Closed Bug 229263 Opened 21 years ago Closed 20 years ago

crashes at hixie.ch by switching stylesheet [@ nsHTMLContainerFrame::CreateViewForFrame] [@nsLineBox::GetAscent]

Product/Component: Core :: CSS Parsing and Computation
Type: defect
Hardware: x86
OS: All
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 231776
Reporter: sekundes
Assignee: dbaron
Keywords: crash, testcase
Attachments: 1 file

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.6b) Gecko/20031208
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.6b) Gecko/20031208

crashes at hixie.ch by switching stylesheet

Reproducible: Always

Steps to Reproduce:
1. Go to http://hixie.ch/.
2. Use the style "Orange".
Actual Results:  
Application Error.

Expected Results:  
Works.
OS -> All, I'm seeing this on 1.6b Linux

Seeing if I can get a testcase now
OS: Windows 2000 → All
Okay, it's these three style declarations working together

html { display: table; }
body { display: table-cell; }
h1 { position: absolute; top: 0; right: 0; }

I haven't done anything with the html yet.

I can get logs of anything if people tell me how... RH Linux 9
All right, the html doesn't seem to affect it, it crashes with just

<html>
<head>
<link rel='alternate stylesheet' href='hixie.ch_files/a.css' type='text/css'
title='crashtest' />
<title>blah</title>
</head>
<body>
<h1>blah</h1>
</body>
</html>

Moving this over to style and confirming.
Assignee: general → dbaron
Status: UNCONFIRMED → NEW
Component: Browser-General → Style System (CSS)
Ever confirmed: true
QA Contact: general → ian
TB27847119Y, TB27846837W tested with Mozilla 1.5
I recommend using TB27847119Y as it was done after reboot, and first pageload
besides loading this bug.

I'm seeing this crash with 1.4.1, 1.5 and current nightly:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7a) Gecko/20031222

I didn't test 1.6, 1.6b
I can test with latest Netscape Release if the talkback from there would be of
any use.
Keywords: crash
From the source: 

 <link rel="stylesheet" href="/resources/style/spaced.css" type="text/css"
media="all" title="Spaced">
  <link rel="alternate stylesheet" href="/resources/style/orange/"
type="text/css" title="Orange" media="all">
  <link rel="alternate stylesheet" href="/resources/style/debug.css"
type="text/css" title="Debugging" media="all">

compare:
http://hixie.ch/resources/style/spaced.css
http://hixie.ch/resources/style/orange/

The weird filename isn't the crasher, and in fact when I was testcasing the
filename was a.css as you can see in comment 3

cc'ing myself since I forgot to before...
Stacktrace for this crash:
GKLAYOUT! nsLineBox::GetAscent(void) + 10 bytes
GKLAYOUT! nsIFrame::GetView(void) + 17 bytes
GKLAYOUT! nsHTMLContainerFrame::CreateViewForFrame(class nsIFrame *,class 
nsIFrame *,int) + 73 bytes
GKLAYOUT! nsCSSFrameConstructor::ConstructFrameByDisplayType(class nsIPresShell 
*,class nsIPresContext *,class nsFrameConstructorState &,struct nsStyleDisplay 
const *,class nsIContent *,int,class nsIAtom *,class nsIFrame *,class 
nsStyleContext *,struct nsFrameItems &) + 1162 bytes
GKLAYOUT! nsCSSFrameConstructor::ConstructFrameInternal(class nsIPresShell 
*,class nsIPresContext *,class nsFrameConstructorState &,class nsIContent 
*,class nsIFrame *,class nsIAtom *,int,class nsStyleContext *,struct 
nsFrameItems &,int) + 1031 bytes
GKLAYOUT! nsCSSFrameConstructor::ConstructFrame(class nsIPresShell *,class 
nsIPresContext *,class nsFrameConstructorState &,class nsIContent *,class 
nsIFrame *,struct nsFrameItems &) + 272 bytes
GKLAYOUT! nsCSSFrameConstructor::ProcessChildren(class nsIPresShell *,class 
nsIPresContext *,class nsFrameConstructorState &,class nsIContent *,class 
nsIFrame *,int,struct nsFrameItems &,int,struct nsTableCreator *) + 318 bytes
GKLAYOUT! nsCSSFrameConstructor::ConstructTableCellFrame(class nsIPresShell 
*,class nsIPresContext *,class nsFrameConstructorState &,class nsIContent 
*,class nsIFrame *,class nsStyleContext *,struct nsTableCreator &,int,struct 
nsFrameItems &,class nsIFrame * &,class nsIFrame * &,int &) + 584 bytes
GKLAYOUT! nsCSSFrameConstructor::TableProcessChild(class nsIPresShell *,class 
nsIPresContext *,class nsFrameConstructorState &,class nsIContent *,class 
nsIContent *,class nsIFrame *,class nsIAtom *,class nsStyleContext *,struct 
nsTableCreator &,struct nsFrameItems &,class nsIFrame * &) + 738 bytes
GKLAYOUT! nsCSSFrameConstructor::TableProcessChildren(class nsIPresShell 
*,class nsIPresContext *,class nsFrameConstructorState &,class nsIContent 
*,class nsIFrame *,struct nsTableCreator &,struct nsFrameItems &,class nsIFrame 
* &) + 442 bytes
GKLAYOUT! nsCSSFrameConstructor::ConstructTableFrame(class nsIPresShell *,class 
nsIPresContext *,class nsFrameConstructorState &,class nsIContent *,class 
nsIFrame *,class nsIFrame *,class nsStyleContext *,struct nsTableCreator 
&,int,struct nsFrameItems &,class nsIFrame * &,class nsIFrame * &,int &) + 442 
bytes
GKLAYOUT! nsCSSFrameConstructor::ConstructFrameByDisplayType(class nsIPresShell 
*,class nsIPresContext *,class nsFrameConstructorState &,struct nsStyleDisplay 
const *,class nsIContent *,int,class nsIAtom *,class nsIFrame *,class 
nsStyleContext *,struct nsFrameItems &) + 2837 bytes
GKLAYOUT! nsCSSFrameConstructor::ConstructFrameInternal(class nsIPresShell 
*,class nsIPresContext *,class nsFrameConstructorState &,class nsIContent 
*,class nsIFrame *,class nsIAtom *,int,class nsStyleContext *,struct 
nsFrameItems &,int) + 1031 bytes
GKLAYOUT! nsCSSFrameConstructor::ConstructFrame(class nsIPresShell *,class 
nsIPresContext *,class nsFrameConstructorState &,class nsIContent *,class 
nsIFrame *,struct nsFrameItems &) + 272 bytes
GKLAYOUT! nsCSSFrameConstructor::ConstructDocElementTableFrame(class 
nsIPresShell *,class nsIPresContext *,class nsIContent *,class nsIFrame *,class 
nsIFrame * &,class nsILayoutHistoryState *) + 94 bytes
GKLAYOUT! nsCSSFrameConstructor::ConstructDocElementFrame(class nsIPresShell 
*,class nsIPresContext *,class nsFrameConstructorState &,class nsIContent 
*,class nsIFrame *,class nsStyleContext *,class nsIFrame * &) + 982 bytes
GKLAYOUT! nsCSSFrameConstructor::ReconstructDocElementHierarchy(class 
nsIPresContext *) + 635 bytes
GKLAYOUT! nsCSSFrameConstructor::RecreateFramesForContent(class nsIPresContext 
*,class nsIContent *) + 538 bytes
GKLAYOUT! nsCSSFrameConstructor::ProcessRestyledFrames(class nsStyleChangeList 
&,class nsIPresContext *) + 313 bytes
GKLAYOUT! PresShell::ReconstructStyleData(void) + 498 bytes
GKLAYOUT! PresShell::EndUpdate(class nsIDocument *,unsigned int) + 48 bytes
GKLAYOUT! nsDocument::EndUpdate(unsigned int) + 89 bytes
GKLAYOUT! CSSStyleSheetImpl::SetDisabled(int) + 159 bytes
XPCOM! XPTC_InvokeByIndex + 39 bytes
XPC3250! XPCWrappedNative::CallMethod(class XPCCallContext &,enum 
XPCWrappedNative::CallMode) + 3875 bytes
XPC3250! XPCWrappedNative::SetAttribute(class XPCCallContext &) + 14 bytes
XPC3250! XPC_WN_GetterSetter(struct JSContext *,struct JSObject *,unsigned 
int,long *,long *) + 329 bytes
JS3250! js_Invoke + 2557 bytes
JS3250! js_InternalInvoke + 225 bytes
JS3250! js_InternalGetOrSet + 296 bytes
JS3250! js_SetProperty + 743 bytes
JS3250! js_Interpret + 38551 bytes
JS3250! js_Invoke + 2653 bytes
JS3250! js_InternalInvoke + 225 bytes
JS3250! JS_CallFunctionValue + 34 bytes
JSDOM! nsJSContext::CallEventHandler(void *,void *,unsigned int,void *,int *) + 
367 bytes
JSDOM! nsJSEventListener::HandleEvent(class nsIDOMEvent *) + 1859 bytes
GKLAYOUT! nsEventListenerManager::HandleEventSubType(struct nsListenerStruct 
*,class nsIDOMEvent *,class nsIDOMEventTarget *,unsigned int,unsigned int) + 
690 bytes
GKLAYOUT! nsEventListenerManager::HandleEvent(class nsIPresContext *,struct 
nsEvent *,class nsIDOMEvent * *,class nsIDOMEventTarget *,unsigned int,enum 
nsEventStatus *) + 749 bytes
GKLAYOUT! nsXULElement::HandleDOMEvent(class nsIPresContext *,struct nsEvent 
*,class nsIDOMEvent * *,unsigned int,enum nsEventStatus *) + 3429 bytes
GKLAYOUT! nsXULElement::HandleDOMEvent(class nsIPresContext *,struct nsEvent 
*,class nsIDOMEvent * *,unsigned int,enum nsEventStatus *) + 3719 bytes
GKLAYOUT! nsXULElement::HandleDOMEvent(class nsIPresContext *,struct nsEvent 
*,class nsIDOMEvent * *,unsigned int,enum nsEventStatus *) + 3719 bytes
GKLAYOUT! nsXULElement::HandleDOMEvent(class nsIPresContext *,struct nsEvent 
*,class nsIDOMEvent * *,unsigned int,enum nsEventStatus *) + 3719 bytes
GKLAYOUT! nsXULElement::HandleDOMEvent(class nsIPresContext *,struct nsEvent 
*,class nsIDOMEvent * *,unsigned int,enum nsEventStatus *) + 3719 bytes
GKLAYOUT! PresShell::HandleDOMEventWithTarget(class nsIContent *,struct nsEvent 
*,enum nsEventStatus *) + 145 bytes
GKLAYOUT! nsMenuFrame::Execute(struct nsGUIEvent *) + 767 bytes
GKLAYOUT! nsMenuFrame::HandleEvent(class nsIPresContext *,struct nsGUIEvent 
*,enum nsEventStatus *) + 697 bytes
GKLAYOUT! PresShell::HandleEventInternal(struct nsEvent *,class nsIView 
*,unsigned int,enum nsEventStatus *) + 949 bytes
GKLAYOUT! PresShell::HandleEvent(class nsIView *,struct nsGUIEvent *,enum 
nsEventStatus *,int,int &) + 1386 bytes
Summary: crashes at hixie.ch by switching stylesheet → crashes at hixie.ch by switching stylesheet [@nsLineBox::GetAscent]
In my Linux trunk build from this morning:

(gdb) bt 5
#0  0x40ec26a4 in nsIFrame::GetStateBits() const (this=0x0) at nsIFrame.h:791
#1  0x40eea042 in nsIFrame::GetView() const (this=0x0) at nsFrame.cpp:2303
#2  0x40f043a2 in nsHTMLContainerFrame::CreateViewForFrame(nsIFrame*, nsIFrame*, int) (aFrame=0x89191dc, aContentParentFrame=0x890a358, aForce=0)
    at nsHTMLContainerFrame.cpp:544
#3  0x40fc11db in nsCSSFrameConstructor::ConstructFrameByDisplayType(nsIPresShell*, nsIPresContext*, nsFrameConstructorState&, nsStyleDisplay const*, nsIContent*, int, nsIAtom*, nsIFrame*, nsStyleContext*, nsFrameItems&) (
    this=0x8829b20, aPresShell=0x883c3a8, aPresContext=0x8760408,
    aState=@0xbfffc0dc, aDisplay=0x885f23c, aContent=0x890ee50,
    aNameSpaceID=3, aTag=0x0, aParentFrame=0x890a358,
    aStyleContext=0x8918d68, aFrameItems=@0xbfffbaa4)
    at nsCSSFrameConstructor.cpp:6207
#4  0x40fc26a7 in nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell*, nsIPresContext*, nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int) (this=0x8829b20,
    aPresShell=0x883c3a8, aPresContext=0x8760408, aState=@0xbfffc0dc,
    aContent=0x890ee50, aParentFrame=0x890a358, aTag=0x80cf2c0,
    aNameSpaceID=3, aStyleContext=0xbfffb6a4, aFrameItems=@0xbfffbaa4,
    aXBLBaseTag=0) at nsCSSFrameConstructor.cpp:7182

(gdb) f 2
#2  0x40f043a2 in nsHTMLContainerFrame::CreateViewForFrame(nsIFrame*, nsIFrame*, int) (aFrame=0x89191dc, aContentParentFrame=0x890a358, aForce=0)
    at nsHTMLContainerFrame.cpp:544
544       nsIView* parentView = parent->GetView();
(gdb) p parent
$1 = (class nsIFrame *) 0x0
Attached file Testcase
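
The gdb session above shows `this=0x0` in frames #0 and #1, so the frame that matters for triage is the first caller holding a real object, frame #2 at nsHTMLContainerFrame.cpp:544. As an added example (not part of the bug report and not Mozilla tooling), this Python sketch automates that reading and renders the result in the `[@ ...]` form used in the bug summary; the helper names are hypothetical and the sample is the top of the quoted backtrace with its wrapped lines joined.

```python
import re

# Constructed sample: top three frames of the gdb backtrace quoted in the bug,
# with the wrapped lines joined (values copied from the comment).
SAMPLE_BT = """\
#0  0x40ec26a4 in nsIFrame::GetStateBits() const (this=0x0) at nsIFrame.h:791
#1  0x40eea042 in nsIFrame::GetView() const (this=0x0) at nsFrame.cpp:2303
#2  0x40f043a2 in nsHTMLContainerFrame::CreateViewForFrame(nsIFrame*, nsIFrame*, int) (aFrame=0x89191dc, aContentParentFrame=0x890a358, aForce=0) at nsHTMLContainerFrame.cpp:544
"""

# "#N  [0xADDR in ]function (args) at file:line"; the function text may itself
# contain a parameter list, so args is the last (...) group before " at ".
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>.+?)\s+\((?P<args>[^()]*)\)"
    r"\s+at (?P<file>[^:\s]+):(?P<line>\d+)$"
)

def parse_frames(backtrace):
    """Parse one-line-per-frame gdb output into dicts (hypothetical helper)."""
    frames = []
    for line in backtrace.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        args = dict(a.split("=", 1) for a in m["args"].split(", ") if "=" in a)
        frames.append({"num": int(m["num"]), "func": m["func"], "args": args,
                       "file": m["file"], "line": int(m["line"])})
    return frames

def null_this_caller(frames):
    """Skip the leading frames that run on a null object; return
    (last such frame, the frame that made the call), or None."""
    i = 0
    while i < len(frames) and frames[i]["args"].get("this") in ("0x0", "0"):
        i += 1
    if i == 0 or i == len(frames):
        return None
    return frames[i - 1], frames[i]

def signature(frame):
    """Render a frame in the '[@ Class::Method]' form used in the bug summary."""
    return "[@ %s]" % frame["func"].split("(", 1)[0]

if __name__ == "__main__":
    callee, caller = null_this_caller(parse_frames(SAMPLE_BT))
    print(signature(caller), "%s:%d" % (caller["file"], caller["line"]),
          "called", signature(callee), "on a null pointer")
```
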
The stack is similar to 131008 (see bug 131008 comment 8)
Keywords: testcase
I noticed the same bug on Mac OS X, but I attached the report (attachment
137898) to bug 131008, before I found this bug. It seems Matt is right, we came
both to the same conclusion.
Depends on: 131008
Add a virtual *** Bug xxxxxx has been marked as a duplicate of this bug. *** here.

I just discovered this bug and went through the process of isolating the
offending code (dummy - before doing a Bugzilla search).  The testcase is nearly
exactly what I found, but it isn't a true testcase in that more code can still
be removed:  the "top: 0; right: 0;" CSS code is unnecessary, and Mozilla
(Firebird) crashes just as "well" when those two rules are removed.

I can upload my testcase if desired, but for such a small change it probably
isn't necessary.
The testcase Mats attached is showing bug 231776, methinks.
Depends on: 231776
The culprit is nsHTMLContainerFrame::CreateViewForFrame (see comment 7 and
comment 8) so bug 231776 is a duplicate of this one, methinks ;-)
Summary: crashes at hixie.ch by switching stylesheet [@nsLineBox::GetAscent] → crashes at hixie.ch by switching stylesheet [@ nsHTMLContainerFrame::CreateViewForFrame] [@nsLineBox::GetAscent]
Sure thing, but that bug has only three comments, all to the point, which
include an explanation of which code is causing the problem and what we should
do to solve it... ;)

*** This bug has been marked as a duplicate of 231776 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
*** Bug 236576 has been marked as a duplicate of this bug. ***
Crash Signature: [@ nsHTMLContainerFrame::CreateViewForFrame] [@nsLineBox::GetAscent]