
browser crashes or locks up when visiting www.vnunet.com (position: absolute div inside <a>) [@ nsHTMLReflowState::CalculateHypotheticalBox ]

Status: RESOLVED FIXED
Product: Core
Component: Layout: Block and Inline
Priority: --
Severity: critical
Opened: 14 years ago
Updated: 8 years ago
Reporter: Pavel
Assignee: mats
Version: Trunk
Platform: x86, All
Keywords: crash, regression, testcase, topcrash
Points: ---
Bug Flags: in-testsuite +
Firefox Tracking Flags: Not tracked
Attachments: 3

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6a) Gecko/20031020
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6a) Gecko/20031020

Whenever I load www.vnunet.com, Mozilla either crashes or locks up. If it
locks up, the browser is still responsive, but clicking on any link does nothing and
new windows cannot be opened. It happens with today's build (2003102004), and
the site was working fine a few days ago.

Reproducible: Always

Steps to Reproduce:
1. Visit www.vnunet.com

Actual Results:  
Browser crashes or locks up

Expected Results:  
Load the page.

Talkback ID: TB24607740Y

Updated

14 years ago
Keywords: crash, stackwanted
Whiteboard: TB24607740Y

Comment 1

14 years ago
Crash for me too on XPProf.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031020
Firebird/0.7+

Comment 2

14 years ago
Linux version also crashes:

Starting program: /home/petevine/MozillaFirebird/MozillaFirebird-bin
http://www.vnunet.com
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...[New Thread 1024 (LWP 25719)]
Type Manifest File: /home/petevine/MozillaFirebird/components/xpti.dat
nsNativeComponentLoader: autoregistering begins.
nsNativeComponentLoader: autoregistering succeeded
nNCL: registering deferred (0)
[New Thread 2049 (LWP 25721)]
[New Thread 1026 (LWP 25722)]
GFX: dpi=90 t2p=0,0625 p2t=16 depth=24
WEBSHELL+ = 1
[New Thread 2051 (LWP 25726)]
[New Thread 3076 (LWP 25728)]
WEBSHELL+ = 2
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file nsChromeRegistry.cpp,
line 3190
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file nsChromeRegistry.cpp,
line 3190
Note: verifyreflow is disabled
Note: styleverifytree is disabled
Note: frameverifytree is disabled
WEBSHELL+ = 3
[New Thread 4101 (LWP 25729)]
[New Thread 5126 (LWP 25730)]
CSS Error (http://images.vnunet.com/v6_style/v65_style.css :126.103): Expected
color but found 'none'.  Error in parsing value for property 'background-color'.
 Declaration dropped.
JavaScript error: 
http://ad.uk.doubleclick.net/adj/tb.vnunet.uk/vnunet_home;cat=vnunet_home;page=home;pos=top;sz=468x60;tile=1;ptile=1;ord=807138944?
line 1: illegal character

WARNING: Couldn't add reflow command, so splitting.
WARNING: Couldn't add reflow command, so splitting.
WARNING: Couldn't add reflow command, so splitting.
###!!! ASSERTION: Must reach our placeholder before end of list!: 'firstFrame',
file nsHTMLReflowState.cpp, line 870
Break: at file nsHTMLReflowState.cpp, line 870

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 25719)]
0x410f6344 in nsHTMLReflowState::CalculateHypotheticalBox(nsIPresContext*,
nsIFrame*, nsIFrame*, nsMargin&, nsIFrame*, nsHypotheticalBox&) ()
   from /home/petevine/MozillaFirebird/components/libgklayout.so

Comment 3

14 years ago
No dupes found, marking NEW.
Can you attach full stack (using 'backtrace' when in GDB and Mozilla has
crashed) via "create a new attachment" ?
Assignee: general → block-and-inline
Status: UNCONFIRMED → NEW
Component: Browser-General → Layout: Block & Inline
Ever confirmed: true
Keywords: stackwanted → regression
OS: Windows 2000 → All
QA Contact: general → ian
Summary: browser crashes or locks up when visiting www.vnunet.com → browser crashes or locks up when visiting www.vnunet.com [@ nsHTMLReflowState::CalculateHypotheticalBox ]
Whiteboard: TB24607740Y

Comment 4

14 years ago
Seems to be okay with 1.5 (Win2k)

Comment 5

14 years ago
Created attachment 133754 [details]
Stack trace

Here's the stack trace you requested. BTW, only gtk2 version is affected.

Comment 6

14 years ago
I just had a crash using Trunk BuildID 2003102004.
DocWatson came up, but there was no talkback in the sea.exe-package.

Stack summary of DocWatson was showing 37 calls to GKLAYOUT.DLL and one call to
XPCOM, no others.

WFM Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.5) Gecko/20031007
WFM Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

Didn't find Flash on this page.

Comment 7

14 years ago
Checked this out on recent nightlies on WIN XP...
20031017 : no crash
20031018 and later: crash

Comment 8

14 years ago
Charles, great info, can you even reduce more by mentioning the build ID (like
"2003101705") in the title bar ?

Comment 9

14 years ago
Oliver: 2003101704 and 2003101804

Looking at CVS checkins, BZ touched
mozilla/layout/html/base/src/nsHTMLReflowState.cpp
a few times during that time period.

Comment 10

14 years ago
TB24618351G Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031019

Comment 11

14 years ago
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031018 BuildID 2003101804

TB24618983G crash on loading URL
TB24618895X crash on loading local copy of URL saved with BuildID 2003101704

tested Build ID2003101704 only once, to save the page, no crash
all later builds are crashing, some don't have talkback, though I selected
complete install (SEA.EXE).

Flags: blocking1.6a?

Updated

14 years ago
Keywords: topcrash

Comment 12

14 years ago
Created attachment 133800 [details]
testcase

This javascript causes the crash:

document.writeln("<A><DIV STYLE=\"position:absolute;\">" + "</DIV></A>");

Updated

14 years ago
Keywords: testcase
Summary: browser crashes or locks up when visiting www.vnunet.com [@ nsHTMLReflowState::CalculateHypotheticalBox ] → browser crashes or locks up when visiting www.vnunet.com (position: absolute div inside <a>) [@ nsHTMLReflowState::CalculateHypotheticalBox ]
(Assignee)

Updated

14 years ago
Blocks: 223017

Updated

14 years ago
No longer blocks: 223017
bz, see comments in bug 223017 isolating this to recent nsHTMLReflowState.cpp
checkins.
(Assignee)

Comment 14

14 years ago
*** Bug 223171 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 15

14 years ago
Rolling back nsHTMLReflowState.cpp to -r1.174 makes the crash disappear so the
culprit is the checkin for bug 94468.
I think the real problem is in the frame splitting code in
nsCSSFrameConstructor.cpp though, it has a lot of concerned comments [1] about
not handling abs.pos. blocks (and floats) correctly.  I think this could lead to
the situation where the placeholder has a different parent than the block where
the frame is on the abs.pos. list.  (So the assertion on line 870 triggers and
we will dereference null on line 872).

[1] e.g. read XXX_kin comments in AdjustOutOfFlowFrameParentPtrs()
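
The failure mode described in comment 15 and visible in the log in comment 2 (assertion reported, execution continues, null pointer dereferenced), shown as an added example that is not part of the original thread and is not Gecko code. It is a simplified C++ model: `Frame`, `WalkTo`, `XUnchecked`, `XChecked` and `MODEL_ASSERTION` are hypothetical names, and the checked variant is one defensive form, not the patch attached to this bug.

```cpp
#include <cstdio>

// Simplified model of a frame sibling list; NOT Gecko's nsIFrame.
struct Frame {
    Frame* next = nullptr;   // next sibling in the parent's child list
    int x = 0;               // stand-in for position data read after the walk
};

// Models an assertion that reports but does not stop execution, matching
// the log in comment 2 (assertion printed, then SIGSEGV).
#define MODEL_ASSERTION(cond, msg) \
    do { if (!(cond)) std::fprintf(stderr, "ASSERTION: %s\n", msg); } while (0)

// Walk the list from `first` until `placeholder`; nullptr if the list ends first.
Frame* WalkTo(Frame* first, const Frame* placeholder) {
    while (first && first != placeholder) first = first->next;
    return first;
}

// Pattern described in comment 15: assert, then dereference regardless.
int XUnchecked(Frame* first, const Frame* placeholder) {
    Frame* f = WalkTo(first, placeholder);
    MODEL_ASSERTION(f, "Must reach our placeholder before end of list!");
    return f->x;  // null dereference when the placeholder is on another list
}

// Defensive form: report failure to the caller instead of dereferencing.
bool XChecked(Frame* first, const Frame* placeholder, int* outX) {
    Frame* f = WalkTo(first, placeholder);
    if (!f) return false;    // placeholder has a different parent; caller falls back
    *outX = f->x;
    return true;
}

// Constructed scenario: a split left the placeholder on list B while the
// lookup starts from list A.
bool DemoSplitIsRejected() {
    Frame a1, a2, b1, ph;
    a1.next = &a2;            // list A: a1 -> a2
    b1.next = &ph; ph.x = 7;  // list B: b1 -> ph
    int x = -1;
    bool onA = XChecked(&a1, &ph, &x);  // false, x untouched
    bool onB = XChecked(&b1, &ph, &x);  // true, x == 7
    return !onA && onB && x == 7;
}

int main() {
    std::printf("split rejected safely: %s\n", DemoSplitIsRejected() ? "yes" : "no");
}
```
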
(Assignee)

Comment 16

14 years ago
Created attachment 133807 [details] [diff] [review]
Patch rev. 1

This fixes the crash without regressing bug 94468.
To Mats.
Assignee: block-and-inline → mats.palmgren
Comment on attachment 133807 [details] [diff] [review]
Patch rev. 1

r+sr=bzbarsky. This even leads to correct positioning of positioned
blocks-inside-inlines, since they have to start a new line normally and since
the placeholder remains in the first line.
Attachment #133807 - Flags: superreview+
Attachment #133807 - Flags: review+
I just checked this in, and the tree was even still open for 1.6a.  ;)

Mats, thanks a ton for debugging this and for the patch!
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED

Comment 20

14 years ago
*** Bug 223070 has been marked as a duplicate of this bug. ***

Comment 21

14 years ago
I just wanted to comment that this bug report is impressive in the way it features:
 - crash report with a URL and Talkback ID,
 - fix in less than 24hr,
 - reduced testcase,
 - stacks and verification on multiple OS,
 - regression window,
 - debugging explanation in comment 15,
 - and, of course, the patch, from someone else than where the regression came from,
 - teamwork: all of these were provided by different people,

PS: Sorry for the spam, let's not start a discussion here, I simply wanted to
express my happy feelings on bugzilla today :)

Updated

14 years ago
Flags: blocking1.6a?

Comment 22

8 years ago
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/afc662d52ab1
Flags: in-testsuite+
Crash Signature: [@ nsHTMLReflowState::CalculateHypotheticalBox ]