Closed Bug 185357 Opened 22 years ago Closed 20 years ago

crash printing / print previewing ign.com due to view tree mangling

Categories

(Core :: Printing: Output, defect, P1)

Product:
Core
Component:
Printing: Output
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Future

People

(Reporter: mozilla, Assigned: roc)

References

Details

(Keywords: regression, testcase, topcrash+, Whiteboard: [patch] partly fixed, but still some crashes -dbaron one last look)

Attachments

(11 files, 3 obsolete files)

test case
149 bytes, text/html
Details
Testcase #2
145 bytes, text/html
Details
Testcase #3
124 bytes, text/html
Details
patch for this crash
2.20 KB, patch
roc
: review+
roc
: superreview+
Details | Diff | Splinter Review
debugging printfs
3.13 KB, patch
Details | Diff | Splinter Review
Minimzed IGN.com testcase
487 bytes, text/html
Details
screenshot of James' print preview of minimized IGN.com testcase
28.01 KB, image/png
Details
simple testcase for crashing
1.27 KB, text/html
Details
stack of two destroy call to same nsView
12.27 KB, text/plain
Details
reduced testcase
289 bytes, text/html
Details
revised patch
4.03 KB, patch
dbaron
: review+
dbaron
: superreview+
Details | Diff | Splinter Review
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) Opera 6.02 [en] Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.2.1) Gecko/20021130 When print previewing an iframe that will not fit on one page after scaling, moz crashes. See test case (based on http://www.pcmag.com/article2/0,4149,715464,00.asp). Reproducible: Always Steps to Reproduce: 1. Print preview the test case. Actual Results: Crash. See TB15027476Z May be linked to other iframe print layout bugs e.g. 113217, tho they do not crash.
Attached file test case
Does need the first table row and iframe align="right".
confirming using build 2002121404 on Win2k. Loaded testcase, Print Preview, Close Print Preview, crash.
Keywords: crash, stackwanted, testcase
Whiteboard: TB15027476Z
Really confirming as per comment #2
Status: UNCONFIRMED → NEW
Ever confirmed: true
Blocks: 185584
Works fine when not in a table Null pointer in table reflow: nsIFrame::GetNextSibling(nsIFrame * * 0x0012a0f4) line 697 + 6 bytes nsLineBox::LastChild() line 255 nsBlockFrame::PushLines(nsBlockReflowState & {...}, nsLineList_iterator {...}) line 4690 + 17 bytes nsBlockFrame::PushTruncatedPlaceholderLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, nsIFrame * 0x00000000, int & 1) line 3694 nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState & {...}, nsLineLayout & {...}, nsLineList_iterator {...}, int * 0x0012a8f0, unsigned char * 0x0012a6b0, int 0, int 0) line 3797 nsBlockFrame::DoReflowInlineFramesAuto(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012a8f0, unsigned char * 0x0012a6b0, int 0, int 0) line 3675 + 46 bytes nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012a8f0, int 0, int 0) line 3619 + 36 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012a8f0, int 0) line 2711 + 33 bytes nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2355 + 31 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x045b5838, nsIPresContext * 0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 944 + 15 bytes nsContainerFrame::ReflowChild(nsIFrame * 0x045b5838, nsIPresContext * 0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 15, int 15, unsigned int 0, unsigned int & 0) line 928 + 31 bytes nsTableCellFrame::Reflow(nsTableCellFrame * const 0x045b57d8, nsIPresContext * 0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 950 nsContainerFrame::ReflowChild(nsIFrame * 0x045b57d8, nsIPresContext * 0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 30, int 0, unsigned int 0, unsigned int & 0) line 928 + 31 bytes nsTableRowFrame::ReflowChildren(nsTableRowFrame * const 0x045b5788, nsIPresContext * 0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, nsTableFrame & {...}, unsigned int & 0, int 0) line 1054 + 45 bytes nsTableRowFrame::Reflow(nsTableRowFrame * const 0x045b5788, nsIPresContext * 0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1468 + 37 bytes nsContainerFrame::ReflowChild(nsIFrame * 0x045b5788, nsIPresContext * 0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 3, unsigned int & 0) line 928 + 31 bytes nsTableRowGroupFrame::SplitRowGroup(nsIPresContext * 0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, nsTableFrame * 0x045d6d1c, unsigned int & 0) line 1130 + 43 bytes nsTableRowGroupFrame::Reflow(nsTableRowGroupFrame * const 0x045b5154, nsIPresContext * 0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1368 nsContainerFrame::ReflowChild(nsIFrame * 0x045b5154, nsIPresContext * 0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 30, unsigned int 0, unsigned int & 0) line 928 + 31 bytes nsTableFrame::ReflowChildren(nsTableFrame * const 0x045d6d1c, nsIPresContext * 0x045866d8, nsTableReflowState & {...}, int 1, int 0, unsigned int & 0, nsIFrame * & 0x00000000, int * 0x00000000) line 3310 + 50 bytes nsTableFrame::ReflowTable(nsIPresContext * 0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 13770, nsReflowReason eReflowReason_Resize, nsIFrame * & 0x00000000, int & 0, int & 1, unsigned int & 0) line 2214 nsTableFrame::Reflow(nsTableFrame * const 0x045d6d1c, nsIPresContext * 0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 2072 nsContainerFrame::ReflowChild(nsIFrame * 0x045d6d1c, nsIPresContext * 0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 3, unsigned int & 0) line 928 + 31 bytes nsTableOuterFrame::OuterReflowChild(nsTableOuterFrame * const 0x045d6ba8, nsIPresContext * 0x045866d8, nsIFrame * 0x045d6d1c, const nsHTMLReflowState & {...}, nsHTMLReflowMetrics & {...}, int 10099, nsSize & {width=73231580 height=1228880}, nsMargin & {top=0 right=0 bottom=0 left=0}, nsMargin & {top=1228772 right=30175530 bottom=6 left=73227976}, nsMargin & ...) line 1344 + 47 byte nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x045d6ba8, nsIPresContext * 0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1989 + 74 bytes nsBlockReflowContext::ReflowBlock(const nsRect & {x=0 y=0 width=10099 height=13781}, int 0, nsCollapsingMargin & {...}, int 1, nsMargin & {top=0 right=0 bottom=0 left=0}, nsHTMLReflowState & {...}, unsigned int & 0) line 548 + 42 bytes nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012c69c) line 3377 + 56 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012c69c, int 0) line 2573 + 27 bytes
Assignee: rods → karnaze
Summary: iframe can crash printing if will not fit on one page → iframe (in a table) can crash printing if will not fit on one page
asserts and stack on Linux debug build 20021203: Trying to position a sizeless window; caller should have called sizeToContent() or sizeTo(). See bug 75649. ###!!! ASSERTION: bad push: 'overBegin != begin_lines()', file nsBlockFrame.cpp, line 4664 Break: at file nsBlockFrame.cpp, line 4664 ###!!! ASSERTION: running past end: 'mCurrent != mListLink', file nsLineBox.h, line 539 Break: at file nsLineBox.h, line 539 ###!!! ASSERTION: translation failed: 'ok', file nsContainerFrame.cpp, line 480 Break: at file nsContainerFrame.cpp, line 480 ###!!! ASSERTION: translation failed: 'ok', file nsContainerFrame.cpp, line 480 Break: at file nsContainerFrame.cpp, line 480 ###!!! ASSERTION: translation failed: 'ok', file nsContainerFrame.cpp, line 480 Break: at file nsContainerFrame.cpp, line 480 ###!!! ASSERTION: translation failed: 'ok', file nsContainerFrame.cpp, line 480 Break: at file nsContainerFrame.cpp, line 480 WARNING: data loss - complete row needed more height than available, on top of page, file nsTableRowGroupFrame.cpp, line 1174 WEBSHELL- = 4 [New Thread 11276 (LWP 2539)] GTK theme failed for widget type 1, error was 3, state was [active=1,focused=2,inHover=4,disabled=0] WARNING: GTK theme failed; disabling unsafe widget, file nsNativeThemeGTK.cpp, line 368 Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 1024 (LWP 2525)] 0x00000061 in ?? () Current language: auto; currently c (gdb) bt #0 0x00000061 in ?? () #1 0x41be2a59 in nsFrameList::DestroyFrames (this=0x8777f28, aPresContext=0x875e768) at nsFrameList.cpp:130 #2 0x41a84e26 in nsBlockFrame::Destroy (this=0x8777ee4, aPresContext=0x875e768) at nsBlockFrame.cpp:421 #3 0x41be2a59 in nsFrameList::DestroyFrames (this=0x8777eb8, aPresContext=0x875e768) at nsFrameList.cpp:130 #4 0x41a9a04d in nsContainerFrame::Destroy (this=0x8777e84, aPresContext=0x875e768) at nsContainerFrame.cpp:142 #5 0x41be2a59 in nsFrameList::DestroyFrames (this=0x8777e68, aPresContext=0x875e768) at nsFrameList.cpp:130 dupe of bug 178781 ?
No longer blocks: 185584
Keywords: stackwantedclean-report
OS: Windows 98 → All
Hardware: PC → All
Summary: iframe (in a table) can crash printing if will not fit on one page → iframe (in a table) can crash printing if will not fit on one page [@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames ]
Whiteboard: TB15027476Z
*** Bug 185705 has been marked as a duplicate of this bug. ***
*** Bug 186839 has been marked as a duplicate of this bug. ***
*** Bug 186027 has been marked as a duplicate of this bug. ***
-> jkeiser
Assignee: karnaze → jkeiser
Priority: -- → P1
Target Milestone: --- → Future
Keywords: mozilla1.3
*** Bug 191379 has been marked as a duplicate of this bug. ***
the testcase regressed between linux trunk builds 2002052808 and 2002052908, indicating the culprit is bug 145305
Keywords: regression
*** Bug 194365 has been marked as a duplicate of this bug. ***
*** Bug 194871 has been marked as a duplicate of this bug. ***
gisburn noted that this smells like a topcrash; it sure looks like it from the reports on climate (a whole lot of ::LastChild, with all comments related to printing, maybe 4 a day average).
Status: NEW → ASSIGNED
Keywords: crashtopcrash
As shown in duplicate bug 185705, this crash is occurring in phpBB forums, among other places.
Making this topcrash+ since we have a testcase that make this easily reproducible. Here is my incident: Incident ID 17700244 Stack Signature nsLineBox::LastChild e5906a94 Email Address jpatel@netscape.com Product ID MozillaTrunk Build ID 2003022610 Trigger Time 2003-03-03 15:33:55 Platform Win32 Operating System Windows NT 5.1 build 2600 Module gklayout.dll URL visited http://bugzilla.mozilla.org/attachment.cgi?id=109295&action=view User Comments Just opend up testcase for bug 185357 and did a print preview. Trigger Reason Access violation Source File Name c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineBox.cpp Trigger Line No. 249 Stack Trace nsLineBox::LastChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineBox.cpp, line 249] nsBlockFrame::PushLines [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 4538] nsBlockFrame::PushTruncatedPlaceholderLine [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3644] nsBlockFrame::DoReflowInlineFrames [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3752] nsBlockFrame::DoReflowInlineFramesAuto [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3626] nsBlockFrame::ReflowInlineFrames [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3571] nsBlockFrame::ReflowLine [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2669] nsBlockFrame::ReflowDirtyLines [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2315] nsBlockFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 952] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944] nsTableCellFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableCellFrame.cpp, line 947] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944] nsTableRowFrame::ReflowChildren [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowFrame.cpp, line 1054] nsTableRowFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowFrame.cpp, line 1478] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944] nsTableRowGroupFrame::SplitRowGroup [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp, line 1132] nsTableRowGroupFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp, line 1370] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944] nsTableFrame::ReflowChildren [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 3310] nsTableFrame::ReflowTable [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 2212] nsTableFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 2073] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944] nsTableOuterFrame::OuterReflowChild [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1342] nsTableOuterFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1987] nsBlockReflowContext::ReflowBlock [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line 547] nsBlockFrame::ReflowBlockFrame [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3336] nsBlockFrame::ReflowLine [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2537] nsBlockFrame::ReflowDirtyLines [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2315] nsBlockFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 952] nsBlockReflowContext::ReflowBlock [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line 547] nsBlockFrame::ReflowBlockFrame [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3336] nsBlockFrame::ReflowLine [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2537] nsBlockFrame::ReflowDirtyLines [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2315] nsBlockFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 952] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944] nsPageContentFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPageContentFrame.cpp, line 108] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944] nsPageFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPageFrame.cpp, line 223] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944] nsSimplePageSequenceFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsSimplePageSequence.cpp, line 447] nsBoxToBlockAdaptor::Reflow [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 905] nsBoxToBlockAdaptor::DoLayout [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 647] nsBox::Layout [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp, line 1073] nsScrollBoxFrame::DoLayout [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsScrollBoxFrame.cpp, line 360] nsBox::Layout [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp, line 1073] nsContainerBox::LayoutChildAt [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsContainerBox.cpp, line 647] nsGfxScrollFrameInner::LayoutBox [c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp, line 1154] nsGfxScrollFrameInner::Layout [c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp, line 1313] nsGfxScrollFrame::DoLayout [c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp, line 1162] nsBox::Layout [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp, line 1073] nsBoxFrame::Reflow [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 902] nsGfxScrollFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp, line 848] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944] ViewportFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsViewportFrame.cpp, line 263] PresShell::InitialReflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 2806] nsPrintEngine::ReflowPrintObject [c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 2823] nsPrintEngine::ReflowDocList [c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 2575] nsPrintEngine::SetupToPrintContent [c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 2397] nsPrintEngine::DocumentReadyForPrinting [c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 2223] nsPrintEngine::FinishPrintPreview [c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 4533] nsPrintEngine::PrintPreview [c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 1274] DocumentViewerImpl::PrintPreview [c:/builds/seamonkey/mozilla/content/base/src/nsDocumentViewer.cpp, line 3091] XPTC_InvokeByIndex [c:/builds/seamonkey/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102] XPCWrappedNative::CallMethod [c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2025] Adding [@ nsLineBox::LastChild] to summary since that is the stack signature Talkback is reporting back for this crash.
Keywords: topcrashtopcrash+
Summary: iframe (in a table) can crash printing if will not fit on one page [@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames ] → iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames ]
*** Bug 194771 has been marked as a duplicate of this bug. ***
*** Bug 188688 has been marked as a duplicate of this bug. ***
No incident reports for nsIFrame::GetNextSibling in the talkback database. None of these stack signatures are in the topcrash reports. Marking topcrash-
Keywords: topcrash+topcrash-
Summary: iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames ] → iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames]
I'm getting crash-on-print as well on this page with 2003041609 on Win2k: http://www.thecounter.com/stats/2003/March/browser.php Talkback IDs: TB19242224M and TB19242190X. Would that be a dupe of this bug?
janc, by we are still getting the crashers at nsLineBox::LastChild (not terribly frequently but still in the top 100) It looks like one of the most reported print crashers. http://warp.mcom.com/u/talkback/reports/M140A/keyword/print-keyword.html
Flags: blocking1.4b?
Flags: blocking1.4?
Keywords: mozilla1.3nsbeta1
Flags: blocking1.4b? → blocking1.4b-
not as high as many other crashers, we'd certainly consider a fix if one happens in the next few weeks.
Flags: blocking1.4? → blocking1.4-
is Bug 206099 a possible dupe?
*** Bug 206099 has been marked as a duplicate of this bug. ***
*** Bug 206232 has been marked as a duplicate of this bug. ***
adt: nsbeta1+/adt2
Keywords: nsbeta1nsbeta1+, topembed
Whiteboard: [adt2]
*** Bug 211069 has been marked as a duplicate of this bug. ***
*** Bug 208590 has been marked as a duplicate of this bug. ***
*** Bug 212548 has been marked as a duplicate of this bug. ***
*** Bug 216484 has been marked as a duplicate of this bug. ***
I did some research into this one and what I found was that in nsLineBox::LastChild, GetChildCount is returning an outrageously large value (seemingly random) It appears that for some reason in this case, mFlags.mChildCount in nsLineBox is uninitialized. The strange part is that SetChildCount is called in the constructor for nsLineBox, so it should never be uninitailized. I'll do some logging and post it.
Flags: blocking1.5+
OK, here's the relevant log. Notice the last entry. That this ptr (38d5888) was never actually constructed, but somehow it's getting a "GetChildCount" called on it. So it returns junk. Help. [38d5768] Setting child count to 1 in constructor for nsLineBox [38d5768] SetChildCount is being set with 1 [38d5768] SetChildCount is set with 1 [38d5768] Child count after SetChild count is 1 in constructor for nsLineBox [38d5b78] Setting child count to 1 in constructor for nsLineBox [38d5b78] SetChildCount is being set with 1 [38d5b78] SetChildCount is set with 1 [38d5b78] Child count after SetChild count is 1 in constructor for nsLineBox [38cc4d8] Setting child count to 1 in constructor for nsLineBox [38cc4d8] SetChildCount is being set with 1 [38cc4d8] SetChildCount is set with 1 [38cc4d8] Child count after SetChild count is 1 in constructor for nsLineBox [38cc508] Setting child count to 1 in constructor for nsLineBox [38cc508] SetChildCount is being set with 1 [38cc508] SetChildCount is set with 1 [38cc508] Child count after SetChild count is 1 in constructor for nsLineBox [38cc538] Setting child count to 1 in constructor for nsLineBox [38cc538] SetChildCount is being set with 1 [38cc538] SetChildCount is set with 1 [38cc538] Child count after SetChild count is 1 in constructor for nsLineBox [38cc568] Setting child count to 1 in constructor for nsLineBox [38cc568] SetChildCount is being set with 1 [38cc568] SetChildCount is set with 1 [38cc568] Child count after SetChild count is 1 in constructor for nsLineBox [38cc568] GetChildCount is 1 [38cc4d8] GetChildCount is 1 [38cc4d8] GetChildCount is 1 [38cc4d8] GetChildCount is 1 [38cc4d8] GetChildCount is 1 [38cc4d8] GetChildCount is 1 [38cc508] GetChildCount is 1 [38cc4d8] GetChildCount is 1 [38cc4d8] GetChildCount is 1 [38cc508] GetChildCount is 1 [38cc4d8] GetChildCount is 1 [38d5768] GetChildCount is 1 [38d5768] GetChildCount is 1 [38d5768] GetChildCount is 1 [38d5768] GetChildCount is 1 [38d5b78] GetChildCount is 1 [38d5b78] GetChildCount is 1 [38d5b78] GetChildCount is 1 [38d5b78] GetChildCount is 1 [38d5768] GetChildCount is 1 [38d5768] GetChildCount is 1 [38d5b78] GetChildCount is 1 [38d5b78] GetChildCount is 1 [38d5b78] GetChildCount is 1 [38d5b78] GetChildCount is 1 [38d5b78] GetChildCount is 1 [38d5b78] GetChildCount is 1 [38d5888] GetChildCount is 14549
Another thing to note. We hit this assertion: ###!!! ASSERTION: bad push: 'overBegin != begin_lines()', file c:/builds/current /mozilla/layout/html/base/src/nsBlockFrame.cpp in nsBlockFrame::PushLines
Who can help here?
Flags: blocking1.5+ → blocking1.5-
*** Bug 220638 has been marked as a duplicate of this bug. ***
*** Bug 216734 has been marked as a duplicate of this bug. ***
Summary: iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames] → nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames]
*** Bug 225625 has been marked as a duplicate of this bug. ***
Blocks: 140948
Blocks: 156982
Blocks: 204372
Blocks: 206259
Blocks: 207310
Blocks: 212315
Attached file Testcase #2
Attached file Testcase #3
No longer blocks: 140948
Flags: blocking1.6b?
->me
Assignee: john → dbaron
Status: ASSIGNED → NEW
We'd consider a reviewed patch for 1.6 bug we're not going to block for this.
Flags: blocking1.6b? → blocking1.6b-
Blocks: 210944
Blocks: 215760
*** Bug 228272 has been marked as a duplicate of this bug. ***
*** Bug 228821 has been marked as a duplicate of this bug. ***
My memory from debugging this a few weeks ago was that it is a regression from bug 145305 -- and that the whole idea of PushTruncatedPlaceholderLine doesn't make sense to me -- if a float needs to be split, that doesn't change anything about the block containing it, or, for that matter, anything up to the root of the block formatting context.
*** Bug 229184 has been marked as a duplicate of this bug. ***
*** Bug 215818 has been marked as a duplicate of this bug. ***
Keywords: crash
This fixes the crash described in this bug, although the first testcase still crashes when the frame tree is destroyed.
Whiteboard: [adt2] → [patch]
*** Bug 232551 has been marked as a duplicate of this bug. ***
Here's what I see in the nsFrame::Destroy methods where there's a view: nsFrame[0xa583d0c, nif=(nil)]::Destroy: view is 0xa580e28 (vptr=0x1ad16e8) View 0xa580e28 being destroyed frame=(nil). View 0xa580e28 destroying child 0xa581298 View 0xa581298 being destroyed frame=0xa584e9c. View 0xa581298 destroying child 0xa581300 View 0xa581300 being destroyed frame=(nil). nsFrame[0xa583c50, nif=(nil)]::Destroy: view is 0xa580d70 (vptr=0x1ad16e8) View 0xa580d70 being destroyed frame=(nil). nsFrame[0xa584e9c, nif=(nil)]::Destroy: view is 0xa581298 (vptr=0xa57c948) View 0xa581298 being destroyed frame=(nil). I suspect view pointers aren't being fixed up when something is pushed to the next page.
Comment on attachment 140102 [details] [diff] [review] patch for this crash I think this patch will probably fix some crashes that are ending up on this bug. I'm working on the view parenting problem (the view of a floating IFRAME that's being pushed isn't being reparented). There were a few obvious problems, some of which had easy fixes (which didn't fix the problem), and some of which I haven't tried yet.
Attachment #140102 - Flags: superreview?(roc)
Attachment #140102 - Flags: review?(roc)
Attachment #140102 - Flags: superreview?(roc)
Attachment #140102 - Flags: superreview+
Attachment #140102 - Flags: review?(roc)
Attachment #140102 - Flags: review+
Comment on attachment 140102 [details] [diff] [review] patch for this crash Checked in to trunk 2004-02-03 10:19 -0800.
*** Bug 233277 has been marked as a duplicate of this bug. ***
Print preview on attached Testcase #2 or Testcase #3 hangs 1.7a/W2K.
Still crashing on first testcase (after closing the preview): Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040316 Talkback ID is TB10888W Captured at 04/02/04 at 05:13 PM Hang on 2nd testcase. Hang on 3rd testcase. Both hang while still preparing the preview. I see most of this data (like dbaron noting that it still crashes on testcase #1) already mentioned, but I figured it couldn't hurt to show it still happens, and give some Talkback on it too.
The problems I mention in comment 50 are documented in some of the XXX comments in attachment 144685 [details] [diff] [review].
Looks like the stack trace has changed a little since this bug was filed. Here is my crash from testcase1: Incident ID: 47784 Stack Signature 0x00000000 ed8b9339 Email Address jay@mozilla.org Product ID Mozilla17 Build ID 2004042109 Trigger Time 2004-05-14 15:26:36.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module URL visited http://bugzilla.mozilla.org/show_bug.cgi?id=185357 User Comments again...trying to close tab of print preview of testcase #1 Since Last Crash sec Total Uptime sec Trigger Reason Access violation Source File Name Trigger Line No. Stack Trace 0x00000000 nsIView::Destroy [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp, line 253] nsFrame::Destroy [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsFrame.cpp, line 646] Which I'm pretty sure is the same as bug 230417 (which was fixed on 5/4/2004). Marking this a dup since the most recent work was done in bug 230417. *** This bug has been marked as a duplicate of 230417 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Keywords: topcrash-topcrash+
Resolution: --- → DUPLICATE
Summary: nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames] → M17rc1 [@ nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames]
Just adding nsLineBox::LastChild to summary for tracking and reopening. I'll let dbaron decide whether this should remain open or if it's a dup/related to bug 230417.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Summary: M17rc1 [@ nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames] → M17rc1 nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild] [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames]
I meant I added [@ nsIView::Destroy] since that's what my recent crash showed as the stack signature for testcase 1.
Summary: M17rc1 nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild] [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames] → M17rc1 nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsIView::Destroy] [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames]
So you're saying that this bug is NOT fixed?
Well, the first testcase still crashes for me, so this should probably still stay open.
Updating summary: M17rc1 -> M17rc2. Testcase 1 still crashing for me with the same stack.
Summary: M17rc1 nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsIView::Destroy] [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames] → M17rc2 nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsIView::Destroy] [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames]
*** Bug 243674 has been marked as a duplicate of this bug. ***
It looks like bug 230417 fixed the crash in print preview with testcase 1 from this bug and http://www.linuxworld.com/story/32629.htm from that bug. But both of those cases now crash when closing print preview with Mozilla 1.7 rc2. I also get the same stack when loading print preview for www.ign.com with rc2.
These tests all work for me on the trunk. Is this branch only?
Nope. Windows XP, trunk Seamonkey build 2004-05-21. Steps: 1. Load www.ign.com (go past the ad page) 2. Print Preview, switch from Landscape to Portrait orientation (or vice-versa) Crash...
1.7rc2 topcrash
Flags: blocking1.7?
OK, I see the ign crash. Almost certainly a bad view hierarchy. The testcases 2 and 3 throw me into an infinite loop, hanging the browser, but no crash, it's just stuck.
I think these are two completely different bugs. The latter is presumably something to do with the line containing the IFRAME being pushed infinitely often because it doesn't fit on any page. We need to avoid the creation of an empty page, and force at least *some* content to fit on it even if it overflows. The bad view hierarchy (www.ign.com) is probably easier to fix, but for that we really need a minimized testcase.
Flags: blocking1.6b-
Flags: blocking1.5-
Flags: blocking1.4b-
Flags: blocking1.4-
Flags: blocking1.7? → blocking1.7+
If someone else has more HTML/CSS knowledge than I do, and can reduce this even further, that would rock. As it stands, this is a lot smaller than the original HTML, but still contains probably too many DIVs. However, removing even one link or div causes the testcase to NOT crash in most cases.
Whiteboard: [patch] → [patch] partly fixed, but still some crashes
Attached file more reduced testcase for IGN.com (obsolete) —
I managed to reduce Stephen's testcase even further (and it could probably still be reduced a little more). It looks like the culprit involves some combination of nested DIV's with position:relatives's, float's, and images, all over a page break. You can see my stacktrace for Stephen's testcase at http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=63676, and my stacktrace for this testcase at http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=63929. Both are basically the same, but neither involve nsIView::Destroy.
I managed to reduce my testcase for IGN further, to only a few lines. <div style="height:1228px; border: none;"></div><!-- this is just a spacer--> <div style="position: relative; float: left; width:120px; height:90px;"></div> <br> <div style="position: relative; width: 987px; height: 45px;"></div> <br> <div style="position: relative; float: right; width:57px; height: 18px"></div> Just load it up in print preview and keep hitting Portrait and/or Landscape (although for me I only needed to hit Portrait once). (BTW, I am using Moz 1.7rc2 on win98se.)
Attachment #149366 - Attachment is obsolete: true
Attachment #149468 - Attachment is obsolete: true
Keywords: crash, nsbeta1+, topembed
dbaron, think there is a shot a fixing this in the next couple of days?
James, that testcase rocks!
I can't reproduce my crashing on any of the testcases, with build 2004-06-01 on Windows XP.
Hmm, neither can I, on Linux.
I'm spinning off bug 245300 to handle the hanging print preview problem (infinite loop in reflow) based on Mats' testcase #3. This bug here needs to continue to focus on the crasher at ign.com and related testcases. Please keep discussion here focused on the cases that actually crash hard! We desperately need a small, reliable, reproducible testcase that crashes on Linux...
Odd, now, with the same exact build, I'm crashing again on attachment 149366 [details] (testcase for IGN.com's print preview crash), however on neither of James' attachments do I crash.
(In reply to comment #78) If you can't get my last testcase to crash, try varying the height of the spacer div (the 1228px); the key to the testcase is that the other divs are positioned over the page break. (That's why you found that removing even one element from your testcase made the page no longer crash). However, since my stacktrace seems to be different from the one described in comment 64, it is possible that I made a testcase for a different crash, perhaps something win98-specific. Can anyone reproduce a crash with my "minized IGN.com testcase"?
Yeah, I assumed the height of the spacer might need tweaking, and I tried several different values, but I couldn't get it to crash. Can you get it to preview one time? Can you describe exactly the configuration of the DIVs? Or even post a screenshot of around the pagebreak?
Blocks: 245312
*** Bug 245312 has been marked as a duplicate of this bug. ***
I'm not able to reproduce the crash with the minimized ign.com testcase either with Mozilla 1.7 rc2.
for comment81. i use latest trunk build with "Minimzed IGN.com testcase", it's ok. however, with "http://it.sohu.com/2004/03/23/27/article219552770.shtml", print still causes crash. stack is (gdb) bt #0 0x71ce4cd6 in ?? () #1 0x40e9041f in nsFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #2 0x40ed9d16 in nsSubDocumentFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #3 0x40eaac2e in nsLineBox::DeleteLineList(nsIPresContext*, nsLineList&) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #4 0x40e8104d in nsBlockFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #5 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #6 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #7 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #8 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #9 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #10 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #11 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so ---Type <return> to continue, or q <return> to quit--- #12 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #13 0x40f28e0d in nsTableFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #14 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #15 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #16 0x40f38547 in nsTableOuterFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #17 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #18 0x40e8103e in nsBlockFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #19 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #20 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #21 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #22 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #23 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () ---Type <return> to continue, or q <return> to quit--- from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #24 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #25 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #26 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #27 0x40f28e0d in nsTableFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #28 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #29 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #30 0x40f38547 in nsTableOuterFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #31 0x40eaac2e in nsLineBox::DeleteLineList(nsIPresContext*, nsLineList&) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #32 0x40e8104d in nsBlockFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #33 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #34 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so ---Type <return> to continue, or q <return> to quit--- #35 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #36 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #37 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #38 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #39 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #40 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #41 0x40f28e0d in nsTableFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #42 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #43 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #44 0x40f38547 in nsTableOuterFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #45 0x40eaac2e in nsLineBox::DeleteLineList(nsIPresContext*, nsLineList&) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #46 0x40e8104d in nsBlockFrame::Destroy(nsIPresContext*) () ---Type <return> to continue, or q <return> to quit--- from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #47 0x40eaac2e in nsLineBox::DeleteLineList(nsIPresContext*, nsLineList&) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #48 0x40e8104d in nsBlockFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #49 0x40eaac2e in nsLineBox::DeleteLineList(nsIPresContext*, nsLineList&) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #50 0x40e8104d in nsBlockFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #51 0x40e80080 in nsAreaFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #52 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #53 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #54 0x40ed85ac in ViewportFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #55 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #56 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #57 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so ---Type <return> to continue, or q <return> to quit--- #58 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #59 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #60 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #61 0x40ed85ac in ViewportFrame::Destroy(nsIPresContext*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #62 0x40e96663 in nsFrameManager::Destroy() () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #63 0x40ebe034 in PresShell::Destroy() () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #64 0x40fa2d45 in nsPrintObject::DestroyPresentation() () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #65 0x40f9d310 in nsPrintEngine::SetupToPrintContent(nsIDeviceContext*, nsIDOMWindow*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #66 0x40f9c153 in nsPrintEngine::DocumentReadyForPrinting() () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #67 0x40fa179d in nsPrintEngine::Observe(nsISupports*, char const*, unsigned short const*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #68 0x40b1459a in nsPrintProgress::DoneIniting() () ---Type <return> to continue, or q <return> to quit--- from /home/neoliu/work/trunk/mozilla/dist/bin/components/libembedcomponents.so #69 0x40ab3171 in ?? () from /home/neoliu/work/trunk/mozilla/dist/bin/libxpcom.so #70 0x41297087 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libxpconnect.so #71 0x4129ce99 in XPC_WN_CallMethod(JSContext*, JSObject*, unsigned, long*, long*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libxpconnect.so #72 0x40047bfe in js_Invoke () from ./dist/bin/libmozjs.so #73 0x4004f529 in js_Interpret () from ./dist/bin/libmozjs.so #74 0x40047c53 in js_Invoke () from ./dist/bin/libmozjs.so #75 0x40047e60 in js_InternalInvoke () from ./dist/bin/libmozjs.so #76 0x40028479 in JS_CallFunctionValue () from ./dist/bin/libmozjs.so #77 0x41155cd4 in nsJSContext::CallEventHandler(JSObject*, JSObject*, unsigned, long*, long*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #78 0x41164dd2 in GlobalWindowImpl::RunTimeout(nsTimeoutImpl*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #79 0x411654f2 in GlobalWindowImpl::TimerCallback(nsITimer*, void*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so #80 0x40a9e1cc in ?? () from /home/neoliu/work/trunk/mozilla/dist/bin/libxpcom.so ---Type <return> to continue, or q <return> to quit--- #81 0x40a9e2a2 in ?? () from /home/neoliu/work/trunk/mozilla/dist/bin/libxpcom.so #82 0x40a9a236 in ?? () from /home/neoliu/work/trunk/mozilla/dist/bin/libxpcom.so #83 0x40a9a162 in ?? () from /home/neoliu/work/trunk/mozilla/dist/bin/libxpcom.so #84 0x40a9bb20 in ?? () from /home/neoliu/work/trunk/mozilla/dist/bin/libxpcom.so #85 0x4160b812 in event_processor_callback(_GIOChannel*, GIOCondition, void*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libwidget_gtk2.so #86 0x404d91f9 in g_io_unix_dispatch () from /usr/lib/libglib-2.0.so.0 #87 0x404b7656 in g_main_dispatch () from /usr/lib/libglib-2.0.so.0 #88 0x404b8789 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0 #89 0x404b8ac3 in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0 #90 0x404b90c8 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0 #91 0x401e747b in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0 #92 0x4160bc1a in nsAppShell::Run() () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libwidget_gtk2.so #93 0x4155fef6 in nsAppShellService::Run() () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libnsappshell.so #94 0x08054c05 in main1(int, char**, nsISupports*) () #95 0x0805551c in main () ---Type <return> to continue, or q <return> to quit--- #96 0x406ff4c2 in __libc_start_main () from /lib/i686/libc.so.6
roc: Here is the screenshot you requested. The bottom half shows the page break, and top half shows the top of page 1. The weird part is the bottom half of the wide div, which be positioned over the top of page 2, is actually on the top of page 1! I am able to view the print preview, but after I hit 'Portrait' once, Moz crashes reliably. (just recently, right after hitting Print Preview, I hit Close without hitting Potrait, and then when I hit View Source, Moz crashed also).
> The weird part is the bottom half of the wide div, which be positioned over the > top of page 2, is actually on the top of page 1! heheh. It's a laugh a minute over here in Gecko land. You see this right away when you first do print preview, right? (Linux doesn't let you change portrait<->landscape in print preview, so I can't reproduce that part of your test.)
(In reply to comment #85) > You see this right away when you first do print preview, right? Correct.
Whiteboard: [patch] partly fixed, but still some crashes → [patch] partly fixed, but still some crashes -dbaron one last look
Hmmm. I'm not seeing crashes on any of the testcases anymore (branch or trunk), but on the branch (I haven't tried the trunk yet) testcases 2 and 3 hang.
Alright, I tested my IGN.com testcase on Windows 2000 with the 20040605 nightly Firefox build (rv. 1.8a2) and got the same basic behavior as I did with Moz 1.7rc2 on Win98: could view print preview, but crash when hit Portrait.
The infinite loop on testcase #2 is: page 0x91905b8 r=0 a=13008,16608 c=13008,UC pif=0x91901d0 cnt=687 PageContent(-1) 0x9190624 r=0 a=10800,14400 c=10800,UC cnt=688 area 0x9190678 r=0 a=10800,14400 c=10800,UC pif=0x9190290 cnt=689 block 0x9190534 r=0 a=10800,14400 c=10608,UC pif=0x919014c cnt=690 tblO 0x9190430 r=0 a=10608,14400 c=0,UC pif=0x9190048 cnt=691 tbl 0x919047c r=0 a=10608,14400 c=UC,UC pif=0x9190094 cnt=692 rowG 0x91903f0 r=0 a=192,14352 c=192,UC pif=0x9190008 cnt=693 row 0x91902e4 r=0 a=192,UC c=192,UC pif=0x918fefc cnt=694 cell 0x919033c r=0 a=192,UC c=168,UC pif=0x918ff54 cnt=695 block 0x919039c r=0 a=168,UC c=168,UC pif=0x918ffb4 cnt=696 ###!!! ASSERTION: SetParent failed!: 'NS_SUCCEEDED(rv)', file /builds/1.7/mozilla/view/src/nsViewManager.cpp, line 2375 Break: at file /builds/1.7/mozilla/view/src/nsViewManager.cpp, line 2375 text 0x917e4a0 r=2 a=168,UC c=UC,UC cnt=697 text 0x917e4a0 d=102,188 place 0x917e780 r=2 a=66,UC c=UC,UC cnt=698 place 0x917e780 d=0,0 subdoc 0x917e6f4 r=2 a=168,UC c=120,24000 cnt=699 subdoc 0x917e6f4 d=168,24048 block 0x919039c d=168,24252 cell 0x919033c d=192,24276 row 0x91902e4 d=192,24276 row 0x91902e4 r=2 a=192,14352 c=192,UC pif=0x918fefc cnt=700 cell 0x919033c r=2 a=192,14352 c=168,UC pif=0x918ff54 cnt=701 block 0x919039c r=2 a=168,14328 c=168,UC pif=0x918ffb4 cnt=702 text 0x917e4a0 r=2 a=168,14328 c=UC,UC cnt=703 text 0x917e4a0 d=102,188 place 0x917e780 r=2 a=66,14328 c=UC,UC cnt=704 place 0x917e780 d=0,0 subdoc 0x917e6f4 r=2 a=168,14124 c=120,24000 cnt=705 subdoc 0x917e6f4 d=168,24048 block 0x919039c d=168,24252 status=0x1 cell 0x919033c d=192,24276 status=0x1 row 0x91902e4 d=192,24276 status=0x1 ###!!! ASSERTION: data loss - incomplete row needed more height than available, on top of page: 'rowMetrics.height <= rowReflowState.availableHeight', file /builds/1.7/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp, line 1101 Break: at file /builds/1.7/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp, line 1101 rowG 0x91903f0 d=192,24276 status=0x1 tbl 0x919047c d=240,24324 status=0x1 tblO 0x9190430 d=240,24324 status=0x1 block 0x9190534 d=10608,24324 status=0x1 area 0x9190678 d=10800,24324 status=0x1 PageContent(-1) 0x9190624 d=10800,14400 status=0x1 page 0x91905b8 d=13008,16608 status=0x1 ###!!! ASSERTION: aContent1 must not be null: 'aContent1', file /builds/1.7/mozilla/layout/base/src/nsLayoutUtils.cpp, line 222 Break: at file /builds/1.7/mozilla/layout/base/src/nsLayoutUtils.cpp, line 222 [repeated many times] This bug should probably be marked fixed and the two remaining issues split off into other bugs...
(In reply to comment #89) > This bug should probably be marked fixed and the two remaining issues split off > into other bugs... OK, I just noticed comment 77. This bug is probably too long for keeping open for one of the issues, since I don't see that key point buried in comment 77, but I'll morph it anyway since there are a significant number of comments on the view mangling problem (starting either at comment 47 or at comment 66 depending on whether those two issues are related). However, I can't reproduce, so reassigning to default owner.
Assignee: dbaron → core.printing
Status: REOPENED → NEW
Flags: blocking1.7+ → blocking1.7-
QA Contact: sujay
Summary: M17rc2 nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsIView::Destroy] [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames] → crash printing / print previewing ign.com due to view tree mangling
David, can you not reproduce on Windows, or just Linux?
This testcase will crash browser print/print preview and the stack is same comment 83
I looked into this problem for quite a while... Seems it's because nsView ::Destroy() of same nsView has been called twice from difference place. So, the second call cause the crash. Attachment is the stack of two calls. Did you guys have any idea?
dbaron, please try attachment 150416 [details]. It will crash mozilla on windows and unix.
Aha!! Pete, that testcase works for me. That's very helpful.
I wonder if it can be minimized further...
attachment 150416 [details] does not crash for me on Linux. In print preview, I see one box near the bottom of page 1 and a second (thicker-bordered) box near the bottom of page 2.
Attached file reduced testcase
Here's a reduced version of Pete's testcase. This crashes for me on Linux as soon as I hit "print preview". You may need to tweak constants, especially the px height, to get it to crash on another system.
Flags: blocking1.8a2?
Flags: blocking1.7.1?
Attached patch fix (obsolete) — Splinter Review
The problem is simple: we need to search the descendant inlines of overflowing lines for placeholders. This code does that.
Assignee: core.printing → roc
Status: NEW → ASSIGNED
Attachment #151662 - Flags: superreview?(dbaron)
Attachment #151662 - Flags: review?(dbaron)
Comment on attachment 151662 [details] [diff] [review] fix Rather than adding the |aBlockParent| check, why not just check whether the line |IsBlock()|? I'm also not crazy about "overflow placeholders" in the comment you added -- that term might be used for something else (cases where the float itself is split, rather than just pushed to the next page). Also -- in the same first comment -- you're not considering all in-flow children -- only those within inlines. With those comments, r+sr=dbaron.
Attachment #151662 - Flags: superreview?(dbaron)
Attachment #151662 - Flags: superreview+
Attachment #151662 - Flags: review?(dbaron)
Attachment #151662 - Flags: review+
Attached patch revised patchSplinter Review
updated to comments.
Attachment #151662 - Attachment is obsolete: true
Comment on attachment 151756 [details] [diff] [review] revised patch David, I'd appreciate it if you could take another look at this before I check it in. In particular whether I'm doing the right thing to check for inlines (!aFrame->GetStyleDisplay()->IsBlockLevel())
Attachment #151756 - Flags: superreview?(dbaron)
Attachment #151756 - Flags: review?(dbaron)
Comment on attachment 151756 [details] [diff] [review] revised patch Oh, I was thinking more of iterating overflowLines at the caller and checking line->IsBlock(), and then walking the descendants of each line that isn't. Although that in theory could have problems with inline-blocks (it's ok for block-within-inline, though), so maybe this is better. Also s/it's/its/.
Attachment #151756 - Flags: superreview?(dbaron)
Attachment #151756 - Flags: superreview+
Attachment #151756 - Flags: review?(dbaron)
Attachment #151756 - Flags: review+
checked in
Status: ASSIGNED → RESOLVED
Closed: 20 years ago20 years ago
Resolution: --- → FIXED
ign.com still crashed in Print Preview, but the stack is different now, and I've verified that the reduced testcase for this bug, http://bugzilla.mozilla.org/attachment.cgi?id=151258&action=view no longer crashes. See bug 248825 for the new frame crasher.
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a2) Gecko/20040628 Firefox/0.8.0+ Testcase #3; http://bugzilla.mozilla.org/attachment.cgi?id=135617&action=view still hangs firefox-2004-06-28-trunk on Win98SE (-> bug 245300 ).
Flags: blocking1.8a2?
attachment 135617 [details] still freezes my Firefox when I print-preview Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a2) Gecko/20040630 Firefox/0.8.0+
*** Bug 232450 has been marked as a duplicate of this bug. ***
Original testcase at https://bugzilla.mozilla.org/attachment.cgi?id=109295&action=view works fine now using build 2004-11-12-04 under Windows XP. We've got plenty of other outstanding Print Preview crash/hang bugs...this one is gone.
Status: RESOLVED → VERIFIED
Flags: blocking1.7.5? → blocking1.7.5-
*** Bug 269623 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: