Closed
Bug 209575
Opened 22 years ago
Closed 22 years ago
trunk topcrash [@ CSSStyleRuleImpl::MapRuleInfoInto]
Categories
(Core :: CSS Parsing and Computation, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jcarpenter0524, Assigned: dbaron)
References
Details
(Keywords: crash, topcrash, Whiteboard: [patch])
Crash Data
Attachments
(2 files, 3 obsolete files)
|
13.15 KB,
text/plain
|
Details | |
|
6.03 KB,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
4 CSSStyleRuleImpl::MapRuleInfoInto 11
Source File :
c:/builds/seamonkey/mozilla/content/html/style/src/nsCSSStyleRule.cpp line : 1341
====================================================================================================
Count Offset Real Signature
[ 4 CSSStyleRuleImpl::MapRuleInfoInto 7799b30f -
CSSStyleRuleImpl::MapRuleInfoInto ]
Crash date range: 2003-06-08 to 2003-06-12
Count Platform List
2 Windows NT 5.1 build 2600
2 Windows NT 5.0 build 2195
Count Build Id List
2 2003060804
1 2003061104
1 2003060808
No of Unique Users 2
Stack trace(Frame)
CSSStyleRuleImpl::MapRuleInfoInto
[c:/builds/seamonkey/mozilla/content/html/style/src/nsCSSStyleRule.cpp line 1341]
nsRuleNode::WalkRuleTree
[c:/builds/seamonkey/mozilla/content/base/src/nsRuleNode.cpp line 1430]
nsRuleNode::GetDisplayData
[c:/builds/seamonkey/mozilla/content/base/src/nsRuleNode.cpp line 1158]
nsRuleNode::GetStyleData
[c:/builds/seamonkey/mozilla/content/base/src/nsRuleNode.cpp line 4501]
nsStyleContext::GetStyleData
[c:/builds/seamonkey/mozilla/content/base/src/nsStyleContext.cpp line 262]
nsStyleContext::ApplyStyleFixups
[c:/builds/seamonkey/mozilla/content/base/src/nsStyleContext.cpp line 383]
nsStyleContext::nsStyleContext
[c:/builds/seamonkey/mozilla/content/base/src/nsStyleContext.cpp line 89]
NS_NewStyleContext
[c:/builds/seamonkey/mozilla/content/base/src/nsStyleContext.cpp line 867]
StyleSetImpl::GetContext
[c:/builds/seamonkey/mozilla/content/base/src/nsStyleSet.cpp line 1042]
StyleSetImpl::ResolveStyleFor
[c:/builds/seamonkey/mozilla/content/base/src/nsStyleSet.cpp line 1236]
nsPresContext::ResolveStyleContextFor
[c:/builds/seamonkey/mozilla/layout/base/src/nsPresContext.cpp line 924]
nsCSSFrameConstructor::ResolveStyleContext
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 6753]
nsCSSFrameConstructor::ConstructFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 7196]
nsCSSFrameConstructor::ProcessInlineChildren
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 13565]
nsCSSFrameConstructor::ConstructInline
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 13333]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 6493]
nsCSSFrameConstructor::ConstructFrameInternal
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 7357]
nsCSSFrameConstructor::ConstructFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 7210]
nsCSSFrameConstructor::ProcessChildren
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 12075]
nsCSSFrameConstructor::ConstructTableCellFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 2980]
nsCSSFrameConstructor::TableProcessChild
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3239]
nsCSSFrameConstructor::TableProcessChildren
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3136]
nsCSSFrameConstructor::ConstructTableRowFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 2821]
nsCSSFrameConstructor::TableProcessChild
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3225]
nsCSSFrameConstructor::TableProcessChildren
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3136]
nsCSSFrameConstructor::ConstructTableRowGroupFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 2709]
nsCSSFrameConstructor::TableProcessChild
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3219]
nsCSSFrameConstructor::TableProcessChildren
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3136]
nsCSSFrameConstructor::ConstructTableFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 2585]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 6544]
nsCSSFrameConstructor::ConstructFrameInternal
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 7357]
nsCSSFrameConstructor::ConstructFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 7210]
nsCSSFrameConstructor::ProcessChildren
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 12075]
nsCSSFrameConstructor::ConstructTableCellFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 2980]
nsCSSFrameConstructor::TableProcessChild
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3239]
nsCSSFrameConstructor::TableProcessChildren
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3136]
nsCSSFrameConstructor::ConstructTableRowFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 2821]
nsCSSFrameConstructor::TableProcessChild
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3225]
nsCSSFrameConstructor::TableProcessChildren
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3136]
nsCSSFrameConstructor::ConstructTableRowGroupFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 2709]
nsCSSFrameConstructor::TableProcessChild
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3219]
nsCSSFrameConstructor::TableProcessChildren
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3136]
nsCSSFrameConstructor::ConstructTableFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 2585]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 6544]
nsCSSFrameConstructor::ConstructFrameInternal
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 7357]
nsCSSFrameConstructor::ConstructFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 7210]
nsCSSFrameConstructor::ProcessChildren
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 12075]
nsCSSFrameConstructor::ConstructTableCellFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 2980]
nsCSSFrameConstructor::TableProcessChild
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3239]
nsCSSFrameConstructor::TableProcessChildren
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3136]
nsCSSFrameConstructor::ConstructTableRowFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 2821]
nsCSSFrameConstructor::TableProcessChild
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3225]
nsCSSFrameConstructor::TableProcessChildren
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3136]
nsCSSFrameConstructor::ConstructTableRowGroupFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 2709]
nsCSSFrameConstructor::TableProcessChild
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3219]
nsCSSFrameConstructor::TableProcessChildren
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 3136]
nsCSSFrameConstructor::ConstructTableFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 2585]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 6544]
nsCSSFrameConstructor::ConstructFrameInternal
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 7357]
nsCSSFrameConstructor::ConstructFrame
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 7210]
nsCSSFrameConstructor::ProcessBlockChildren
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 13250]
nsCSSFrameConstructor::ConstructBlock
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 13194]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 6473]
nsCSSFrameConstructor::ConstructFrameInternal
[c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp
line 7357]
(20976872) URL: http://www.realtor.com
(20879588) URL: http://www.realtor.com
(20879588) Comments: search on realtor.com
|
Assignee | |
Comment 1•22 years ago
|
||
I'm not seeing a crash. Anyone know the steps to reproduce?
|
|
Assignee | |
Comment 2•22 years ago
|
||
The talkback reports show the crash is on the third-to-last instruction of the
function:
61570141 8b4814 mov ecx,[eax+0x14] <=== crash here
61570144 e8de010000 call 61570327
61570149 c20800 ret 0x8
This doesn't make any sense to me. If |this| were garbage, we'd have crashed
already (virtual function call). Furthermore, the inner call is a non-virtual
function call.
The registers aren't available.
|
||
Comment 3•22 years ago
|
||
I got this crash today while opening 5 different blogs in new Tabs from gemal
blog page ( http://gemal.dk/mozilla/blogupdates.html ) but I can't reproduce
this with the same steps :-(
(1 day old win2k trunk)
|
|
||
Comment 4•22 years ago
|
||
A screenshot from MSVC++ : http://matti.no-ip.org/debug.gif
(domain is blocked from the NSCP Firewall but you can use my IRC IP to access
it)
crashed again while opening 5-10 Tabs very fast (middle click + loading in the
background) : Chris Nelson's Weblog, adot's notblog*, doron's blaahg, Zach's
Blog, Blogzilla - a blog about Mozilla, Surf*Mind*Musings, <Glazblog/>, Hixie's
Natural Log, DougT's Ramblings, kovu's blog )
I hope this helps...
|
|
Assignee | |
Comment 5•22 years ago
|
||
What was |mDeclaration| ? And was the memory corrupt?
|
|
||
Comment 6•22 years ago
|
||
This were an optimized with symbols and MSVC++ couldn't show |mDeclaration| :-(
Dunno if the memory is corrupt because I'm no developer (=I'm dumb)
|
|
Assignee | |
Comment 7•22 years ago
|
||
[06-26 18:10:25] <Matti> dbaron: i got the crash again and i have the debugger open
[06-26 18:10:49] <Matti> you want to know "mDeclaration" right ?
[06-26 18:13:37] <Matti> mDeclaration is "0x00000000" this time and aRuleData is
0x0012dde0
|
|
Assignee | |
Comment 8•22 years ago
|
||
Comment on attachment 126556 [details]
win2k stack from an optimized with symbols
Oh, this part of the stack shows the problem pretty clearly:
>nsHTMLDocument::ContentAppended(nsHTMLDocument * const 0x037f9178, nsIContent * 0x03932ad0, int 16) line 1381 + 10 bytes
[...]
>HTMLContentSink::BeginUpdate(HTMLContentSink * const 0x026eca30, nsIDocument * 0x037f9178) line 5383
>nsDocument::BeginUpdate(nsDocument * const 0x037f9178) line 1835 + 7 bytes
>nsGenericHTMLElement::SetHTMLAttribute(nsGenericHTMLElement * const 0x00000000, nsIAtom * 0x0024e950, const nsHTMLValue & {...}, int 1) line 2013
>nsDOMCSSAttributeDeclaration::DeclarationChanged(nsDOMCSSAttributeDeclaration * const 0x014729c0 const CSSStyleRuleImpl::`vftable'{for `nsICSSStyleRule'}) line 96 + 32 bytes
>nsDOMCSSDeclaration::ParsePropertyValue(nsDOMCSSDeclaration * const 0x014729c0 const CSSStyleRuleImpl::`vftable'{for `nsICSSStyleRule'}, const nsAString & {...}, const nsAString & {...}) line 288 + 7 bytes
I'm not yet sure what to do about it, though.
|
|
Assignee | |
Comment 9•22 years ago
|
||
This should work as a temporary fix, at least.
|
|
Assignee | |
Updated•22 years ago
|
Attachment #126598 -
Flags: superreview?(bzbarsky)
Attachment #126598 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Comment 10•22 years ago
|
||
Comment on attachment 126598 [details] [diff] [review]
patch
There's something wrong here.
Attachment #126598 -
Attachment is obsolete: true
Attachment #126598 -
Flags: superreview?(bzbarsky)
Attachment #126598 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Comment 11•22 years ago
|
||
Only change the way we handle the declaration, not the selector.
|
|
Assignee | |
Updated•22 years ago
|
Attachment #126605 -
Flags: superreview?(bzbarsky)
Attachment #126605 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Updated•22 years ago
|
Whiteboard: [patch]
|
||
Comment 12•22 years ago
|
||
Comment on attachment 126605 [details] [diff] [review]
patch
I'm not sure what I think of removing those |if (mDeclaration)| checks, given
that Clone() can return null on OOM...
Other than that looks reasonable; I'm assuming we have scripts setting inline
style on nodes that have not been flushed from the sink yet....
|
|
Assignee | |
Comment 13•22 years ago
|
||
Also make CSSStyleRuleImpl::Clone return null/NS_ERROR_OUT_OF_MEMORY whenever
declaration / selector allocation fails.
Attachment #126605 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•22 years ago
|
Attachment #126716 -
Flags: superreview?(bzbarsky)
Attachment #126716 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Updated•22 years ago
|
Attachment #126605 -
Flags: superreview?(bzbarsky)
Attachment #126605 -
Flags: review?(bzbarsky)
|
|
||
Comment 14•22 years ago
|
||
Comment on attachment 126716 [details] [diff] [review]
patch
Um... this still removes those checks for mDeclaration being non-null...
Attachment #126716 -
Flags: superreview?(bzbarsky)
Attachment #126716 -
Flags: superreview-
Attachment #126716 -
Flags: review?(bzbarsky)
Attachment #126716 -
Flags: review-
|
|
Assignee | |
Comment 15•22 years ago
|
||
Comment on attachment 126716 [details] [diff] [review]
patch
Could you describe a codepath that would make it null? (See comment 13.)
Attachment #126716 -
Flags: superreview?(bzbarsky)
Attachment #126716 -
Flags: superreview-
Attachment #126716 -
Flags: review?(bzbarsky)
Attachment #126716 -
Flags: review-
|
|
Assignee | |
Comment 16•22 years ago
|
||
Attachment #126716 -
Attachment is obsolete: true
|
|
||
Updated•22 years ago
|
Attachment #126716 -
Flags: superreview?(bzbarsky)
Attachment #126716 -
Flags: review?(bzbarsky)
|
|
||
Comment 17•22 years ago
|
||
Comment on attachment 126753 [details] [diff] [review]
patch
r+sr=bzbarsky
Attachment #126753 -
Flags: superreview+
Attachment #126753 -
Flags: review+
|
|
Assignee | |
Comment 18•22 years ago
|
||
Fix checked in to trunk, 2003-06-30 14:31 -0700.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
|
||
Comment 19•22 years ago
|
||
*** Bug 211125 has been marked as a duplicate of this bug. ***
|
|
Assignee | |
Comment 20•22 years ago
|
||
Talkback isn't showing any reports after 2003063008. (I'm assuming talkback has
been working in those builds, which I'm not sure of, since there have been some
talkback problems recently.)
|
|
||
Comment 21•22 years ago
|
||
David: Talkback reports have not successfully completed since July 1st. I think
I have fixed the problem and tommorrow's reports should have the latest
Talkback data for the past 10 days.
|
||
Updated•14 years ago
|
Crash Signature: [@ CSSStyleRuleImpl::MapRuleInfoInto]
You need to log in
before you can comment on or make changes to this bug.
Description
•