Closed Bug 187671 Opened 22 years ago Closed 22 years ago

{ib}crash in nsCSSFrameConstructor::StyleChangeReflow

Categories

(Core :: Layout: Block and Inline, defect)

Product:
Core
Component:
Layout: Block and Inline
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: crash, regression, testcase)

Attachments

(1 file)

testcase
333 bytes, text/html
Details
Unhandled exception at 0x02b82248 (gklayout.dll) in mozilla.exe: 0xC0000005: Access violation reading location 0x00000000. > gklayout.dll!CallQueryInterface(nsIFrame * aSource=0x039003bc, nsIBox * * aDestination=0x0012eea8) Line 266 + 0x13 C++ gklayout.dll!nsCSSFrameConstructor::StyleChangeReflow(nsIPresContext * aPresContext=0x03817fe8, nsIFrame * aFrame=0x039003bc, nsIAtom * aAttribute=0x00000000) Line 10211 + 0xd C++ gklayout.dll!nsCSSFrameConstructor::ProcessRestyledFrames(nsStyleChangeList & aChangeList={...}, nsIPresContext * aPresContext=0x03817fe8) Line 10335 C++ gklayout.dll!PresShell::ReconstructStyleData(int aRebuildRuleTree=0) Line 5484 C++ gklayout.dll!PresShell::StyleSheetApplicableStateChanged(nsIDocument * aDocument=0x035aa228, nsIStyleSheet * aStyleSheet=0x03904fd0, int aApplicable=1) Line 5548 C++ gkcontent.dll!nsDocument::SetStyleSheetApplicableState(nsIStyleSheet * aSheet=0x03904fd0, int aApplicable=1) Line 1680 C++ gkcontent.dll!CSSStyleSheetImpl::SetComplete() Line 2059 C++ gkcontent.dll!CSSLoaderImpl::SheetComplete(SheetLoadData * aLoadData=0x0390b148, int aSucceeded=1) Line 1789 C++ gkcontent.dll!CSSLoaderImpl::ParseSheet(nsIUnicharInputStream * aStream=0x03904f88, SheetLoadData * aLoadData=0x0390b148, int & aCompleted=1) Line 1733 C++ gkcontent.dll!CSSLoaderImpl::LoadInlineStyle(nsIContent * aElement=0x03904ae8, nsIUnicharInputStream * aStream=0x03904f88, const nsAString & aTitle={...}, const nsAString & aMedia={...}, int aDefaultNameSpaceID=-1, nsIParser * aParserToUnblock=0x035ab950, int & aCompleted=1, nsICSSLoaderObserver * aObserver=0x00000000) Line 1890 + 0x14 C++ gkcontent.dll!nsStyleLinkElement::UpdateStyleSheet(nsIDocument * aOldDocument=0x00000000) Line 317 + 0x7e C++ gkcontent.dll!HTMLContentSink::ProcessSTYLETag(const nsIParserNode & aNode={...}) Line 5730 + 0x22 C++ gkcontent.dll!HTMLContentSink::AddLeaf(const nsIParserNode & aNode={...}) Line 3616 + 0xc C++ gkparser.dll!CNavDTD::AddLeaf(const nsIParserNode * aNode=0x038ef680) Line 3749 + 0x19 C++ gkparser.dll!CNavDTD::AddHeadLeaf(nsIParserNode * aNode=0x038ef680) Line 3812 + 0xf C++ gkparser.dll!CNavDTD::HandleStartToken(CToken * aToken=0x038e45d8) Line 1749 + 0xc C++ gkparser.dll!CNavDTD::HandleToken(CToken * aToken=0x00000000, nsIParser * aParser=0x035ab950) Line 907 + 0xc C++ gkparser.dll!CNavDTD::BuildModel(nsIParser * aParser=0x035ab950, nsITokenizer * aTokenizer=0x035030d0, nsITokenObserver * anObserver=0x00000000, nsIContentSink * aSink=0x038e5340) Line 521 + 0x14 C++ gkparser.dll!nsParser::BuildModel() Line 1906 + 0x22 C++ gkparser.dll!nsParser::ResumeParse(int allowIteration=1, int aIsFinalChunk=0, int aCanInterrupt=1) Line 1773 + 0xb C++ gkparser.dll!nsParser::OnDataAvailable(nsIRequest * request=0x03561550, nsISupports * aContext=0x00000000, nsIInputStream * pIStream=0x038e34d8, unsigned int sourceOffset=0, unsigned int aLength=691) Line 2407 + 0x15 C++ urildr.dll!nsDocumentOpenInfo::OnDataAvailable(nsIRequest * request=0x03561550, nsISupports * aCtxt=0x00000000, nsIInputStream * inStr=0x038e34d8, unsigned int sourceOffset=0, unsigned int count=691) Line 244 + 0x2e C++ necko.dll!nsFileChannel::OnDataAvailable(nsIRequest * request=0x038e1ad4, nsISupports * context=0x00000000, nsIInputStream * aIStream=0x038e34d8, unsigned int aSourceOffset=0, unsigned int aLength=691) Line 625 C++ necko.dll!nsOnDataAvailableEvent::HandleEvent() Line 195 + 0x46 C++ necko.dll!nsARequestObserverEvent::HandlePLEvent(PLEvent * plev=0x038e3e84) Line 116 C++ xpcom.dll!PL_HandleEvent(PLEvent * self=0x038e3e84) Line 663 + 0xa C xpcom.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x00b293c8) Line 593 + 0x9 C xpcom.dll!_md_EventReceiverProc(HWND__ * hwnd=0x008c0282, unsigned int uMsg=49384, unsigned int wParam=0, long lParam=11703240) Line 1379 + 0x9 C user32.dll!77d67ad7() user32.dll!77d6ccd4() user32.dll!77d44455() user32.dll!77d495d5() appshell.dll!nsAppShellService::Run() Line 472 C++ mozilla.exe!main1(int argc=1, char * * argv=0x002b7d78, nsISupports * nativeApp=0x002b7db8) Line 1543 + 0x20 C++ mozilla.exe!main(int argc=1, char * * argv=0x002b7d78) Line 1904 + 0x25 C++ mozilla.exe!mainCRTStartup() Line 400 + 0x11 C kernel32.dll!77e814c7()
Attached file testcase
There's a frame pointer pointing to garbage in the change list, presumably since it's been destroyed by earlier processing of the change list.
Note that the 'font-size' triggers a reflow, and the crash doesn't happen when I trigger a repaint instead.
Assignee: dbaron → block-and-inline
Component: Style System → Layout: Block & Inline
Summary: crash in nsCSSFrameConstructor::StyleChangeReflow → {ib}crash in nsCSSFrameConstructor::StyleChangeReflow
crash also occurs with current linux trunk this regressed between 2002092921 and 2002100104, perhaps bug 113083
Keywords: regression, testcase
OS: Windows XP → All
Blocks: 187548
Seems a dup of bug 154797. The stack is nearly the same as bug 154797 comment 8. (It could be that other checkins have just made it manifest in a different light.)
Depends on: 154797
Patch in bug 123049 fixes this too.
Depends on: 123049
-> fixed
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
v
Status: RESOLVED → VERIFIED
Crashtest checked in.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: