256242 - Crash/recursion in nsCSSFrameConstructor::ProcessPendingRestyles

Status: VERIFIED FIXED

(Core :: CSS Parsing and Computation, defect, P1)

Description

[Stephen Donner [:stephend] Not actively reading bugmail]

Build ID: 2004-08-19-08, Seamonkey Windows XP Trunk.

Summary: Crash/recursion in nsCSSFrameConstructor::ProcessPendingRestyles

Steps:

1. Load http://www.mailblocks.com
2. Click on any message in the Inbox
3. Click Reply
4. Type something, click Send

http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB606964Q

nsCSSFrameConstructor::ProcessPendingRestyles 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 13364]
PresShell::FlushPendingNotifications 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5099]
nsDocument::FlushPendingNotifications 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocument.cpp,
line 4079]
nsHTMLDocument::FlushPendingNotifications 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLDocument.cpp,
line 1262]
nsGenericHTMLElement::GetPrimaryFrameFor 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 2231]
nsGenericHTMLElement::GetFormControlFrameFor 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 2249]
nsGenericHTMLElement::GetFormControlFrame 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsGenericHTMLElement.h,
line 283]
nsHTMLInputElement::GetValue 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp,
line 600]
nsFileControlFrame::PreDestroy 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/forms/src/nsFileControlFrame.cpp,
line 130]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9109]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DoDeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9155]
DeletingFrameSubtree 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9201]
nsCSSFrameConstructor::ContentRemoved 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9429]
nsCSSFrameConstructor::RecreateFramesForContent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 11343]
nsCSSFrameConstructor::RestyleElement 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9926]
ProcessRestyle 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 13340]
nsBaseHashtable,nsXMLEventsListener *>::s_EnumStub 
[../../../dist/include/xpcom/nsBaseHashtable.h, line 350]
PL_DHashTableEnumerate 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/ds/pldhash.c,
line 620]
nsCSSFrameConstructor::ProcessPendingRestyles 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 13364]

Comment 1

[Boris Zbarsky [:bzbarsky]]

The problem is that teardown of text control frames leads to a callback on the
content node to save the state, which leads to a flush of restyles before a
GetPrimaryFrameFor() call... but flushing restyles reenters the exact teardown
we were in, if the teardown was due to a style-change reframe.

So we end up in infinite recursion.

The right thing to do is to bail out of ProcessPendingRestyles() if we're
already in the middle of restyle processing.

There's a good chance this will fix bug 255845 too...

I'm not going to be able to deal with this till mid-September, so if someone has
time on their hands before then....

Comment 2

[Boris Zbarsky [:bzbarsky]]

Note that bug 257694 has what I think is a better approach to resolving this.

Comment 3

[Boris Zbarsky [:bzbarsky]]

Also note that I can't test this bug because the page needs registration and
there is no testcase...

Comment 4

[Boris Zbarsky [:bzbarsky]]

Fixed by patch in bug 257694

Comment 5

[Stephen Donner [:stephend] Not actively reading bugmail]

Verified FIXED with build 2004-09-13-06, Windows XP Seamonkey trunk.