Closed Bug 17315 Opened 25 years ago Closed 25 years ago

Crash loading page- browser/viewer crashing when viewing a bug in bugzilla.

Categories

(Core :: Layout, defect, P1)

x86
Windows NT
defect

Tracking

VERIFIED FIXED

People

(Reporter: michael.j.lowe, Assigned: troy)


1999102608 build.
Assignee: troy → rods
Rod, what seems to be happening is that a frame is getting destroyed and we're
not removing the content->frame mapping the frame manager maintains.

Removal of the content->frame mapping doesn't happen automatically when a frame
is destroyed. We could do that, but it would slow down the general case.

Instead, since frames are all created and destroyed by the frame construction
code, it takes care of adding and removing the mapping.

In those cases where frames are destroyed through a different mechanism, there
is a frame construction call that should be made to inform that code of
the frame's demise. Hyatt uses this for the tree view.

The function is called RemoveMappingsForFrameSubtree()

Here's the stack trace:
FindFrameWithContent(nsIFrame * 0x01c58b60, nsIContent * 0x01c3a4f8, nsIContent
* 0x01c644dc) line 8385 + 11 bytes
nsCSSFrameConstructor::FindPrimaryFrameFor(nsCSSFrameConstructor * const
0x011526f0, nsIPresContext * 0x0118be00, nsIFrameManager * 0x01162a48,
nsIContent * 0x01c644dc, nsIFrame * * 0x0012ed50) line 8472 + 22 bytes
StyleSetImpl::FindPrimaryFrameFor(StyleSetImpl * const 0x01152620,
nsIPresContext * 0x0118be00, nsIFrameManager * 0x01162a48, nsIContent *
0x01c644dc, nsIFrame * * 0x0012ed50) line 1049
FrameManager::GetPrimaryFrameFor(FrameManager * const 0x01162a48, nsIContent *
0x01c644dc, nsIFrame * * 0x0012ed50) line 416
nsCSSFrameConstructor::FindPrimaryFrameFor(nsCSSFrameConstructor * const
0x011526f0, nsIPresContext * 0x0118be00, nsIFrameManager * 0x01162a48,
nsIContent * 0x01c684b4, nsIFrame * * 0x0012ede4) line 8470
StyleSetImpl::FindPrimaryFrameFor(StyleSetImpl * const 0x01152620,
nsIPresContext * 0x0118be00, nsIFrameManager * 0x01162a48, nsIContent *
0x01c684b4, nsIFrame * * 0x0012ede4) line 1049
FrameManager::GetPrimaryFrameFor(FrameManager * const 0x01162a48, nsIContent *
0x01c684b4, nsIFrame * * 0x0012ede4) line 416
PresShell::GetPrimaryFrameFor(const PresShell * const 0x011527b0, nsIContent *
0x01c684b4, nsIFrame * * 0x0012ede4) line 2005 + 32 bytes
nsCSSFrameConstructor::ContentChanged(nsCSSFrameConstructor * const 0x011526f0,
nsIPresContext * 0x0118be00, nsIContent * 0x01c684b4, nsISupports * 0x00000000)
line 7358
StyleSetImpl::ContentChanged(StyleSetImpl * const 0x01152620, nsIPresContext *
0x0118be00, nsIContent * 0x01c684b4, nsISupports * 0x00000000) line 972
PresShell::ContentChanged(PresShell * const 0x011527b8, nsIDocument *
0x00c8c210, nsIContent * 0x01c684b4, nsISupports * 0x00000000) line 1805 + 46
bytes
nsDocument::ContentChanged(nsDocument * const 0x00c8c210, nsIContent *
0x01c684b4, nsISupports * 0x00000000) line 1487
nsGenericDOMDataNode::SetText(const unsigned short * 0x0012f10c, int 3, int 1)
line 980
nsTextNode::SetText(nsTextNode * const 0x01c684b8, const unsigned short *
0x0012f10c, int 3, int 1) line 70 + 26 bytes
nsGenericDOMDataNode::SetData(const nsString & {...}) line 263 + 45 bytes
nsTextNode::SetData(nsTextNode * const 0x01c684a8, const nsString & {...}) line
51 + 18 bytes
nsCSSFrameConstructor::CreateGeneratedFrameFor(nsIPresContext * 0x0118be00,
nsIDocument * 0x00c8c210, nsIFrame * 0x01c67f50, nsIContent * 0x01c644dc,
nsIStyleContext * 0x01c68030, const nsStyleContent * 0x01c67d48, unsigned int 0,
nsIFrame * * 0x0012f1d4) line 696
nsCSSFrameConstructor::CreateGeneratedContentFrame(nsIPresContext * 0x0118be00,
nsFrameConstructorState & {...}, nsIFrame * 0x01c77878, nsIContent * 0x01c644dc,
nsIStyleContext * 0x01c77338, nsIAtom * 0x0101d970, int 0, int 0, nsIFrame * *
0x0012f258) line 825 + 45 bytes
nsCSSFrameConstructor::ConstructButtonLabelFrame(nsIPresContext * 0x0118be00,
nsIContent * 0x01c644dc, nsIFrame * & 0x01c77878, nsFrameConstructorState &
{...}, nsFrameItems & {...}) line 3247 + 49 bytes
nsCSSFrameConstructor::ConstructFrameByTag(nsIPresContext * 0x0118be00,
nsFrameConstructorState & {...}, nsIContent * 0x01c644dc, nsIFrame * 0x01c819c0,
nsIAtom * 0x011b51e8, nsIStyleContext * 0x01c77338, nsFrameItems & {...}) line
3780
nsCSSFrameConstructor::ConstructFrame(nsIPresContext * 0x0118be00,
nsFrameConstructorState & {...}, nsIContent * 0x01c644dc, nsIFrame * 0x01c819c0,
int 0, nsFrameItems & {...}) line 5529 + 46 bytes
nsCSSFrameConstructor::CreateAnonymousFrames(nsIPresContext * 0x0118be00,
nsFrameConstructorState & {...}, nsIContent * 0x01c3a4f8, nsIDocument *
0x00c8c210, nsIFrame * 0x01c819c0, nsFrameItems & {...}) line 3902
nsCSSFrameConstructor::CreateAnonymousFrames(nsIPresContext * 0x0118be00,
nsIAtom * 0x0103d720, nsFrameConstructorState & {...}, nsIContent * 0x01c3a4f8,
nsIFrame * 0x01c819c0, nsFrameItems & {...}) line 3862 + 37 bytes
nsCSSFrameConstructor::ConstructSelectFrame(nsIPresContext * 0x0118be00,
nsFrameConstructorState & {...}, nsIContent * 0x01c3a4f8, nsIFrame * 0x01c83480,
nsIAtom * 0x011b8e68, nsIStyleContext * 0x01c81c28, nsIFrame * & 0x00000000, int
& 0, int 0, int & 0, int 0, nsFrameItems & {...}) line 3426
nsCSSFrameConstructor::ConstructFrameByTag(nsIPresContext * 0x0118be00,
nsFrameConstructorState & {...}, nsIContent * 0x01c3a4f8, nsIFrame * 0x01c83480,
nsIAtom * 0x011b8e68, nsIStyleContext * 0x01c81c28, nsFrameItems & {...}) line
3678 + 56 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresContext * 0x0118be00,
nsFrameConstructorState & {...}, nsIContent * 0x01c3a4f8, nsIFrame * 0x01c83480,
int 0, nsFrameItems & {...}) line 5529 + 46 bytes
nsCSSFrameConstructor::ProcessChildren(nsIPresContext * 0x0118be00,
nsFrameConstructorState & {...}, nsIContent * 0x01baad3c, nsIFrame * 0x01c83480,
int 1, nsFrameItems & {...}, int 0) line 8681 + 43 bytes
nsCSSFrameConstructor::ConstructInline(nsIPresContext * 0x0118be00,
nsFrameConstructorState & {...}, const nsStyleDisplay * 0x01c4beb4, nsIContent *
0x01baad3c, nsIFrame * 0x01bf9138, nsIStyleContext * 0x01c4bc90, nsIFrame *
0x01c83480) line 5190 + 32 bytes
nsCSSFrameConstructor::ConstructFrameByDisplayType(nsIPresContext * 0x0118be00,
nsFrameConstructorState & {...}, const nsStyleDisplay * 0x01c4beb4, nsIContent *
0x01baad3c, nsIFrame * 0x01bf9138, nsIStyleContext * 0x01c4bc90, int 0,
nsFrameItems & {...}) line 4998 + 39 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresContext * 0x0118be00,
nsFrameConstructorState & {...}, nsIContent * 0x01baad3c, nsIFrame * 0x01bf9138,
int 0, nsFrameItems & {...}) line 5561 + 45 bytes
nsCSSFrameConstructor::ContentAppended(nsCSSFrameConstructor * const 0x011526f0,
nsIPresContext * 0x0118be00, nsIContent * 0x01ba8840, int 66) line 6085
StyleSetImpl::ContentAppended(StyleSetImpl * const 0x01152620, nsIPresContext *
0x0118be00, nsIContent * 0x01ba8840, int 66) line 935
PresShell::ContentAppended(PresShell * const 0x011527b8, nsIDocument *
0x00c8c210, nsIContent * 0x01ba8840, int 66) line 1848 + 46 bytes
nsDocument::ContentAppended(nsDocument * const 0x00c8c210, nsIContent *
0x01ba8840, int 66) line 1526
nsHTMLDocument::ContentAppended(nsHTMLDocument * const 0x00c8c210, nsIContent *
0x01ba8840, int 66) line 1041
nsGenericHTMLContainerElement::AppendChildTo(nsIContent * 0x01baad3c, int 1)
line 2974
nsHTMLTableCellElement::AppendChildTo(nsHTMLTableCellElement * const 0x01ba8840,
nsIContent * 0x01baad3c, int 1) line 109 + 22 bytes
SinkContext::DemoteContainer(const nsIParserNode & {...}) line 1362 + 18 bytes
HTMLContentSink::CloseForm(HTMLContentSink * const 0x01155ca0, const
nsIParserNode & {...}) line 2419 + 15 bytes
CNavDTD::CloseForm(const nsIParserNode & {...}) line 2462 + 31 bytes
CNavDTD::CloseContainer(const nsIParserNode & {...}, nsHTMLTag eHTMLTag_form,
int 0) line 2714 + 12 bytes
CNavDTD::HandleEndToken(CToken * 0x01147258) line 1443 + 24 bytes
CNavDTD::HandleToken(CNavDTD * const 0x01165e40, CToken * 0x01147258, nsIParser
* 0x01155948) line 656 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x01165e40, nsIParser * 0x01155948,
nsITokenizer * 0x01166520, nsITokenObserver * 0x00000000, nsIContentSink *
0x01155ca0) line 458 + 20 bytes
nsParser::BuildModel() line 1038 + 34 bytes
nsParser::ResumeParse(nsIDTD * 0x00000000, int 0) line 949 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x0115594c, nsIChannel * 0x011c43b0,
nsISupports * 0x00000000, nsIInputStream * 0x011c4920, unsigned int 0, unsigned
int 8192) line 1376 + 19 bytes
nsDocumentBindInfo::OnDataAvailable(nsDocumentBindInfo * const 0x01bea450,
nsIChannel * 0x011c43b0, nsISupports * 0x00000000, nsIInputStream * 0x011c4920,
unsigned int 0, unsigned int 8192) line 1200 + 32 bytes
nsChannelListener::OnDataAvailable(nsChannelListener * const 0x0114c3d0,
nsIChannel * 0x011c43b0, nsISupports * 0x00000000, nsIInputStream * 0x011c4920,
unsigned int 0, unsigned int 8192) line 1386
nsHTTPResponseListener::OnDataAvailable(nsHTTPResponseListener * const
0x01afae48, nsIChannel * 0x01158cd8, nsISupports * 0x011c43b0, nsIInputStream *
0x011c4920, unsigned int 16384, unsigned int 8192) line 186 + 47 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x01c0b430)
line 413
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x01b64d10) line 169 + 12 bytes
PL_HandleEvent(PLEvent * 0x01b64d10) line 526 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00c19f20) line 487 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x000402c6, unsigned int 49390, unsigned int 0,
long 12689184) line 961 + 9 bytes
USER32! 77e135f8()
USER32! 77e13769()
USER32! 77e17b9a()
main(int 1, char * * 0x00a82fa8) line 135 + 11 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL3
Assignee: rods → troy
Looking at this some more I think there's a problem in the DST code so I'm
reassigning the bug back to me
Status: NEW → ASSIGNED
I fixed a DST problem, but that didn't help this problem. It seems we really are
deleting a frame without first calling DeletingFrameSubtree()
Purify shows we have a free memory read, although it's not obvious exactly why.
Here's the Purify information:

[E] FMR: Free memory read in FindFrameWithContent {1 occurrence}
    Reading 4 bytes from 0x038d8fc8 (4 bytes at 0x038d8fc8 illegal)
    Address 0x038d8fc8 is at the beginning of a 200 byte block
    Address 0x038d8fc8 points to a C++ new block in heap 0x03660000
    Thread ID: 0x1d4
    Error location
        FindFrameWithContent [nsCSSFrameConstructor.cpp:7998]
        nsCSSFrameConstructor::FindPrimaryFrameFor(nsIPresContext
*,nsIFrameManager *,nsIContent *,nsIFrame * *) [nsCSSFrameConstructor.cpp:8085]
        StyleSetImpl::FindPrimaryFrameFor(nsIPresContext *,nsIFrameManager
*,nsIContent *,nsIFrame * *) [nsStyleSet.cpp:1048]
        FrameManager::GetPrimaryFrameFor(nsIContent *,nsIFrame * *)
[nsFrameManager.cpp:415]
        nsCSSFrameConstructor::FindPrimaryFrameFor(nsIPresContext
*,nsIFrameManager *,nsIContent *,nsIFrame * *) [nsCSSFrameConstructor.cpp:8082]
        StyleSetImpl::FindPrimaryFrameFor(nsIPresContext *,nsIFrameManager
*,nsIContent *,nsIFrame * *) [nsStyleSet.cpp:1048]
        FrameManager::GetPrimaryFrameFor(nsIContent *,nsIFrame * *)
[nsFrameManager.cpp:415]
        PresShell::GetPrimaryFrameFor(nsIContent *,nsIFrame * *)const
[nsPresShell.cpp:2002]
        nsCSSFrameConstructor::ContentChanged(nsIPresContext *,nsIContent
*,nsISupports *) [nsCSSFrameConstructor.cpp:6922]
        StyleSetImpl::ContentChanged(nsIPresContext *,nsIContent *,nsISupports
*) [nsStyleSet.cpp:971]
        PresShell::ContentChanged(nsIDocument *,nsIContent *,nsISupports *)
[nsPresShell.cpp:1802]
        nsDocument::ContentChanged(nsIContent *,nsISupports *)
[nsDocument.cpp:1484]
        nsGenericDOMDataNode::SetText(WORD const*,int,int)
[nsGenericDOMDataNode.cpp:978]
        nsTextNode::SetText(WORD const*,int,int) [nsTextNode.cpp:70]
        nsGenericDOMDataNode::SetData(nsString const&)
[nsGenericDOMDataNode.cpp:263]
        nsTextNode::SetData(nsString const&) [nsTextNode.cpp:51]
        nsCSSFrameConstructor::CreateGeneratedFrameFor(nsIPresContext
*,nsIDocument *,nsIFrame *,nsIContent *,nsIStyleContext *,nsStyleContent
const*,UINT,nsIFrame * *) [nsCSSFrameConstructor.cpp:696]
        nsCSSFrameConstructor::CreateGeneratedContentFrame(nsIPresContext
*,nsFrameConstructorState&,nsIFrame *,nsIContent *,nsIStyleContext *,nsIAtom
*,int,nsIFrame * *) [nsCSSFrameConstructor.cpp:825]
        nsCSSFrameConstructor::ConstructButtonLabelFrame(nsIPresContext
*,nsIContent *,nsIFrame *&,nsFrameConstructorState&,nsFrameItems&)
[nsCSSFrameConstructor.cpp:2951]
        nsCSSFrameConstructor::ConstructFrameByTag(nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom *,nsIStyleContext
*,nsFrameItems&) [nsCSSFrameConstructor.cpp:3479]
        nsCSSFrameConstructor::ConstructFrame(nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame *,int,nsFrameItems&)
[nsCSSFrameConstructor.cpp:5233]
        nsCSSFrameConstructor::CreateAnonymousFrames(nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIDocument *,nsIFrame *,nsFrameItems&)
[nsCSSFrameConstructor.cpp:3605]
        nsCSSFrameConstructor::CreateAnonymousFrames(nsIPresContext *,nsIAtom
*,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsFrameItems&)
[nsCSSFrameConstructor.cpp:3566]
        nsCSSFrameConstructor::ConstructSelectFrame(nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom *,nsIStyleContext
*,nsIFrame *&,int&,int,int&,int,nsFrameItems&) [nsCSSFrameConstructor.cpp:3127]
        nsCSSFrameConstructor::ConstructFrameByTag(nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom *,nsIStyleContext
*,nsFrameItems&) [nsCSSFrameConstructor.cpp:3382]
    Allocation location
        new(UINT)      [new.cpp:23]
        nsFrame::new(UINT) [nsFrame.cpp:193]
        NS_NewComboboxControlFrame(nsIFrame * *) [nsComboboxControlFrame.cpp:83]
        nsCSSFrameConstructor::ConstructSelectFrame(nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom *,nsIStyleContext
*,nsIFrame *&,int&,int,int&,int,nsFrameItems&) [nsCSSFrameConstructor.cpp:3069]
        nsCSSFrameConstructor::ConstructFrameByTag(nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom *,nsIStyleContext
*,nsFrameItems&) [nsCSSFrameConstructor.cpp:3382]
        nsCSSFrameConstructor::ConstructFrame(nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame *,int,nsFrameItems&)
[nsCSSFrameConstructor.cpp:5233]
        nsCSSFrameConstructor::ProcessChildren(nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame *,int,nsFrameItems&,int)
[nsCSSFrameConstructor.cpp:8265]
        nsCSSFrameConstructor::ConstructInline(nsIPresContext
*,nsFrameConstructorState&,nsStyleDisplay const*,nsIContent *,nsIFrame
*,nsIStyleContext *,nsIFrame *) [nsCSSFrameConstructor.cpp:4894]
        nsCSSFrameConstructor::ConstructFrameByDisplayType(nsIPresContext
*,nsFrameConstructorState&,nsStyleDisplay const*,nsIContent *,nsIFrame
*,nsIStyleContext *,int,nsFrameItems&) [nsCSSFrameConstructor.cpp:4702]
        nsCSSFrameConstructor::ConstructFrame(nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame *,int,nsFrameItems&)
[nsCSSFrameConstructor.cpp:5265]
        nsCSSFrameConstructor::ProcessChildren(nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame *,int,nsFrameItems&,int)
[nsCSSFrameConstructor.cpp:8265]
        nsCSSFrameConstructor::ConstructFrameByTag(nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom *,nsIStyleContext
*,nsFrameItems&) [nsCSSFrameConstructor.cpp:3474]
        nsCSSFrameConstructor::ConstructFrame(nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame *,int,nsFrameItems&)
[nsCSSFrameConstructor.cpp:5233]
        nsCSSFrameConstructor::ContentAppended(nsIPresContext *,nsIContent
*,int) [nsCSSFrameConstructor.cpp:5748]
        StyleSetImpl::ContentAppended(nsIPresContext *,nsIContent *,int)
[nsStyleSet.cpp:934]
        PresShell::ContentAppended(nsIDocument *,nsIContent *,int)
[nsPresShell.cpp:1845]
        nsDocument::ContentAppended(nsIContent *,int) [nsDocument.cpp:1523]
        nsHTMLDocument::ContentAppended(nsIContent *,int)
[nsHTMLDocument.cpp:1040]
        HTMLContentSink::NotifyAppend(nsIContent *,int)
[nsHTMLContentSink.cpp:3457]
        SinkContext::FlushTags(void) [nsHTMLContentSink.cpp:1718]
        HTMLContentSink::WillInterrupt(void) [nsHTMLContentSink.cpp:2043]
        CNavDTD::WillInterruptParse(void) [CNavDTD.cpp:3143]
        nsParser::ResumeParse(nsIDTD *,int) [nsParser.cpp:1012]
        nsParser::OnDataAvailable(nsIChannel *,nsISupports *,nsIInputStream
*,UINT,UINT) [nsParser.cpp:1400]
        nsDocumentBindInfo::OnDataAvailable(nsIChannel *,nsISupports
*,nsIInputStream *,UINT,UINT) [nsDocLoader.cpp:1216]
    Free location
        delete(void *) [dbgdel.cpp:35]
        nsFrame::delete(void *) [nsFrame.cpp:193]
        nsComboboxControlFrame::`scalar deleting destructor'(UINT) [gkhtml.dll]
        nsFrame::Destroy(nsIPresContext&) [nsFrame.cpp:368]
        nsContainerFrame::Destroy(nsIPresContext&) [nsContainerFrame.cpp:92]
        nsBlockFrame::Destroy(nsIPresContext&) [nsBlockFrame.cpp:1121]
        nsAreaFrame::Destroy(nsIPresContext&) [nsAreaFrame.cpp:82]
        nsComboboxControlFrame::Destroy(nsIPresContext&)
[nsComboboxControlFrame.cpp:1251]
        nsFrameList::DestroyFrames(nsIPresContext&) [nsFrameList.cpp:28]
        nsInlineFrame::Destroy(nsIPresContext&) [nsInlineFrame.cpp:341]
        nsBlockFrame::DoRemoveFrame(nsIPresContext *,nsIFrame *)
[nsBlockFrame.cpp:4932]
        nsBlockFrame::RemoveFrame(nsIPresContext&,nsIPresShell&,nsIAtom
*,nsIFrame *) [nsBlockFrame.cpp:4813]
        FrameManager::RemoveFrame(nsIPresContext&,nsIPresShell&,nsIFrame
*,nsIAtom *,nsIFrame *) [nsFrameManager.cpp:625]
        nsCSSFrameConstructor::ContentRemoved(nsIPresContext *,nsIContent
*,nsIContent *,int) [nsCSSFrameConstructor.cpp:6661]
                      } else {
                        // Notify the parent frame that it should delete the
frame
                        rv = frameManager->RemoveFrame(*aPresContext, *shell,
parentFrame,
             =>                                        nsnull, childFrame);
                      }
                    }

        StyleSetImpl::ContentRemoved(nsIPresContext *,nsIContent *,nsIContent
*,int) [nsStyleSet.cpp:962]
        PresShell::ContentRemoved(nsIDocument *,nsIContent *,nsIContent *,int)
[nsPresShell.cpp:1900]
        nsDocument::ContentRemoved(nsIContent *,nsIContent *,int)
[nsDocument.cpp:1586]
        nsHTMLDocument::ContentRemoved(nsIContent *,nsIContent *,int)
[nsHTMLDocument.cpp:1093]
        nsGenericHTMLContainerElement::RemoveChildAt(int,int)
[nsGenericHTMLElement.cpp:2987]
        nsHTMLFormElement::RemoveChildAt(int,int) [nsHTMLFormElement.cpp:106]
        SinkContext::DemoteContainer(nsIParserNode const&)
[nsHTMLContentSink.cpp:1363]
        HTMLContentSink::CloseForm(nsIParserNode const&)
[nsHTMLContentSink.cpp:2425]
        CNavDTD::CloseForm(nsIParserNode const&) [CNavDTD.cpp:2469]
        CNavDTD::CloseContainer(nsIParserNode const&,nsHTMLTag,int)
[CNavDTD.cpp:2721]
        CNavDTD::HandleEndToken(CToken *) [CNavDTD.cpp:1443]
Priority: P3 → P1
*** Bug 17852 has been marked as a duplicate of this bug. ***
*** Bug 17817 has been marked as a duplicate of this bug. ***
*** Bug 17900 has been marked as a duplicate of this bug. ***
Summary: Crash loading page → Crash loading page- browser/viewer crashing when viewing a bug in bugzilla.
Target Milestone: M11
putting on the m11 radar.  lust for a fix in the next few days.
No chance of me getting to it until next week (Tuesday at the earliest). I'm off
to a W3C style meeting
Simple test case that reproduces the problem:

<FORM>
 <FONT size=1><BR><FONT color=#cc0000></FONT>
 <SELECT></SELECT>
</FORM>
Vidur, that little test case that demonstrates the problem results in 2
ContentRemoved() calls to the frame construction code. www.eetimes.com results
in a very large number.

Can we do anything about that? It's not very good for performance.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Okay, I checked in a fix for this problem. What was happening was that
DeletingFrameSubtree() wasn't looking at continuing frames, and so child frames
in the next-in-flow frames weren't getting removed from the content->frame map.

Because the SELECT was inside of a FONT element and it was in the continuing
FONT frame (there was a BR element in front of it), it wasn't getting removed
from the map.

Note that this fixes www.eetimes.com; however, it does not seem to fix all of
the bugs that are marked DUP of this bug.
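
The root cause given in the comment above, reduced to a toy model. This is an added illustration, not Gecko code and not part of the bug report. All names (FrameModel, RemoveMappings, StaleContent and the rest) are assumptions, and integer frame ids stand in for nsIFrame pointers so the stale map entry can be examined without reading freed memory.

```cpp
#include <map>
#include <vector>
// Toy model, not Gecko code; integer ids stand in for nsIFrame*.
using FrameId = int;
enum Content { FONT = 1, BR = 2, SELECT = 3 };
struct Frame {
    int content = 0;
    std::vector<FrameId> children;
    FrameId nextInFlow = 0;              // continuation of the same content; 0 = none
};

struct FrameModel {
    std::map<int, FrameId> primaryFrameFor;   // the content->frame map
    std::map<FrameId, Frame> live;            // every frame not yet destroyed
    FrameId nextId = 1;
    FrameId NewFrame(int content, bool isPrimary) {
        FrameId id = nextId++;
        live[id].content = content;
        if (isPrimary) primaryFrameFor[content] = id;
        return id;
    }

    // followContinuations=false models the bug as described, true models the fix.
    void RemoveMappings(FrameId id, bool followContinuations) {
        while (id) {
            const Frame& f = live.at(id);
            auto it = primaryFrameFor.find(f.content);
            if (it != primaryFrameFor.end() && it->second == id) primaryFrameFor.erase(it);
            for (FrameId c : f.children) RemoveMappings(c, followContinuations);
            id = followContinuations ? f.nextInFlow : 0;
        }
    }

    // Destruction always frees the whole flow, mapped or not.
    void Destroy(FrameId id) {
        while (id) {
            Frame f = live.at(id);       // copy the links, then free the frame
            live.erase(id);
            for (FrameId c : f.children) Destroy(c);
            id = f.nextInFlow;
        }
    }

    // Content whose map entry names a destroyed frame: a pending free-memory read.
    std::vector<int> StaleContent() const {
        std::vector<int> stale;
        for (const auto& e : primaryFrameFor)
            if (!live.count(e.second)) stale.push_back(e.first);
        return stale;
    }
};

// Reduced test case: BR splits the FONT frame; SELECT sits in the continuation.
std::vector<int> StaleAfterRemovingFont(bool followContinuations) {
    FrameModel m;
    FrameId font = m.NewFrame(FONT, true), br = m.NewFrame(BR, true);
    FrameId fontCont = m.NewFrame(FONT, false), select = m.NewFrame(SELECT, true);
    m.live[font].children.push_back(br);
    m.live[font].nextInFlow = fontCont;
    m.live[fontCont].children.push_back(select);
    m.RemoveMappings(font, followContinuations);
    m.Destroy(font);
    return m.StaleContent();
}

int main() { return StaleAfterRemovingFont(true).empty() ? 0 : 1; }
```

Without the continuation walk, the SELECT entry survives in the map after its frame is gone, which is the condition Purify reported as a free memory read in FindFrameWithContent.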
Status: RESOLVED → VERIFIED
I re-opened 17852, since that crash still occurs. bug 17817 and bug 17900, the
bugzilla crash bugs, still occur also but are probably a dup of 17852 as they
have the same stack trace.

Marking this bug verified, since the simple test case and the eetimes page are
ok now.