Crash [@ nsViewManager::UpdateWidgetArea] when leaving page which uses position:fixed on applet

VERIFIED FIXED

Status

()

Core
Layout: View Rendering
--
critical
VERIFIED FIXED
13 years ago
13 years ago

People

(Reporter: Martijn Wargers (dead), Assigned: roc)

Tracking

({crash, regression, testcase})

Trunk
x86
All
crash, regression, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(3 attachments)

(Reporter)

Description

13 years ago
See upcoming testcase.
When reloading/leaving the testcase, Mozilla crashes.
(Reporter)

Comment 1

13 years ago
Created attachment 177308 [details]
Testcase

It seems a regression.
No crash in 2005-01-27 (2005-1-27 07:30am) trunk build.
Crash in 2005-01-28 (2005-1-27 22:18pm) trunk build.
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-01-27+07%3A00&maxdate=2005-01-27+23%3A00&cvsroot=%2Fcvsroot

Maybe a regression from fixing bug 261238?

Talkback ID: TB4320323G

nsViewManager::UpdateWidgetArea 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 1815]
nsViewManager::UpdateView 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 1888]
nsViewManager::UpdateView 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 1657]
nsViewManager::RemoveChild 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 2750]
nsSplittableFrame::Destroy 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsSplittableFrame.cpp,
line 71]
CanvasFrame::Destroy 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsHTMLFrame.cpp,
line 230]
nsFrameList::DestroyFrames 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsFrameList.cpp,
line 129]
nsBoxFrame::Destroy 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 1117]
nsBoxFrame::Destroy 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 1117]
ViewportFrame::Destroy 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsViewportFrame.cpp,
line 67]
DocumentViewerImpl::Destroy 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsDocumentViewer.cpp,
line 1303]
DocumentViewerImpl::Show 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsDocumentViewer.cpp,
line 1568]
nsPresContext::EnsureVisible 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresContext.cpp,
line 1257]
nsPluginInstanceOwner::Init 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsObjectFrame.cpp,
line 4048]
nsObjectFrame::Reflow 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsObjectFrame.cpp,
line 1060]
nsAbsoluteContainingBlock::ReflowAbsoluteFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp,
line 689]
nsAbsoluteContainingBlock::IncrementalReflow 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp,
line 394]
ViewportFrame::Reflow 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsViewportFrame.cpp,
line 300]
IncrementalReflow::Dispatch 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp,
line 907]
PresShell::ProcessReflowCommands 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6435]
ReflowEvent::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6261]
PL_HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/xpcom/threads/plevent.c,
line 699]
SHELL32.dll + 0x520c24 (0x778b0c24)
(Reporter)

Updated

13 years ago
Keywords: regression
Summary: Crash [@ nsViewManager::UpdateWidgetArea] when leaving page wich uses position:fixed on applet → Crash [@ nsViewManager::UpdateWidgetArea] when leaving page which uses position:fixed on applet

Comment 2

13 years ago
Created attachment 177339 [details]
valgrind log

valgrind sees this before the crash
Hmm... Are we calling GetVisibility() on the view whose destructor is running,
or on some other view?
Component: Layout → Layout: View Rendering
Hmm... So in Seamonkey I don't crash at all.  In Firefox, I crash just on
pageload, but in a different (and expected, for fixed-pos plugin stuff in
Firefox) place.

Martijn, Andrew, were you testing Firefox, or Seamonkey?

Comment 5

13 years ago
I was running seamonkey.  Do you have a java plugin installed?
Keywords: crash
OS: Windows XP → All
No, no java plugin.   So I guess I was just getting the replacement content,
which doesn't break....
To roc...
Assignee: nobody → roc
Flags: blocking1.8b2?
QA Contact: layout → ian
Andrew, what sort of build are you using?

Comment 9

13 years ago
> Andrew, what sort of build are you using?

the valgrind log was from a debug gtk1 build (with -O optimization, but also
-fno-inline)
The problem here is that we create a widget for the applet's view because it's
fixed position. Then later we create a widget for the applet's view in
nsObjectFrame. Two widgets pointing at the same view is not a good idea :-).

To fix this we should create just one widget with the right initdata. I'll add a
method to nsIFrame to delegate widget creation to frames.
Created attachment 179145 [details] [diff] [review]
fix

Pretty easy one ...
Attachment #179145 - Flags: superreview?(dbaron)
Attachment #179145 - Flags: review?(dbaron)
Attachment #179145 - Flags: superreview?(dbaron)
Attachment #179145 - Flags: superreview+
Attachment #179145 - Flags: review?(dbaron)
Attachment #179145 - Flags: review+
Comment on attachment 179145 [details] [diff] [review]
fix

Fixes a crash regression, straightforward fix.
Attachment #179145 - Flags: approval1.8b2?

Comment 13

13 years ago
Comment on attachment 179145 [details] [diff] [review]
fix

a=asa for checkin to 1.8b2
Attachment #179145 - Flags: approval1.8b2? → approval1.8b2+
checked in
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
(Reporter)

Comment 15

13 years ago
Well, I still crashed the first two times, but not directly (after 30s or so).
But that is probably something else.
The third time I didn't crash at all, so things certainly improved ;)
Status: RESOLVED → VERIFIED

Updated

13 years ago
Flags: blocking1.8b2?
Crash Signature: [@ nsViewManager::UpdateWidgetArea]
You need to log in before you can comment on or make changes to this bug.