Closed Bug 225868 Opened 22 years ago Closed 21 years ago

crash [@ nsScrollBoxFrame::GetPrefSize ] when document.writing to page with html{overflow:hidden}

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(1 file)

testcase
118 bytes, text/html
Details
Steps to reproduce: 1. Load the testcase. 2. Bonk the button labeled "Crash". Result: frame: Area(html)(-1) (036C4BBC) style: 036C4B3C {} Wrong parent style context: style: 036C4A90 :-moz-scrolled-content {} should be using: style: 036C48E8 {} ###!!! ASSERTION: unexpected second call to SetInitialChildList: 'Not Reached', file c:/buildmoz/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 109 And a crash at the third line of nsScrollBoxFrame::GetPrefSize, with child=0x00000000. > gklayout.dll!nsScrollBoxFrame::GetPrefSize(nsBoxLayoutState & aBoxLayoutState={...}, nsSize & aSize={...}) Line 541 + 0xb C++ gklayout.dll!nsGfxScrollFrame::GetPrefSize(nsBoxLayoutState & aState={...}, nsSize & aSize={...}) Line 722 + 0x20 C++ gklayout.dll!nsBoxFrame::Reflow(nsIPresContext * aPresContext=0x0356d830, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 832 C++ gklayout.dll!nsGfxScrollFrame::Reflow(nsIPresContext * aPresContext=0x0356d830, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 823 + 0x19 C++ gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x036c4914, nsIPresContext * aPresContext=0x0356d830, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int aY=0, unsigned int aFlags=0, unsigned int & aStatus=0) Line 951 + 0x1f C++ gklayout.dll!CanvasFrame::Reflow(nsIPresContext * aPresContext=0x0356d830, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 570 C++ gklayout.dll!nsBoxToBlockAdaptor::Reflow(nsBoxLayoutState & aState={...}, nsIPresContext * aPresContext=0x0356d830, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0, int aX=0, int aY=0, int aWidth=12000, int aHeight=6585, int aMoveFrame=1) Line 880 C++ gklayout.dll!nsBoxToBlockAdaptor::DoLayout(nsBoxLayoutState & aState={...}) Line 626 + 0x2e C++ gklayout.dll!nsBox::Layout(nsBoxLayoutState & aState={...}) Line 997 C++ gklayout.dll!nsScrollBoxFrame::DoLayout(nsBoxLayoutState & aState={...}) Line 337 C++ gklayout.dll!nsBox::Layout(nsBoxLayoutState & aState={...}) Line 997 C++ gklayout.dll!nsBoxFrame::Reflow(nsIPresContext * aPresContext=0x0356d830, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 872 C++ gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x036c46ac, nsIPresContext * aPresContext=0x0356d830, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int aY=0, unsigned int aFlags=0, unsigned int & aStatus=0) Line 951 + 0x1f C++ gklayout.dll!ViewportFrame::Reflow(nsIPresContext * aPresContext=0x0356d830, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 262 + 0x2b C++ gklayout.dll!PresShell::InitialReflow(int aWidth=12000, int aHeight=6585) Line 2832 C++ gklayout.dll!HTMLContentSink::StartLayout() Line 3801 C++ gklayout.dll!HTMLContentSink::OpenBody(const nsIParserNode & aNode={...}) Line 2864 C++ gkparser.dll!CNavDTD::OpenBody(const nsCParserNode * aNode=0x0341c4f8) Line 3169 + 0x1f C++ gkparser.dll!CNavDTD::OpenContainer(const nsCParserNode * aNode=0x0341c4f8, nsHTMLTag aTag=eHTMLTag_body, int aClosedByStartTag=1, nsEntryStack * aStyleStack=0x00000000) Line 3404 + 0xc C++ gkparser.dll!CNavDTD::HandleDefaultStartToken(CToken * aToken=0x03677cf0, nsHTMLTag aChildTag=eHTMLTag_body, nsCParserNode * aNode=0x0341c4f8) Line 1454 + 0x14 C++ gkparser.dll!CNavDTD::HandleStartToken(CToken * aToken=0x03677cf0) Line 1832 + 0x14 C++ gkparser.dll!CNavDTD::HandleToken(CToken * aToken=0x03677cf0, nsIParser * aParser=0x02f9ce08) Line 1016 + 0xc C++ gkparser.dll!CNavDTD::HandleToken(CToken * aToken=0x03677cb0, nsIParser * aParser=0x02f9ce08) Line 983 + 0x14 C++ gkparser.dll!CNavDTD::BuildModel(nsIParser * aParser=0x02f9ce08, nsITokenizer * aTokenizer=0x0368d880, nsITokenObserver * anObserver=0x00000000, nsIContentSink * aSink=0x036b73f0) Line 508 + 0x14 C++ gkparser.dll!nsParser::BuildModel() Line 1894 + 0x22 C++ gkparser.dll!nsParser::ResumeParse(int allowIteration=0, int aIsFinalChunk=0, int aCanInterrupt=0) Line 1761 + 0xc C++ gkparser.dll!nsParser::Parse(const nsAString & aSourceBuffer={...}, void * aKey=0x80000001, const nsACString & aMimeType={...}, int aVerifyEnabled=0, int aLastCall=0, nsDTDMode aMode=eDTDMode_autodetect) Line 1644 + 0x11 C++ gklayout.dll!nsHTMLDocument::WriteCommon(const nsAString & aText={...}, int aNewlineTerminate=0) Line 2585 + 0xcb C++ gklayout.dll!nsHTMLDocument::ScriptWriteCommon(int aNewlineTerminate=0) Line 2671 + 0x16 C++ gklayout.dll!nsHTMLDocument::Write() Line 2698 C++ xpcom.dll!XPTC_InvokeByIndex(nsISupports * that=0x036ad1a0, unsigned int methodIndex=20, unsigned int paramCount=0, nsXPTCVariant * params=0x0012dca8) Line 102 C++ xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...}, XPCWrappedNative::CallMode mode=CALL_METHOD) Line 2022 + 0x1e C++ xpc3250.dll!XPC_WN_CallMethod(JSContext * cx=0x02c3e9f8, JSObject * obj=0x03659e90, unsigned int argc=1, long * argv=0x03560fd8, long * vp=0x0012df7c) Line 1272 + 0xe C++ js3250.dll!js_Invoke(JSContext * cx=0x02c3e9f8, unsigned int argc=1, unsigned int flags=0) Line 932 + 0x20 C js3250.dll!js_Interpret(JSContext * cx=0x02c3e9f8, long * result=0x0012e8e8) Line 2953 + 0xf C js3250.dll!js_Invoke(JSContext * cx=0x02c3e9f8, unsigned int argc=1, unsigned int flags=2) Line 949 + 0xd C js3250.dll!js_InternalInvoke(JSContext * cx=0x02c3e9f8, JSObject * obj=0x009a5658, long fval=10114664, unsigned int flags=0, unsigned int argc=1, long * argv=0x0012ebd0, long * rval=0x0012ea04) Line 1026 + 0x14 C js3250.dll!JS_CallFunctionValue(JSContext * cx=0x02c3e9f8, JSObject * obj=0x009a5658, long fval=10114664, unsigned int argc=1, long * argv=0x0012ebd0, long * rval=0x0012ea04) Line 3572 + 0x1f C jsdom.dll!nsJSContext::CallEventHandler(void * aTarget=0x009a5658, void * aHandler=0x009a5668, unsigned int argc=1, void * argv=0x0012ebd0, int * aBoolResult=0x0012eb1c, int aReverseReturnResult=0) Line 1219 + 0x21 C++ jsdom.dll!nsJSEventListener::HandleEvent(nsIDOMEvent * aEvent=0x02c6f130) Line 180 + 0x44 C++ gklayout.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct * aListenerStruct=0x036c19b8, nsIDOMEvent * aDOMEvent=0x02c6f130, nsIDOMEventTarget * aCurrentTarget=0x02cfd7a0, unsigned int aSubType=4, unsigned int aPhaseFlags=7) Line 1420 + 0x14 C++ gklayout.dll!nsEventListenerManager::HandleEvent(nsIPresContext * aPresContext=0x0356d830, nsEvent * aEvent=0x0012f168, nsIDOMEvent * * aDOMEvent=0x0012ef34, nsIDOMEventTarget * aCurrentTarget=0x02cfd7a0, unsigned int aFlags=7, nsEventStatus * aEventStatus=0x0012f4c8) Line 1513 + 0x37 C++ gklayout.dll!nsGenericElement::HandleDOMEvent(nsIPresContext * aPresContext=0x0356d830, nsEvent * aEvent=0x0012f168, nsIDOMEvent * * aDOMEvent=0x0012ef34, unsigned int aFlags=7, nsEventStatus * aEventStatus=0x0012f4c8) Line 1943 C++ gklayout.dll!nsHTMLButtonElement::HandleDOMEvent(nsIPresContext * aPresContext=0x0356d830, nsEvent * aEvent=0x0012f168, nsIDOMEvent * * aDOMEvent=0x00000000, unsigned int aFlags=1, nsEventStatus * aEventStatus=0x0012f4c8) Line 474 + 0x1d C++ gklayout.dll!PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f168, nsIView * aView=0x00000000, unsigned int aFlags=1, nsEventStatus * aStatus=0x0012f4c8) Line 6180 + 0x2a C++ gklayout.dll!PresShell::HandleEventWithTarget(nsEvent * aEvent=0x0012f168, nsIFrame * aFrame=0x036cc4a8, nsIContent * aContent=0x036ce740, unsigned int aFlags=1, nsEventStatus * aStatus=0x0012f4c8) Line 6137 + 0x16 C++ gklayout.dll!nsEventStateManager::CheckForAndDispatchClick(nsIPresContext * aPresContext=0x0356d830, nsMouseEvent * aEvent=0x0012f6dc, nsEventStatus * aStatus=0x0012f4c8) Line 2911 + 0x42 C++ gklayout.dll!nsEventStateManager::PostHandleEvent(nsIPresContext * aPresContext=0x0356d830, nsEvent * aEvent=0x0012f6dc, nsIFrame * aTargetFrame=0x036cc4a8, nsEventStatus * aStatus=0x0012f4c8, nsIView * aView=0x036ce628) Line 1899 + 0x17 C++ gklayout.dll!PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f6dc, nsIView * aView=0x036ce628, unsigned int aFlags=1, nsEventStatus * aStatus=0x0012f4c8) Line 6232 + 0x31 C++ gklayout.dll!PresShell::HandleEvent(nsIView * aView=0x036ce628, nsGUIEvent * aEvent=0x0012f6dc, nsEventStatus * aEventStatus=0x0012f4c8, int aForceHandle=0, int & aHandled=1) Line 6075 + 0x19 C++ gklayout.dll!nsViewManager::HandleEvent(nsView * aView=0x036ce3a0, nsGUIEvent * aEvent=0x0012f6dc, int aCaptured=0) Line 2296 C++ gklayout.dll!nsView::HandleEvent(nsViewManager * aVM=0x0356bdd8, nsGUIEvent * aEvent=0x0012f6dc, int aCaptured=0) Line 298 C++ gklayout.dll!nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012f6dc, nsEventStatus * aStatus=0x0012f5d4) Line 2033 + 0x17 C++ gklayout.dll!HandleEvent(nsGUIEvent * aEvent=0x0012f6dc) Line 79 C++ gkwidget.dll!nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f6dc, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1050 + 0xa C++ gkwidget.dll!nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012f6dc) Line 1071 C++ gkwidget.dll!nsWindow::DispatchMouseEvent(unsigned int aEventType=301, unsigned int wParam=0, nsPoint * aPoint=0x00000000) Line 5208 + 0x15 C++ gkwidget.dll!ChildWindow::DispatchMouseEvent(unsigned int aEventType=301, unsigned int wParam=0, nsPoint * aPoint=0x00000000) Line 5465 C++ gkwidget.dll!nsWindow::ProcessMessage(unsigned int msg=514, unsigned int wParam=0, long lParam=655403, long * aRetValue=0x0012fb74) Line 3995 + 0x1c C++ gkwidget.dll!nsWindow::WindowProc(HWND__ * hWnd=0x009d0216, unsigned int msg=514, unsigned int wParam=0, long lParam=655403) Line 1333 + 0x1b C++ user32.dll!77d43a50() user32.dll!77d43b1f() user32.dll!77d43d79() user32.dll!77d43ddf() appshell.dll!nsAppShellService::Run() Line 484 C++ MozillaFirebird.exe!main1(int argc=2, char * * argv=0x002b85a0, nsISupports * nativeApp=0x0099fa30, const nsXREAppData & aAppData={...}) Line 1282 + 0x20 C++ MozillaFirebird.exe!xre_main(int argc=2, char * * argv=0x002b85a0, const nsXREAppData & aAppData={...}) Line 1716 + 0x29 C++ MozillaFirebird.exe!main(int argc=2, char * * argv=0x002b85a0) Line 51 + 0x11 C++ MozillaFirebird.exe!mainCRTStartup() Line 400 + 0x11 C kernel32.dll!77e814c7() (I found this bug by typing "<link rel=stylesheet href=" into http://www.squarefree.com/htmledit/. That loads editbox.html as a CSS file. The inline stylesheet in editbox.html then gets interpreted.)
Attached file testcase
WFM on Mozilla 1.5 / Win98: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.5) Gecko/20030925 (sorry, nothing else to test on right now...)
This wouldn't show up in 1.5, since overflow:hidden did not create a scrollframe in 1.5.... Maybe we're not completely tearing down the frames for the root element when we remove it in nsHTMLDocument::OpenCommon?
See also bug 78070
Depends on: 78070
OS: All (crash on Linux as well)
OS: Windows XP → All
*** Bug 236280 has been marked as a duplicate of this bug. ***
*** Bug 234971 has been marked as a duplicate of this bug. ***
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040902 The testcase WFM. Does it still crash anybody else?
Also WFM on WinXP with recent nightly: -- does it still crash on linux?
WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040828 Firefox/0.9.1+
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → WORKSFORME
Flags: in-testsuite?
Crashtest: http://hg.mozilla.org/mozilla-central/rev/863b7b97208b
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsScrollBoxFrame::GetPrefSize ]
Product: Core → Core Graveyard
Component: Layout: Misc Code → Layout
Product: Core Graveyard → Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: