Closed Bug 225868 Opened 21 years ago Closed 20 years ago

crash [@ nsScrollBoxFrame::GetPrefSize ] when document.writing to page with html{overflow:hidden}

Categories: Core :: Layout, defect
Platform: x86, All
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED WORKSFORME
People: Reporter: jruderman, Unassigned
Keywords: crash, testcase
Attachments: 1 file

Steps to reproduce:
1. Load the testcase.
2. Bonk the button labeled "Crash".

Result:

frame: Area(html)(-1) (036C4BBC) style: 036C4B3C {}
Wrong parent style context:  style: 036C4A90 :-moz-scrolled-content {}
should be using:  style: 036C48E8 {}

###!!! ASSERTION: unexpected second call to SetInitialChildList: 'Not Reached',
file c:/buildmoz/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 109

And a crash at the third line of nsScrollBoxFrame::GetPrefSize, with
child=0x00000000.

>	gklayout.dll!nsScrollBoxFrame::GetPrefSize(nsBoxLayoutState &
aBoxLayoutState={...}, nsSize & aSize={...})  Line 541 + 0xb	C++
 	gklayout.dll!nsGfxScrollFrame::GetPrefSize(nsBoxLayoutState & aState={...},
nsSize & aSize={...})  Line 722 + 0x20	C++
 	gklayout.dll!nsBoxFrame::Reflow(nsIPresContext * aPresContext=0x0356d830,
nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState &
aReflowState={...}, unsigned int & aStatus=0)  Line 832	C++
 	gklayout.dll!nsGfxScrollFrame::Reflow(nsIPresContext *
aPresContext=0x0356d830, nsHTMLReflowMetrics & aDesiredSize={...}, const
nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0)  Line 823 +
0x19	C++
 	gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x036c4914,
nsIPresContext * aPresContext=0x0356d830, nsHTMLReflowMetrics &
aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int
aY=0, unsigned int aFlags=0, unsigned int & aStatus=0)  Line 951 + 0x1f	C++
 	gklayout.dll!CanvasFrame::Reflow(nsIPresContext * aPresContext=0x0356d830,
nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState &
aReflowState={...}, unsigned int & aStatus=0)  Line 570	C++
 	gklayout.dll!nsBoxToBlockAdaptor::Reflow(nsBoxLayoutState & aState={...},
nsIPresContext * aPresContext=0x0356d830, nsHTMLReflowMetrics &
aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int &
aStatus=0, int aX=0, int aY=0, int aWidth=12000, int aHeight=6585, int
aMoveFrame=1)  Line 880	C++
 	gklayout.dll!nsBoxToBlockAdaptor::DoLayout(nsBoxLayoutState & aState={...}) 
Line 626 + 0x2e	C++
 	gklayout.dll!nsBox::Layout(nsBoxLayoutState & aState={...})  Line 997	C++
 	gklayout.dll!nsScrollBoxFrame::DoLayout(nsBoxLayoutState & aState={...}) 
Line 337	C++
 	gklayout.dll!nsBox::Layout(nsBoxLayoutState & aState={...})  Line 997	C++
 	gklayout.dll!nsBoxFrame::Reflow(nsIPresContext * aPresContext=0x0356d830,
nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState &
aReflowState={...}, unsigned int & aStatus=0)  Line 872	C++
 	gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x036c46ac,
nsIPresContext * aPresContext=0x0356d830, nsHTMLReflowMetrics &
aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int
aY=0, unsigned int aFlags=0, unsigned int & aStatus=0)  Line 951 + 0x1f	C++
 	gklayout.dll!ViewportFrame::Reflow(nsIPresContext * aPresContext=0x0356d830,
nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState &
aReflowState={...}, unsigned int & aStatus=0)  Line 262 + 0x2b	C++
 	gklayout.dll!PresShell::InitialReflow(int aWidth=12000, int aHeight=6585) 
Line 2832	C++
 	gklayout.dll!HTMLContentSink::StartLayout()  Line 3801	C++
 	gklayout.dll!HTMLContentSink::OpenBody(const nsIParserNode & aNode={...}) 
Line 2864	C++
 	gkparser.dll!CNavDTD::OpenBody(const nsCParserNode * aNode=0x0341c4f8)  Line
3169 + 0x1f	C++
 	gkparser.dll!CNavDTD::OpenContainer(const nsCParserNode * aNode=0x0341c4f8,
nsHTMLTag aTag=eHTMLTag_body, int aClosedByStartTag=1, nsEntryStack *
aStyleStack=0x00000000)  Line 3404 + 0xc	C++
 	gkparser.dll!CNavDTD::HandleDefaultStartToken(CToken * aToken=0x03677cf0,
nsHTMLTag aChildTag=eHTMLTag_body, nsCParserNode * aNode=0x0341c4f8)  Line
1454 + 0x14	C++
 	gkparser.dll!CNavDTD::HandleStartToken(CToken * aToken=0x03677cf0)  Line
1832 + 0x14	C++
 	gkparser.dll!CNavDTD::HandleToken(CToken * aToken=0x03677cf0, nsIParser *
aParser=0x02f9ce08)  Line 1016 + 0xc	C++
 	gkparser.dll!CNavDTD::HandleToken(CToken * aToken=0x03677cb0, nsIParser *
aParser=0x02f9ce08)  Line 983 + 0x14	C++
 	gkparser.dll!CNavDTD::BuildModel(nsIParser * aParser=0x02f9ce08, nsITokenizer
* aTokenizer=0x0368d880, nsITokenObserver * anObserver=0x00000000,
nsIContentSink * aSink=0x036b73f0)  Line 508 + 0x14	C++
 	gkparser.dll!nsParser::BuildModel()  Line 1894 + 0x22	C++
 	gkparser.dll!nsParser::ResumeParse(int allowIteration=0, int aIsFinalChunk=0,
int aCanInterrupt=0)  Line 1761 + 0xc	C++
 	gkparser.dll!nsParser::Parse(const nsAString & aSourceBuffer={...}, void *
aKey=0x80000001, const nsACString & aMimeType={...}, int aVerifyEnabled=0, int
aLastCall=0, nsDTDMode aMode=eDTDMode_autodetect)  Line 1644 + 0x11	C++
 	gklayout.dll!nsHTMLDocument::WriteCommon(const nsAString & aText={...}, int
aNewlineTerminate=0)  Line 2585 + 0xcb	C++
 	gklayout.dll!nsHTMLDocument::ScriptWriteCommon(int aNewlineTerminate=0)  Line
2671 + 0x16	C++
 	gklayout.dll!nsHTMLDocument::Write()  Line 2698	C++
 	xpcom.dll!XPTC_InvokeByIndex(nsISupports * that=0x036ad1a0, unsigned int
methodIndex=20, unsigned int paramCount=0, nsXPTCVariant * params=0x0012dca8)
 Line 102	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...},
XPCWrappedNative::CallMode mode=CALL_METHOD)  Line 2022 + 0x1e	C++
 	xpc3250.dll!XPC_WN_CallMethod(JSContext * cx=0x02c3e9f8, JSObject *
obj=0x03659e90, unsigned int argc=1, long * argv=0x03560fd8, long *
vp=0x0012df7c)  Line 1272 + 0xe	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x02c3e9f8, unsigned int argc=1, unsigned
int flags=0)  Line 932 + 0x20	C
 	js3250.dll!js_Interpret(JSContext * cx=0x02c3e9f8, long * result=0x0012e8e8) 
Line 2953 + 0xf	C
 	js3250.dll!js_Invoke(JSContext * cx=0x02c3e9f8, unsigned int argc=1, unsigned
int flags=2)  Line 949 + 0xd	C
 	js3250.dll!js_InternalInvoke(JSContext * cx=0x02c3e9f8, JSObject *
obj=0x009a5658, long fval=10114664, unsigned int flags=0, unsigned int argc=1,
long * argv=0x0012ebd0, long * rval=0x0012ea04)  Line 1026 + 0x14	C
 	js3250.dll!JS_CallFunctionValue(JSContext * cx=0x02c3e9f8, JSObject *
obj=0x009a5658, long fval=10114664, unsigned int argc=1, long * argv=0x0012ebd0,
long * rval=0x0012ea04)  Line 3572 + 0x1f	C
 	jsdom.dll!nsJSContext::CallEventHandler(void * aTarget=0x009a5658, void *
aHandler=0x009a5668, unsigned int argc=1, void * argv=0x0012ebd0, int *
aBoolResult=0x0012eb1c, int aReverseReturnResult=0)  Line 1219 + 0x21	C++
 	jsdom.dll!nsJSEventListener::HandleEvent(nsIDOMEvent * aEvent=0x02c6f130) 
Line 180 + 0x44	C++
 	gklayout.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct *
aListenerStruct=0x036c19b8, nsIDOMEvent * aDOMEvent=0x02c6f130,
nsIDOMEventTarget * aCurrentTarget=0x02cfd7a0, unsigned int aSubType=4, unsigned
int aPhaseFlags=7)  Line 1420 + 0x14	C++
 	gklayout.dll!nsEventListenerManager::HandleEvent(nsIPresContext *
aPresContext=0x0356d830, nsEvent * aEvent=0x0012f168, nsIDOMEvent * *
aDOMEvent=0x0012ef34, nsIDOMEventTarget * aCurrentTarget=0x02cfd7a0, unsigned
int aFlags=7, nsEventStatus * aEventStatus=0x0012f4c8)  Line 1513 + 0x37	C++
 	gklayout.dll!nsGenericElement::HandleDOMEvent(nsIPresContext *
aPresContext=0x0356d830, nsEvent * aEvent=0x0012f168, nsIDOMEvent * *
aDOMEvent=0x0012ef34, unsigned int aFlags=7, nsEventStatus *
aEventStatus=0x0012f4c8)  Line 1943	C++
 	gklayout.dll!nsHTMLButtonElement::HandleDOMEvent(nsIPresContext *
aPresContext=0x0356d830, nsEvent * aEvent=0x0012f168, nsIDOMEvent * *
aDOMEvent=0x00000000, unsigned int aFlags=1, nsEventStatus *
aEventStatus=0x0012f4c8)  Line 474 + 0x1d	C++
 	gklayout.dll!PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f168,
nsIView * aView=0x00000000, unsigned int aFlags=1, nsEventStatus *
aStatus=0x0012f4c8)  Line 6180 + 0x2a	C++
 	gklayout.dll!PresShell::HandleEventWithTarget(nsEvent * aEvent=0x0012f168,
nsIFrame * aFrame=0x036cc4a8, nsIContent * aContent=0x036ce740, unsigned int
aFlags=1, nsEventStatus * aStatus=0x0012f4c8)  Line 6137 + 0x16	C++
 	gklayout.dll!nsEventStateManager::CheckForAndDispatchClick(nsIPresContext *
aPresContext=0x0356d830, nsMouseEvent * aEvent=0x0012f6dc, nsEventStatus *
aStatus=0x0012f4c8)  Line 2911 + 0x42	C++
 	gklayout.dll!nsEventStateManager::PostHandleEvent(nsIPresContext *
aPresContext=0x0356d830, nsEvent * aEvent=0x0012f6dc, nsIFrame *
aTargetFrame=0x036cc4a8, nsEventStatus * aStatus=0x0012f4c8, nsIView *
aView=0x036ce628)  Line 1899 + 0x17	C++
 	gklayout.dll!PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f6dc,
nsIView * aView=0x036ce628, unsigned int aFlags=1, nsEventStatus *
aStatus=0x0012f4c8)  Line 6232 + 0x31	C++
 	gklayout.dll!PresShell::HandleEvent(nsIView * aView=0x036ce628, nsGUIEvent *
aEvent=0x0012f6dc, nsEventStatus * aEventStatus=0x0012f4c8, int aForceHandle=0,
int & aHandled=1)  Line 6075 + 0x19	C++
 	gklayout.dll!nsViewManager::HandleEvent(nsView * aView=0x036ce3a0, nsGUIEvent
* aEvent=0x0012f6dc, int aCaptured=0)  Line 2296	C++
 	gklayout.dll!nsView::HandleEvent(nsViewManager * aVM=0x0356bdd8, nsGUIEvent *
aEvent=0x0012f6dc, int aCaptured=0)  Line 298	C++
 	gklayout.dll!nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012f6dc,
nsEventStatus * aStatus=0x0012f5d4)  Line 2033 + 0x17	C++
 	gklayout.dll!HandleEvent(nsGUIEvent * aEvent=0x0012f6dc)  Line 79	C++
 	gkwidget.dll!nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f6dc,
nsEventStatus & aStatus=nsEventStatus_eIgnore)  Line 1050 + 0xa	C++
 	gkwidget.dll!nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012f6dc) 
Line 1071	C++
 	gkwidget.dll!nsWindow::DispatchMouseEvent(unsigned int aEventType=301,
unsigned int wParam=0, nsPoint * aPoint=0x00000000)  Line 5208 + 0x15	C++
 	gkwidget.dll!ChildWindow::DispatchMouseEvent(unsigned int aEventType=301,
unsigned int wParam=0, nsPoint * aPoint=0x00000000)  Line 5465	C++
 	gkwidget.dll!nsWindow::ProcessMessage(unsigned int msg=514, unsigned int
wParam=0, long lParam=655403, long * aRetValue=0x0012fb74)  Line 3995 + 0x1c	C++
 	gkwidget.dll!nsWindow::WindowProc(HWND__ * hWnd=0x009d0216, unsigned int
msg=514, unsigned int wParam=0, long lParam=655403)  Line 1333 + 0x1b	C++
 	user32.dll!77d43a50() 	
 	user32.dll!77d43b1f() 	
 	user32.dll!77d43d79() 	
 	user32.dll!77d43ddf() 	
 	appshell.dll!nsAppShellService::Run()  Line 484	C++
 	MozillaFirebird.exe!main1(int argc=2, char * * argv=0x002b85a0, nsISupports *
nativeApp=0x0099fa30, const nsXREAppData & aAppData={...})  Line 1282 + 0x20	C++
 	MozillaFirebird.exe!xre_main(int argc=2, char * * argv=0x002b85a0, const
nsXREAppData & aAppData={...})  Line 1716 + 0x29	C++
 	MozillaFirebird.exe!main(int argc=2, char * * argv=0x002b85a0)  Line 51 + 0x11	C++
 	MozillaFirebird.exe!mainCRTStartup()  Line 400 + 0x11	C
 	kernel32.dll!77e814c7() 	

(I found this bug by typing "<link rel=stylesheet href=" into
http://www.squarefree.com/htmledit/. That loads editbox.html as a CSS file.  The
inline stylesheet in editbox.html then gets interpreted.)
Attached file testcase
WFM on Mozilla 1.5 / Win98: 
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.5) Gecko/20030925
(sorry, nothing else to test on right now...)
This wouldn't show up in 1.5, since overflow:hidden did not create a scrollframe
in 1.5....

Maybe we're not completely tearing down the frames for the root element when we
remove it in nsHTMLDocument::OpenCommon?
See also bug 78070 
Depends on: 78070
OS: All (crash on Linux as well)
OS: Windows XP → All
*** Bug 236280 has been marked as a duplicate of this bug. ***
*** Bug 234971 has been marked as a duplicate of this bug. ***
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040902
The testcase WFM.  Does it still crash anybody else?
Also WFM on WinXP with recent nightly: -- does it still crash on Linux?
WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040828
Firefox/0.9.1+
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
Flags: in-testsuite?
Crashtest:
http://hg.mozilla.org/mozilla-central/rev/863b7b97208b
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsScrollBoxFrame::GetPrefSize ]
Product: Core → Core Graveyard
Component: Layout: Misc Code → Layout
Product: Core Graveyard → Core