Infinite loop in nsFrameList::LastChild

Status: RESOLVED WORKSFORME
Type: defect
Priority: --
Severity: critical
Opened 15 years ago, updated 5 years ago

Reporter: rstrong
Assignee: Unassigned
Keywords: crash, testcase
Version: Trunk
Platform: x86, Windows XP
Bug Flags: in-testsuite +
Attachments: 1

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041025 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041025 Firefox/1.0

The soon to be attached simplified testcase causes a crash @
nsLineIterator::GetLine. TB1512938E

Reproducible: Always
Steps to Reproduce:
1. Open testcase

Actual Results:  
Latest Firefox Aviary branch crashes
Recent Mozilla Trunk hangs

Expected Results:  
No crash or hang

UA's affected:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041025 Firefox/1.0
and
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041023 (this
UA hung instead of crashing)

http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1512938E

Stack Signature	 nsLineIterator::GetLine 29f53cd4
Source File, Line No.
d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsLineBox.cpp,
line 594
Adding keywords crash and testcase
Keywords: crash, testcase

Comment 3

15 years ago
wfm windows firefox 1.0 branch 20041025
With Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041023
and a new profile the browser takes over the CPU.
With Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041025
Firefox/1.0 and a new profile I get a crash every time.
Robert, this is the only one of your testcases so far which _doesn't_ crash for
me using the 2004-10-25-05 build on Windows XP.
One change in the procedure to reproduce this. Before opening the attachment
disable java. With Java enabled I was able to view it with Mozilla/5.0 (Windows;
U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041025. When I disabled java it hung
the same UA and it crashes the latest Firefox branch.
This worksforme with a current trunk build on Linux...

Comment 8

15 years ago
I can reproduce with java disabled (win firefox 1.0 20041025)
Confirming on Win32 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8a5) Gecko/20041027 and java disabled. Browser hangs
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 10

15 years ago
>	gklayout.dll!nsFrameList::LastChild()  Line 379	C++
 	gklayout.dll!nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState &
aState={...}, nsLineLayout & aLineLayout={...}, nsLineList_iterator aLine={...},
int * aKeepReflowGoing=0x0012d354, unsigned char * aLineReflowStatus=0x0012d1db,
int aUpdateMaximumWidth=0x00000000, int aDamageDirtyArea=0x00000001)  Line
3554 + 0xb	C++
 	gklayout.dll!nsBlockFrame::ReflowInlineFrames(nsBlockReflowState &
aState={...}, nsLineList_iterator aLine={...}, int *
aKeepReflowGoing=0x00000000, int aDamageDirtyArea=0x00000000, int
aUpdateMaximumWidth=0x00000000)  Line 3456	C++
 	gklayout.dll!nsBlockFrame::ReflowLine(nsBlockReflowState & aState={...},
nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x00000000, int
aDamageDirtyArea=0x00000000)  Line 2574	C++
 	gklayout.dll!nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & aState={...})
 Line 2112	C++
 	gklayout.dll!nsBlockFrame::Reflow(nsPresContext * aPresContext=0x00000000,
nsHTMLReflowMetrics & aMetrics={...}, const nsHTMLReflowState &
aReflowState={...}, unsigned int & aStatus=)  Line 827	C++
 	gklayout.dll!nsBlockReflowContext::ReflowBlock(const nsRect & aSpace={...},
int aApplyTopMargin=0x00000001, nsCollapsingMargin & aPrevBottomMargin={...},
int aIsAdjacentWithTop=0x00000078, nsMargin & aComputedOffsets={...},
nsHTMLReflowState & aFrameRS={...}, unsigned int &
aFrameReflowStatus=0x00000000)  Line 544	C++
 	gklayout.dll!nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & aState={...},
nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x0012dc04)  Line 3203
+ 0x34	C++
 	gklayout.dll!nsBlockFrame::ReflowLine(nsBlockReflowState & aState={...},
nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x00000000, int
aDamageDirtyArea=0x00000000)  Line 2456	C++
 	gklayout.dll!nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & aState={...})
 Line 2112	C++
 	gklayout.dll!nsBlockFrame::Reflow(nsPresContext * aPresContext=0x00000000,
nsHTMLReflowMetrics & aMetrics={...}, const nsHTMLReflowState &
aReflowState={...}, unsigned int & aStatus=)  Line 827	C++
 	gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x04454cdc,
nsPresContext * aPresContext=0x0450aba0, nsHTMLReflowMetrics &
aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int
aX=0x00000000, int aY=0x00000000, unsigned int aFlags=0x00000000, unsigned int &
aStatus=0x00000000)  Line 989	C++
 	gklayout.dll!CanvasFrame::Reflow(nsPresContext * aPresContext=0x0450aba0,
nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState &
aReflowState={...}, unsigned int & aStatus=0x00000000)  Line 551	C++
 	gklayout.dll!nsFrame::BoxReflow(nsBoxLayoutState & aState={...}, nsPresContext
* aPresContext=0x0450aba0, nsHTMLReflowMetrics & aDesiredSize={...}, const
nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0x00000000, int
aX=0x00000000, int aY=0x00000000, int aWidth=0x00002f67, int aHeight=0x00002229,
int aMoveFrame=0x00000001)  Line 5260	C++
 	gklayout.dll!nsFrame::DoLayout(nsBoxLayoutState & aState={...})  Line 5004	C++
 	gklayout.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...})  Line 799	C++
 	gklayout.dll!nsScrollBoxFrame::DoLayout(nsBoxLayoutState & aState={...}) 
Line 339	C++
 	gklayout.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...})  Line 799	C++
 	gklayout.dll!nsBoxFrame::LayoutChildAt(nsBoxLayoutState & aState={...},
nsIFrame * aBox=0x0451f8f4, const nsRect & aRect={...})  Line 2689 + 0x8	C++
 	gklayout.dll!nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & aState={...},
nsIFrame * aBox=0x0451f8f4, const nsRect & aRect={...})  Line 1668 + 0x11	C++
 	gklayout.dll!nsGfxScrollFrameInner::Layout(nsBoxLayoutState & aState={...})
 Line 1811	C++
 	gklayout.dll!nsHTMLScrollFrame::DoLayout(nsBoxLayoutState & aState={...}) 
Line 579	C++
 	gklayout.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...})  Line 799	C++
 	gklayout.dll!nsBoxFrame::Reflow(nsPresContext * aPresContext=0x0450aba0,
nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState &
aReflowState={...}, unsigned int & aStatus=0x00000000)  Line 858	C++
 	gklayout.dll!nsHTMLScrollFrame::Reflow(nsPresContext *
aPresContext=0x0450aba0, nsHTMLReflowMetrics & aDesiredSize={...}, const
nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0x00000000) 
Line 514	C++
 	gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x0451f7bc,
nsPresContext * aPresContext=0x0450aba0, nsHTMLReflowMetrics &
aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int
aX=0x00000000, int aY=0x00000000, unsigned int aFlags=0x00000000, unsigned int &
aStatus=0x00000000)  Line 989	C++
 	gklayout.dll!ViewportFrame::Reflow(nsPresContext * aPresContext=0x00000000,
nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState &
aReflowState={...}, unsigned int & aStatus=)  Line 249	C++
 	gklayout.dll!IncrementalReflow::Dispatch(nsPresContext *
aPresContext=0x0432cbf0, nsHTMLReflowMetrics & aDesiredSize={...}, const nsSize
& aMaxSize={...}, nsIRenderingContext & aRendContext={...})  Line 907	C++
 	gklayout.dll!PresShell::ProcessReflowCommands(int aInterruptible=0x00000000) 
Line 6296	C++
 	gklayout.dll!PresShell::FlushPendingNotifications(mozFlushType
aType=Flush_Layout)  Line 5014	C++
 	gklayout.dll!nsDocument::FlushPendingNotifications(mozFlushType
aType=Flush_Layout)  Line 4056	C++
 	gklayout.dll!nsHTMLDocument::FlushPendingNotifications(mozFlushType
aType=Flush_Layout)  Line 1261	C++
 	gklayout.dll!nsGenericHTMLElement::GetOffsetRect(nsRect & aRect={...},
nsIContent * * aOffsetParent=0x0012eadc)  Line 601	C++
 	gklayout.dll!nsGenericHTMLElement::GetOffsetLeft(int * aOffsetLeft=0x0012eb20)
 Line 811 + 0x14	C++
 	gklayout.dll!nsGenericHTMLElementTearoff::GetOffsetLeft(int *
aOffsetLeft=0x0012eb20)  Line 215 + 0x10	C++
 	xpcom_core.dll!XPTC_InvokeByIndex(nsISupports * that=0x044c4cb8, unsigned int
methodIndex=0x00000004, unsigned int paramCount=0x00000001, nsXPTCVariant *
params=0x0012eb20)  Line 102	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...},
XPCWrappedNative::CallMode mode=CALL_GETTER)  Line 2037 + 0x15	C++
 	xpc3250.dll!XPC_WN_GetterSetter(JSContext * cx=0x041860f8, JSObject *
obj=0x04188798, unsigned int argc=0x00000000, long * argv=0x02bd601c, long *
vp=0x0012ed90)  Line 1319 + 0xb	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x00000000, unsigned int argc=0x00000000,
unsigned int flags=0x00000000)  Line 1286 + 0x11	C
 	js3250.dll!js_InternalInvoke(JSContext * cx=0x041860f8, JSObject *
obj=0x04188798, long fval=0x04189250, unsigned int flags=0x00000000, unsigned
int argc=0x0453f2dc, long * argv=0x00000000, long * rval=0x0012f03c)  Line
1428 + 0x13	C
 	js3250.dll!js_InternalGetOrSet(JSContext * cx=0x041860f8, JSObject *
obj=0x04188798, long id=0x01259330, long fval=0x04189250, JSAccessMode
mode=JSACC_READ, unsigned int argc=0x00000000, long * argv=0x00000000, long *
rval=0x0012f03c)  Line 1472 + 0x19	C
 	js3250.dll!js_GetProperty(JSContext * cx=0x041860f8, JSObject *
obj=0x04188798, long id=0x01259330, long * vp=0x0012f03c)  Line 2683 + 0x1d	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00000000, long * result=0x00000000) 
Line 3295 + 0xb9	C
 	js3250.dll!js_Invoke(JSContext * cx=0x00000000, unsigned int argc=0x00000000,
unsigned int flags=0x00000000)  Line 1306 + 0xa	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00000000, long * result=0x00000000) 
Line 3500	C
 	js3250.dll!js_Invoke(JSContext * cx=0x00000000, unsigned int argc=0x00000000,
unsigned int flags=0x00000000)  Line 1306 + 0xa	C
 	xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS *
wrapper=0x00000000, unsigned short methodIndex=0x0000, const nsXPTMethodInfo *
info=0x00000000, nsXPTCMiniVariant * nativeParams=0x00000000)  Line 1413 + 0x10	C++
 	xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=0x0003,
const nsXPTMethodInfo * info=0x029c97c8, nsXPTCMiniVariant * params=0x0012f49c)
 Line 450	C++
 	xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x0453b170, unsigned
int methodIndex=0x00000003, unsigned int * args=0x0012f560, unsigned int *
stackBytesToPop=0x0012f550)  Line 117 + 0x1a	C++
 	xpcom_core.dll!SharedStub()  Line 147	C++
 	gklayout.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct *
aListenerStruct=0x04513688, nsIDOMEvent * aDOMEvent=0x04498890,
nsIDOMEventTarget * aCurrentTarget=0x04185fa4, unsigned int aSubType=0x04498898,
unsigned int aPhaseFlags=0x00000007)  Line 1523	C++
 	gklayout.dll!nsEventListenerManager::HandleEvent(nsPresContext *
aPresContext=0x00000000, nsEvent * aEvent=0x0012f72c, nsIDOMEvent * *
aDOMEvent=0x0012f6f8, nsIDOMEventTarget * aCurrentTarget=0x04185fa4, unsigned
int aFlags=0x00000007, nsEventStatus * aEventStatus=0x0012f7c0)  Line 1599	C++
 	gklayout.dll!GlobalWindowImpl::HandleDOMEvent(nsPresContext *
aPresContext=0x0450aba0, nsEvent * aEvent=0x0012f72c, nsIDOMEvent * *
aDOMEvent=0x0012f6f8, unsigned int aFlags=0x00000007, nsEventStatus *
aEventStatus=0x0012f7c0)  Line 907	C++
 	gklayout.dll!DocumentViewerImpl::LoadComplete(unsigned int aStatus=0x00000000)
 Line 896	C++
 	docshell.dll!nsDocShell::EndPageLoad(nsIWebProgress * aProgress=0x04192854,
nsIChannel * aChannel=0x044568c8, unsigned int aStatus=0x00000000)  Line 4332	C++
 	docshell.dll!nsWebShell::EndPageLoad(nsIWebProgress * aProgress=0x00000000,
nsIChannel * channel=0x00000000, unsigned int aStatus=0x00000000)  Line 752	C++
 	docshell.dll!nsDocShell::OnStateChange(nsIWebProgress * aProgress=0x04192854,
nsIRequest * aRequest=0x044568c8, unsigned int aStateFlags=0x04192854, unsigned
int aStatus=0x00000000)  Line 4252	C++
 	docshell.dll!nsDocLoaderImpl::FireOnStateChange(nsIWebProgress *
aProgress=0x04192854, nsIRequest * aRequest=0x044568c8, int
aStateFlags=0x00020010, unsigned int aStatus=0x00000000)  Line 1224 + 0x1a	C++
 	docshell.dll!nsDocLoaderImpl::doStopDocumentLoad(nsIRequest *
request=0x044568c8, unsigned int aStatus=0x00000000)  Line 832	C++
 	docshell.dll!nsDocLoaderImpl::DocLoaderIsEmpty()  Line 729	C++
 	docshell.dll!nsDocLoaderImpl::OnStopRequest(nsIRequest * aRequest=0x00000001,
nsISupports * aCtxt=0x00000000, unsigned int aStatus=0x00000000)  Line 661	C++
 	necko.dll!nsLoadGroup::RemoveRequest(nsIRequest * request=0x04192844,
nsISupports * ctxt=0x00000000, unsigned int aStatus=0x00000000)  Line 698	C++
 	gklayout.dll!CantRenderReplacedElementEvent::RemoveLoadGroupRequest()  Line
957 + 0x13	C++
 	gklayout.dll!CantRenderReplacedElementEvent::~CantRenderReplacedElementEvent()
 Line 913	C++
 	gklayout.dll!nsFrameManager::DestroyPLEvent(CantRenderReplacedElementEvent *
aEvent=0x0407b418)  Line 893 + 0xf	C++
 	xpcom_core.dll!PL_DestroyEvent(PLEvent * self=0x0407b418)  Line 731 + 0x4	C
 	xpcom_core.dll!PL_HandleEvent(PLEvent * self=0x0407b418)  Line 703 + 0x6	C
 	xpcom_core.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x0107b110)  Line 628	C
 	xpcom_core.dll!_md_EventReceiverProc(HWND__ * hwnd=0x002c1ef2, unsigned int
uMsg=0x0000c14e, unsigned int wParam=0x00000000, long lParam=0x0107b110)  Line
1434	C
 	user32.dll!77d43a50() 	
 	user32.dll!77d43b1f() 	
 	user32.dll!GetMessageW()  + 0x125	
 	user32.dll!DispatchMessageW()  + 0xb	
 	appshell.dll!nsAppShellService::Run()  Line 484	C++
 	mozilla.exe!main1(int argc=0x00000000, char * * argv=0x00000000, nsISupports *
nativeApp=0x00000000)  Line 1336	C++
 	mozilla.exe!main(int argc=0x00000001, char * * argv=0x003f7c10)  Line 1827 +
0x16	C++
 	mozilla.exe!mainCRTStartup()  Line 400 + 0x11	C
 	kernel32.dll!TermsrvAppInstallMode()  + 0x269	

nsIFrame*
nsFrameList::LastChild() const
{
  nsIFrame* frame = mFirstChild;
017E54E4  mov         eax,dword ptr [ecx] 
  if (!frame) {
017E54E6  test        eax,eax 
017E54E8  jne         nsFrameList::LastChild+7 (17E54EBh) 
  }
  return frame;
}
017E54EA  ret              
    return nsnull;
  }

  nsIFrame* next = frame->GetNextSibling();
017E54EB  mov         ecx,dword ptr [eax+20h] 
017E54EE  jmp         nsFrameList::LastChild+11h (17E54F5h) 
    frame = next;
017E54F0  mov         eax,ecx 
    next = frame->GetNextSibling();
017E54F2  mov         ecx,dword ptr [ecx+20h] 
  while (next) {
017E54F5  test        ecx,ecx 
017E54F7  jne         nsFrameList::LastChild+0Ch (17E54F0h) 
  }
  return frame;
}
017E54F9  ret              

-	(nsIFrame*)eax	0x0451b3e4 {mAscent=0x000000e8 mLines={mLink={_mNext=0x044dc8c8
{_mNext=0x0451b420 _mPrev=0x0451b420 } _mPrev=0x044dc8c8 {_mNext=0x0451b420
_mPrev=0x0451b420 } } } mFloats={mFirstChild=0x00000000 {mRect={x=??? y=???
width=??? ...} mContent=??? mStyleContext=??? ...} } ...}	nsIFrame *
|+	[nsBlockFrame]	{mAscent=0x000000e8 mLines={mLink={_mNext=0x044dc8c8
{_mNext=0x0451b420 _mPrev=0x0451b420 } _mPrev=0x044dc8c8 {_mNext=0x0451b420
_mPrev=0x0451b420 } } } mFloats={mFirstChild=0x00000000 {mRect={x=??? y=???
width=??? ...} mContent=??? mStyleContext=??? ...} } ...}	const nsBlockFrame
|+	nsISupports	{...}	nsISupports
|+	mRect	{x=0x00000000 y=0x7df0090e width=0x00000000 ...}	nsRect
|+	mContent	0x0456c878	nsIContent *
|+	mStyleContext	0x0451b340 {mParent=0x04454e18 {mParent=0x04454ba8
{mParent=0x00000000 {mParent=??? mChild=??? mEmptyChild=??? ...}
mChild=0x04454bd4 {mParent=0x04454ba8 mChild=0x00000000 mEmptyChild=0x00000000
...} mEmptyChild=0x04454c58 {mParent=0x04454ba8 mChild=0x00000000
mEmptyChild=0x00000000 ...} ...} mChild=0x0451b050 {mParent=0x04454e18
{mParent=0x04454ba8 mChild=0x0451b050 mEmptyChild=0x0451af5c ...}
mChild=0x00000000 {mParent=??? mChild=??? mEmptyChild=??? ...}
mEmptyChild=0x00000000 {mParent=??? mChild=??? mEmptyChild=??? ...} ...}
mEmptyChild=0x0451af5c {mParent=0x04454e18 {mParent=0x04454ba8 mChild=0x0451b050
mEmptyChild=0x0451af5c ...} mChild=0x00000000 {mParent=??? mChild=???
mEmptyChild=??? ...} mEmptyChild=0x00000000 {mParent=??? mChild=???
mEmptyChild=??? ...} ...} ...} mChild=0x042835f4 {mParent=0x0451b340
{mParent=0x04454e18 {mParent=0x04454ba8 mChild=0x0451b050 mEmptyChild=0x0451af5c
...} mChild=0x042835f4 {mParent=0x0451b340 mChild=0x042835c8
mEmptyChild=0x04402eb8 ...} mEmptyChild=0x00000000 {mParent=??? mChild=???
mEmptyChild=??? ...} ...} mChild=0x042835c8 {mParent=0x042835f4
{mParent=0x0451b340 mChild=0x042835c8 mEmptyChild=0x04402eb8 ...}
mChild=0x0451b9e8 {mParent=0x042835c8 mChild=0x00000000 mEmptyChild=0x00000000
...} mEmptyChild=0x00000000 {mParent=??? mChild=??? mEmptyChild=??? ...} ...}
mEmptyChild=0x04402eb8 {mParent=0x042835f4 {mParent=0x0451b340 mChild=0x042835c8
mEmptyChild=0x04402eb8 ...} mChild=0x00000000 {mParent=??? mChild=???
mEmptyChild=??? ...} mEmptyChild=0x00000000 {mParent=??? mChild=???
mEmptyChild=??? ...} ...} ...} mEmptyChild=0x00000000 {mParent=??? mChild=???
mEmptyChild=??? ...} ...}	nsStyleContext *
|+	mParent	0x04454ee4 {mAscent=0x7df008ca mLines={mLink={_mNext=0x0451afc8
{_mNext=0x044dc938 _mPrev=0x04454f20 } _mPrev=0x044dc968 {_mNext=0x04454f20
_mPrev=0x044dc938 } } } mFloats={mFirstChild=0x045720a8 } ...}	nsIFrame *
|+	mNextSibling	0x0451b3e4 {mAscent=0x000000e8 mLines={mLink={_mNext=0x044dc8c8
{_mNext=0x0451b420 _mPrev=0x0451b420 } _mPrev=0x044dc8c8 {_mNext=0x0451b420
_mPrev=0x0451b420 } } } mFloats={mFirstChild=0x00000000 {mRect={x=??? y=???
width=??? ...} mContent=??? mStyleContext=??? ...} } ...}	nsIFrame *
\	mState	0x0004000c	unsigned int
+	(nsIFrame*)ecx	0x0451b3e4 {mAscent=0x000000e8 mLines={mLink={_mNext=0x044dc8c8
{_mNext=0x0451b420 _mPrev=0x0451b420 } _mPrev=0x044dc8c8 {_mNext=0x0451b420
_mPrev=0x0451b420 } } } mFloats={mFirstChild=0x00000000 {mRect={x=??? y=???
width=??? ...} mContent=??? mStyleContext=??? ...} } ...}	nsIFrame *
Assignee: general → nobody
Component: Browser-General → Layout: Block and Inline
QA Contact: general → core.layout.block-and-inline
Summary: Crash [@ nsLineIterator::GetLine ] → Infinite loop in nsFrameList::LastChild

Comment 11

15 years ago
###!!! ASSERTION: Bug 265986 Infinite loop in nsFrameList::LastChild: 'this != 
aNextSibling', file ../../../../dist/include/layout\nsIFrame.h, line 698
Break: at file ../../../../dist/include/layout\nsIFrame.h, line 698

 	xpcom_core.dll!nsDebug::Assertion(const char * aStr=0x01cee16c, const 
char * aExpr=0x01cee1a0, const char * aFile=0x01ce8df4, int aLine=0x000002ba)  
Line 109	C++
 	gklayout.dll!nsIFrame::SetNextSibling(nsIFrame * 
aNextSibling=0x0397a07c)  Line 698 + 0x26	C++
>	gklayout.dll!nsBlockFrame::DrainOverflowLines()  Line 4459	C++
 	gklayout.dll!nsBlockFrame::Reflow(nsPresContext * 
aPresContext=0x0069fd88, nsHTMLReflowMetrics & aMetrics={...}, const 
nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0xffffffff)  
Line 735	C++
 	gklayout.dll!nsBlockReflowContext::ReflowBlock(const nsRect & aSpace=
{...}, int aApplyTopMargin=0x00000001, nsCollapsingMargin & aPrevBottomMargin=
{...}, int aIsAdjacentWithTop=0x00000078, nsMargin & aComputedOffsets={...}, 
nsHTMLReflowState & aFrameRS={...}, unsigned int & 
aFrameReflowStatus=0x00000000)  Line 544	C++
 	gklayout.dll!nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & aState=
{...}, nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x0012de08)  
Line 3203 + 0x34	C++
 	gklayout.dll!nsBlockFrame::ReflowLine(nsBlockReflowState & aState=
{...}, nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x00000000, int 
aDamageDirtyArea=0x77e83a80)  Line 2456	C++
 	gklayout.dll!nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & aState=
{...})  Line 2112	C++
 	gklayout.dll!nsBlockFrame::Reflow(nsPresContext * 
aPresContext=0x0069fd88, nsHTMLReflowMetrics & aMetrics={...}, const 
nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0xffffffff)  
Line 827	C++
 	gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * 
aKidFrame=0x03977174, nsPresContext * aPresContext=0x038b64c0, 
nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & 
aReflowState={...}, int aX=0x00000000, int aY=0x00000000, unsigned int 
aFlags=0x00000000, unsigned int & aStatus=0x00000000)  Line 989	C++
 	gklayout.dll!CanvasFrame::Reflow(nsPresContext * 
aPresContext=0x038b64c0, nsHTMLReflowMetrics & aDesiredSize={...}, const 
nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0x00000000)  
Line 551	C++
 	gklayout.dll!nsFrame::BoxReflow(nsBoxLayoutState & aState={...}, 
nsPresContext * aPresContext=0x038b64c0, nsHTMLReflowMetrics & aDesiredSize=
{...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & 
aStatus=0x00000000, int aX=0x00000000, int aY=0x00000000, int 
aWidth=0x000036e7, int aHeight=0x00002445, int aMoveFrame=0x00000001)  Line 5260
	C++
 	gklayout.dll!nsFrame::DoLayout(nsBoxLayoutState & aState={...})  Line 
5004	C++
 	gklayout.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...})  Line 799
	C++
 	gklayout.dll!nsScrollBoxFrame::DoLayout(nsBoxLayoutState & aState=
{...})  Line 339	C++
 	gklayout.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...})  Line 799
	C++
 	gklayout.dll!nsBoxFrame::LayoutChildAt(nsBoxLayoutState & aState={...}, 
nsIFrame * aBox=0x0396e24c, const nsRect & aRect={...})  Line 2689 + 0x8
	C++
 	gklayout.dll!nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & aState=
{...}, nsIFrame * aBox=0x0396e24c, const nsRect & aRect={...})  Line 1668 + 0x11
	C++
 	gklayout.dll!nsGfxScrollFrameInner::Layout(nsBoxLayoutState & aState=
{...})  Line 1811	C++
 	gklayout.dll!nsHTMLScrollFrame::DoLayout(nsBoxLayoutState & aState=
{...})  Line 579	C++
 	gklayout.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...})  Line 799
	C++
 	gklayout.dll!nsBoxFrame::Reflow(nsPresContext * 
aPresContext=0x038b64c0, nsHTMLReflowMetrics & aDesiredSize={...}, const 
nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0x00000000)  
Line 858	C++
 	gklayout.dll!nsHTMLScrollFrame::Reflow(nsPresContext * 
aPresContext=0x038b64c0, nsHTMLReflowMetrics & aDesiredSize={...}, const 
nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0x00000000)  
Line 514	C++
 	gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * 
aKidFrame=0x0396e114, nsPresContext * aPresContext=0x038b64c0, 
nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & 
aReflowState={...}, int aX=0x00000000, int aY=0x00000000, unsigned int 
aFlags=0x00000000, unsigned int & aStatus=0x00000000)  Line 989	C++
 	gklayout.dll!ViewportFrame::Reflow(nsPresContext * 
aPresContext=0x0069fd88, nsHTMLReflowMetrics & aDesiredSize={...}, const 
nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0xffffffff)  
Line 249	C++
 	gklayout.dll!IncrementalReflow::Dispatch(nsPresContext * 
aPresContext=0x03830898, nsHTMLReflowMetrics & aDesiredSize={...}, const nsSize 
& aMaxSize={...}, nsIRenderingContext & aRendContext={...})  Line 907	C++
 	gklayout.dll!PresShell::ProcessReflowCommands(int 
aInterruptible=0x00000000)  Line 6296	C++
 	gklayout.dll!PresShell::FlushPendingNotifications(mozFlushType 
aType=Flush_Layout)  Line 5014	C++
 	gklayout.dll!nsDocument::FlushPendingNotifications(mozFlushType 
aType=Flush_Layout)  Line 4056	C++
 	gklayout.dll!nsHTMLDocument::FlushPendingNotifications(mozFlushType 
aType=Flush_Layout)  Line 1261	C++
 	gklayout.dll!nsGenericHTMLElement::GetOffsetRect(nsRect & aRect={...}, 
nsIContent * * aOffsetParent=0x0012ece0)  Line 601	C++
 	gklayout.dll!nsGenericHTMLElement::GetOffsetHeight(int * 
aOffsetHeight=0x0012ed24)  Line 835 + 0x14	C++
 	gklayout.dll!nsGenericHTMLElementTearoff::GetOffsetHeight(int * 
aOffsetHeight=0x0012ed24)  Line 215 + 0x10	C++
 	xpcom_core.dll!XPTC_InvokeByIndex(nsISupports * that=0x03830858, 
unsigned int methodIndex=0x00000006, unsigned int paramCount=0x00000001, 
nsXPTCVariant * params=0x0012ed24)  Line 102	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...}, 
XPCWrappedNative::CallMode mode=CALL_GETTER)  Line 2037 + 0x15	C++
 	xpc3250.dll!XPC_WN_GetterSetter(JSContext * cx=0x0377af38, JSObject * 
obj=0x037cbb18, unsigned int argc=0x00000000, long * argv=0x0279f7ac, long * 
vp=0x0012ef94)  Line 1319 + 0xb	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x00010001, unsigned int 
argc=0x00000000, unsigned int flags=0x77e83a80)  Line 1286 + 0x11	C
 	js3250.dll!js_InternalInvoke(JSContext * cx=0x0377af38, JSObject * 
obj=0x037cbb18, long fval=0x037cbb28, unsigned int flags=0x00000000, unsigned 
int argc=0x039a16c4, long * argv=0x00000000, long * rval=0x0012f240)  Line 1428 
+ 0x13	C
 	js3250.dll!js_InternalGetOrSet(JSContext * cx=0x0377af38, JSObject * 
obj=0x037cbb18, long id=0x0279f218, long fval=0x037cbb28, JSAccessMode 
mode=JSACC_READ, unsigned int argc=0x00000000, long * argv=0x00000000, long * 
rval=0x0012f240)  Line 1472 + 0x19	C
 	js3250.dll!js_GetProperty(JSContext * cx=0x0377af38, JSObject * 
obj=0x037cbb18, long id=0x0279f218, long * vp=0x0012f240)  Line 2683 + 0x1d
	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00000000, long * 
result=0x77e83a80)  Line 3295 + 0xb9	C
 	js3250.dll!js_Invoke(JSContext * cx=0x00010001, unsigned int 
argc=0x00000000, unsigned int flags=0x77e83a80)  Line 1306 + 0xa	C
 	xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * 
wrapper=0x0069fd88, unsigned short methodIndex=0x0001, const nsXPTMethodInfo * 
info=0x00000000, nsXPTCMiniVariant * nativeParams=0x77e83a80)  Line 1413 + 0x10
	C++
 	xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short 
methodIndex=0x0003, const nsXPTMethodInfo * info=0x018340c8, nsXPTCMiniVariant 
* params=0x0012f4a8)  Line 450	C++
 	xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x03999128, 
unsigned int methodIndex=0x00000003, unsigned int * args=0x0012f56c, unsigned 
int * stackBytesToPop=0x0012f55c)  Line 117 + 0x1a	C++
 	xpcom_core.dll!SharedStub()  Line 147	C++
 	gklayout.dll!nsEventListenerManager::HandleEventSubType
(nsListenerStruct * aListenerStruct=0x03999240, nsIDOMEvent * 
aDOMEvent=0x037b0700, nsIDOMEventTarget * aCurrentTarget=0x0377ade4, unsigned 
int aSubType=0x037b0708, unsigned int aPhaseFlags=0x00000007)  Line 1523
	C++
 	gklayout.dll!nsEventListenerManager::HandleEvent(nsPresContext * 
aPresContext=0x00000000, nsEvent * aEvent=0x0012f738, nsIDOMEvent * * 
aDOMEvent=0x0012f704, nsIDOMEventTarget * aCurrentTarget=0x0377ade4, unsigned 
int aFlags=0x00000007, nsEventStatus * aEventStatus=0x0012f7cc)  Line 1599
	C++
 	gklayout.dll!GlobalWindowImpl::HandleDOMEvent(nsPresContext * 
aPresContext=0x038b64c0, nsEvent * aEvent=0x0012f738, nsIDOMEvent * * 
aDOMEvent=0x0012f704, unsigned int aFlags=0x00000007, nsEventStatus * 
aEventStatus=0x0012f7cc)  Line 907	C++
 	gklayout.dll!DocumentViewerImpl::LoadComplete(unsigned int 
aStatus=0x00000000)  Line 896	C++
 	docshell.dll!nsDocShell::EndPageLoad(nsIWebProgress * 
aProgress=0x0377f404, nsIChannel * aChannel=0x03958af0, unsigned int 
aStatus=0x00000000)  Line 4332	C++
 	docshell.dll!nsWebShell::EndPageLoad(nsIWebProgress * 
aProgress=0x00010001, nsIChannel * channel=0x00000000, unsigned int 
aStatus=0x77e83a80)  Line 752	C++
 	docshell.dll!nsDocShell::OnStateChange(nsIWebProgress * 
aProgress=0x0377f404, nsIRequest * aRequest=0x03958af0, unsigned int 
aStateFlags=0x0377f404, unsigned int aStatus=0x00000000)  Line 4252	C++
 	docshell.dll!nsDocLoaderImpl::FireOnStateChange(nsIWebProgress * 
aProgress=0x0377f404, nsIRequest * aRequest=0x03958af0, int 
aStateFlags=0x00020010, unsigned int aStatus=0x00000000)  Line 1224 + 0x1a
	C++
 	docshell.dll!nsDocLoaderImpl::doStopDocumentLoad(nsIRequest * 
request=0x03958af0, unsigned int aStatus=0x00000000)  Line 832	C++
 	docshell.dll!nsDocLoaderImpl::DocLoaderIsEmpty()  Line 729	C++
 	docshell.dll!nsDocLoaderImpl::OnStopRequest(nsIRequest * 
aRequest=0x00000001, nsISupports * aCtxt=0x00000000, unsigned int 
aStatus=0x00000000)  Line 661	C++
 	necko.dll!nsLoadGroup::RemoveRequest(nsIRequest * request=0x0377f3f4, 
nsISupports * ctxt=0x00000000, unsigned int aStatus=0x00000000)  Line 698
	C++
 	gklayout.dll!CantRenderReplacedElementEvent::RemoveLoadGroupRequest()  
Line 957 + 0x13	C++
 	gklayout.dll!
CantRenderReplacedElementEvent::~CantRenderReplacedElementEvent()  Line 913
	C++
 	gklayout.dll!nsFrameManager::DestroyPLEvent
(CantRenderReplacedElementEvent * aEvent=0x038bc8c0)  Line 893 + 0xf	C++
 	xpcom_core.dll!PL_DestroyEvent(PLEvent * self=0x038bc8c0)  Line 731 + 
0x4	C
 	xpcom_core.dll!PL_HandleEvent(PLEvent * self=0x038bc8c0)  Line 703 + 0x6
	C
 	xpcom_core.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x01062b08)  
Line 628	C
 	xpcom_core.dll!_md_TimerProc(HWND__ * hwnd=0x001327f2, unsigned int 
uMsg=0x00000113, unsigned int idEvent=0x00000000, unsigned long 
dwTime=0x1c80dc67)  Line 998 + 0x6	C
 	user32.dll!77d43a50() 	
 	user32.dll!GetSysColor()  + 0x10f	
 	user32.dll!TranslateMessage()  + 0x8d	
 	user32.dll!DispatchMessageW()  + 0xb	
 	appshell.dll!nsAppShellService::Run()  Line 484	C++
 	mozilla.exe!main1(int argc=0x00010001, char * * argv=0x00000000, 
nsISupports * nativeApp=0x77e83a80)  Line 1336	C++
 	mozilla.exe!main(int argc=0x00000001, char * * argv=0x003f7c10)  Line 
1827 + 0x16	C++
 	mozilla.exe!mainCRTStartup()  Line 400 + 0x11	C
 	kernel32.dll!TermsrvAppInstallMode()  + 0x269	

Comment 12

14 years ago
WFM? with current trunk, Robert could you please reevaluate?
This is WFM as well. Thanks!
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → WORKSFORME

Comment 14

10 years ago
layout/base/crashtests/265986-1.html
http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+
Depends on: 497602
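
Added example, not part of the bug report and not Mozilla's code: the debugger output in comment 10 shows a frame at 0x0451b3e4 whose mNextSibling is that same address, so the unbounded walk in nsFrameList::LastChild never reaches a null link, and comment 11 shows an assertion 'this != aNextSibling' firing in nsIFrame::SetNextSibling. The sketch below uses a hypothetical `Frame` struct (all names here are illustrative assumptions) to show a setter guard of that kind together with a last-child walk that reports a cycle instead of spinning.

```cpp
#include <cstddef>

// Hypothetical stand-in for a layout frame: only the intrusive sibling link.
struct Frame {
  Frame* next = nullptr;

  // Guard in the spirit of the 'this != aNextSibling' assertion: reject a
  // self-link instead of storing it. Returns false and leaves the link
  // unchanged when the call would create a one-node cycle.
  bool SetNextSibling(Frame* aNext) {
    if (aNext == this) return false;
    next = aNext;
    return true;
  }
};

enum class Walk { Ok, Empty, Cycle };

struct WalkResult {
  Walk status;
  Frame* last;  // last frame when status == Ok, otherwise nullptr
};

// Last-child lookup that terminates on corrupted lists. A fast pointer moves
// two links for every one link of a slow pointer (Floyd's cycle detection);
// if they ever meet after the start, some sibling link loops back.
WalkResult LastChildChecked(Frame* first) {
  if (!first) return {Walk::Empty, nullptr};
  Frame* slow = first;
  Frame* fast = first;
  while (fast->next) {
    fast = fast->next;
    if (fast == slow) return {Walk::Cycle, nullptr};
    if (!fast->next) break;
    fast = fast->next;
    slow = slow->next;
    if (fast == slow) return {Walk::Cycle, nullptr};
  }
  return {Walk::Ok, fast};  // fast->next is null here, so fast is the tail
}

// Constructed scenario matching the debugger state: the second frame's
// sibling link points at itself (written directly, bypassing the guard).
Walk DemoCorruptedList() {
  Frame a, b;
  a.SetNextSibling(&b);
  b.next = &b;
  return LastChildChecked(&a).status;
}

// Constructed scenario: the guarded setter refuses the self-link, so the
// list stays well-formed and the walk finds the real tail.
bool DemoGuardRejectsSelfLink() {
  Frame a, b;
  a.SetNextSibling(&b);
  bool accepted = b.SetNextSibling(&b);
  return !accepted && b.next == nullptr && LastChildChecked(&a).last == &b;
}

int main() {
  bool ok = DemoCorruptedList() == Walk::Cycle && DemoGuardRejectsSelfLink();
  return ok ? 0 : 1;
}
```

The guard stops the bad link at the point of corruption, which is where the assertion in comment 11 caught it; the checked walk is the fallback that turns a hang into a reportable error if a cycle is created some other way.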