Closed Bug 307320 Opened 19 years ago Closed 8 years ago

OOMs and frame leaks in nsCSSFrameConstructor.cpp (Crash [@ nsTextControlFrame::SetInitialChildList])

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: timeless, Unassigned)

References

(
URL
)

Details

(Keywords: crash)

Crash Data

Attachments

(1 obsolete file) 

steps:
1. rename components\editor.dll to editor.dul (anything that causes   mEditor = 
do_CreateInstance(kTextEditorCID, &rv); to fail will cause the crash)

    mTextSelImpl->SetScrollableView(mScrollableView);
mTextSelImpl = 0x0
00 gklayout!nsTextControlFrame::SetInitialChildList(class nsPresContext * 
aPresContext = 0x01fa703c, class nsIAtom * aListName = 0x00000000, class 
nsIFrame * aChildList = 0x01588060)+0x1a7 (FPO: [Non-Fpo]) (CONV: stdcall) 
[c:\build\chs3\build\mozilla\layout\forms\nstextcontrolframe.cpp @ 3255]
01 gklayout!nsCSSFrameConstructor::ConstructHTMLFrame(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x024b5d88, class nsIFrame * aParentFrame = 0x024df380, class nsIAtom * aTag = 
0x002ae060, int aNameSpaceID = 1, class nsStyleContext * aStyleContext = 
0x024df2d0, struct nsFrameItems * aFrameItems = 0x0012ddf4, int 
aHasPseudoParent = 0)+0x5f4 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 5485]
02 gklayout!nsCSSFrameConstructor::ConstructFrameInternal(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x024df380, class nsIFrame * aParentFrame = 0x00000000, class nsIAtom * aTag = 
0x002ae060, int aNameSpaceID = 3, class nsStyleContext * aStyleContext = 
0x0012ddf4, struct nsFrameItems * aFrameItems = 0x0012ddf4, int aXBLBaseTag = 0)
+0x21a (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7608]
03 gklayout!nsCSSFrameConstructor::ConstructFrame(class nsFrameConstructorState 
* aState = 0x0012f738, class nsIContent * aContent = 0x00000000, class nsIFrame 
* aParentFrame = 0x024df2d0, struct nsFrameItems * aFrameItems = 0x0012ddf4)
+0xb2 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7498]
04 gklayout!nsCSSFrameConstructor::ProcessChildren(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x024e6440, class nsIFrame * aFrame = 0x024b5d88, int aCanHaveGeneratedContent 
= 0, struct nsFrameItems * aFrameItems = 0x0012ddf4, int aParentIsBlock = 0, 
struct nsTableCreator * aTableCreator = 0x024b5d88)+0xcd (FPO: [Non-Fpo]) 
(CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 11831]
05 gklayout!nsCSSFrameConstructor::ConstructXULFrame(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x024e6440, class nsIFrame * aParentFrame = 0x024deda4, class nsIAtom * aTag = 
0x009e7fa8, int aNameSpaceID = 1, class nsStyleContext * aStyleContext = 
0x024df220, struct nsFrameItems * aFrameItems = 0x0012e120, int aXBLBaseTag = 
0, int aHasPseudoParent = 0, int * aHaltProcessing = 0x0012deb8)+0x81b (FPO: 
[Uses EBP] [10,89,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 6196]
06 gklayout!nsCSSFrameConstructor::ConstructFrameInternal(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x024deda4, class nsIFrame * aParentFrame = 0x00000000, class nsIAtom * aTag = 
0x009e7fa8, int aNameSpaceID = 9, class nsStyleContext * aStyleContext = 
0x00000000, struct nsFrameItems * aFrameItems = 0x0012e120, int aXBLBaseTag = 0)
+0x24f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7613]
07 gklayout!nsCSSFrameConstructor::ConstructFrame(class nsFrameConstructorState 
* aState = 0x0012f738, class nsIContent * aContent = 0x00000000, class nsIFrame 
* aParentFrame = 0x024df220, struct nsFrameItems * aFrameItems = 0x0012e120)
+0xb2 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7498]
08 gklayout!nsCSSFrameConstructor::ProcessChildren(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x024b1e40, class nsIFrame * aFrame = 0x024e6440, int aCanHaveGeneratedContent 
= 0, struct nsFrameItems * aFrameItems = 0x0012e120, int aParentIsBlock = 0, 
struct nsTableCreator * aTableCreator = 0x024e6440)+0xcd (FPO: [Non-Fpo]) 
(CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 11831]
09 gklayout!nsCSSFrameConstructor::ConstructXULFrame(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x024b1e40, class nsIFrame * aParentFrame = 0x024decf4, class nsIAtom * aTag = 
0x009e7fa8, int aNameSpaceID = 1, class nsStyleContext * aStyleContext = 
0x02492190, struct nsFrameItems * aFrameItems = 0x0012e44c, int aXBLBaseTag = 
0, int aHasPseudoParent = 0, int * aHaltProcessing = 0x0012e1e4)+0x81b (FPO: 
[Uses EBP] [10,89,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 6196]
0a gklayout!nsCSSFrameConstructor::ConstructFrameInternal(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x024decf4, class nsIFrame * aParentFrame = 0x00000000, class nsIAtom * aTag = 
0x009e7fa8, int aNameSpaceID = 9, class nsStyleContext * aStyleContext = 
0x00000000, struct nsFrameItems * aFrameItems = 0x0012e44c, int aXBLBaseTag = 0)
+0x24f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7613]
0b gklayout!nsCSSFrameConstructor::ConstructFrame(class nsFrameConstructorState 
* aState = 0x0012f738, class nsIContent * aContent = 0x00000000, class nsIFrame 
* aParentFrame = 0x02492190, struct nsFrameItems * aFrameItems = 0x0012e44c)
+0xb2 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7498]
0c gklayout!nsCSSFrameConstructor::ProcessChildren(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x01ee05c8, class nsIFrame * aFrame = 0x024b1e40, int aCanHaveGeneratedContent 
= 0, struct nsFrameItems * aFrameItems = 0x0012e44c, int aParentIsBlock = 0, 
struct nsTableCreator * aTableCreator = 0x024b1e40)+0xcd (FPO: [Non-Fpo]) 
(CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 11831]
0d gklayout!nsCSSFrameConstructor::ConstructXULFrame(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x01ee05c8, class nsIFrame * aParentFrame = 0x02491864, class nsIAtom * aTag = 
0x009e7fa0, int aNameSpaceID = 1, class nsStyleContext * aStyleContext = 
0x02491d18, struct nsFrameItems * aFrameItems = 0x0012e7fc, int aXBLBaseTag = 
1, int aHasPseudoParent = 0, int * aHaltProcessing = 0x0012e510)+0x81b (FPO: 
[Uses EBP] [10,89,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 6196]
0e gklayout!nsCSSFrameConstructor::ConstructFrameInternal(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x02491864, class nsIFrame * aParentFrame = 0x00000000, class nsIAtom * aTag = 
0x009e7fa0, int aNameSpaceID = 9, class nsStyleContext * aStyleContext = 
0x00000000, struct nsFrameItems * aFrameItems = 0x0012e7fc, int aXBLBaseTag = 1)
+0x24f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7613]
0f gklayout!nsCSSFrameConstructor::ConstructFrameInternal(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x009e2030, class nsIFrame * aParentFrame = 0x02491864, class nsIAtom * aTag = 
0x009e8168, int aNameSpaceID = 9, class nsStyleContext * aStyleContext = 
0x02491d18, struct nsFrameItems * aFrameItems = 0x0012e7fc, int aXBLBaseTag = 0)
+0x157 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7563]
10 gklayout!nsCSSFrameConstructor::ConstructFrame(class nsFrameConstructorState 
* aState = 0x0012f738, class nsIContent * aContent = 0x00000000, class nsIFrame 
* aParentFrame = 0x02491c10, struct nsFrameItems * aFrameItems = 0x0012e7fc)
+0xb2 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7498]
11 gklayout!nsCSSFrameConstructor::ProcessChildren(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x01ee0be8, class nsIFrame * aFrame = 0x01ee05c8, int aCanHaveGeneratedContent 
= 0, struct nsFrameItems * aFrameItems = 0x0012e7fc, int aParentIsBlock = 0, 
struct nsTableCreator * aTableCreator = 0x01ee05c8)+0xcd (FPO: [Non-Fpo]) 
(CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 11831]
12 gklayout!nsCSSFrameConstructor::ConstructXULFrame(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x01ee0be8, class nsIFrame * aParentFrame = 0x0246cb98, class nsIAtom * aTag = 
0x009e7fa8, int aNameSpaceID = 1, class nsStyleContext * aStyleContext = 
0x0246cebc, struct nsFrameItems * aFrameItems = 0x0012eb28, int aXBLBaseTag = 
0, int aHasPseudoParent = 0, int * aHaltProcessing = 0x0012e8c0)+0x81b (FPO: 
[Uses EBP] [10,89,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 6196]
13 gklayout!nsCSSFrameConstructor::ConstructFrameInternal(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x0246cb98, class nsIFrame * aParentFrame = 0x00000000, class nsIAtom * aTag = 
0x009e7fa8, int aNameSpaceID = 9, class nsStyleContext * aStyleContext = 
0x00000000, struct nsFrameItems * aFrameItems = 0x0012eb28, int aXBLBaseTag = 0)
+0x24f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7613]
14 gklayout!nsCSSFrameConstructor::ConstructFrame(class nsFrameConstructorState 
* aState = 0x0012f738, class nsIContent * aContent = 0x00000000, class nsIFrame 
* aParentFrame = 0x0246cebc, struct nsFrameItems * aFrameItems = 0x0012eb28)
+0xb2 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7498]
15 gklayout!nsCSSFrameConstructor::ProcessChildren(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x0244f748, class nsIFrame * aFrame = 0x01ee0be8, int aCanHaveGeneratedContent 
= 0, struct nsFrameItems * aFrameItems = 0x0012eb28, int aParentIsBlock = 0, 
struct nsTableCreator * aTableCreator = 0x01ee0be8)+0xcd (FPO: [Non-Fpo]) 
(CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 11831]
16 gklayout!nsCSSFrameConstructor::ConstructXULFrame(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x0244f748, class nsIFrame * aParentFrame = 0x023d14fc, class nsIAtom * aTag = 
0x009e7fa8, int aNameSpaceID = 1, class nsStyleContext * aStyleContext = 
0x0246cb40, struct nsFrameItems * aFrameItems = 0x0012ee54, int aXBLBaseTag = 
0, int aHasPseudoParent = 0, int * aHaltProcessing = 0x0012ebec)+0x81b (FPO: 
[Uses EBP] [10,89,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 6196]
17 gklayout!nsCSSFrameConstructor::ConstructFrameInternal(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x023d14fc, class nsIFrame * aParentFrame = 0x00000000, class nsIAtom * aTag = 
0x009e7fa8, int aNameSpaceID = 9, class nsStyleContext * aStyleContext = 
0x00000000, struct nsFrameItems * aFrameItems = 0x0012ee54, int aXBLBaseTag = 0)
+0x24f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7613]
18 gklayout!nsCSSFrameConstructor::ConstructFrame(class nsFrameConstructorState 
* aState = 0x0012f738, class nsIContent * aContent = 0x00000000, class nsIFrame 
* aParentFrame = 0x0246cb40, struct nsFrameItems * aFrameItems = 0x0012ee54)
+0xb2 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7498]
19 gklayout!nsCSSFrameConstructor::ProcessChildren(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x01e23c80, class nsIFrame * aFrame = 0x0244f748, int aCanHaveGeneratedContent 
= 0, struct nsFrameItems * aFrameItems = 0x0012ee54, int aParentIsBlock = 0, 
struct nsTableCreator * aTableCreator = 0x0244f748)+0xcd (FPO: [Non-Fpo]) 
(CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 11831]
1a gklayout!nsCSSFrameConstructor::ConstructXULFrame(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x01e23c80, class nsIFrame * aParentFrame = 0x0239f080, class nsIAtom * aTag = 
0x009e7dd0, int aNameSpaceID = 1, class nsStyleContext * aStyleContext = 
0x023d0864, struct nsFrameItems * aFrameItems = 0x0012f180, int aXBLBaseTag = 
0, int aHasPseudoParent = 0, int * aHaltProcessing = 0x0012ef18)+0x81b (FPO: 
[Uses EBP] [10,89,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 6196]
1b gklayout!nsCSSFrameConstructor::ConstructFrameInternal(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x0239f080, class nsIFrame * aParentFrame = 0x00000000, class nsIAtom * aTag = 
0x009e7dd0, int aNameSpaceID = 9, class nsStyleContext * aStyleContext = 
0x00000000, struct nsFrameItems * aFrameItems = 0x0012f180, int aXBLBaseTag = 0)
+0x24f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7613]
1c gklayout!nsCSSFrameConstructor::ConstructFrame(class nsFrameConstructorState 
* aState = 0x0012f738, class nsIContent * aContent = 0x00000000, class nsIFrame 
* aParentFrame = 0x0239f208, struct nsFrameItems * aFrameItems = 0x0012f180)
+0xb2 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7498]
1d gklayout!nsCSSFrameConstructor::ProcessChildren(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x02392d58, class nsIFrame * aFrame = 0x01e23c80, int aCanHaveGeneratedContent 
= 0, struct nsFrameItems * aFrameItems = 0x0012f180, int aParentIsBlock = 0, 
struct nsTableCreator * aTableCreator = 0x01e23c80)+0xcd (FPO: [Non-Fpo]) 
(CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 11831]
1e gklayout!nsCSSFrameConstructor::ConstructXULFrame(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x02392d58, class nsIFrame * aParentFrame = 0x0239efa0, class nsIAtom * aTag = 
0x009e7fb0, int aNameSpaceID = 1, class nsStyleContext * aStyleContext = 
0x0239f028, struct nsFrameItems * aFrameItems = 0x0012f4ac, int aXBLBaseTag = 
0, int aHasPseudoParent = 0, int * aHaltProcessing = 0x0012f244)+0x81b (FPO: 
[Uses EBP] [10,89,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 6196]
1f gklayout!nsCSSFrameConstructor::ConstructFrameInternal(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x0239efa0, class nsIFrame * aParentFrame = 0x00000000, class nsIAtom * aTag = 
0x009e7fb0, int aNameSpaceID = 9, class nsStyleContext * aStyleContext = 
0x00000000, struct nsFrameItems * aFrameItems = 0x0012f4ac, int aXBLBaseTag = 0)
+0x24f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7613]
20 gklayout!nsCSSFrameConstructor::ConstructFrame(class nsFrameConstructorState 
* aState = 0x0012f738, class nsIContent * aContent = 0x00000000, class nsIFrame 
* aParentFrame = 0x0239f028, struct nsFrameItems * aFrameItems = 0x0012f4ac)
+0xb2 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7498]
21 gklayout!nsCSSFrameConstructor::ProcessChildren(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x01e243b0, class nsIFrame * aFrame = 0x02392d58, int aCanHaveGeneratedContent 
= 0, struct nsFrameItems * aFrameItems = 0x0012f4ac, int aParentIsBlock = 0, 
struct nsTableCreator * aTableCreator = 0x02392d58)+0xcd (FPO: [Non-Fpo]) 
(CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 11831]
22 gklayout!nsCSSFrameConstructor::ConstructXULFrame(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x01e243b0, class nsIFrame * aParentFrame = 0x01678500, class nsIAtom * aTag = 
0x009e7de8, int aNameSpaceID = 1, class nsStyleContext * aStyleContext = 
0x0239eef0, struct nsFrameItems * aFrameItems = 0x0012f6f4, int aXBLBaseTag = 
0, int aHasPseudoParent = 0, int * aHaltProcessing = 0x0012f570)+0x81b (FPO: 
[Uses EBP] [10,89,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 6196]
23 gklayout!nsCSSFrameConstructor::ConstructFrameInternal(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x01678500, class nsIFrame * aParentFrame = 0x00000000, class nsIAtom * aTag = 
0x009e7de8, int aNameSpaceID = 9, class nsStyleContext * aStyleContext = 
0x00000000, struct nsFrameItems * aFrameItems = 0x0012f6f4, int aXBLBaseTag = 0)
+0x24f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7613]
24 gklayout!nsCSSFrameConstructor::ConstructFrame(class nsFrameConstructorState 
* aState = 0x0012f738, class nsIContent * aContent = 0x00000000, class nsIFrame 
* aParentFrame = 0x0239ea4c, struct nsFrameItems * aFrameItems = 0x0012f6f4)
+0xb2 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7498]
25 gklayout!nsCSSFrameConstructor::ProcessChildren(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aContent = 
0x0174ff20, class nsIFrame * aFrame = 0x01e243b0, int aCanHaveGeneratedContent 
= 1, struct nsFrameItems * aFrameItems = 0x0012f6f4, int aParentIsBlock = 0, 
struct nsTableCreator * aTableCreator = 0x01e243b0)+0xcd (FPO: [Non-Fpo]) 
(CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 11831]
26 gklayout!nsCSSFrameConstructor::ConstructDocElementFrame(class 
nsFrameConstructorState * aState = 0x0012f738, class nsIContent * aDocElement = 
0x0174ff20, class nsIFrame * aParentFrame = 0x016782d4, class nsIFrame ** 
aNewFrame = 0x0012f924)+0x36b (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 4403]
27 gklayout!nsCSSFrameConstructor::ContentInserted(class nsIContent * 
aContainer = 0x01678500, class nsIFrame * aContainerFrame = 0x00000000, class 
nsIContent * aChild = 0x0174ff20, int aIndexInContainer = 0, class 
nsILayoutHistoryState * aFrameState = 0x00000000, int aInReinsertContent = 0)
+0x8c (FPO: [Uses EBP] [6,121,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 8989]
28 gklayout!PresShell::InitialReflow(int aWidth = 0, int aHeight = 0)+0x9f 
(FPO: [Non-Fpo]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\layout\base\nspresshell.cpp @ 2835]
29 gklayout!nsXULDocument::StartLayout(void)+0xe2 (FPO: [Non-Fpo]) (CONV: 
thiscall) [c:\build\chs3
\build\mozilla\content\xul\document\src\nsxuldocument.cpp @ 2165]
2a gklayout!nsXULDocument::ResumeWalk(void)+0x587 (FPO: [Uses EBP] [0,61,0]) 
(CONV: thiscall) [c:\build\chs3
\build\mozilla\content\xul\document\src\nsxuldocument.cpp @ 3187]
2b gklayout!nsXULDocument::EndLoad(void)+0x1d2 (FPO: [Non-Fpo]) (CONV: 
thiscall) [c:\build\chs3
\build\mozilla\content\xul\document\src\nsxuldocument.cpp @ 744]
2c gklayout!XULContentSinkImpl::DidBuildModel(void)+0x36 (FPO: [Non-Fpo]) 
(CONV: stdcall) [c:\build\chs3
\build\mozilla\content\xul\document\src\nsxulcontentsink.cpp @ 408]
2d gkparser!nsExpatDriver::DidBuildModel(unsigned int anErrorCode = <Memory 
access error>, int aNotifySink = <Memory access error>, class nsIParser * 
aParser = <Memory access error>, class nsIContentSink * aSink = <Memory access 
error>)+0x1c (FPO: [5,0,0]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\parser\htmlparser\src\nsexpatdriver.cpp @ 1080]
2e gkparser!nsParser::DidBuildModel(unsigned int anErrorCode = <Memory access 
error>)+0x36 (FPO: [1,0,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\parser\htmlparser\src\nsparser.cpp @ 1315]
2f gkparser!nsParser::ResumeParse(int allowIteration = <Memory access error>, 
int aIsFinalChunk = <Memory access error>, int aCanInterrupt = <Memory access 
error>)+0x14b (FPO: [Uses EBP] [3,1,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\parser\htmlparser\src\nsparser.cpp @ 2050]
30 gkparser!nsParser::OnStopRequest(class nsIRequest * request = 0x023a68b0, 
class nsISupports * aContext = 0x00000000, unsigned int status = 0)+0x60 (FPO: 
[Non-Fpo]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\parser\htmlparser\src\nsparser.cpp @ 2719]
31 jar50!nsJARChannel::OnStopRequest(class nsIRequest * req = 0x00000000, class 
nsISupports * ctx = 0x00000000, unsigned int status = 0)+0x36 (FPO: [4,0,0]) 
(CONV: stdcall) [c:\build\chs3\build\mozilla\modules\libjar\nsjarchannel.cpp @ 
712]
32 necko!nsInputStreamPump::OnStateStop(void)+0x55 (FPO: [Uses EBP] [0,0,0]) 
(CONV: thiscall) [c:\build\chs3
\build\mozilla\netwerk\base\src\nsinputstreampump.cpp @ 507]
33 necko!nsInputStreamPump::OnInputStreamReady(class nsIAsyncInputStream * 
stream = 0x02121800)+0x2a (FPO: [Non-Fpo]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\netwerk\base\src\nsinputstreampump.cpp @ 344]
34 xpcom_core!nsInputStreamReadyEvent::EventHandler(struct PLEvent * plevent = 
0x778b0c24)+0x20 (FPO: [1,0,0]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\xpcom\io\nsstreamutils.cpp @ 120]
35 xpcom_core!PL_HandleEvent(struct PLEvent * self = 0x778b0c24)+0xe (FPO: 
[1,0,0]) (CONV: cdecl) [c:\build\chs3\build\mozilla\xpcom\threads\plevent.c @ 
689]
36 xpcom_core!PL_ProcessPendingEvents(struct PLEventQueue * self = 0x778b0c24)
+0x61 (FPO: [Uses EBP] [1,0,0]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\xpcom\threads\plevent.c @ 623]
37 xpcom_core!_md_EventReceiverProc(struct HWND__ * hwnd = 0x003f028e, unsigned 
int uMsg = 0xc0f7, unsigned int wParam = 0, long lParam = 0x9b7e98)+0x1c (FPO: 
[Non-Fpo]) (CONV: stdcall) [c:\build\chs3\build\mozilla\xpcom\threads\plevent.c 
@ 1409]
38 USER32!InternalCallWinProc+0x28
39 USER32!UserCallWinProcCheckWow+0x150 (FPO: [Non-Fpo])
3a USER32!DispatchMessageWorker+0x306 (FPO: [Non-Fpo])
3b USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])
3c gkwidget!nsAppShell::Run(void)+0x10c (FPO: [Non-Fpo]) (CONV: stdcall) 
[c:\build\chs3\build\mozilla\widget\src\windows\nsappshell.cpp @ 159]
3d appcomps!nsAppStartup::Run(void)+0xd (FPO: [1,0,0]) (CONV: stdcall) 
[c:\build\chs3\build\mozilla\xpfe\components\startup\src\nsappstartup.cpp @ 208]
3e HsEngine!main1(int argc = 1, char ** argv = 0x002a4510, class nsISupports * 
nativeApp = 0x0000000c)+0x355 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\xpfe\bootstrap\nsapprunner.cpp @ 1264]
3f HsEngine!main(int argc = 1, char ** argv = 0x002a4510)+0xc5 (FPO: [Non-Fpo]) 
(CONV: cdecl) [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsapprunner.cpp @ 
1765]
40 HsEngine!WinMain(struct HINSTANCE__ * __formal = 0x7c816d4f, struct 
HINSTANCE__ * __formal = 0x00000000, char * args = 0x00000000 "", int __formal 
= 0x7ffd6000)+0x18 (FPO: [4,0,0]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\xpfe\bootstrap\nsapprunner.cpp @ 1789]
41 HsEngine!WinMainCRTStartup(void)+0x185 (FPO: [Non-Fpo]) (CONV: cdecl) 
[f:\vs70builds\3077\vc\crtbld\crt\src\crtexe.c @ 390]
42 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

problem starts with this well behaved code
  mEditor = do_CreateInstance(kTextEditorCID, &rv);
  if (NS_FAILED(rv))
    return rv;

00 gklayout!nsTextControlFrame::CreateAnonymousContent(class nsPresContext * 
aPresContext = 0x015be9a0, class nsISupportsArray * aChildList = 0x01f42e40)
+0x1b5 (FPO: [Uses EBP] [3,55,0]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\layout\forms\nstextcontrolframe.cpp @ 1844]

and then that useful information is lost by the caller (which could of course 
crash):
  nsCOMPtr<nsISupportsArray> anonymousItems;
  NS_NewISupportsArray(getter_AddRefs(anonymousItems));

  creator->CreateAnonymousContent(aState.mPresContext, *anonymousItems);

01 gklayout!nsCSSFrameConstructor::CreateAnonymousFrames(class 
nsFrameConstructorState * aState = 0x0012d960, class nsIContent * aParent = 
0x01f38c58, class nsIDocument * aDocument = 0x01e7e6b8, class nsIFrame * 
aParentFrame = 0x01f298b0, int aForceBindingParent = 0, int aAppendToExisting = 
0, struct nsFrameItems * aChildItems = 0x0012c9c0, class nsIFrame * 
aAnonymousCreator = 0x00000000, class nsIContent * aInsertionNode = 0x00000000, 
int aAnonymousParentIsBlock = 0)+0x6d (FPO: [Uses EBP] [10,45,0]) (CONV: 
thiscall) [c:\build\chs3\build\mozilla\layout\base\nscssframeconstructor.cpp @ 
5660]
02 gklayout!nsCSSFrameConstructor::CreateAnonymousFrames(class nsIAtom * aTag = 
0x002aed38, class nsFrameConstructorState * aState = 0x0012d960, class 
nsIContent * aParent = 0x01f38c58, class nsIFrame * aNewFrame = 0x01f298b0, int 
aAppendToExisting = 0, struct nsFrameItems * aChildItems = 0x0012c9c0, int 
aIsRoot = 0)+0x54 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 5547]

unfortunately that error will be lost again here:
      CreateAnonymousFrames(aTag, aState, aContent, newFrame,
                            PR_FALSE, childItems);

      // Set the frame's initial child list
      if (childItems.childList) {


03 gklayout!nsCSSFrameConstructor::ConstructHTMLFrame(class 
nsFrameConstructorState * aState = 0x0012d960, class nsIContent * aContent = 
0x01f38c58, class nsIFrame * aParentFrame = 0x01f29690, class nsIAtom * aTag = 
0x002aed38, int aNameSpaceID = 1, class nsStyleContext * aStyleContext = 
0x01f29800, struct nsFrameItems * aFrameItems = 0x0012cccc, int 
aHasPseudoParent = 0)+0x5de (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 5481]
04 gklayout!nsCSSFrameConstructor::ConstructFrameInternal(class 
nsFrameConstructorState * aState = 0x0012d960, class nsIContent * aContent = 
0x01f29690, class nsIFrame * aParentFrame = 0x00000000, class nsIAtom * aTag = 
0x002aed38, int aNameSpaceID = 3, class nsStyleContext * aStyleContext = 
0x0012cccc, struct nsFrameItems * aFrameItems = 0x0012cccc, int aXBLBaseTag = 0)
+0x21a (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nscssframeconstructor.cpp @ 7608]
Summary: [@ nsTextControlFrame::SetInitialChildList] → Crash [@ nsTextControlFrame::SetInitialChildList] when editor.dll is missing
<timeless> not having the library was just a convenient way to take pot shots at
oom code
Summary: Crash [@ nsTextControlFrame::SetInitialChildList] when editor.dll is missing → Crash [@ nsTextControlFrame::SetInitialChildList] when editor.dll is missing or OOM
> problem starts with this well behaved code
>   mEditor = do_CreateInstance(kTextEditorCID, &rv);
>   if (NS_FAILED(rv))
>     return rv;

> and then that useful information is lost by the caller (which could of course 
> crash):
>   nsCOMPtr<nsISupportsArray> anonymousItems;
>   NS_NewISupportsArray(getter_AddRefs(anonymousItems));
> 
>   creator->CreateAnonymousContent(aState.mPresContext, *anonymousItems);

I think this also happens in OOM situations? Setting dependency for such an OOM
case.
Blocks: 277565
Keywords: helpwanted
*** Bug 320426 has been marked as a duplicate of this bug. ***
the url was a complete audit for the file, as best as i could do it.

mats.palmgren@bredband.net, i don't suppose i could interest you in taking this bug? otherwise i suppose it's time for me to work on it.
Sure, I can have a look at this one...
Assignee: nobody → mats.palmgren
Keywords: helpwanted
OS: Windows XP → All
Hardware: PC → All
Component: Layout: Form Controls → Layout
Summary: Crash [@ nsTextControlFrame::SetInitialChildList] when editor.dll is missing or OOM → OOMs and frame leaks in nsCSSFrameConstructor.cpp (Crash [@ nsTextControlFrame::SetInitialChildList])
Attached patch Patch rev. 1 (obsolete) — Splinter Review 
Sorry for the large patch (3237 lines), there are still some
remaining OOMs that isn't handled by this patch but I will
address those in a separate bug(s).

What I am addressing in this bug:
1. allocation failures, mostly from NS_New*Frame
2. failures from InitAndRestoreFrame() and Init(), CreateViewForFrame(),
   SetInitialChildList(), ProcessPseudoFrames(), ProcessChildren(),
   CreateAnonymousFrames() and others...
3. leakage of frames when handling errors from 1 and 2.
4. some other minor cleanups (unused variables and such)

timeless, there was two lines I didn't get why you marked:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1121&mark=6181,6190#6164

Boris, the "ownership" of the table pseduo frames in case of
failure is unclear to me. I read the code many times but still
couldn't figure it out. Please have a look at the changes in
ProcessPseudoFrame(), ProcessPseudoTableFrame() and 
ProcessPseudoCellFrame() and tell me if that makes sense -
or if not, how it can be solved, thanks.
Attachment #210061 - Flags: superreview?(bzbarsky)
Attachment #210061 - Flags: review?(timeless)
not sure about the first line, it's almost certainly an off by one error on my part . the second was probably me showing a dereference, most likely of newframe. btw, thanks for pulling this one in.
Frankly, I have no idea what should happen with pseudo-frames either.  Not only that, but in general I don't know what should happen in a lot of the other places too -- that is, cleanup needs to happen somehow, but I'm not sure how.  For example, generally speaking failure to SetInitialChildList should trigger destruction of some out-of-flows.  But in general, I bet SetInitialChildList cannot in fact fail...

I would say that trying to fix this bug with the frame constructor code in the current state is nearly impossible.  I _might_ be able to review changes to one function at a time with a large amount of code tracing, but reviewing the whole thing is basically not feasible, and I suspect at least some parts of it are "wrong" as things stand.

Since this is clearly 1.9 work, I think the right thing to do is to move forward with the proposed simplification of the frame constructor that sicking has been looking into.  If we can get to a point where we're less "stateful", that should make fixing this bug a whole lot easier...
Frankly, i'm not exited about this patch. Getting things OOM safe is good and all, but at this point we need to get the cssframector less complicated, not more.

Timeless: are you running in an environment where you're frequently are running out of memory in the cssframector, or is this purly a just-in-case exercise?
Attachment #210061 - Flags: superreview?(bzbarsky)
Comment on attachment 210061 [details] [diff] [review]
Patch rev. 1

Seems unlikely this will be accepted...
Attachment #210061 - Flags: review?(timeless)
Assignee: mats.palmgren → nobody
QA Contact: layout.form-controls → layout
Crash Signature: [@ nsTextControlFrame::SetInitialChildList]
Now that allocating frames and the Init() call are infallible I think this
issue is mostly solved.  Only 6 of the reported crashes in the past 6 months
that are from modern versions (v44 or newer), so this doesn't seem worth
tracking.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
Attachment #210061 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: