Closed Bug 233956 Opened 21 years ago Closed 19 years ago

DOM 1 Core TS with SVG content crashes

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: bc, Assigned: alex)

References

(
URL
)

Details

(Keywords: crash)

Attachments

(2 files)

console log zip
8.24 KB, application/zip
Details
hc_characterdataappenddata.zip
32.39 KB, application/zip
Details 
Running the DOM 1 Core TS with SVG hangs Mozilla with the following as the last
assert.

###!!! ASSERTION: SpaceManager should be set in nsBlockReflowState:
'mSpaceManager', file
c:/work/mozilla_source/trunk/mozilla/layout/html/base/src/nsBlockReflowState.cpp,
line 91
###!!! ASSERTION: null pointer: 'aSpaceManager', file
c:/work/mozilla_source/trunk/mozilla/layout/html/base/src/nsBlockBandData.cpp,
line 68

The browser is actually somewhat responsive but the menu options for javascript
console, prefs etc are not responsive. Full console log coming up.
Attached file console log zip 
Console log. Note that these tests ran ok with other XML, HTML, XHTML content.
Only SVG horked the browser.
"reduced" test case crashes with the following stack

nsSpaceManager::GetTranslation(int & 0, int & 0) line 196 + 13 bytes
nsBlockBandData::Init(nsSpaceManager * 0x00000000, const nsSize & {...}) line 73
nsBlockReflowState::nsBlockReflowState(const nsHTMLReflowState & {...},
nsIPresContext * 0x02d99448, nsBlockFrame * 0x030fe8f4, const
nsHTMLReflowMetrics & {...}, int 0) line 150
nsBlockFrame::Reflow(nsBlockFrame * const 0x030fe8f4, nsIPresContext *
0x02d99448, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 662
nsSVGOuterSVGFrame::Reflow(nsSVGOuterSVGFrame * const 0x030fe278, nsIPresContext
* 0x02d99448, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 402
nsContainerFrame::ReflowChild(nsIFrame * 0x030fe278, nsIPresContext *
0x02d99448, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0,
int 0, unsigned int 0, unsigned int & 0) line 935 + 31 bytes
CanvasFrame::Reflow(CanvasFrame * const 0x027b8554, nsIPresContext * 0x02d99448,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 563
nsBoxToBlockAdaptor::Reflow(nsBoxLayoutState & {...}, nsIPresContext *
0x02d99448, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0, int 0, int 0, int 4500, int 2250, int 1) line 880
nsBoxToBlockAdaptor::DoLayout(nsBoxToBlockAdaptor * const 0x030fe1e8,
nsBoxLayoutState & {...}) line 626 + 46 bytes
nsBox::Layout(nsBox * const 0x030fe1e8, nsBoxLayoutState & {...}) line 994
nsScrollBoxFrame::DoLayout(nsScrollBoxFrame * const 0x027b8880, nsBoxLayoutState
& {...}) line 337
nsBox::Layout(nsBox * const 0x027b8880, nsBoxLayoutState & {...}) line 994
nsContainerBox::LayoutChildAt(nsBoxLayoutState & {...}, nsIBox * 0x027b8880,
const nsRect & {...}) line 650 + 16 bytes
nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & {...}, nsIBox * 0x027b8880,
const nsRect & {...}) line 1205 + 17 bytes
nsGfxScrollFrameInner::Layout(nsBoxLayoutState & {...}) line 1355
nsGfxScrollFrame::DoLayout(nsGfxScrollFrame * const 0x027b8768, nsBoxLayoutState
& {...}) line 1213 + 15 bytes
nsBox::Layout(nsBox * const 0x027b8768, nsBoxLayoutState & {...}) line 994
nsBoxFrame::Reflow(nsBoxFrame * const 0x027b8730, nsIPresContext * 0x02d99448,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 868
nsGfxScrollFrame::Reflow(nsGfxScrollFrame * const 0x027b8730, nsIPresContext *
0x02d99448, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 823 + 25 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x027b8730, nsIPresContext *
0x02d99448, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0,
int 0, unsigned int 0, unsigned int & 0) line 935 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x027b8450, nsIPresContext *
0x02d99448, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 248 + 43 bytes
IncrementalReflow::Dispatch(nsIPresContext * 0x02d99448, nsHTMLReflowMetrics &
{...}, const nsSize & {...}, nsIRenderingContext & {...}) line 898
PresShell::ProcessReflowCommands(int 1) line 6434
ReflowEvent::HandleEvent() line 6256
HandlePLEvent(ReflowEvent * 0x02ee6250) line 6270
PL_HandleEvent(PLEvent * 0x02ee6250) line 671 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x009cdca0) line 606 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x0220011c, unsigned int 49380, unsigned int 0,
long 10280096) line 1412 + 9 bytes
USER32! 77d43a50()
USER32! 77d43b1f()
USER32! 77d43d79()
USER32! 77d43ddf()
nsAppShellService::Run(nsAppShellService * const 0x00a5c4d8) line 484
main1(int 1, char * * 0x002e2638, nsISupports * 0x009af5d8) line 1291 + 32 bytes
main(int 1, char * * 0x002e2638) line 1678 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e814c7(

local variables

	aX	0
	aY	0
+	this	0x00000000

test case coming up.
Summary: DOM 1 Core TS with SVG content hangs → DOM 1 Core TS with SVG content crashes
test case
So if I understand this correctly the problem here is that you are putting html
content into an <svg> element without wrapping it in <svg:foreignObject>, and
the html frames don't get initialized properly leading to a crash when you are
trying to manipulate the DOM.
CC'ing bzbarsky because IIRC he fixed a similar issue with foreignObject content
a while back. 
This is basically the same issue as bug 231776 -- the root doesn't have a space
manager on incremental reflow, even though it's forced to have one during frame
construction.
Depends on: 231776
Not sure if this will help, but the null pointer assertion is preceded by
another. Here are both and stacks for each.

###!!! ASSERTION: SpaceManager should be set in nsBlockReflowState:
'mSpaceManager', file
c:/work/mozilla_source/trunk/mozilla/layout/html/base/src/nsBlockReflowState.cpp,
line 91
Break: at file
c:/work/mozilla_source/trunk/mozilla/layout/html/base/src/nsBlockReflowState.cpp,
line 91

NTDLL! 77f75a58()
nsDebugImpl::Assertion(nsDebugImpl * const 0x002e6d70, const char * 0x016086e4,
const char * 0x016086d4, const char * 0x01608680, int 91) line 272
nsDebug::Assertion(const char * 0x016086e4, const char * 0x016086d4, const char
* 0x01608680, int 91) line 109
nsBlockReflowState::nsBlockReflowState(const nsHTMLReflowState & {...},
nsIPresContext * 0x04273970, nsBlockFrame * 0x042cb79c, const
nsHTMLReflowMetrics & {...}, int 0) line 91 + 32 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x042cb79c, nsIPresContext *
0x04273970, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 668
nsSVGOuterSVGFrame::Reflow(nsSVGOuterSVGFrame * const 0x042cb118, nsIPresContext
* 0x04273970, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 406
nsContainerFrame::ReflowChild(nsIFrame * 0x042cb118, nsIPresContext *
0x04273970, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0,
int 0, unsigned int 0, unsigned int & 0) line 938 + 31 bytes
CanvasFrame::Reflow(CanvasFrame * const 0x044699b0, nsIPresContext * 0x04273970,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 554
nsBoxToBlockAdaptor::Reflow(nsBoxLayoutState & {...}, nsIPresContext *
0x04273970, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0, int 0, int 0, int 4500, int 2250, int 1) line 880
nsBoxToBlockAdaptor::DoLayout(nsBoxToBlockAdaptor * const 0x042cb088,
nsBoxLayoutState & {...}) line 626 + 46 bytes
nsBox::Layout(nsBox * const 0x042cb088, nsBoxLayoutState & {...}) line 994
nsScrollBoxFrame::DoLayout(nsScrollBoxFrame * const 0x04469cdc, nsBoxLayoutState
& {...}) line 337
nsBox::Layout(nsBox * const 0x04469cdc, nsBoxLayoutState & {...}) line 994
nsContainerBox::LayoutChildAt(nsBoxLayoutState & {...}, nsIBox * 0x04469cdc,
const nsRect & {...}) line 650 + 16 bytes
nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & {...}, nsIBox * 0x04469cdc,
const nsRect & {...}) line 1245 + 17 bytes
nsGfxScrollFrameInner::Layout(nsBoxLayoutState & {...}) line 1401
nsGfxScrollFrame::DoLayout(nsGfxScrollFrame * const 0x04469bc4, nsBoxLayoutState
& {...}) line 1253 + 15 bytes
nsBox::Layout(nsBox * const 0x04469bc4, nsBoxLayoutState & {...}) line 994
nsBoxFrame::Reflow(nsBoxFrame * const 0x04469b8c, nsIPresContext * 0x04273970,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 868
nsGfxScrollFrame::Reflow(nsGfxScrollFrame * const 0x04469b8c, nsIPresContext *
0x04273970, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 853 + 25 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x04469b8c, nsIPresContext *
0x04273970, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0,
int 0, unsigned int 0, unsigned int & 0) line 938 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x044698ac, nsIPresContext *
0x04273970, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 248 + 43 bytes
IncrementalReflow::Dispatch(nsIPresContext * 0x04273970, nsHTMLReflowMetrics &
{...}, const nsSize & {...}, nsIRenderingContext & {...}) line 898
PresShell::ProcessReflowCommands(int 1) line 6353
ReflowEvent::HandleEvent() line 6178
HandlePLEvent(ReflowEvent * 0x043a3a90) line 6192
PL_HandleEvent(PLEvent * 0x043a3a90) line 673 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x009bd870) line 608 + 9 bytes
_md_TimerProc(HWND__ * 0x00100148, unsigned int 275, unsigned int 0, unsigned
long 8300625) line 979 + 9 bytes
USER32! 77d43a50()
USER32! 77d442c5()
USER32! 77d43e6f()
USER32! 77d43ddf()
nsAppShellService::Run(nsAppShellService * const 0x00a59e60) line 524
main1(int 1, char * * 0x002e2638, nsISupports * 0x009fbf78) line 1303 + 32 bytes
main(int 1, char * * 0x002e2638) line 1716 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e814c7()

###!!! ASSERTION: null pointer: 'aSpaceManager', file
c:/work/mozilla_source/trunk/mozilla/layout/html/base/src/nsBlockBandData.cpp,
 line 67

NTDLL! 77f75a58()
nsDebugImpl::Assertion(nsDebugImpl * const 0x002e6d70, const char * 0x0160a728,
const char * 0x0160a718, const char * 0x0160a6c8, int 67) line 272
nsDebug::Assertion(const char * 0x0160a728, const char * 0x0160a718, const char
* 0x0160a6c8, int 67) line 109
nsBlockBandData::Init(nsSpaceManager * 0x00000000, const nsSize & {...}) line 67
+ 29 bytes
nsBlockReflowState::nsBlockReflowState(const nsHTMLReflowState & {...},
nsIPresContext * 0x04273970, nsBlockFrame * 0x042cb79c, const
nsHTMLReflowMetrics & {...}, int 0) line 150
nsBlockFrame::Reflow(nsBlockFrame * const 0x042cb79c, nsIPresContext *
0x04273970, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 668
nsSVGOuterSVGFrame::Reflow(nsSVGOuterSVGFrame * const 0x042cb118, nsIPresContext
* 0x04273970, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 406
nsContainerFrame::ReflowChild(nsIFrame * 0x042cb118, nsIPresContext *
0x04273970, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0,
int 0, unsigned int 0, unsigned int & 0) line 938 + 31 bytes
CanvasFrame::Reflow(CanvasFrame * const 0x044699b0, nsIPresContext * 0x04273970,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 554
nsBoxToBlockAdaptor::Reflow(nsBoxLayoutState & {...}, nsIPresContext *
0x04273970, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0, int 0, int 0, int 4500, int 2250, int 1) line 880
nsBoxToBlockAdaptor::DoLayout(nsBoxToBlockAdaptor * const 0x042cb088,
nsBoxLayoutState & {...}) line 626 + 46 bytes
nsBox::Layout(nsBox * const 0x042cb088, nsBoxLayoutState & {...}) line 994
nsScrollBoxFrame::DoLayout(nsScrollBoxFrame * const 0x04469cdc, nsBoxLayoutState
& {...}) line 337
nsBox::Layout(nsBox * const 0x04469cdc, nsBoxLayoutState & {...}) line 994
nsContainerBox::LayoutChildAt(nsBoxLayoutState & {...}, nsIBox * 0x04469cdc,
const nsRect & {...}) line 650 + 16 bytes
nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & {...}, nsIBox * 0x04469cdc,
const nsRect & {...}) line 1245 + 17 bytes
nsGfxScrollFrameInner::Layout(nsBoxLayoutState & {...}) line 1401
nsGfxScrollFrame::DoLayout(nsGfxScrollFrame * const 0x04469bc4, nsBoxLayoutState
& {...}) line 1253 + 15 bytes
nsBox::Layout(nsBox * const 0x04469bc4, nsBoxLayoutState & {...}) line 994
nsBoxFrame::Reflow(nsBoxFrame * const 0x04469b8c, nsIPresContext * 0x04273970,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 868
nsGfxScrollFrame::Reflow(nsGfxScrollFrame * const 0x04469b8c, nsIPresContext *
0x04273970, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 853 + 25 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x04469b8c, nsIPresContext *
0x04273970, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0,
int 0, unsigned int 0, unsigned int & 0) line 938 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x044698ac, nsIPresContext *
0x04273970, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 248 + 43 bytes
IncrementalReflow::Dispatch(nsIPresContext * 0x04273970, nsHTMLReflowMetrics &
{...}, const nsSize & {...}, nsIRenderingContext & {...}) line 898
PresShell::ProcessReflowCommands(int 1) line 6353
ReflowEvent::HandleEvent() line 6178
HandlePLEvent(ReflowEvent * 0x043a3a90) line 6192
PL_HandleEvent(PLEvent * 0x043a3a90) line 673 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x009bd870) line 608 + 9 bytes
_md_TimerProc(HWND__ * 0x00100148, unsigned int 275, unsigned int 0, unsigned
long 8300625) line 979 + 9 bytes
USER32! 77d43a50()
USER32! 77d442c5()
USER32! 77d43e6f()
USER32! 77d43ddf()
nsAppShellService::Run(nsAppShellService * const 0x00a59e60) line 524
main1(int 1, char * * 0x002e2638, nsISupports * 0x009fbf78) line 1303 + 32 bytes
main(int 1, char * * 0x002e2638) line 1716 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e814c7()
Severity: normal → critical
Keywords: crash
I can no longer reproduce this crash in a recent firefox trunk build. WFM
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Yeah, this was "fixed" by not making the root SVG node an absolute or float
containing block during initial frame construction...
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: