Closed Bug 256242 Opened 20 years ago Closed 20 years ago

Crash/recursion in nsCSSFrameConstructor::ProcessPendingRestyles

Categories: Core :: CSS Parsing and Computation, defect, P1
Status: VERIFIED FIXED
Target Milestone: mozilla1.8alpha4
Reporter: stephend, Assigned: bzbarsky
Keywords: crash, regression
Build ID: 2004-08-19-08, Seamonkey Windows XP Trunk.

Summary: Crash/recursion in nsCSSFrameConstructor::ProcessPendingRestyles

Steps:

1. Load http://www.mailblocks.com
2. Click on any message in the Inbox
3. Click Reply
4. Type something, click Send

http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB606964Q

nsCSSFrameConstructor::ProcessPendingRestyles 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 13364]
PresShell::FlushPendingNotifications 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5099]
nsDocument::FlushPendingNotifications 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocument.cpp,
line 4079]
nsHTMLDocument::FlushPendingNotifications 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLDocument.cpp,
line 1262]
nsGenericHTMLElement::GetPrimaryFrameFor 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 2231]
nsGenericHTMLElement::GetFormControlFrameFor 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 2249]
nsGenericHTMLElement::GetFormControlFrame 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.h,
line 283]
nsHTMLInputElement::GetValue 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp,
line 600]
nsFileControlFrame::PreDestroy 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/forms/src/nsFileControlFrame.cpp,
line 130]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9109]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9201]
nsCSSFrameConstructor::ContentRemoved 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9429]
nsCSSFrameConstructor::RecreateFramesForContent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 11343]
nsCSSFrameConstructor::RestyleElement 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9926]
ProcessRestyle 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 13340]
nsBaseHashtable,nsXMLEventsListener *>::s_EnumStub 
[../../../dist/include/xpcom/nsBaseHashtable.h, line 350]
PL_DHashTableEnumerate 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/ds/pldhash.c,
line 620]
nsCSSFrameConstructor::ProcessPendingRestyles 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 13364]

The problem is that teardown of text control frames leads to a callback on the
content node to save the state, which leads to a flush of restyles before a
GetPrimaryFrameFor() call... but flushing restyles reenters the exact teardown
we were in, if the teardown was due to a style-change reframe.

So we end up in infinite recursion.

The right thing to do is to bail out of ProcessPendingRestyles() if we're
already in the middle of restyle processing.

There's a good chance this will fix bug 255845 too...

I'm not going to be able to deal with this till mid-September, so if someone has
time on their hands before then....
Blocks: 255845
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8alpha4
Depends on: 257694
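
The bail-out proposed in the analysis above, as an added C++ sketch (not Mozilla code and not the patch from bug 257694). `RestyleQueue`, `ProcessPending` and `RunReframe` are hypothetical names, and a depth limit of 64 stands in for exhausting the real stack.

```cpp
#include <cstddef>
#include <functional>
#include <utility>
#include <vector>

// Simplified model of the reentrancy in this bug. Not Mozilla code:
// RestyleQueue and its members are hypothetical names.
class RestyleQueue {
public:
    explicit RestyleQueue(bool guarded) : mGuarded(guarded) {}
    void Post(std::function<void()> r) { mPending.push_back(std::move(r)); }

    // Stand-in for ProcessPendingRestyles(); returns false when it bails out.
    bool ProcessPending() {
        if (mGuarded && mDepth > 0) return false;  // already processing: no reentry
        if (mDepth >= kMaxDepth) {
            mOverflowed = true;                    // stand-in for a stack overflow
            return false;
        }
        ++mDepth;
        // Entries stay queued while they are enumerated (as with the hashtable
        // enumeration in the trace), so a reentrant call sees them again.
        for (std::size_t i = 0; i < mPending.size() && !mOverflowed; ++i) {
            auto restyle = mPending[i];            // copy: the callback may reenter
            restyle();
        }
        --mDepth;
        if (mDepth == 0) mPending.clear();
        return !mOverflowed;
    }
    bool overflowed() const { return mOverflowed; }

private:
    static constexpr int kMaxDepth = 64;
    bool mGuarded;
    bool mOverflowed = false;
    int mDepth = 0;
    std::vector<std::function<void()>> mPending;
};

// A restyle whose frame teardown flushes pending restyles, like the
// PreDestroy -> GetValue -> FlushPendingNotifications path in the trace.
bool RunReframe(bool guarded) {
    RestyleQueue queue(guarded);
    queue.Post([&queue] { queue.ProcessPending(); });
    queue.ProcessPending();
    return queue.overflowed();
}

int main() { return (RunReframe(false) && !RunReframe(true)) ? 0 : 1; }
```
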
Note that bug 257694 has what I think is a better approach to resolving this.
Blocks: 257818
Blocks: 258032
Blocks: 258101
Blocks: 258112
Also note that I can't test this bug because the page needs registration and
there is no testcase...
Blocks: 257825
Blocks: 255933
Fixed by patch in bug 257694
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Verified FIXED with build 2004-09-13-06, Windows XP Seamonkey trunk.
Status: RESOLVED → VERIFIED