258032 - [FIX]crash in nsGenericHTMLElement::GetOffsetRect

Status: RESOLVED FIXED

(Core :: Layout, defect, P1)

Description

[R.K.Aa.]

Going to http://psdata.no crashes with trunk 20040831 and newer
(Gtk2, if it matters)

Does not crash with the older 20040724

Comment 1

[R.K.Aa.]

With a current build it's impossible to write in the "File" field for
attachments, and filepicker doesn't see the relevant text files. Pasting
backtrace here - non-debug:



#0  0x088c7e30 in ?? ()
#1  0x070c3985 in nsGenericHTMLElement::GetOffsetRect ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#2  0x070c4030 in nsGenericHTMLElement::GetOffsetHeight ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#3  0x070cc735 in nsGenericHTMLElementTearoff::GetOffsetHeight ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#4  0x00d0ed23 in XPTC_InvokeByIndex ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/libxpcom.so
#5  0x00896ee3 in XPCWrappedNative::CallMethod ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libxpconnect.so
#6  0x0089d0f2 in XPC_WN_GetterSetter ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libxpconnect.so
#7  0x00fbb88a in js_Invoke () from ./libmozjs.so
#8  0x00fbbc46 in js_InternalInvoke () from ./libmozjs.so
#9  0x00fbbd58 in js_InternalGetOrSet () from ./libmozjs.so
#10 0x00fd1854 in js_GetProperty () from ./libmozjs.so
#11 0x00fc144c in js_Interpret () from ./libmozjs.so
#12 0x00fbb94e in js_Invoke () from ./libmozjs.so
#13 0x00fbbc46 in js_InternalInvoke () from ./libmozjs.so
#14 0x00f9ba54 in JS_CallFunctionValue () from ./libmozjs.so
#15 0x071baecc in nsJSContext::CallEventHandler ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
---Type <return> to continue, or q <return> to quit---
#16 0x071e8a69 in nsJSEventListener::HandleEvent ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#17 0x070ad4f0 in nsEventListenerManager::HandleEventSubType ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#18 0x070ad93b in nsEventListenerManager::HandleEvent ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#19 0x071bf82f in GlobalWindowImpl::HandleDOMEvent ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#20 0x07052d55 in DocumentViewerImpl::LoadComplete ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#21 0x0325a59e in nsDocShell::EndPageLoad ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libdocshell.so
#22 0x03264256 in nsWebShell::EndPageLoad ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libdocshell.so
#23 0x0325a354 in nsDocShell::OnStateChange ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libdocshell.so
#24 0x0326e830 in nsDocLoaderImpl::FireOnStateChange ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libdocshell.so
#25 0x0326df43 in nsDocLoaderImpl::doStopDocumentLoad ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libdocshell.so
#26 0x0326de41 in nsDocLoaderImpl::DocLoaderIsEmpty ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libdocshell.so
#27 0x0326dc03 in nsDocLoaderImpl::OnStopRequest ()
---Type <return> to continue, or q <return> to quit---
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libdocshell.so
#28 0x00b58dac in nsLoadGroup::RemoveRequest ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libnecko.so
#29 0x070a93b2 in HandleImagePLEvent ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#30 0x00cf71bf in PL_HandleEvent ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/libxpcom.so
#31 0x00cf70f1 in PL_ProcessPendingEvents ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/libxpcom.so
#32 0x00cf898a in nsEventQueueImpl::ProcessPendingEvents ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/libxpcom.so
#33 0x00bfedca in event_processor_callback ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libwidget_gtk2.so
#34 0x0060721f in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#35 0x005e1e4a in g_main_depth () from /usr/lib/libglib-2.0.so.0
#36 0x005e2f28 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#37 0x005e3260 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#38 0x005e38a3 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#39 0x003db453 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#40 0x00bff1a4 in nsAppShell::Run ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libwidget_gtk2.so
#41 0x0093c18a in nsAppShellService::Run ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libnsappshell.so
---Type <return> to continue, or q <return> to quit---
#42 0x08054369 in main1 ()
#43 0x08054cdd in main ()
(gdb)

Comment 2

[Mats Palmgren (inactive)]

Attachment: Crash analysis

Comment 3

[Mats Palmgren (inactive)]

Related to bug 256242 / bug 257694 ?

Comment 4

[Boris Zbarsky [:bzbarsky]]

Marking dependent for now, but chances are this will need a separate fix somehow
(not sure how yet, exactly; I'll have to figure out what's the testcase that
actually causes the crash...)

Comment 5

[Boris Zbarsky [:bzbarsky]]

Attachment: Minimal testcase

The problem is that the flush wipes out the presshell...

Comment 6

[Boris Zbarsky [:bzbarsky]]

Attachment: Proposed patch

Comment 7

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 158602 [details] [diff] [review]
Proposed patch

jst, the basic problem here is that the flush may end up destroying an
<iframe>'s frame, which kills the presshell of the subdocument.

The s/GetOwnerDoc/GetCurrentDoc/ in the one place I did it has to do with that
discussion about owner docs in XBL2.... in this case we want the current doc,
not the owner.

Comment 8

[Johnny Stenback (:jst)]

Comment on attachment 158602 [details] [diff] [review]
Proposed patch

r+sr=jst

Comment 9

[Boris Zbarsky [:bzbarsky]]

Checked in.