Closed Bug 178855 Opened 22 years ago Closed 22 years ago

crash when calling this XML url

Categories

(Core :: Layout: Tables, defect, P2)

Product:
Core
Component:
Layout: Tables
Platform:
x86
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.3alpha

People

(Reporter: dewildt, Assigned: karnaze)

References

(
URL
)

Details

(Keywords: crash, Whiteboard: [PATCH])

Attachments

(2 files)

Minimal testcase
112 bytes, text/xml
Details
patch to fix the crash
2.14 KB, patch
dbaron
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2b) Gecko/20021107
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2b) Gecko/20021107

Mozilla crashes when calling the URL
http://www.xmlguru.de/html/_d/03demo/demo11.xml

talkback ID : TB13630462K

Reproducible: Always

Steps to Reproduce:
1. call http://www.xmlguru.de/html/_d/03demo/demo11.xml


Actual Results:  
Crash

Expected Results:  
Show xml page

I used a fresh install with a new created user without any additional plugins etc.
This bug also exists in Mozilla 1.2b
(Is this a dup of bug 174709 ?)
Summary: crash when calling the url → crash when calling this XML url
Keywords: crash
confirmed on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b)
Gecko/20021107.  the problem is with the xsl file
(http://www.xmlguru.de/html/_d/03demo/demo11.xsl). when the line to include the
xsl file is not included, the xml file opens fine.
Marking confirmed using Win2k 1106 cvs.  Not a dupe of 174709 it looks like.  
Here's the stack:

nsIFrame::GetFrameState(unsigned int * 0x0012e610) line 795 + 6 bytes
nsCSSFrameConstructor::CreatePlaceholderFrameFor(nsIPresShell * 0x0510e1a8, 
nsIPresContext * 0x04bd4578, nsIFrameManager * 0x04fa46e0, nsIContent * 
0x0523dbc0, nsIFrame * 0x00000000, nsIStyleContext * 0x0492e070, nsIFrame * 
0x050fed3c, nsIFrame * * 0x0012e69c) line 4025
nsCSSFrameConstructor::ConstructFrameByDisplayType(nsIPresShell * 0x0510e1a8, 
nsIPresContext * 0x04bd4578, nsFrameConstructorState & {...}, const 
nsStyleDisplay * 0x050feec8, nsIContent * 0x0523dbc0, int 0x00000003, nsIAtom * 
0x03105fd0, nsIFrame * 0x050fed3c, nsIStyleContext * 0x0492e070, nsFrameItems & 
{...}) line 6713
nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell * 0x0510e1a8, 
nsIPresContext * 0x04bd4578, nsFrameConstructorState & {...}, nsIContent * 
0x0523dbc0, nsIFrame * 0x050fed3c, nsIAtom * 0x03105fd0, int 0x00000003, 
nsIStyleContext * 0x0492e070, nsFrameItems & {...}, int 0x00000000) line 7441 + 
53 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x0510e1a8, nsIPresContext 
* 0x04bd4578, nsFrameConstructorState & {...}, nsIContent * 0x0523dbc0, 
nsIFrame * 0x050fed3c, nsFrameItems & {...}) line 7292 + 56 bytes
nsCSSFrameConstructor::ConstructDocElementTableFrame(nsIPresShell * 0x0510e1a8, 
nsIPresContext * 0x04bd4578, nsIContent * 0x0523dbc0, nsIFrame * 0x050fed3c, 
nsIFrame * & 0x00000000, nsILayoutHistoryState * 0x00000000) line 3269
nsCSSFrameConstructor::ConstructDocElementFrame(nsIPresShell * 0x0510e1a8, 
nsIPresContext * 0x04bd4578, nsFrameConstructorState & {...}, nsIContent * 
0x0523dbc0, nsIFrame * 0x050fed3c, nsIStyleContext * 0x04f54f98, nsIFrame * & 
0x00000000) line 3432 + 43 bytes
nsCSSFrameConstructor::ContentInserted(nsCSSFrameConstructor * const 
0x043c5f48, nsIPresContext * 0x04bd4578, nsIContent * 0x00000000, nsIContent * 
0x0523dbc0, int 0x00000000, nsILayoutHistoryState * 0x00000000, int 0x00000000) 
line 8980
StyleSetImpl::ContentInserted(StyleSetImpl * const 0x0450b620, nsIPresContext * 
0x04bd4578, nsIContent * 0x00000000, nsIContent * 0x0523dbc0, int 0x00000000) 
line 1531
PresShell::InitialReflow(PresShell * const 0x0510e1a8, int 0x00004eb1, int 
0x00003c4b) line 2796
nsXMLContentSink::StartLayout() line 1298
nsXMLContentSink::OnTransformDone(nsXMLContentSink * const 0x043509b4, unsigned 
int 0x00000000, nsIDOMDocument * 0x04ad6ab4) line 523
txMozillaXMLOutput::SignalTransformEnd() line 762
txMozillaXMLOutput::endDocument() line 205
txXSLTProcessor::transform(ProcessorState * 0x0012f5bc) line 1654
txMozillaXSLTProcessor::TransformDocument(txMozillaXSLTProcessor * const 
0x05153328, nsIDOMNode * 0x0434dc6c, nsIDOMNode * 0x050ae6c4, 
nsITransformObserver * 0x043509b4, nsIDOMDocument * * 0x043ac8f8) line 383 + 12 
bytes
nsTransformMediator::TryToTransform() line 107 + 86 bytes
nsTransformMediator::SetStyleSheetContentModel(nsTransformMediator * const 
0x043ac8d8, nsIDOMNode * 0x050ae6c4) line 144
nsXSLContentSink::DidBuildModel(nsXSLContentSink * const 0x04a36fe8, int 
0x00000000) line 134
nsExpatDriver::DidBuildModel(nsExpatDriver * const 0x04c0cc30, unsigned int 
0x00000000, int 0x00000001, nsIParser * 0x04c59be0, nsIContentSink * 
0x04a36fe8) line 972 + 23 bytes
nsParser::DidBuildModel(unsigned int 0x00000000) line 1262 + 41 bytes
nsParser::ResumeParse(int 0x00000001, int 0x00000001, int 0x00000001) line 1811
nsParser::OnStopRequest(nsParser * const 0x04c59be4, nsIRequest * 0x04c107d0, 
nsISupports * 0x00000000, unsigned int 0x00000000) line 2432 + 21 bytes
nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x04c0cba0, 
nsIRequest * 0x04c107d0, nsISupports * 0x00000000, unsigned int 0x00000000) 
line 66
nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x04c107d4, nsIRequest * 
0x04fa4944, nsISupports * 0x00000000, unsigned int 0x00000000) line 3020
nsOnStopRequestEvent::HandleEvent() line 213
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x04a928fc) line 116
PL_HandleEvent(PLEvent * 0x04a928fc) line 644 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00f314a8) line 574 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x02780160, unsigned int 0x0000c0da, unsigned 
int 0x00000000, long 0x00f314a8) line 1335 + 9 bytes
USER32! 77e3a290()
USER32! 77e145b1()
USER32! 77e15b1d()
nsAppShellService::Run(nsAppShellService * const 0x031137d0) line 472
main1(int 0x00000001, char * * 0x002c6d90, nsISupports * 0x002c6df8) line 1541 
+ 32 bytes
main(int 0x00000001, char * * 0x002c6d90) line 1902 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e9ca90()
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached file Minimal testcase 
This rips out the irrelevant xslt...
The testcase in its entirety:

<table style="position: absolute;" xmlns="http://www.w3.org/1999/xhtml">
 <tr>
  <td>a test</td>
 </tr>
</table>

(note that the <table> is the root element).  The table frame construction code
does not seem to deal well:

(gdb) frame
#0  nsIFrame::GetFrameState (this=0x0, aResult=0xbfffdfd8)
    at
/home/bzbarsky/mozilla/debug/mozilla/layout/svg/base/src/../../../base/public/nsIFrame.h:795
795         *aResult = mState;
(gdb) p this
$1 = (nsIFrame *) 0x0
(gdb) frame 1
#1  0x41fd11a2 in nsCSSFrameConstructor::CreatePlaceholderFrameFor (this=0x87d3cc0, 
    aPresShell=0x87d3d90, aPresContext=0x87c1448, aFrameManager=0x87d4f60, 
    aContent=0x879aa20, aFrame=0x0, aStyleContext=0x87e84e0,
aParentFrame=0x87dc664, 
    aPlaceholderFrame=0xbfffe1a8)
    at
/home/bzbarsky/mozilla/debug/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:4039
4039        aFrame->GetFrameState(&frameState);
(gdb) p aFrame
$2 = (nsIFrame *) 0x0
(gdb) frame 2
#2  0x41fd7e47 in nsCSSFrameConstructor::ConstructFrameByDisplayType
(this=0x87d3cc0, 
    aPresShell=0x87d3d90, aPresContext=0x87c1448, aState=@0xbfffe370, 
    aDisplay=0x87dc76c, aContent=0x879aa20, aNameSpaceID=3, aTag=0x816f298, 
    aParentFrame=0x87dc664, aStyleContext=0x87e84e0, aFrameItems=@0xbfffe368)
    at
/home/bzbarsky/mozilla/debug/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:6725
6725                                  newFrame, aStyleContext, adjParentFrame,
&placeholderFrame);
(gdb) p newFrame
$3 = (nsIFrame *) 0x0

This last part is in the "nearly_done:" section of ConstructFrameByDisplayType
and in particular after the ConstructTableFrame call.... for some reason
ConstructTableFrame is returning a null pointer.

Perhaps this is because we coopted the table outer frame and made it a canvas
frame instead?  (just a thought)
Assignee: heikki → table
Component: XML → Layout: Tables
OS: Windows 2000 → All
QA Contact: ian → amar
This feels like a duplicate of an old bug about tables being the root.

Perhaps the solution here, rather than making tables support being the root
frame (which I think there's already some code to do), is to put a dummy block
around the root element's frame when that frame is not a block?
Yeah... I've been considering doing something like that anyway... right now the
root content's frame is a CanvasFrame; we should be giving it a "real" frame too.  
taking
Assignee: table → karnaze
Priority: -- → P2
Whiteboard: [PATCH]
Target Milestone: --- → mozilla1.3alpha
The patch fixes the crash, the testcase (because it has no positional
coordinates) and contains XXX comments regarding how to fully support a
positioned table which is the doc root (we could open another for that).
Status: NEW → ASSIGNED
Attachment #105920 - Flags: superreview?(bzbarsky)
Attachment #105920 - Flags: review?(dbaron)
Attachment #105920 - Flags: superreview?(bzbarsky) → superreview+
Comment on attachment 105920 [details] [diff] [review]
patch to fix the crash

r=dbaron
Attachment #105920 - Flags: review?(dbaron) → review+
fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Keywords: nsbeta1+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: