hope that's what you wanted . . .
Original test case is no longer crashing in build 2002070310 on Win95 and Win
98. Huh.
Jay Patel: Could you look if there are incidents with nsLineLayout::ReflowFrame
signature for trunk builds? Original page is no longer crashing, but maybe was
HTML code changed.
From looking at Talkback data, a few people have been crashing with Mozilla 1.1
Alpha (MozillaTrunk build 2002061108).  Here are some user comments and urls
from that data:

(8067095)	URL: www.songworm.com
     (8067095)	Comments: Click on "Three planets" and crash
     (8038838)	URL:
http://jesuschrist.ru/forum/showflat.php?Cat=&Board=main&Number=26497&page=0&view=collapsed&sb=5&part=
     (8023406)	URL:
http://jesuschrist.ru/forum/showflat.php?Cat=&Board=main&Number=26497&page=0&view=collapsed&sb=5&part=
     (8023362)	URL:
http://jesuschrist.ru/forum/showflat.php?Cat=&Board=main&Number=26497&page=0&view=collapsed&sb=5&part=
     (8006852)	URL:
http://jesuschrist.ru/forum/showflat.php?Cat=&Board=main&Number=26497&page=0&view=collapsed&sb=5&part=
     (7997908)	URL:
http://potassium.synclogic.net/ubbthreads/showthreaded.php?Cat=&Board=UBB1&Number=58299&page=2&view=collapsed&sb=5&o=0
     (7957883)	URL:
http://66.154.81.226/ubbthreads/showflat.php?Cat=&Board=UBB1&Number=82107&page=0&view=collapsed&sb=5&o=21&fpart=
     (7957859)	Comments: b0rn bages with lots of jpgs  banners  three tabs
     (7941042)	URL: http://www.velvetrope.com/
     (7941042)	Comments: looks like mozilla dies when you try to show "all" of a
thread.
     (7940489)	URL: http://www.velvetrope.com/
     (7940489)	Comments: just loading the page for one of the threads.
     (7940401)	URL: http://www.velvetrope.com/
     (7940401)	Comments: The above URL was reloading  and I clicked on the
"chatzilla" icon in the status bar.
     (7931752)	URL: http://empeg.comms.net
     (7926261)	URL:
http://jesuschrist.ru/forum/showflat.php?Cat=&Board=main&Number=26497&page=0&view=collapsed&sb=5&part=
     (7905952)	URL:
http://jesuschrist.ru/forum/showflat.php?Cat=&Board=main&Number=26497&page=0&view=collapsed&sb=5&part=
     (7905952)	Comments: %(((
     (7905930)	URL:
http://jesuschrist.ru/forum/showflat.php?Cat=&Board=main&Number=26497&page=0&view=collapsed&sb=5&part=
     (7905930)	Comments: Mozilla crashed %(
     (7897634)	URL:
http://potassium.synclogic.net/ubbthreads/showthreaded.php?Cat=&Board=UBB1&Number=58299&page=1&view=collapsed&sb=5&o=0
     (7889839)	URL:
http://potassium.synclogic.net/ubbthreads/showthreaded.php?Cat=&Board=UBB1&Number=58299&page=1&view=collapsed&sb=5&o=0
     (7811040)	URL:
http://potassium.synclogic.net/ubbthreads/showthreaded.php?Cat=&Board=UBB1&Number=58299&page=1&view=collapsed&sb=5&o=0
     (7806299)	URL:
http://potassium.synclogic.net/ubbthreads/showthreaded.php?Cat=&Board=UBB1&Number=58299&page=1&view=collapsed&sb=5&o=0
     (7776791)	URL:
http://potassium.synclogic.net/ubbthreads/showthreaded.php?Cat=&Board=UBB1&Number=58299&page=1&view=collapsed&sb=5&o=0

It looks like only a couple of people are really haveing problems with this
crash.   There has only been 1 crash submitted on the MozillaTrunk since Mozilla
1.1 Alpha went out:
Incident ID 7963625
Stack Signature nsLineLayout::ReflowFrame ed4e58a9
Email Address craigbel@apex.net
Product ID MozillaTrunk
Build ID 2002070204
Trigger Time 2002-07-03 03:55:43
Platform Win32
Operating System Windows 98 4.90 build 73010104
Module GKLAYOUT.DLL
URL visited
User Comments
Trigger Reason Access violation
Source File Name c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineLayout.cpp
Trigger Line No. 973
Stack Trace
nsLineLayout::ReflowFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineLayout.cpp, line 973]
nsInlineFrame::ReflowInlineFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsInlineFrame.cpp, line 719]
nsInlineFrame::ReflowFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsInlineFrame.cpp, line 524]
nsInlineFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsInlineFrame.cpp, line 438]
nsLineLayout::ReflowFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineLayout.cpp, line 1082]
nsBlockFrame::ReflowInlineFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3806]
nsBlockFrame::DoReflowInlineFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3632]
nsBlockFrame::DoReflowInlineFramesAuto
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3522]
nsBlockFrame::ReflowInlineFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3467]
nsBlockFrame::ReflowLine
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2616]
nsBlockFrame::ReflowDirtyLines
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2260]
nsBlockFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 951]
nsBlockReflowContext::DoReflowBlock
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line
570]
nsBlockReflowContext::ReflowBlock
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line
348]
nsBlockFrame::ReflowBlockFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3228]
nsBlockFrame::ReflowLine
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2482]
nsBlockFrame::ReflowDirtyLines
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2260]
nsBlockFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 951]
nsBlockReflowContext::DoReflowBlock
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line
570]
nsBlockReflowContext::ReflowBlock
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line
348]
nsBlockFrame::ReflowBlockFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3228]
nsBlockFrame::ReflowLine
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2482]
nsBlockFrame::ReflowDirtyLines
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2260]
nsBlockFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 951]
nsBlockReflowContext::DoReflowBlock
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line
570]
nsBlockReflowContext::ReflowBlock
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line
348]
nsBlockFrame::ReflowBlockFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3228]
nsBlockFrame::ReflowLine
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2482]
nsBlockFrame::ReflowDirtyLines
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2260]
nsBlockFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 951]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 825]
CanvasFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsHTMLFrame.cpp, line 566]
nsBoxToBlockAdaptor::Reflow
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 886]
nsBoxToBlockAdaptor::DoLayout
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 627]
nsBox::Layout [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp, line 1062]
nsScrollBoxFrame::DoLayout
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsScrollBoxFrame.cpp, line 394]
nsBox::Layout [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp, line 1062]
nsContainerBox::LayoutChildAt
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsContainerBox.cpp, line 649]
nsGfxScrollFrameInner::LayoutBox
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp, line 1082]
nsGfxScrollFrameInner::Layout
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp, line 1241]
nsGfxScrollFrame::DoLayout
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp, line 1090]
nsBox::Layout [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp, line 1062]
nsBoxFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1002]
nsGfxScrollFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp, line 779]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 825]
ViewportFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsViewportFrame.cpp, line 577]
PresShell::ResizeReflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 3001]
PresShell::ResizeReflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6268]
nsViewManager::SetWindowDimensions
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 589]
nsViewManager::DispatchEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 1697]
HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 83]
nsWindow::DispatchEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1037]
nsWindow::DispatchWindowEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1054]
nsWindow::OnResize [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp,
line 4818]
nsWindow::ProcessMessage
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 4034]
nsWindow::WindowProc
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1299]
KERNEL32.DLL + 0x3613 (0xbff63613)
KERNEL32.DLL + 0x248f7 (0xbff848f7) 

This is a crash still, but definitely not a topcrasher.  Adding topcrash- to
keep it on our radar, and qawanted to see if anyone can reproduce this.  If not,
this one might be worth marking worksforme.
Keywords: qawanted, topcrash-
Summary: Browser crash in GKLAYOUT.DLL on viewing page [@ nsLineLayout::ReflowFrame] → Browser crash in GKLAYOUT.DLL on viewing page - M11A [@ nsLineLayout::ReflowFrame]
I've been getting a couple crashes in gklayout.dll a day minimum both at work
and at home with win98se.  Most recent one on 2002070904, GKLAYOUT.DLL at
0167:60797d76

See TB8140527W, TB8138888W

Sure would be nice if we could cut/paste TB ids out of talkback.exe ;-)
Those are both already known (other) crash bugs -- the crash in
nsImageListener::FrameChanged and the one in 
nsImageBoxListener::OnStopDecode
I assume comment 13 is refering to the TBs in comment 12....  Unfortunately, for
those of us who havn't done any programming, it's hard to find some of these
crash bugs.  This bug is the ONLY one that shows up on a search for gklayout,
which is why I posted my comments here.  Should gklayout be added to the summary
of the two other crash bugs mentioned in comment 13?
There are tons of crashes that are in gklayout.dll.
Summary: Browser crash in GKLAYOUT.DLL on viewing page - M11A [@ nsLineLayout::ReflowFrame] → Browser crash on viewing page - M11A [@ nsLineLayout::ReflowFrame]
Priority: -- → P2
Target Milestone: --- → Future
This bug has gone stale. It needs a new owner and a milestone. The crash is
still happening on the branch is large numbers. (not on Trunk)

Reassigning to Kevin for help.
Assignee: attinasi → kmcclusk
Keywords: topcrash-topcrash
Attached file User comments 
There are almost 300 unique N7.0 users who have reported crashes with this
stack. Most of them point to crashes on the nfl.com site. That would be the
place to start to look for a testcase.
-> Alex
Assignee: kmcclusk → alexsavulov
from talkback i can see that this is both trunk and branch. is this correct?
Alex: Yes, there are incidents in M1.20a and M1.1 (MozillaTrunk) as well as
incidents on branch releases. However, there are no incidents with this
signature in the last ten days of data on the Trunk.
Attached file zipped testcase 
zipped test case!

got lucky with this one. it doesn't happen always. the first time i tested
couple of weeks ago, everything worked fine. now it crashed and i captured this
with IE :-( (yes, that one does not crash). i see the crash on the trunk so is
real.
i get a slightly diferent stack than in comment 1. i paste here the difference
only. underneath nsFirstLineFrame::Reflow everything is the same (afaict). 

VerifyStyleTree(nsIPresContext * 0x0398dc20, nsIFrame * 0x03a78470,
nsIStyleContext * 0x00000000) line 1459
VerifyStyleTree(nsIPresContext * 0x0398dc20, nsIFrame * 0x03a784e8,
nsIStyleContext * 0x03afba68) line 1473 + 15 bytes
FrameManager::DebugVerifyStyleTree(FrameManager * const 0x03a4b830,
nsIPresContext * 0x0398dc20, nsIFrame * 0x03a784e8) line 1508 + 22 bytes
FrameManager::ReParentStyleContext(FrameManager * const 0x03a4b830,
nsIPresContext * 0x0398dc20, nsIFrame * 0x03a784e8, nsIStyleContext *
0x03a7bd50) line 1527
nsPresContext::ReParentStyleContext(nsPresContext * const 0x0398dc20, nsIFrame *
0x03a784e8, nsIStyleContext * 0x03a7bd50) line 1028 + 35 bytes
ReParentChildListStyle(nsIPresContext * 0x0398dc20, nsIStyleContext *
0x03a7bd50, nsFrameList & {...}) line 930
nsFirstLineFrame::Reflow(nsFirstLineFrame * const 0x03a7c0e0, nsIPresContext *
0x0398dc20, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 270) line 1011 + 20 bytes
nsLineLayout::ReflowFrame(nsIFrame * 0x03a7c0e0, unsigned int & 270,
nsHTMLReflowMetrics * 0x00000000, int & 0) line 1047 + 43 bytes
.
.
.

there is a style context resolution problem, i get this warning in the debug
window a lot of times:

frame: Text(**) (03AFB488) style: 03A782D8 :-moz-non-element {}
Wrong parent style context:  style: 03A7BD50 :-moz-line-frame {}
should be using:  style: 03AFBA68 :first-line {}

and this one is there too:

###!!! ASSERTION: bad geometric parent: 'mFrames.ContainsFrame(aNextInFlow)',
file s:/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 1063
###!!! ASSERTION: failed to remove frame: 'result', file
s:/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 1095

in my stack i can see 

ReParentChildListStyle(....

this might have causes the troubles i guess.
Attached patch PatchSplinter Review 
Don't assume that the frame is the parent of its child's nextInFlow.
Comment on attachment 103895 [details] [diff] [review]
Patch

yep, that's it. good catch.
r= alexsavulov
Attachment #103895 - Flags: review+
anyone sr= this please. thanks a lot guys!
Comment on attachment 103895 [details] [diff] [review]
Patch

sr=dbaron.  However, this is fixing a regression from bug 163614, so is
obviously not the original reason that this bug was filed.
Attachment #103895 - Flags: superreview+
yeah, dbaron is right. i fetched the source code of 2002-10-07 and it does not
crash with this testcase. hmm, opening a new bug would be the right thing to do
since it looks like we have 2 different issues here. however MOntagu's patch
will be checked in no matter where the old issue will be placed.
Attached patch Alternative patch (obsolete) — Splinter Review 
I hate to do this after getting r/sr without even asking, but after reading
comment 26 I thought a more solid approach would be to fix
DeleteNextInFlowChild rather than the caller.

alex and dbaron: please transfer your reviews if you agree. If not, let me know
and I'll request a= for the original patch.

Does anyone have a reproducable crash on a branch build for further
investigation?
Comment on attachment 103986 [details] [diff] [review]
Alternative patch

r= alexsavulov
yeah, it looks more secure to me to go with this one. i'm wondering if we
should have an assertion there in the debug version just to point to the fact
that the wrong frame was assumed to be the parent of the aNextInFlow. BTW: i
think that we should move the the testcase and patch to another bug (i can do
that) and let this bug point to the previous issue since Greer tracks it. let's
wait for dbaron first.
Attachment #103986 - Flags: review+
Comment on attachment 103986 [details] [diff] [review]
Alternative patch

This approach seems fine, but there are some callsites that are doing
unnecessary work given this patch, and that should be cleaned up.  See the
patch that I mentioned above caused this (second) bug.
attachment 103895 [details] [diff] [review] fixes a place that I forgot to change in the patch in bug
163614 (there aren't too many places where DeleteNextInFlowChild is called).
Maybe attachment 103986 [details] [diff] [review] should be put inside #ifdef DEBUG and and assertion added.  
I have no problems with the alternative patch as long as DeleteNextInFlowChild()
is called consistently ... along the lines of what dbaron mentions.

Also, if you go the alternative route, nsBlockFrame has it's own version of
DeleteNextInFlowChild() so it might need the same check that was added to the
nsContainerFrame version. Note that also "correcting" the problem inside
DeleteNextInFlowChild() means that any class that wants to override the current
versions needs to have the same correction code.
Is it really necessary to put non debug code in that makes sure that callers are
calling methods correctly. If we are going to start doing this, then where does
it stop.
So, I favor the patch over the alternative patch.
Attached patch Combined patch (obsolete) — Splinter Review 
What karnaze said, plus another assertion to investigate comment 2
Attachment #103895 - Attachment is obsolete: true
Attachment #103986 - Attachment is obsolete: true
Maybe it would be better to not correct the problem in debug mode (but just
assert), because then we get different behavior than from an optimized build. 
In that case, do we even need the assertion? We already have

 NS_PRECONDITION(mFrames.ContainsFrame(aNextInFlow), "bad geometric parent");
I guess not, if when you originally found the problem, the assertion failed.
Yes, that assertion failed for me and Alex (see comment 22). It looks like we
have a consensus forming round attachment 103895 [details] [diff] [review], so I am going to request a=
for it and move on.
Attachment #103895 - Attachment is obsolete: false
Attachment #104005 - Attachment is obsolete: true
Simon,

if attachment 103895 [details] [diff] [review] is the one we have chosen, then let's move it to another
bug (including the testcase) and let it open for the initial issue. do you agree
with that?
I assume you mean "leave this one open for the initial issue", in which case I
agree :-)
yes, that is what i meant (it was the phone that bothered me :-) ok, i will move
that.
ok, i opened bug 176595 for the second issue, moved the patch and the testcase
there so that issue can be handled separately. i will copy the cc's too.
Keywords: testcase
WFM in 12/16/02 and 1/03/03 Trunk builds, but did crash with 6/11 Trunk.
David, can you still reproduce the bug on a recent build? If not, I propose we
mark this as WFM.
Making topcrash+ since we have a testcase.  Adding M130A and N701 to summary for
future reference.  This has been a topcrasher for Mozilla 1.3 Alpha and Netscape
7.01.  I'm digging through Talkback data to see if this is still a problem with
the latest MozillaTrunk builds.
Keywords: topcrashtopcrash+
Summary: Browser crash on viewing page - M11A [@ nsLineLayout::ReflowFrame] → Browser crash on viewing page - M130A N701 [@ nsLineLayout::ReflowFrame]
Well, although there are quite a few crashes with Mozilla 1.3 Alpha...I only see
a few incidents with recent MozillaTrunk builds.  Here is a recent crash on the
Trunk:
Incident ID 16485223
Stack Signature 	nsLineLayout::ReflowFrame 8581dc79
Email Address 	mscott@netscape.com
Product ID 	MozillaTrunk
Build ID 	2003011308
Trigger Time 	2003-01-22 11:59:16
Platform 	Win32
Operating System 	Windows NT 5.1 build 2600
Module 	gklayout.dll
URL visited 	
User Comments 	
Trigger Reason 	Access violation
Source File Name 	c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineLayout.cpp
Trigger Line No. 	1097
Stack Trace 	
nsLineLayout::ReflowFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineLayout.cpp, line 1097]
nsBlockFrame::ReflowInlineFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3899]
nsBlockFrame::DoReflowInlineFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3727]
nsBlockFrame::DoReflowInlineFramesAuto
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3629]
nsBlockFrame::ReflowInlineFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3574]
nsBlockFrame::ReflowLine
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2665]
nsBlockFrame::ReflowDirtyLines
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2311]
nsBlockFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 954]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941]
nsTableCellFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableCellFrame.cpp, line 947]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941]
nsTableRowFrame::ReflowChildren
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowFrame.cpp, line 1054]
nsTableRowFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowFrame.cpp, line 1478]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941]
nsTableRowGroupFrame::ReflowChildren
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp,
line 447]
nsTableRowGroupFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp,
line 1336]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941]
nsTableFrame::ReflowChildren
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 3311]
nsTableFrame::ReflowTable
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 2213]
nsTableFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 2074]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941]
nsTableOuterFrame::OuterReflowChild
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1343]
nsTableOuterFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1989]
nsBlockReflowContext::ReflowBlock
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line
547]
nsBlockFrame::ReflowBlockFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3332]
nsBlockFrame::ReflowLine
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2533]
nsBlockFrame::ReflowDirtyLines
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2311]
nsBlockFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 954]
nsBlockReflowContext::ReflowBlock
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line
547]
nsBlockFrame::ReflowBlockFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3332]
nsBlockFrame::ReflowLine
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2533]
nsBlockFrame::ReflowDirtyLines
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2311]
nsBlockFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 954]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941]
nsPageContentFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPageContentFrame.cpp, line 109]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941]
nsPageFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPageFrame.cpp, line 222]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941]
nsSimplePageSequenceFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsSimplePageSequence.cpp, line
447]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941]
ViewportFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsViewportFrame.cpp, line 581]
PresShell::InitialReflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 2795]
nsPrintEngine::ReflowPrintObject
[c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 2825]
nsPrintEngine::ReflowDocList
[c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 2574]
nsPrintEngine::SetupToPrintContent
[c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 2396]
nsPrintEngine::DocumentReadyForPrinting
[c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 2222]
nsPrintEngine::Observe
[c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 4631]
nsPrintProgress::DoneIniting
[c:/builds/seamonkey/mozilla/embedding/components/printingui/src/win/nsPrintProgress.cpp,
line 228]
XPTC_InvokeByIndex
[c:/builds/seamonkey/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2025]
XPC_WN_CallMethod
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1293]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 841]
js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2804]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 857]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 932]
JS_CallFunctionValue [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3433]
nsJSContext::CallEventHandler
[c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1043]
GlobalWindowImpl::RunTimeout
[c:/builds/seamonkey/mozilla/dom/src/base/nsGlobalWindow.cpp, line 4749]
GlobalWindowImpl::TimerCallback
[c:/builds/seamonkey/mozilla/dom/src/base/nsGlobalWindow.cpp, line 5105]
nsTimerImpl::Fire [c:/builds/seamonkey/mozilla/xpcom/threads/nsTimerImpl.cpp,
line 383]
nsAppShell::Run [c:/builds/seamonkey/mozilla/widget/src/windows/nsAppShell.cpp,
line 176]
nsAppShellService::Run
[c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 471]
main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1559]
main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1907


If noone is able to reproduce this, we should probably mark this worksforme.
Summary: Browser crash on viewing page - M130A N701 [@ nsLineLayout::ReflowFrame] → Browser crash on viewing page - M130A, N701, Trunk[@ nsLineLayout::ReflowFrame]
The testcase in question worksforme.  That said, there might be other bugs with
this stack.
Attachment #103829 - Attachment mime type: application/octet-stream → application/zip
Alrighty...it looks like enough people are seeing a worksforme here using the
attached testcase...so marking it so.

If we see any new crashes with this stack signature/trace...we should just log a
new bug.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ nsLineLayout::ReflowFrame]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: