[FIX]crash in nsGenericHTMLElement::GetOffsetRect

RESOLVED FIXED in mozilla1.8alpha4

Status

()

Product:
Core
Component:
Layout
Importance:
P1
critical
Status:
RESOLVED FIXED
Reported:
14 years ago
Modified:
14 years ago

People

(Reporter: spam, Assigned: bzbarsky)

Tracking

({crash, regression})

Version:
Trunk
Target:
mozilla1.8alpha4
Platform:
x86
Linux
Keywords:
crash, regression
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(3 attachments)

Crash analysis
26.13 KB, text/plain
Details
Minimal testcase
181 bytes, text/html
Details
Proposed patch
2.91 KB, patch
jst
: review+
jst
: superreview+
Details | Diff | Splinter Review
(Reporter)

Description

14 years ago 
Going to http://psdata.no crashes with trunk 20040831 and newer
(Gtk2, if it matters)

Does not crash with the older 20040724
(Reporter)

Comment 1

14 years ago 
With a current build it's impossible to write in the "File" field for
attachments, and filepicker doesn't see the relevant text files. Pasting
backtrace here - non-debug:



#0  0x088c7e30 in ?? ()
#1  0x070c3985 in nsGenericHTMLElement::GetOffsetRect ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#2  0x070c4030 in nsGenericHTMLElement::GetOffsetHeight ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#3  0x070cc735 in nsGenericHTMLElementTearoff::GetOffsetHeight ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#4  0x00d0ed23 in XPTC_InvokeByIndex ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/libxpcom.so
#5  0x00896ee3 in XPCWrappedNative::CallMethod ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libxpconnect.so
#6  0x0089d0f2 in XPC_WN_GetterSetter ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libxpconnect.so
#7  0x00fbb88a in js_Invoke () from ./libmozjs.so
#8  0x00fbbc46 in js_InternalInvoke () from ./libmozjs.so
#9  0x00fbbd58 in js_InternalGetOrSet () from ./libmozjs.so
#10 0x00fd1854 in js_GetProperty () from ./libmozjs.so
#11 0x00fc144c in js_Interpret () from ./libmozjs.so
#12 0x00fbb94e in js_Invoke () from ./libmozjs.so
#13 0x00fbbc46 in js_InternalInvoke () from ./libmozjs.so
#14 0x00f9ba54 in JS_CallFunctionValue () from ./libmozjs.so
#15 0x071baecc in nsJSContext::CallEventHandler ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
---Type <return> to continue, or q <return> to quit---
#16 0x071e8a69 in nsJSEventListener::HandleEvent ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#17 0x070ad4f0 in nsEventListenerManager::HandleEventSubType ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#18 0x070ad93b in nsEventListenerManager::HandleEvent ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#19 0x071bf82f in GlobalWindowImpl::HandleDOMEvent ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#20 0x07052d55 in DocumentViewerImpl::LoadComplete ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#21 0x0325a59e in nsDocShell::EndPageLoad ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libdocshell.so
#22 0x03264256 in nsWebShell::EndPageLoad ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libdocshell.so
#23 0x0325a354 in nsDocShell::OnStateChange ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libdocshell.so
#24 0x0326e830 in nsDocLoaderImpl::FireOnStateChange ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libdocshell.so
#25 0x0326df43 in nsDocLoaderImpl::doStopDocumentLoad ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libdocshell.so
#26 0x0326de41 in nsDocLoaderImpl::DocLoaderIsEmpty ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libdocshell.so
#27 0x0326dc03 in nsDocLoaderImpl::OnStopRequest ()
---Type <return> to continue, or q <return> to quit---
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libdocshell.so
#28 0x00b58dac in nsLoadGroup::RemoveRequest ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libnecko.so
#29 0x070a93b2 in HandleImagePLEvent ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libgklayout.so
#30 0x00cf71bf in PL_HandleEvent ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/libxpcom.so
#31 0x00cf70f1 in PL_ProcessPendingEvents ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/libxpcom.so
#32 0x00cf898a in nsEventQueueImpl::ProcessPendingEvents ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/libxpcom.so
#33 0x00bfedca in event_processor_callback ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libwidget_gtk2.so
#34 0x0060721f in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#35 0x005e1e4a in g_main_depth () from /usr/lib/libglib-2.0.so.0
#36 0x005e2f28 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#37 0x005e3260 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#38 0x005e38a3 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#39 0x003db453 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#40 0x00bff1a4 in nsAppShell::Run ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libwidget_gtk2.so
#41 0x0093c18a in nsAppShellService::Run ()
   from /home/dark/MOZ/TREE1/mozilla/dist/bin/components/libnsappshell.so
---Type <return> to continue, or q <return> to quit---
#42 0x08054369 in main1 ()
#43 0x08054cdd in main ()
(gdb)

Comment 2

14 years ago 
Created attachment 157912 [details]
Crash analysis

Comment 3

14 years ago 
Related to bug 256242 / bug 257694 ?
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Assignee)

Comment 4

14 years ago 
Marking dependent for now, but chances are this will need a separate fix somehow
(not sure how yet, exactly; I'll have to figure out what's the testcase that
actually causes the crash...)
Depends on: 256242
 (Assignee)

Comment 5

14 years ago 
Created attachment 158600 [details]
Minimal testcase

The problem is that the flush wipes out the presshell...
 (Assignee)

Comment 6

14 years ago 
Created attachment 158602 [details] [diff] [review]
Proposed patch
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
 (Assignee)

Updated

14 years ago
Priority: -- → P1
Summary: crash in nsGenericHTMLElement::GetOffsetRect → [FIX]crash in nsGenericHTMLElement::GetOffsetRect
Target Milestone: --- → mozilla1.8alpha4
 (Assignee)

Comment 7

14 years ago 
Comment on attachment 158602 [details] [diff] [review]
Proposed patch

jst, the basic problem here is that the flush may end up destroying an
<iframe>'s frame, which kills the presshell of the subdocument.

The s/GetOwnerDoc/GetCurrentDoc/ in the one place I did it has to do with that
discussion about owner docs in XBL2.... in this case we want the current doc,
not the owner.
Attachment #158602 - Flags: superreview?(jst)
Attachment #158602 - Flags: review?(jst)

Comment 8

14 years ago 
Comment on attachment 158602 [details] [diff] [review]
Proposed patch

r+sr=jst
Attachment #158602 - Flags: superreview?(jst)
Attachment #158602 - Flags: superreview+
Attachment #158602 - Flags: review?(jst)
Attachment #158602 - Flags: review+
 (Assignee)

Comment 9

14 years ago 
Checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.