Closed
Bug 182460
Opened 22 years ago
Closed 15 years ago
crash if XSLT-generated document contains <script> and XSLT-generated <iframe> [@ nsBoxFrame::CreateViewForFrame]
Categories
(Core :: XSLT, defect, P1)
Tracking
()
RESOLVED
WORKSFORME
mozilla1.6beta
People
(Reporter: sinchi, Assigned: peterv)
References
(Depends on 1 open bug, )
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(6 files, 4 obsolete files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2) Gecko/20021126 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2) Gecko/20021126 If XSLT-generated page contains both <script> and XSLT-generated <iframe>á Mozilla crashes Reproducible: Always Steps to Reproduce: 1. Go to URL http://bugzilla.nm.ru/xslt/table.xml. 2. If crash doesn't appear, click reload button a few times.
Keywords: crash
Summary: crash if XSLT-generated document contains <script> and XSLT-generated <iframe> → [crash] crash if XSLT-generated document contains <script> and XSLT-generated <iframe>
If I load these files from local disk, crash comes instantly. If you try to open URL, click reload some times quickly.
Comment 2•22 years ago
|
||
can you post Talkback ID for this crash "mozilla/bin/components/talkback.exe" ?
Keywords: stackwanted
Details form Talkback agent report. Privacy-sensitive data were removed. BTW, the same crash appears on fresh installation at another computer.
Assignee | ||
Comment 4•22 years ago
|
||
That's rather useless, we need the TalkBack Incident ID
Comment 5•22 years ago
|
||
crash occurs with linux trunk build 20021127 ###!!! ASSERTION: GetParentWithView failed: 'parent', file nsBoxFrame.cpp, line 2573
Comment 6•22 years ago
|
||
marking NEW
Comment 7•22 years ago
|
||
regression between linux trunk builds 2002102004 and 2002102204
Keywords: regression
Comment 8•22 years ago
|
||
Instantly crashed for me using 2002111408 nightly on Windows 98. Talkback ID: TB14492553M
Assignee | ||
Comment 9•22 years ago
|
||
Reassigning to Sicking for now. Probably fall-out from the branch landing (http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=MozillaTinderboxAll&branch=HEAD&branchtype=match&sortby=Date&date=explicit&mindate=10%2F21%2F2002+00%3A00%3A00&maxdate=10%2F21%2F2002+23%3A59%3A59&cvsroot=%2Fcvsroot). Sicking: do you think you can look at this anytime soon?
Assignee: peterv → bugmail
Updated•22 years ago
|
Summary: [crash] crash if XSLT-generated document contains <script> and XSLT-generated <iframe> → crash if XSLT-generated document contains <script> and XSLT-generated <iframe>
Comment 10•22 years ago
|
||
talkback stack for Talkback ID: TB14492553M Stack Signature nsBoxFrame::CreateViewForFrame 209e541c Email Address rontilby@aol.com Product ID MozillaTrunk Build ID 2002111408 Trigger Time 2002-11-28 10:02:03 Platform Win32 Operating System Windows 98 4.10 build 67766222 Module GKLAYOUT.DLL URL visited http://bugzilla.nm.ru/xslt/table.xml User Comments Mozilla bug 182460 Page never displayed. Trigger Reason Access violation Source File Name c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxFrame.cpp Trigger Line No. 2580 Stack Trace nsBoxFrame::CreateViewForFrame [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 2580] nsScrollbarFrame::Init [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsScrollbarFrame.cpp, line 90] nsCSSFrameConstructor::InitAndRestoreFrame [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 6806] nsCSSFrameConstructor::ConstructXULFrame [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 5850] nsCSSFrameConstructor::ConstructFrameInternal [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 7432] nsCSSFrameConstructor::ConstructFrame [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 7307] nsCSSFrameConstructor::CreateAnonymousFrames [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 5290] nsCSSFrameConstructor::BuildGfxScrollFrame [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 6230] nsCSSFrameConstructor::BeginBuildingScrollFrame [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 6004] nsCSSFrameConstructor::ConstructRootFrame [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 3876] StyleSetImpl::ConstructRootFrame [c:/builds/seamonkey/mozilla/content/base/src/nsStyleSet.cpp, line 1507] PresShell::InitialReflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 2790] nsXMLContentSink::StartLayout [c:/builds/seamonkey/mozilla/content/xml/document/src/nsXMLContentSink.cpp, line 1299] nsXMLContentSink::OnTransformDone [c:/builds/seamonkey/mozilla/content/xml/document/src/nsXMLContentSink.cpp, line 523] txMozillaXMLOutput::SignalTransformEnd [c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/txMozillaXMLOutput.cpp, line 762] txMozillaXMLOutput::endDocument [c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/txMozillaXMLOutput.cpp, line 205] txXSLTProcessor::transform [c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/XSLTProcessor.cpp, line 1656] txMozillaXSLTProcessor::TransformDocument [c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/txMozillaXSLTProcessor.cpp, line 385] nsTransformMediator::TryToTransform [c:/builds/seamonkey/mozilla/content/xsl/document/src/nsTransformMediator.cpp, line 109] nsTransformMediator::SetStyleSheetContentModel [c:/builds/seamonkey/mozilla/content/xsl/document/src/nsTransformMediator.cpp, line 144] nsXSLContentSink::DidBuildModel [c:/builds/seamonkey/mozilla/content/xsl/document/src/nsXSLContentSink.cpp, line 134] nsExpatDriver::DidBuildModel [c:/builds/seamonkey/mozilla/htmlparser/src/nsExpatDriver.cpp, line 973] nsParser::DidBuildModel [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1265] nsParser::ResumeParse [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1811] nsParser::OnStopRequest [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 2440] nsStreamListenerTee::OnStopRequest [c:/builds/seamonkey/mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 66] nsHttpChannel::OnStopRequest [c:/builds/seamonkey/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 3008] nsOnStopRequestEvent::HandleEvent [c:/builds/seamonkey/mozilla/netwerk/base/src/nsRequestObserverProxy.cpp, line 213] PL_HandleEvent [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 645] PL_ProcessPendingEvents [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 578] _md_EventReceiverProc [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 1336] KERNEL32.DLL + 0x242e7 (0xbff942e7) 0x00648b62
Updated•22 years ago
|
Summary: crash if XSLT-generated document contains <script> and XSLT-generated <iframe> → crash if XSLT-generated document contains <script> and XSLT-generated <iframe> [@ nsBoxFrame::CreateViewForFrame]
Assignee | ||
Comment 11•22 years ago
|
||
No patch yet, not sure we know the exact problem either, so don't nominate this please.
Flags: blocking1.3a?
sending this over to layout since that is where this crashes. It might be that transformiix needs to do some extra work that the contentsink usually does, but i have no idea what that would be.
Assignee: bugmail → other
Component: XSLT → Layout
QA Contact: keith → ian
Reporter | ||
Comment 13•22 years ago
|
||
Jonas, this bug didn't persist in 1.1, 1.2b. Probably it becomes after fixing bug 158457.
No, this was most likly caused by the landing of bug 155578, which made us produce a HTML rather then an XML document.
Updated•22 years ago
|
Priority: -- → P2
Target Milestone: --- → Future
manko: the testcase is gone, Could you please attach it to this bug so that we could try to fix this?
Reporter | ||
Comment 16•22 years ago
|
||
OK, there is a zipped testcase here. Unzip file then open table.xml in Mozilla.
Attachment #113391 -
Attachment is obsolete: true
this is a smaller testcase properly linked to bugzilla urls. Just click and go, but be aware, it crashes!
Attachment #113412 -
Attachment is obsolete: true
Attachment #113413 -
Attachment is obsolete: true
ok. *this* one should really work!
Attachment #113416 -
Attachment is obsolete: true
since this seems hard to reproduce on the bugzilla-server i've put the exact same testcase in this .zip
cc-ing dbaron and bz. This is a 100% reproducable crasher
Looks like you managed to create an nsViewportFrame without a view.
So, I'm guessing you're somehow going through neither DocumentViewerImpl::MakeWindow nor DocumentViewerImpl::Show. Does this need to be fixed in DocumentViewerImpl::SetDOMDocument?
Comment 27•21 years ago
|
||
I cannot get the testcases to crash using: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030430
Comment 28•21 years ago
|
||
loading the original testcase locally still crashes with linux trunk 20030430
Comment 29•21 years ago
|
||
OK, I'm seeing the bug on the "Zipped testcase" (the first testcase in this bug). Modulo asserts from bug 204319 the problem is that we have a viewmanager with no root view: (gdb) frame 9 #9 0x40f9adf0 in nsCSSFrameConstructor::ConstructRootFrame (this=0x87a3210, aPresShell=0x87a32c0, aPresContext=0x87a73d8, aDocElement=0x87a4920, aNewFrame=@0xbfffe7f8) at /home/bzbarsky/mozilla/profile/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:3875 gdb) p rootView $10 = (nsIView *) 0x0 (gdb) p (nsViewManager)*viewManager.mRawPtr $11 = {<nsIViewManager> = {<nsISupports> = { _vptr. = 0x417b0f20 <nsViewManager virtual table>}, <No data fields>}, mRefCnt = { mValue = 2}, _mOwningThread = {mThread = 0x80a1800}, static gLastUserEventTime = 70607832, mContext = 0x863e488, mTwipsToPixels = 0.0666666701, mPixelsToTwips = 15, mObserver = 0x87a32c4, mRootWindow = 0x0, mTransCnt = -1, mRefreshEnabled = 0, mPainting = 0, mRecursiveRefreshPending = 0, mMouseGrabber = 0x0, mKeyGrabber = 0x0, mUpdateCnt = 10, mUpdateBatchCnt = 0, mDisplayListCount = 12, mDisplayList = {<nsVoidArray> = { mImpl = 0x87bca60, _vptr. = 0x40694d94}, mAutoBuf = "\b\0\0\0\b\0\0\0\030Ê{\bàZ{\b\230Z{\bPZ{\bðY{\bxY{\b\030Y{\b¸X{\b"}, mTranslucentViewCount = 0, mTranslucentArea = {x = 0, y = 0, width = 0, height = 0}, mRootScrollable = 0x0, mCachingWidgetChanges = 0, mDefaultBackgroundColor = 4294967295, mMapPlaceholderViewToZTreeNode = {mLock = 0x0, mHashtable = {ops = 0x40694340, data = 0x0, hashShift = 28, maxAlphaFrac = 192 'À', minAlphaFrac = 64 '@', entrySize = 12, entryCount = 0, removedCount = 0, generation = 0, entryStore = 0x87a2ea0 ""}, mEnumerating = 0, _vptr. = 0x40694308}, static mVMCount = 5, static gCleanupContext = 0x83517b8, static gViewManagers = 0x8318990, mBlender = {mRawPtr = 0x0}, mCompositeListeners = 0x87b5670, mRegionFactory = {mRawPtr = 0x815f6d8}, mRootView = 0x0, mX = 0, mY = 0, mAllowDoubleBuffering = 1, mHasPendingInvalidates = 1, mEventQueueService = {mRawPtr = 0x81002e0}, mInvalidateEventQueue = {mRawPtr = 0x0}} Over to roc, who may have some idea of what's up here....
Assignee: other → roc+moz
Component: Layout → Layout: View Rendering
Priority: P2 → --
Target Milestone: Future → ---
Priority: -- → P3
David is right on the money in comment 26 here. I'm just not sure which calls to add in DocumentViewerImpl::SetDOMDocument. Should it call into DocumentViewerImpl::Show, or should it call something else directly?
Reporter | ||
Comment 31•21 years ago
|
||
Still persists in 1.5 and 1.4.1
Flags: blocking1.6a?
Flags: blocking1.4.2?
Changing component to XSLT (since IIRC DocumentViewerImpl::SetDOMDocument is a hack designed for the XSLT code), and I think the problem is there. (I don't know the answer to sicking's question in comment 30 offhand, although I could look into it.)
Assignee: roc → peterv
Component: Layout: View Rendering → XSLT
QA Contact: ian → keith
Assignee | ||
Updated•21 years ago
|
Status: NEW → ASSIGNED
Priority: P3 → P1
Target Milestone: --- → mozilla1.6beta
Comment 33•21 years ago
|
||
not going to block 1.6a or 1.4.2 releases for this.
Flags: blocking1.6a?
Flags: blocking1.6a-
Flags: blocking1.4.2?
Flags: blocking1.4.2-
Comment 34•20 years ago
|
||
Crash still (very-first testcase) with 1.7 Beta: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040316 Talkback ID is TB10340Y Captured at 04/02/04 at 12:35 AM
Comment 35•20 years ago
|
||
came across this problem this week, mozilla also crashes when xslt-generated pages contain document.write(" ") in a <script> tag, not just <iframe>.
problems with document.write is a different bug then this one.
So what seems to be happening here is that when we start layout for the outer document it will end up calling ::Show on the iframes documentviewer which will perform the initial reflow including hooking up views and everything. Then the xslt transform finishes and we tear all that down but doesn't set it up properly again. So either we should just call Show or something similar in SetDOMDocument, or we should stop the source document from being shown in the first place. Seems like the latter is the better solution since we're not interested in showing the source document just to have it replaced.
Come to think of it. I wonder if we could hold off creating the documentviewer entierly until the transform is done. That could be the answer for bug 281022
Depends on: 282409
Continued from discussion started in bug 312858 comment 15: I'd rather find some other way of blocking initial reflow on xslt documents rather then not putting content into the document. First of all we'd need to keep a list of all root contents (comments, PIs, docElement). Second, i'm worried about what happens once the content is put into the tree, whatever got blocked by keeping the content out of the tree musn't trigger at that point. We also must not create any layout objects that could be specific to the document object since the document node too is replaced after the transformation. Could we block the creation of the presshell and prescontext? That should block any intial reflows right?
Comment 40•19 years ago
|
||
I suppose we could always add an nsIDocument api to get/set a boolean and the content viewer could check that before creating a presentation... Not sure what the now-showing iframe would end up painting in that case... ;)
Comment 41•16 years ago
|
||
None of the attachments seem to be able to crash my session, but this URL always does it: http://timesofindia.indiatimes.com/cms.dll/xml/uncomp/articleshow?msid=167551 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20080422
Updated•15 years ago
|
QA Contact: keith → xslt
Comment 42•15 years ago
|
||
WFM on Mac. I'll take the zipped testcase and make it into a crashtest.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Comment 43•15 years ago
|
||
Crashtest: http://hg.mozilla.org/mozilla-central/rev/4da43cad0331
Flags: in-testsuite+
Updated•13 years ago
|
Crash Signature: [@ nsBoxFrame::CreateViewForFrame]
You need to log in
before you can comment on or make changes to this bug.
Description
•