[inspector] deleting a *{ display: -moz-box } rule from css style rules and then switching to dom node crashes (GetParentBox outs null causing bad callers to crash) [@ nsBoxFrame::AttributeChanged] [@ nsMenuPopupFrame::RelayoutDirtyChild]

Status: RESOLVED WORKSFORME
Product: Core
Component: XUL
Priority: --
Severity: critical
Reported: 16 years ago
Modified: 6 years ago

People

(Reporter: timeless, Assigned: timeless)

Tracking

Version: Trunk
Platform: x86, Windows 2000
Keywords: crash
Firefox Tracking Flags: Not tracked

Attachments

(2 attachments)

(Assignee)

Description

16 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2b) Gecko/20020924
Modern Skin, 22056 manually applied with a bit of debugging
mozilla.exe -P n7 -console
     nsBoxFrame::AttributeChanged
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1471]
     nsTreeColFrame::AttributeChanged
[c:/builds/seamonkey/mozilla/layout/xul/base/src/tree/src/nsTreeColFrame.cpp,
line 190]
     nsCSSFrameConstructor::AttributeChanged
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 10755]
     StyleSetImpl::AttributeChanged
[c:/builds/seamonkey/mozilla/content/base/src/nsStyleSet.cpp, line 1588]
     PresShell::AttributeChanged
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 5266]
     nsXULDocument::AttributeChanged
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp, line 2206]
     nsXULElement::SetAttr
[c:/builds/seamonkey/mozilla/content/xul/content/src/nsXULElement.cpp, line 2750]
     nsXULElement::SetAttribute
[c:/builds/seamonkey/mozilla/content/xul/content/src/nsXULElement.cpp, line 1330]
     XPTC_InvokeByIndex
[c:/builds/seamonkey/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 106]
     XPCWrappedNative::CallMethod
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 1996]
     XPC_WN_CallMethod
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1267]
     js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 841]
     js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2804]
     js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 857]
     js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 932]
     JS_CallFunctionValue [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3433]
     nsJSContext::CallEventHandler
[c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1044]
     nsJSEventListener::HandleEvent
[c:/builds/seamonkey/mozilla/dom/src/events/nsJSEventListener.cpp, line 184]
     nsXBLPrototypeHandler::ExecuteHandler
[c:/builds/seamonkey/mozilla/content/xbl/src/nsXBLPrototypeHandler.cpp, line 457]
     nsXBLPrototypeHandler::BindingAttached
[c:/builds/seamonkey/mozilla/content/xbl/src/nsXBLPrototypeHandler.cpp, line 545]
     nsXBLPrototypeBinding::BindingAttached
[c:/builds/seamonkey/mozilla/content/xbl/src/nsXBLPrototypeBinding.cpp, line 442]
     nsXBLBinding::ExecuteAttachedHandler
[c:/builds/seamonkey/mozilla/content/xbl/src/nsXBLBinding.cpp, line 1046]
     nsBindingManager::ProcessAttachedQueue
[c:/builds/seamonkey/mozilla/content/xbl/src/nsBindingManager.cpp, line 913]
     nsCSSFrameConstructor::ContentInserted
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 8988]
     StyleSetImpl::ContentInserted
[c:/builds/seamonkey/mozilla/content/base/src/nsStyleSet.cpp, line 1537]
     PresShell::InitialReflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 2795]
     nsXULDocument::StartLayout
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp, line 4628]
     nsXULDocument::ResumeWalk
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp, line 5762]
     nsXULDocument::CachedChromeStreamListener::OnStopRequest
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp, line 7025]
     nsDocumentOpenInfo::OnStopRequest
[c:/builds/seamonkey/mozilla/uriloader/base/nsURILoader.cpp, line 257]
     nsCachedChromeChannel::HandleStopLoadEvent
[c:/builds/seamonkey/mozilla/rdf/chrome/src/nsChromeProtocolHandler.cpp, line 472]
     PL_HandleEvent [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 647]
     _md_EventReceiverProc [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c,
line 1330]
     0x778b0c24

1468                        GetParentBox(&parent);
1469                        parent->RelayoutChildAtOrdinal(state, this);
1470                        nsIFrame* parentFrame;
1471                        parent->GetFrame(&parentFrame);

could GetParentBox have failed and parent be null?
answer: yes
517 nsBoxObject::GetParentBox(nsIDOMElement * *aParentBox)
529   NS_IF_ADDREF(*aParentBox);
530   return NS_OK;
531 }
(Assignee)

Comment 1

16 years ago
CallQueryInterface is not null safe although it does assert in debug.

nsMenuPopupFrame::RelayoutDirtyChild
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsMenuPopupFrame.cpp, line 381]
nsBoxFrame::ReflowDirtyChild
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 831]
nsMathMLContainerFrame::ReflowDirtyChild
[c:/builds/seamonkey/mozilla/layout/mathml/base/src/nsMathMLContainerFrame.cpp,
line 1072]
nsMathMLContainerFrame::ReflowDirtyChild
[c:/builds/seamonkey/mozilla/layout/mathml/base/src/nsMathMLContainerFrame.cpp,
line 1072]
nsInlineFrame::AppendFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsInlineFrame.cpp, line 212]
FrameManager::AppendFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsFrameManager.cpp, line 962]
nsCSSFrameConstructor::AppendFrames
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 7846]
nsCSSFrameConstructor::ContentInserted
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9215]
nsCSSFrameConstructor::ContentAppended
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 8336]
StyleSetImpl::ContentAppended
[c:/builds/seamonkey/mozilla/content/base/src/nsStyleSet.cpp, line 1527]
PresShell::ContentAppended
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 5286]
nsXULDocument::ContentAppended
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp, line 2255]
nsXULElement::AppendChildTo
[c:/builds/seamonkey/mozilla/content/xul/content/src/nsXULElement.cpp, line 2359]
nsXULElement::InsertBefore
[c:/builds/seamonkey/mozilla/content/xul/content/src/nsXULElement.cpp, line 1056]
nsXULElement::AppendChild
[c:/builds/seamonkey/mozilla/content/xul/content/src/nsXULElement.cpp, line 1141]
XPTC_InvokeByIndex
[c:/builds/seamonkey/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 106]
XPCWrappedNative::CallMethod
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 1996]
XPC_WN_CallMethod
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1267]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 841]
js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2804]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 857]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 932]
JS_CallFunctionValue [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3433]
nsJSContext::CallEventHandler
[c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1044]
nsJSEventListener::HandleEvent
[c:/builds/seamonkey/mozilla/dom/src/events/nsJSEventListener.cpp, line 184]
nsXBLPrototypeHandler::ExecuteHandler
[c:/builds/seamonkey/mozilla/content/xbl/src/nsXBLPrototypeHandler.cpp, line 457]
nsXBLPrototypeHandler::BindingAttached
[c:/builds/seamonkey/mozilla/content/xbl/src/nsXBLPrototypeHandler.cpp, line 545]
nsXBLPrototypeBinding::BindingAttached
[c:/builds/seamonkey/mozilla/content/xbl/src/nsXBLPrototypeBinding.cpp, line 442]
nsXBLBinding::ExecuteAttachedHandler
[c:/builds/seamonkey/mozilla/content/xbl/src/nsXBLBinding.cpp, line 1046]
nsBindingManager::ProcessAttachedQueue
[c:/builds/seamonkey/mozilla/content/xbl/src/nsBindingManager.cpp, line 913]
nsCSSFrameConstructor::ContentInserted
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 8988]
StyleSetImpl::ContentInserted
[c:/builds/seamonkey/mozilla/content/base/src/nsStyleSet.cpp, line 1537]
PresShell::InitialReflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 2795]
nsXULDocument::StartLayout
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp, line 4628]
nsXULDocument::ResumeWalk
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp, line 5762]
nsXULDocument::CachedChromeStreamListener::OnStopRequest
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp, line 7025]
nsDocumentOpenInfo::OnStopRequest
[c:/builds/seamonkey/mozilla/uriloader/base/nsURILoader.cpp, line 257]
nsCachedChromeChannel::HandleStopLoadEvent
[c:/builds/seamonkey/mozilla/rdf/chrome/src/nsChromeProtocolHandler.cpp, line 472]
PL_HandleEvent [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 647]
_md_EventReceiverProc [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line
1330]
0x778b0c24

I'm reviewing all 
Status: NEW → ASSIGNED
Summary: [inspector] deleting a *{ display: -moz-box } rule from css style rules and then switching to dom node crashes [@nsBoxFrame::AttributeChanged] → [inspector] deleting a *{ display: -moz-box } rule from css style rules and then switching to dom node crashes (GetParentBox outs null causing bad callers to crash) [@nsBoxFrame::AttributeChanged][@nsMenuPopupFrame::RelayoutDirtyChild]
(Assignee)

Comment 2

16 years ago
Created attachment 100568 [details] [diff] [review]
-wu patch

ok, i reviewed all of the GetParentBox callers, many were fine, these seemed
questionable.

Note that GetParentBox returns NS_OK and nsnull so checking its return value
wouldn't help.
(Assignee)

Comment 3

16 years ago
Created attachment 100569 [details] [diff] [review]
the real patch

The preceding was for review, this includes all of the gory details (lots of
whitespace changes, tabs, 2/3 space indents, trailing whitespace, ...)

Comment 4

Just at a quick look, some of those changes are a little suspect... the first
hunk should probably do _something_ when there's no parent, no?  Same for the
last hunk... if those situations should never happen, at least NS_ERROR or
something...
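
The contract noted in comments 2 and 4 (a getter that returns NS_OK while leaving its out-parameter null), as an added C++ example that is not part of the original bug or its patches. Box, Failed, RvCheckWouldDereferenceNull and AttributeChangedSafe are hypothetical names, and returning NS_ERROR_FAILURE for the parentless case is an assumption about what "do something" could mean.

```cpp
#include <cstdint>
#include <cstdio>

// Simplified stand-ins for the XPCOM result codes (not Mozilla's headers).
using nsresult = std::uint32_t;
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_ERROR_FAILURE = 0x80004005u;
inline bool Failed(nsresult rv) { return (rv & 0x80000000u) != 0; }

// Hypothetical miniature of a box frame; only the parent link matters here.
struct Box {
  Box* mParent = nullptr;
  int mRelayouts = 0;
  // Contract described in the bug: always NS_OK, out-param may be null.
  nsresult GetParentBox(Box** aParent) const {
    *aParent = mParent;
    return NS_OK;
  }
  void RelayoutChildAtOrdinal(Box*) { ++mRelayouts; }
};

// Caller that checks only the return code. Returns true when it would go on
// to dereference a null parent: rv is NS_OK, yet the out-param is null.
bool RvCheckWouldDereferenceNull(Box& child) {
  Box* parent = nullptr;
  nsresult rv = child.GetParentBox(&parent);
  if (Failed(rv)) return false;  // never taken with this contract
  return parent == nullptr;      // true => the next use of parent crashes
}

// Hardened caller: test the out-param itself and surface an error.
nsresult AttributeChangedSafe(Box& child) {
  Box* parent = nullptr;
  child.GetParentBox(&parent);
  if (!parent) return NS_ERROR_FAILURE;  // frame has no box parent
  parent->RelayoutChildAtOrdinal(&child);
  return NS_OK;
}

int main() {
  Box root, child, orphan;
  child.mParent = &root;
  nsresult ok = AttributeChangedSafe(child);
  nsresult bad = AttributeChangedSafe(orphan);
  std::printf("child:  rv=0x%08x relayouts=%d\n", (unsigned)ok, root.mRelayouts);
  std::printf("orphan: rv=0x%08x rv-only check misses null=%d\n", (unsigned)bad, RvCheckWouldDereferenceNull(orphan));
}
```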
(Assignee)

Comment 5

16 years ago
1. run mozilla (modern) navigator
2. run inspector
3. file>inspect a window>navigator
4. select css style rules *
5. click the first style rule:
*      chrome://global/content/xul.css    0       15
6. right click the second style
display     -moz-box
7. select delete

steps diverge past this point depending on where you want to crash.

A. first stack
1. select dom node *

B. second stack
1. close inspector
2. open inspector

* the button looks like an explorer view toggle.

Updated

16 years ago
Keywords: crash
(Assignee)

Updated

16 years ago
Keywords: topcrash

Comment 6

16 years ago
No talkback incidents since November builds.  Marking worksforme.
Reopen as needed.
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Keywords: topcrash → topcrash-
Resolution: --- → WORKSFORME
Summary: [inspector] deleting a *{ display: -moz-box } rule from css style rules and then switching to dom node crashes (GetParentBox outs null causing bad callers to crash) [@nsBoxFrame::AttributeChanged][@nsMenuPopupFrame::RelayoutDirtyChild] → [inspector] deleting a *{ display: -moz-box } rule from css style rules and then switching to dom node crashes (GetParentBox outs null causing bad callers to crash) [@ nsBoxFrame::AttributeChanged] [@ nsMenuPopupFrame::RelayoutDirtyChild]

Comment 7

This doesn't look like it was filed as a topcrash.
Status: RESOLVED → REOPENED
Keywords: topcrash-
Resolution: WORKSFORME → ---

Comment 8

14 years ago
Timeless: Related and/or dup of bug 271945?  What's the status on this bug? 
Seems like we have more traction in the other bug...
Keywords: topcrash
(Assignee)

Updated

10 years ago
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: shrir → xptoolkit.widgets
Crash Signature: [@ nsBoxFrame::AttributeChanged] [@ nsMenuPopupFrame::RelayoutDirtyChild]

Comment 9

7 years ago
nsMenuPopupFrame::RelayoutDirtyChild doesn't appear on any version in the past 4 weeks. I still see nsBoxFrame::AttributeChanged but in very low volume. Removing topcrash keyword.
Crash Signature: [@ nsBoxFrame::AttributeChanged] [@ nsMenuPopupFrame::RelayoutDirtyChild] → [@ nsBoxFrame::AttributeChanged] [@ nsMenuPopupFrame::RelayoutDirtyChild]
Keywords: topcrash

Comment 10

6 years ago
Re-resolving WFM per comment #6. Looks like the reopen in comment #7 was accidental.
Status: REOPENED → RESOLVED
Last Resolved: 16 years ago → 6 years ago
Resolution: --- → WORKSFORME