Closed
Bug 194615
Opened 22 years ago
Closed 19 years ago
Crash because deleted frame not removed from primary frame map - Trunk [@ nsCSSFrameConstructor::AttributeChanged]
Categories
(Core :: CSS Parsing and Computation, defect, P1)
Core
CSS Parsing and Computation
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: bzbarsky, Assigned: dbaron)
References
Details
(Keywords: crash, topcrash-)
Crash Data
Attachments
(1 file)
1.27 KB,
text/html
|
Details |
Testcase coming up; this is crashing my vanilla CVS debug build consistently
with the stack:
#0 nsCOMPtr<nsIStyleRule>::get (this=0xdddddde5)
at ../../../../dist/include/xpcom/nsCOMPtr.h:632
#1 0x4146060a in int operator==<nsIStyleRule, nsIStyleRule> (lhs=@0xdddddde5,
rhs=0x8734f6c) at ../../../dist/include/xpcom/nsCOMPtr.h:1162
#2 0x412c14f0 in nsRuleNode::ClearCachedData (this=0xdddddddd, aRule=0x8734f6c)
at /home/bzbarsky/mozilla/xlib/mozilla/content/base/src/nsRuleNode.cpp:577
#3 0x412e99f0 in StyleSetImpl::ClearStyleData (this=0x87b3ce8,
aPresContext=0x8133540,
aRule=0x8734f6c, aContext=0x87cb7a0)
at /home/bzbarsky/mozilla/xlib/mozilla/content/base/src/nsStyleSet.cpp:1430
#4 0x40f35064 in nsCSSFrameConstructor::RecreateFramesForContent (this=0x87b3f28,
aPresContext=0x8133540, aContent=0x87cdde0, aInlineStyle=1,
aInlineStyleRule=0x8734f6c, aStyleContext=0x87cb7a0)
at
/home/bzbarsky/mozilla/xlib/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:12142
#5 0x40f3083e in nsCSSFrameConstructor::AttributeChanged (this=0x87b3f28,
aPresContext=0x8133540, aContent=0x87cdde0, aNameSpaceID=0,
aAttribute=0x818c698,
aModType=1, aHint=254)
at
/home/bzbarsky/mozilla/xlib/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:10765
(if you track back, the AttributeChanged is called by
CSS2PropertiesTearoff::SetDisplay).
So how are we ending up with a deleted rulenode here?
A few notes:
1) I crash on the first click on any of those links; the original report
(http://www.mozillazine.org/forums/viewtopic.php?t=6192) claims that three
clicks are needed and that the second link does not crash.
2) If I use a build with the patch for bug 171830 I see the behavior described
in that mozillazine post -- crash on third click, with the second link not
crashing. In that case, on the second click I see:
###!!! ASSERTION: frame was not removed from primary frame map before
destruction or was readded to map after being removed:
'!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame', file
/home/bzbarsky/mozilla/profile/mozilla/layout/html/base/src/nsFrameManager.cpp,
line 1050
###!!! ASSERTION: frame was not removed from primary frame map before
destruction or was readded to map after being removed:
'!PL_DHASH_ENTRY_IS_BUSY(entry) || entry->frame != aFrame', file
/home/bzbarsky/mozilla/profile/mozilla/layout/html/base/src/nsFrameManager.cpp,
line 1050
and on the third click I crash in:
#0 0x40fc432f in nsCSSFrameConstructor::AttributeChanged (this=0x87ae468,
aPresContext=0x81145b0, aContent=0x87c78b0, aNameSpaceID=0,
aAttribute=0x81a6450,
aModType=1, aHint=14)
at
/home/bzbarsky/mozilla/profile/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:10628
#1 0x413af311 in StyleSetImpl::AttributeChanged (this=0x87ae3d8,
aPresContext=0x81145b0, aContent=0x87c78b0, aNameSpaceID=0,
aAttribute=0x81a6450,
aModType=1, aHint=14)
at /home/bzbarsky/mozilla/profile/mozilla/content/base/src/nsStyleSet.cpp:1643
#2 0x40f45cbe in PresShell::AttributeChanged (this=0x87ae558, aDocument=0x8792f00,
aContent=0x87c78b0, aNameSpaceID=0, aAttribute=0x81a6450, aModType=1, aHint=14)
at
/home/bzbarsky/mozilla/profile/mozilla/layout/html/base/src/nsPresShell.cpp:5168
(called from CSS2PropertiesTearoff::SetDisplay again).
The cause of the crash is that the frame returned by GetPrimaryFrameFor has been
deleted:
(gdb) p *primaryFrame
$2 = {<nsISupports> = {_vptr. = 0x0}, mRect = {x = -572662307, y = -572662307,
width = -572662307, height = -572662307}, mContent = 0xdddddddd,
mStyleContext = 0xdddddddd, mParent = 0xdddddddd, mNextSibling = 0xdddddddd,
mState = 3722304989}
Reporter | ||
Comment 1•22 years ago
|
||
Reporter | ||
Comment 2•22 years ago
|
||
Ah, ok. The first crash I'm seeing is bug 194584. Once that's fixed, I doubt
bug 171830 will affect this.
Are we doing something like calling GetPrimaryFrameFor in the middle of things
here, at the wrong time? I seem to recall form controls doing that on some attr
changes....
Comment 3•22 years ago
|
||
more crash data... 200222303/OS X... Talkback IDs:
TB174378E
TB174391K
Reporter | ||
Comment 4•22 years ago
|
||
> "200222303/OS X."
Then that's bug 194584.
To reproduce this bug you must use a build at least a few days old or a build
with the patch for bug 194584 in it.
Comment 5•22 years ago
|
||
ack... i really screwed that one up didn't I... maybe i need more coffee...
those crases were on 2003022303
Reporter | ||
Comment 7•22 years ago
|
||
If you're not using a debug build, the crash may be intermittent (since you're
accessing random garbage data). With a debug build, it is guaranteed.
Comment 8•22 years ago
|
||
*** Bug 194698 has been marked as a duplicate of this bug. ***
Comment 9•22 years ago
|
||
I crashed with today's MozillaTrunk build after clicking the first link the 3rd
time. Here's my incident:
Incident ID 17466055
Stack Signature nsCSSFrameConstructor::AttributeChanged 202924a9
Email Address jpatel@netscape.com
Product ID MozillaTrunk
Build ID 2003022408
Trigger Time 2003-02-24 16:13:22
Platform Win32
Operating System Windows NT 5.1 build 2600
Module gklayout.dll
URL visited http://home.hccnet.nl/m.wargers/test/mozilla/f3.htm#userfile
User Comments crashed after clicking on first testcase 3 times.
Trigger Reason Access violation
Source File Name
c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
Trigger Line No. 10623
Stack Trace
nsCSSFrameConstructor::AttributeChanged
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 10623]
StyleSetImpl::AttributeChanged
[c:/builds/seamonkey/mozilla/content/base/src/nsStyleSet.cpp, line 1716]
PresShell::AttributeChanged
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 5170]
nsDocument::AttributeChanged
[c:/builds/seamonkey/mozilla/content/base/src/nsDocument.cpp, line 2121]
nsHTMLDocument::AttributeChanged
[c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLDocument.cpp, line
1543]
nsDOMCSSAttributeDeclaration::ParsePropertyValue
[c:/builds/seamonkey/mozilla/content/html/style/src/nsDOMCSSAttrDeclaration.cpp,
line 275]
nsDOMCSSDeclaration::SetProperty
[c:/builds/seamonkey/mozilla/content/html/style/src/nsDOMCSSDeclaration.cpp,
line 252]
CSS2PropertiesTearoff::SetDisplay
[../../../../dist/include/content\nsCSSPropList.h, line 178]
XPTC_InvokeByIndex
[c:/builds/seamonkey/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2025]
XPC_WN_GetterSetter
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1317]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 845]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 936]
js_SetProperty [c:/builds/seamonkey/mozilla/js/src/jsobj.c, line 2640]
js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2656]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 861]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 936]
JS_CallFunctionValue [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3433]
nsJSContext::CallEventHandler
[c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1043]
nsJSEventListener::HandleEvent
[c:/builds/seamonkey/mozilla/dom/src/events/nsJSEventListener.cpp, line 183]
nsEventListenerManager::HandleEventSubType
[c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line
1218]
nsEventListenerManager::HandleEvent
[c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line
1389]
nsGenericElement::HandleDOMEvent
[c:/builds/seamonkey/mozilla/content/base/src/nsGenericElement.cpp, line 1929]
nsGenericHTMLElement::HandleDOMEventForAnchors
[c:/builds/seamonkey/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 1423]
nsHTMLAnchorElement::HandleDOMEvent
[c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLAnchorElement.cpp,
line 355]
PresShell::HandleEventInternal
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6228]
PresShell::HandleEventWithTarget
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6196]
nsEventStateManager::CheckForAndDispatchClick
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 2852]
nsEventStateManager::PostHandleEvent
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 1849]
PresShell::HandleEventInternal
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6265]
PresShell::HandleEvent
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6179]
nsViewManager::HandleEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 2208]
nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 309]
nsViewManager::DispatchEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 1944]
HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 83]
nsWindow::DispatchEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1117]
nsWindow::DispatchWindowEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1134]
nsWindow::DispatchMouseEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5374]
ChildWindow::DispatchMouseEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5629]
nsWindow::ProcessMessage
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 4130]
nsWindow::WindowProc
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1401]
USER32.dll + 0x3a68 (0x77d43a68)
USER32.dll + 0x3b37 (0x77d43b37)
USER32.dll + 0x3d91 (0x77d43d91)
USER32.dll + 0x3df7 (0x77d43df7)
nsAppShellService::Run
[c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 480]
main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1289]
main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1639]
WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1660]
WinMainCRTStartup()
kernel32.dll + 0x214c7 (0x77e814c7)
Adding testcase keyword and topcrash+. There have been quite a few of these
crashes lately (not sure if it's a common problem or just from all the testing
being done).
It looks like the stack signature started showing up with builds from 2/18.
Comment 10•22 years ago
|
||
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030303
Crashes every time for me on the test page
http://home.hccnet.nl/m.wargers/test/mozilla/f3.htm#userfile
Here's a talkback number: TB17789336Z
Comment 12•22 years ago
|
||
Not on any topcrash reports; marking topcrash-
Here's a recent crash from NetscapeMozillaTrunkWin322003032611
Incident ID 18500276
Stack Signature nsCSSFrameConstructor::AttributeChanged 291682c8
Product ID MozillaTrunk
Build ID 2003032611
Trigger Time 2003-03-26 16:53:43
Platform Win32
Operating System Windows NT 5.0 build 2195
Module gklayout.dll
URL visited
User Comments
Trigger Reason Access violation
Source File Name
c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
Trigger Line No. 10634
Stack Trace
nsCSSFrameConstructor::AttributeChanged
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 10634]
StyleSetImpl::AttributeChanged
[c:/builds/seamonkey/mozilla/content/base/src/nsStyleSet.cpp, line 1764]
PresShell::AttributeChanged
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 5233]
nsDocument::AttributeChanged
[c:/builds/seamonkey/mozilla/content/base/src/nsDocument.cpp, line 2183]
nsHTMLDocument::AttributeChanged
[c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLDocument.cpp, line
1496]
nsGenericHTMLElement::SetHTMLAttribute
[c:/builds/seamonkey/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 2011]
nsDOMCSSAttributeDeclaration::SetCSSDeclaration
[c:/builds/seamonkey/mozilla/content/html/style/src/nsDOMCSSAttrDeclaration.cpp,
line 125]
nsDOMCSSAttributeDeclaration::ParsePropertyValue
[c:/builds/seamonkey/mozilla/content/html/style/src/nsDOMCSSAttrDeclaration.cpp,
line 241]
nsDOMCSSDeclaration::SetProperty
[c:/builds/seamonkey/mozilla/content/html/style/src/nsDOMCSSDeclaration.cpp,
line 252]
CSS2PropertiesTearoff::SetDisplay
[../../../../dist/include/content\nsCSSPropList.h, line 178]
XPTC_InvokeByIndex
[c:/builds/seamonkey/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2025]
XPC_WN_GetterSetter
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1317]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 845]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 936]
js_InternalGetOrSet [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 962]
js_SetProperty [c:/builds/seamonkey/mozilla/js/src/jsobj.c, line 2631]
js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2673]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 861]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 936]
JS_CallFunctionValue [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3529]
nsJSContext::CallEventHandler
[c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1068]
nsJSEventListener::HandleEvent
[c:/builds/seamonkey/mozilla/dom/src/events/nsJSEventListener.cpp, line 183]
nsEventListenerManager::HandleEventSubType
[c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line
1192]
nsEventListenerManager::HandleEvent
[c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line
1363]
nsGenericElement::HandleDOMEvent
[c:/builds/seamonkey/mozilla/content/base/src/nsGenericElement.cpp, line 1929]
nsGenericHTMLElement::HandleDOMEventForAnchors
[c:/builds/seamonkey/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 1423]
nsHTMLAreaElement::HandleDOMEvent
[c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLAreaElement.cpp,
line 230]
PresShell::HandleEventInternal
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6289]
PresShell::HandleEventWithTarget
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6257]
nsEventStateManager::CheckForAndDispatchClick
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 2864]
nsEventStateManager::PostHandleEvent
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 1859]
PresShell::HandleEventInternal
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6326]
PresShell::HandleEvent
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6240]
nsViewManager::HandleEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 2221]
nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 309]
nsViewManager::DispatchEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 1957]
HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 83]
nsWindow::DispatchEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1154]
nsWindow::DispatchWindowEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1171]
nsWindow::DispatchMouseEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5439]
ChildWindow::DispatchMouseEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 5694]
nsWindow::ProcessMessage
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 4190]
nsWindow::WindowProc
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1438]
USER32.dll + 0x2a244 (0x77e3a244)
USER32.dll + 0x45e5 (0x77e145e5)
USER32.dll + 0xa792 (0x77e1a792)
nsAppShellService::Run
[c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 480]
main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1287]
main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1645]
WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1666]
WinMainCRTStartup()
KERNEL32.dll + 0x2847c (0x77ea847c)
Comment 13•19 years ago
|
||
Testcase does not crash and URL in comment 10 is 404.
WFM, SeaMonkey 2005-08-31-02 trunk Linux.
Keywords: testcase
Reporter | ||
Comment 14•19 years ago
|
||
Oh, yeah. Most of the code in those last 4-5 stackframes is just gone
completely nowadays...
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Updated•14 years ago
|
Crash Signature: [@ nsCSSFrameConstructor::AttributeChanged]
You need to log in
before you can comment on or make changes to this bug.
Description
•