Closed Bug 182460 Opened 22 years ago Closed 15 years ago

crash if XSLT-generated document contains <script> and XSLT-generated <iframe> [@ nsBoxFrame::CreateViewForFrame]

Categories

(Core :: XSLT, defect, P1)

Product:
Core
Component:
XSLT
Platform:
x86
All
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Milestone:
mozilla1.6beta

People

(Reporter: sinchi, Assigned: peterv)

References

(Depends on 1 open bug,
URL
)

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(6 files, 4 obsolete files)

Details from Talkback agent
18.65 KB, text/plain
Details
stacktrace
7.59 KB, text/plain
Details
iframe xsl
38 bytes, text/xml
Details
iframe xml
159 bytes, text/xml
Details
top xhtml. BE AWARE! CRASHES!
281 bytes, text/xml
Details
zip of minimal testcase
590 bytes, application/x-zip-compressed
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2) Gecko/20021126
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2) Gecko/20021126

If XSLT-generated page contains both <script> and XSLT-generated <iframe>á
Mozilla crashes

Reproducible: Always

Steps to Reproduce:
1. Go to URL http://bugzilla.nm.ru/xslt/table.xml.
2. If crash doesn't appear, click reload button a few times.
Keywords: crash
Summary: crash if XSLT-generated document contains <script> and XSLT-generated <iframe> → [crash] crash if XSLT-generated document contains <script> and XSLT-generated <iframe>
If I load these files from local disk, crash comes instantly. If you try to open
URL, click reload some times quickly.
can you post Talkback ID for this crash "mozilla/bin/components/talkback.exe" ?
Keywords: stackwanted
Details form Talkback agent report. Privacy-sensitive data were removed.

BTW, the same crash appears on fresh installation at another computer.
That's rather useless, we need the TalkBack Incident ID
Attached file stacktrace 
crash occurs with linux trunk build 20021127

###!!! ASSERTION: GetParentWithView failed: 'parent', file nsBoxFrame.cpp, line
2573
marking NEW
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: stackwantedtestcase
OS: Windows 2000 → All
regression between linux trunk builds 2002102004 and 2002102204
Keywords: regression
Instantly crashed for me using 2002111408 nightly on Windows 98.
Talkback ID: TB14492553M
Reassigning to Sicking for now. Probably fall-out from the branch landing
(http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=MozillaTinderboxAll&branch=HEAD&branchtype=match&sortby=Date&date=explicit&mindate=10%2F21%2F2002+00%3A00%3A00&maxdate=10%2F21%2F2002+23%3A59%3A59&cvsroot=%2Fcvsroot).
Sicking: do you think you can look at this anytime soon?
Assignee: peterv → bugmail
Summary: [crash] crash if XSLT-generated document contains <script> and XSLT-generated <iframe> → crash if XSLT-generated document contains <script> and XSLT-generated <iframe>
talkback stack for Talkback ID: TB14492553M




Stack Signature  nsBoxFrame::CreateViewForFrame 209e541c
Email Address rontilby@aol.com
Product ID MozillaTrunk
Build ID 2002111408
Trigger Time 2002-11-28 10:02:03
Platform Win32
Operating System Windows 98 4.10 build 67766222
Module GKLAYOUT.DLL
URL visited http://bugzilla.nm.ru/xslt/table.xml
User Comments Mozilla bug 182460 Page never displayed.
Trigger Reason Access violation
Source File Name c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxFrame.cpp
Trigger Line No. 2580
Stack Trace
nsBoxFrame::CreateViewForFrame
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 2580]
nsScrollbarFrame::Init
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsScrollbarFrame.cpp, line 90]
nsCSSFrameConstructor::InitAndRestoreFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 6806]
nsCSSFrameConstructor::ConstructXULFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 5850]
nsCSSFrameConstructor::ConstructFrameInternal
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 7432]
nsCSSFrameConstructor::ConstructFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 7307]
nsCSSFrameConstructor::CreateAnonymousFrames
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 5290]
nsCSSFrameConstructor::BuildGfxScrollFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 6230]
nsCSSFrameConstructor::BeginBuildingScrollFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 6004]
nsCSSFrameConstructor::ConstructRootFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 3876]
StyleSetImpl::ConstructRootFrame
[c:/builds/seamonkey/mozilla/content/base/src/nsStyleSet.cpp, line 1507]
PresShell::InitialReflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 2790]
nsXMLContentSink::StartLayout
[c:/builds/seamonkey/mozilla/content/xml/document/src/nsXMLContentSink.cpp, line
1299]
nsXMLContentSink::OnTransformDone
[c:/builds/seamonkey/mozilla/content/xml/document/src/nsXMLContentSink.cpp, line
523]
txMozillaXMLOutput::SignalTransformEnd
[c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/txMozillaXMLOutput.cpp,
line 762]
txMozillaXMLOutput::endDocument
[c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/txMozillaXMLOutput.cpp,
line 205]
txXSLTProcessor::transform
[c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/XSLTProcessor.cpp,
line 1656]
txMozillaXSLTProcessor::TransformDocument
[c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/txMozillaXSLTProcessor.cpp,
line 385]
nsTransformMediator::TryToTransform
[c:/builds/seamonkey/mozilla/content/xsl/document/src/nsTransformMediator.cpp,
line 109]
nsTransformMediator::SetStyleSheetContentModel
[c:/builds/seamonkey/mozilla/content/xsl/document/src/nsTransformMediator.cpp,
line 144]
nsXSLContentSink::DidBuildModel
[c:/builds/seamonkey/mozilla/content/xsl/document/src/nsXSLContentSink.cpp, line
134]
nsExpatDriver::DidBuildModel
[c:/builds/seamonkey/mozilla/htmlparser/src/nsExpatDriver.cpp, line 973]
nsParser::DidBuildModel
[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1265]
nsParser::ResumeParse [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp,
line 1811]
nsParser::OnStopRequest
[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 2440]
nsStreamListenerTee::OnStopRequest
[c:/builds/seamonkey/mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 66]
nsHttpChannel::OnStopRequest
[c:/builds/seamonkey/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 3008]
nsOnStopRequestEvent::HandleEvent
[c:/builds/seamonkey/mozilla/netwerk/base/src/nsRequestObserverProxy.cpp, line 213]
PL_HandleEvent [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 645]
PL_ProcessPendingEvents [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c,
line 578]
_md_EventReceiverProc [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line
1336]
KERNEL32.DLL + 0x242e7 (0xbff942e7)
0x00648b62
Summary: crash if XSLT-generated document contains <script> and XSLT-generated <iframe> → crash if XSLT-generated document contains <script> and XSLT-generated <iframe> [@ nsBoxFrame::CreateViewForFrame]
Flags: blocking1.3a?
No patch yet, not sure we know the exact problem either, so don't nominate this
please.
Flags: blocking1.3a?
sending this over to layout since that is where this crashes. It might be that
transformiix needs to do some extra work that the contentsink usually does, but
i have no idea what that would be.
Assignee: bugmail → other
Component: XSLT → Layout
QA Contact: keith → ian
Jonas, this bug didn't persist in 1.1, 1.2b. Probably it becomes after fixing
bug 158457.
No, this was most likly caused by the landing of bug 155578, which made us
produce a HTML rather then an XML document.
Priority: -- → P2
Target Milestone: --- → Future
manko: the testcase is gone, Could you please attach it to this bug so that we
could try to fix this?
Attached file Zipped testcase (obsolete) — 
OK, there is a zipped testcase here.

Unzip file then open table.xml in Mozilla.
Attached file top xhtml. BE AWARE! CRASHES! (obsolete) — 
this is a smaller testcase properly linked to bugzilla urls. Just click and go,
but be aware, it crashes!
since this seems hard to reproduce on the bugzilla-server i've put the exact
same testcase in this .zip
cc-ing dbaron and bz. This is a 100% reproducable crasher
Looks like you managed to create an nsViewportFrame without a view.
So, I'm guessing you're somehow going through neither
DocumentViewerImpl::MakeWindow nor DocumentViewerImpl::Show.  Does this need to
be fixed in DocumentViewerImpl::SetDOMDocument?
I cannot get the testcases to crash using:
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030430
loading the original testcase locally still crashes with linux trunk 20030430
OK, I'm seeing the bug on the "Zipped testcase" (the first testcase in this
bug).  Modulo asserts from bug 204319 the problem is that we have a viewmanager
with no root view:

(gdb) frame 9
#9  0x40f9adf0 in nsCSSFrameConstructor::ConstructRootFrame (this=0x87a3210, 
    aPresShell=0x87a32c0, aPresContext=0x87a73d8, aDocElement=0x87a4920, 
    aNewFrame=@0xbfffe7f8)
    at
/home/bzbarsky/mozilla/profile/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:3875

gdb) p rootView
$10 = (nsIView *) 0x0
(gdb) p (nsViewManager)*viewManager.mRawPtr     
$11 = {<nsIViewManager> = {<nsISupports> = {
      _vptr. = 0x417b0f20 <nsViewManager virtual table>}, <No data fields>},
mRefCnt = {
    mValue = 2}, _mOwningThread = {mThread = 0x80a1800}, 
  static gLastUserEventTime = 70607832, mContext = 0x863e488, 
  mTwipsToPixels = 0.0666666701, mPixelsToTwips = 15, mObserver = 0x87a32c4, 
  mRootWindow = 0x0, mTransCnt = -1, mRefreshEnabled = 0, mPainting = 0, 
  mRecursiveRefreshPending = 0, mMouseGrabber = 0x0, mKeyGrabber = 0x0,
mUpdateCnt = 10, 
  mUpdateBatchCnt = 0, mDisplayListCount = 12, mDisplayList = {<nsVoidArray> = {
      mImpl = 0x87bca60, _vptr. = 0x40694d94}, 
    mAutoBuf =
"\b\0\0\0\b\0\0\0\030Ê{\bàZ{\b\230Z{\bPZ{\bðY{\bxY{\b\030Y{\b¸X{\b"}, 
  mTranslucentViewCount = 0, mTranslucentArea = {x = 0, y = 0, width = 0, height
= 0}, 
  mRootScrollable = 0x0, mCachingWidgetChanges = 0, 
  mDefaultBackgroundColor = 4294967295, mMapPlaceholderViewToZTreeNode = {mLock
= 0x0, 
    mHashtable = {ops = 0x40694340, data = 0x0, hashShift = 28, maxAlphaFrac =
192 'À', 
      minAlphaFrac = 64 '@', entrySize = 12, entryCount = 0, removedCount = 0, 
      generation = 0, entryStore = 0x87a2ea0 ""}, mEnumerating = 0, 
    _vptr. = 0x40694308}, static mVMCount = 5, static gCleanupContext = 0x83517b8, 
  static gViewManagers = 0x8318990, mBlender = {mRawPtr = 0x0}, 
  mCompositeListeners = 0x87b5670, mRegionFactory = {mRawPtr = 0x815f6d8}, 
  mRootView = 0x0, mX = 0, mY = 0, mAllowDoubleBuffering = 1, 
  mHasPendingInvalidates = 1, mEventQueueService = {mRawPtr = 0x81002e0}, 
  mInvalidateEventQueue = {mRawPtr = 0x0}}

Over to roc, who may have some idea of what's up here....
Assignee: other → roc+moz
Component: Layout → Layout: View Rendering
Priority: P2 → --
Target Milestone: Future → ---
David is right on the money in comment 26 here. I'm just not sure which calls to
add in DocumentViewerImpl::SetDOMDocument. Should it call into
DocumentViewerImpl::Show, or should it call something else directly?
Still persists in 1.5 and 1.4.1
Flags: blocking1.6a?
Flags: blocking1.4.2?
Changing component to XSLT (since IIRC DocumentViewerImpl::SetDOMDocument is a
hack designed for the XSLT code), and I think the problem is there.  (I don't
know the answer to sicking's question in comment 30 offhand, although I could
look into it.)
Assignee: roc → peterv
Component: Layout: View Rendering → XSLT
QA Contact: ian → keith
Status: NEW → ASSIGNED
Priority: P3 → P1
Target Milestone: --- → mozilla1.6beta
not going to block 1.6a or 1.4.2 releases for this.
Flags: blocking1.6a?
Flags: blocking1.6a-
Flags: blocking1.4.2?
Flags: blocking1.4.2-
Crash still (very-first testcase) with 1.7 Beta:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040316

Talkback ID is TB10340Y
Captured at 04/02/04 at 12:35 AM
came across this problem this week, mozilla also crashes when xslt-generated
pages contain document.write(" ") in a <script> tag, not just <iframe>.
problems with document.write is a different bug then this one.
So what seems to be happening here is that when we start layout for the outer
document it will end up calling ::Show on the iframes documentviewer which will
perform the initial reflow including hooking up views and everything. Then the
xslt transform finishes and we tear all that down but doesn't set it up properly
again.

So either we should just call Show or something similar in SetDOMDocument, or we
should stop the source document from being shown in the first place. Seems like
the latter is the better solution since we're not interested in showing the
source document just to have it replaced.
Come to think of it. I wonder if we could hold off creating the documentviewer
entierly until the transform is done. That could be the answer for bug 281022
Depends on: 300540
Continued from discussion started in bug 312858 comment 15:

I'd rather find some other way of blocking initial reflow on xslt documents
rather then not putting content into the document. First of all we'd need to
keep a list of all root contents (comments, PIs, docElement). Second, i'm
worried about what happens once the content is put into the tree, whatever got
blocked by keeping the content out of the tree musn't trigger at that point.

We also must not create any layout objects that could be specific to the
document object since the document node too is replaced after the transformation.


Could we block the creation of the presshell and prescontext? That should block
any intial reflows right?
I suppose we could always add an nsIDocument api to get/set a boolean and the
content viewer could check that before creating a presentation...  Not sure what
the now-showing iframe would end up painting in that case... ;)
None of the attachments seem to be able to crash my session, but this URL always does it: http://timesofindia.indiatimes.com/cms.dll/xml/uncomp/articleshow?msid=167551


Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20080422
QA Contact: keith → xslt
WFM on Mac.  I'll take the zipped testcase and make it into a crashtest.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ nsBoxFrame::CreateViewForFrame]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: