Closed Bug 194615 Opened 22 years ago Closed 19 years ago

Crash because deleted frame not removed from primary frame map - Trunk [@ nsCSSFrameConstructor::AttributeChanged]

Categories

(Core :: CSS Parsing and Computation, defect, P1)

RESOLVED WORKSFORME

People

(Reporter: bzbarsky, Assigned: dbaron)

References

Details

(Keywords: crash, topcrash-)

Crash Data

Attachments

(1 file)

Testcase coming up; this is crashing my vanilla CVS debug build consistently with the stack:

#0 nsCOMPtr<nsIStyleRule>::get (this=0xdddddde5) at ../../../../dist/include/xpcom/nsCOMPtr.h:632
#1 0x4146060a in int operator==<nsIStyleRule, nsIStyleRule> (lhs=@0xdddddde5, rhs=0x8734f6c) at ../../../dist/include/xpcom/nsCOMPtr.h:1162
#2 0x412c14f0 in nsRuleNode::ClearCachedData (this=0xdddddddd, aRule=0x8734f6c) at /home/bzbarsky/mozilla/xlib/mozilla/content/base/src/nsRuleNode.cpp:577
#3 0x412e99f0 in StyleSetImpl::ClearStyleData (this=0x87b3ce8, aPresContext=0x8133540, aRule=0x8734f6c, aContext=0x87cb7a0) at /home/bzbarsky/mozilla/xlib/mozilla/content/base/src/nsStyleSet.cpp:1430
#4 0x40f35064 in nsCSSFrameConstructor::RecreateFramesForContent (this=0x87b3f28, aPresContext=0x8133540, aContent=0x87cdde0, aInlineStyle=1, aInlineStyleRule=0x8734f6c, aStyleContext=0x87cb7a0) at /home/bzbarsky/mozilla/xlib/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:12142
#5 0x40f3083e in nsCSSFrameConstructor::AttributeChanged (this=0x87b3f28, aPresContext=0x8133540, aContent=0x87cdde0, aNameSpaceID=0, aAttribute=0x818c698, aModType=1, aHint=254) at /home/bzbarsky/mozilla/xlib/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:10765

(if you track back, the AttributeChanged is called by CSS2PropertiesTearoff::SetDisplay).

So how are we ending up with a deleted rulenode here?

A few notes:

1) I crash on the first click on any of those links; the original report (http://www.mozillazine.org/forums/viewtopic.php?t=6192) claims that three clicks are needed and that the second link does not crash.

2) If I use a build with the patch for bug 171830 I see the behavior described in that mozillazine post -- crash on third click, with the second link not crashing. In that case, on the second click I see:

###!!! ASSERTION: frame was not removed from primary frame map before destruction or was readded to map after being removed: '!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame', file /home/bzbarsky/mozilla/profile/mozilla/layout/html/base/src/nsFrameManager.cpp, line 1050
###!!! ASSERTION: frame was not removed from primary frame map before destruction or was readded to map after being removed: '!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame', file /home/bzbarsky/mozilla/profile/mozilla/layout/html/base/src/nsFrameManager.cpp, line 1050

and on the third click I crash in:

#0 0x40fc432f in nsCSSFrameConstructor::AttributeChanged (this=0x87ae468, aPresContext=0x81145b0, aContent=0x87c78b0, aNameSpaceID=0, aAttribute=0x81a6450, aModType=1, aHint=14) at /home/bzbarsky/mozilla/profile/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:10628
#1 0x413af311 in StyleSetImpl::AttributeChanged (this=0x87ae3d8, aPresContext=0x81145b0, aContent=0x87c78b0, aNameSpaceID=0, aAttribute=0x81a6450, aModType=1, aHint=14) at /home/bzbarsky/mozilla/profile/mozilla/content/base/src/nsStyleSet.cpp:1643
#2 0x40f45cbe in PresShell::AttributeChanged (this=0x87ae558, aDocument=0x8792f00, aContent=0x87c78b0, aNameSpaceID=0, aAttribute=0x81a6450, aModType=1, aHint=14) at /home/bzbarsky/mozilla/profile/mozilla/layout/html/base/src/nsPresShell.cpp:5168

(called from CSS2PropertiesTearoff::SetDisplay again).

The cause of the crash is that the frame returned by GetPrimaryFrameFor has been deleted:

(gdb) p *primaryFrame
$2 = {<nsISupports> = {_vptr. = 0x0}, mRect = {x = -572662307, y = -572662307, width = -572662307, height = -572662307}, mContent = 0xdddddddd, mStyleContext = 0xdddddddd, mParent = 0xdddddddd, mNextSibling = 0xdddddddd, mState = 3722304989}
Attached file testcase
Ah, ok. The first crash I'm seeing is bug 194584. Once that's fixed, I doubt bug 171830 will affect this. Are we doing something like calling GetPrimaryFrameFor in the middle of things here, at the wrong time? I seem to recall form controls doing that on some attr changes....
Severity: normal → critical
Depends on: 194584
No longer depends on: 171830
Summary: Crash on some inline style changes → Crash because deleted frame not removed from primary frame map
more crash data... 200222303/OS X... Talkback IDs: TB174378E TB174391K
> "200222303/OS X." Then that's bug 194584. To reproduce this bug you must use a build at least a few days old or a build with the patch for bug 194584 in it.
Ack... I really screwed that one up, didn't I... maybe I need more coffee... those crashes were on 2003022303
WFM with build 2003021008 under Windows XP SP1.
If you're not using a debug build, the crash may be intermittent (since you're accessing random garbage data). With a debug build, it is guaranteed.
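The two comments above describe the same defect from both ends: the debug-build assertion fires at destroy time because the frame is still in the primary frame map, and a later AttributeChanged looks the content up, gets the dead frame back and reads 0xdddddddd (the debug allocator's poison fill, which is why the crash is deterministic there and only intermittent in a release build). The following C program is an added illustration of that mechanism, not code from the bug or from Gecko: it uses a hypothetical Content/Frame pair, a static pool standing in for the debug allocator, and a direct-indexed map in place of the PLDHash table, and it shows the invariant check catching the bad teardown order before the stale entry is ever dereferenced.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical content and frame types, loosely modelled on the nsIContent /
 * nsIFrame pair in the bug; these are not Gecko's definitions. */
typedef struct Content { int id; } Content;
typedef struct Frame {
    const Content *content;        /* like mContent */
    int32_t x, y, width, height;   /* like mRect */
} Frame;

/* A static pool stands in for the debug allocator: freed blocks are filled
 * with 0xdd, the byte behind the 0xdddddddd / -572662307 values in the bug's
 * gdb dump. Keeping freed blocks inside the pool lets a stale lookup be
 * inspected here without undefined behaviour. */
#define POOL_SIZE 8
#define POISON_BYTE 0xdd
static Frame g_pool[POOL_SIZE];
static int g_in_use[POOL_SIZE];

Frame *frame_alloc(const Content *c) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!g_in_use[i]) {
            memset(&g_pool[i], 0, sizeof g_pool[i]);
            g_pool[i].content = c;
            g_in_use[i] = 1;
            return &g_pool[i];
        }
    }
    return NULL;
}

static void frame_free(Frame *f) {
    g_in_use[f - g_pool] = 0;
    memset(f, POISON_BYTE, sizeof *f);   /* debug-allocator style poison */
}

/* Primary frame map: content id -> frame. Direct-indexed for brevity where
 * Gecko uses a PLDHash table. */
#define MAP_SIZE 16
static Frame *g_primary_map[MAP_SIZE];

void   map_set(const Content *c, Frame *f) { g_primary_map[c->id % MAP_SIZE] = f; }
Frame *map_get(const Content *c)           { return g_primary_map[c->id % MAP_SIZE]; }
void   map_remove(const Content *c)        { g_primary_map[c->id % MAP_SIZE] = NULL; }

/* Debug-build invariant modelled on the assertion quoted in the bug: a frame
 * must no longer be mapped when it is destroyed. Returns 1 if it held, 0 if a
 * dangling map entry was left behind (the frame is freed either way, as with a
 * non-fatal assertion). */
int destroy_frame(Frame *f) {
    int ok = map_get(f->content) != f;
    if (!ok)
        fprintf(stderr, "ASSERTION: frame was not removed from primary frame "
                        "map before destruction\n");
    frame_free(f);
    return ok;
}

/* Correct teardown order: unmap first, then destroy. */
int destroy_correctly(const Content *c) {
    Frame *f = map_get(c);
    map_remove(c);
    return destroy_frame(f);
}

/* The teardown the bug describes: the frame is destroyed but its map entry
 * is never cleared. */
int destroy_leaving_stale_entry(const Content *c) {
    return destroy_frame(map_get(c));
}

/* What a later AttributeChanged-style caller sees when it consults the map:
 * the x field of whatever the entry points at. With the poison fill this is
 * always 0xdddddddd; a release build would read whatever reused the block. */
int32_t stale_lookup_x(const Content *c) {
    Frame *f = map_get(c);
    return f ? f->x : 0;
}

int main(void) {
    Content a = {1}, b = {2};   /* constructed sample content nodes */
    map_set(&a, frame_alloc(&a));
    map_set(&b, frame_alloc(&b));
    printf("correct teardown: ok=%d, entry=%p\n",
           destroy_correctly(&a), (void *)map_get(&a));
    printf("buggy teardown: ok=%d, stale x=%" PRId32 "\n",
           destroy_leaving_stale_entry(&b), stale_lookup_x(&b));
    return 0;
}
```

The check in destroy_frame is cheap because it only consults the map entry for the frame's own content, which is why Gecko can afford it in every debug build; the poison fill is what turns the later read from "sometimes crashes" into a reproducible 0xdddddddd, the value the gdb dump above shows in every field of the dead frame.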
Keywords: crash
*** Bug 194698 has been marked as a duplicate of this bug. ***
I crashed with today's MozillaTrunk build after clicking the first link the 3rd time. Here's my incident:

Incident ID 17466055
Stack Signature nsCSSFrameConstructor::AttributeChanged 202924a9
Email Address jpatel@netscape.com
Product ID MozillaTrunk
Build ID 2003022408
Trigger Time 2003-02-24 16:13:22
Platform Win32
Operating System Windows NT 5.1 build 2600
Module gklayout.dll
URL visited http://home.hccnet.nl/m.wargers/test/mozilla/f3.htm#userfile
User Comments crashed after clicking on first testcase 3 times.
Trigger Reason Access violation
Source File Name c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
Trigger Line No. 10623

Stack Trace
nsCSSFrameConstructor::AttributeChanged [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 10623]
StyleSetImpl::AttributeChanged [c:/builds/seamonkey/mozilla/content/base/src/nsStyleSet.cpp, line 1716]
PresShell::AttributeChanged [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 5170]
nsDocument::AttributeChanged [c:/builds/seamonkey/mozilla/content/base/src/nsDocument.cpp, line 2121]
nsHTMLDocument::AttributeChanged [c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 1543]
nsDOMCSSAttributeDeclaration::ParsePropertyValue [c:/builds/seamonkey/mozilla/content/html/style/src/nsDOMCSSAttrDeclaration.cpp, line 275]
nsDOMCSSDeclaration::SetProperty [c:/builds/seamonkey/mozilla/content/html/style/src/nsDOMCSSDeclaration.cpp, line 252]
CSS2PropertiesTearoff::SetDisplay [../../../../dist/include/content\nsCSSPropList.h, line 178]
XPTC_InvokeByIndex [c:/builds/seamonkey/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod [c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2025]
XPC_WN_GetterSetter [c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1317]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 845]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 936]
js_SetProperty [c:/builds/seamonkey/mozilla/js/src/jsobj.c, line 2640]
js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2656]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 861]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 936]
JS_CallFunctionValue [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3433]
nsJSContext::CallEventHandler [c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1043]
nsJSEventListener::HandleEvent [c:/builds/seamonkey/mozilla/dom/src/events/nsJSEventListener.cpp, line 183]
nsEventListenerManager::HandleEventSubType [c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line 1218]
nsEventListenerManager::HandleEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line 1389]
nsGenericElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/base/src/nsGenericElement.cpp, line 1929]
nsGenericHTMLElement::HandleDOMEventForAnchors [c:/builds/seamonkey/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 1423]
nsHTMLAnchorElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLAnchorElement.cpp, line 355]
PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6228]
PresShell::HandleEventWithTarget [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6196]
nsEventStateManager::CheckForAndDispatchClick [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 2852]
nsEventStateManager::PostHandleEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 1849]
PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6265]
PresShell::HandleEvent [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6179]
nsViewManager::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 2208]
nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 309]
nsViewManager::DispatchEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 1944]
HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 83]
nsWindow::DispatchEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1117]
nsWindow::DispatchWindowEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1134]
nsWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5374]
ChildWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5629]
nsWindow::ProcessMessage [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 4130]
nsWindow::WindowProc [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1401]
USER32.dll + 0x3a68 (0x77d43a68)
USER32.dll + 0x3b37 (0x77d43b37)
USER32.dll + 0x3d91 (0x77d43d91)
USER32.dll + 0x3df7 (0x77d43df7)
nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 480]
main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1289]
main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1639]
WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1660]
WinMainCRTStartup()
kernel32.dll + 0x214c7 (0x77e814c7)

Adding testcase keyword and topcrash+. There have been quite a few of these crashes lately (not sure if it's a common problem or just from all the testing being done). It looks like the stack signature started showing up with builds from 2/18.
Keywords: testcase, topcrash+
Summary: Crash because deleted frame not removed from primary frame map → Crash because deleted frame not removed from primary frame map - Trunk [@ nsCSSFrameConstructor::AttributeChanged]
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030303 Crashes every time for me on the test page http://home.hccnet.nl/m.wargers/test/mozilla/f3.htm#userfile Here's a talkback number: TB17789336Z
marking priority P1 since it is a topcrash+ bug
Priority: -- → P1
Not on any topcrash reports; marking topcrash-. Here's a recent crash from NetscapeMozillaTrunkWin322003032611:

Incident ID 18500276
Stack Signature nsCSSFrameConstructor::AttributeChanged 291682c8
Product ID MozillaTrunk
Build ID 2003032611
Trigger Time 2003-03-26 16:53:43
Platform Win32
Operating System Windows NT 5.0 build 2195
Module gklayout.dll
URL visited
User Comments
Trigger Reason Access violation
Source File Name c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
Trigger Line No. 10634

Stack Trace
nsCSSFrameConstructor::AttributeChanged [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 10634]
StyleSetImpl::AttributeChanged [c:/builds/seamonkey/mozilla/content/base/src/nsStyleSet.cpp, line 1764]
PresShell::AttributeChanged [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 5233]
nsDocument::AttributeChanged [c:/builds/seamonkey/mozilla/content/base/src/nsDocument.cpp, line 2183]
nsHTMLDocument::AttributeChanged [c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 1496]
nsGenericHTMLElement::SetHTMLAttribute [c:/builds/seamonkey/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 2011]
nsDOMCSSAttributeDeclaration::SetCSSDeclaration [c:/builds/seamonkey/mozilla/content/html/style/src/nsDOMCSSAttrDeclaration.cpp, line 125]
nsDOMCSSAttributeDeclaration::ParsePropertyValue [c:/builds/seamonkey/mozilla/content/html/style/src/nsDOMCSSAttrDeclaration.cpp, line 241]
nsDOMCSSDeclaration::SetProperty [c:/builds/seamonkey/mozilla/content/html/style/src/nsDOMCSSDeclaration.cpp, line 252]
CSS2PropertiesTearoff::SetDisplay [../../../../dist/include/content\nsCSSPropList.h, line 178]
XPTC_InvokeByIndex [c:/builds/seamonkey/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod [c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2025]
XPC_WN_GetterSetter [c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1317]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 845]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 936]
js_InternalGetOrSet [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 962]
js_SetProperty [c:/builds/seamonkey/mozilla/js/src/jsobj.c, line 2631]
js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2673]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 861]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 936]
JS_CallFunctionValue [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3529]
nsJSContext::CallEventHandler [c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1068]
nsJSEventListener::HandleEvent [c:/builds/seamonkey/mozilla/dom/src/events/nsJSEventListener.cpp, line 183]
nsEventListenerManager::HandleEventSubType [c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line 1192]
nsEventListenerManager::HandleEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line 1363]
nsGenericElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/base/src/nsGenericElement.cpp, line 1929]
nsGenericHTMLElement::HandleDOMEventForAnchors [c:/builds/seamonkey/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 1423]
nsHTMLAreaElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLAreaElement.cpp, line 230]
PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6289]
PresShell::HandleEventWithTarget [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6257]
nsEventStateManager::CheckForAndDispatchClick [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 2864]
nsEventStateManager::PostHandleEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 1859]
PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6326]
PresShell::HandleEvent [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6240]
nsViewManager::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 2221]
nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 309]
nsViewManager::DispatchEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 1957]
HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 83]
nsWindow::DispatchEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1154]
nsWindow::DispatchWindowEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1171]
nsWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5439]
ChildWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5694]
nsWindow::ProcessMessage [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 4190]
nsWindow::WindowProc [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1438]
USER32.dll + 0x2a244 (0x77e3a244)
USER32.dll + 0x45e5 (0x77e145e5)
USER32.dll + 0xa792 (0x77e1a792)
nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 480]
main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1287]
main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1645]
WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1666]
WinMainCRTStartup()
KERNEL32.dll + 0x2847c (0x77ea847c)
Keywords: topcrash+ → topcrash-
Testcase does not crash and URL in comment 10 is 404. WFM, SeaMonkey 2005-08-31-02 trunk Linux.
Keywords: testcase
Oh, yeah. Most of the code in those last 4-5 stackframes is just gone completely nowadays...
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ nsCSSFrameConstructor::AttributeChanged]