Bug 308516: svg/canvas related crash? [@ GetNearestContainingBlock]
Status: RESOLVED DUPLICATE of bug 194952
Opened 19 years ago, closed 18 years ago
Categories: Core :: Layout, defect
People: Reporter: dveditz, Unassigned
Attachments: 1 obsolete file
Was surfing around blogs and crashed twice trying to load the Times interview
with Gerv, at least pretty sure it was that page, unless it was left over from
http://planet.mozilla.org where I linked to the Times story.
Got two crashes in GetNearestContainingBlock which seems to be a popular crash
lately. I'm only filing this additional bug because I haven't seen SVG in the
stack on the other bugs.
TB9344327K, TB9344331Q
Seems odd that a commercial news site would be using SVG though. It also isn't
crashing for me anymore so maybe it was a fluke, or maybe the SVG was in random
ad content.
GetNearestContainingBlock
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLReflowState.cpp,
line 655]
nsHTMLReflowState::InitAbsoluteConstraints
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLReflowState.cpp,
line 1044]
nsHTMLReflowState::InitConstraints
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLReflowState.cpp,
line 1960]
nsHTMLReflowState::Init
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLReflowState.cpp,
line 337]
nsHTMLReflowState::nsHTMLReflowState
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLReflowState.cpp,
line 310]
nsAbsoluteContainingBlock::ReflowAbsoluteFrame
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp,
line 521]
nsAbsoluteContainingBlock::IncrementalReflow
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp,
line 387]
nsBlockFrame::Reflow
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 1023]
nsContainerFrame::ReflowChild
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp,
line 904]
CanvasFrame::Reflow
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLFrame.cpp,
line 522]
nsContainerFrame::ReflowChild
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp,
line 904]
nsHTMLScrollFrame::ReflowScrolledFrame
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsGfxScrollFrame.cpp,
line 520]
nsHTMLScrollFrame::ReflowContents
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsGfxScrollFrame.cpp,
line 568]
nsHTMLScrollFrame::Reflow
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsGfxScrollFrame.cpp,
line 760]
nsContainerFrame::ReflowChild
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp,
line 904]
ViewportFrame::Reflow
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsViewportFrame.cpp,
line 240]
IncrementalReflow::Dispatch
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 914]
PresShell::ProcessReflowCommands
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6874]
ReflowEvent::HandleEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6700]
PL_HandleEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpcom/threads/plevent.c,
line 689]
0x778b0c24
nsSVGLinearGradientElement::CloneNode
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/svg/content/src/nsSVGGradientElement.cpp,
line 385]
0x0824748b
Comment 1•19 years ago (Reporter)
Given that this is a topcrasher on the 1.0x branch, and just hit me on the 1.8
branch, why can't we simply stop the pain like this here in
GetNearestContainingBlock? Calling code already has to deal with a potential
null return so what's the harm? (I guess it could push the crash somewhere
else)
Attachment #196051 - Flags: superreview?(dbaron)
Attachment #196051 - Flags: review?(bzbarsky)
Comment 2•19 years ago
Er... Who's managing to pass a null frame to GetNearestContainingBlock, and why?
And if the caller is nsHTMLReflowState::InitAbsoluteConstraints then it in fact
does not deal with a null return from GetNearestContainingBlock -- it crashes
when that happens. We have bugs on it.
As for SVG, that part of the stack is most likely bogus and in any case doesn't
have anything to do with the layout issue that's actually crashing. Also,
<canvas> is not involved at all here that I can see (nsCanvasFrame has nothing
to do with <canvas>)
Comment 3•19 years ago
Comment on attachment 196051
band-aide patch
This won't fix the crash, since the caller will just proceed to crash, and
there should never be a null being passed here anyway... if it's happening
something else has gone very badly awry.
Attachment #196051 - Flags: review?(bzbarsky) → review-
Comment 4•19 years ago
So how do I try to reproduce this? Is there a URI?
Assignee: bzbarsky → nobody
Comment 5•19 years ago (Reporter)
(In reply to comment #4)
> So how do I try to reproduce this? Is there a URI?
Both crashes were
1) start on planet.mozilla.org, see post about Gerv's times interview. Since
that will scroll off might be able to start here or at Gerv's blog
(http://weblogs.mozillazine.org/gerv/archives/2005/09/times_interview.html)
2) Load times interview into a background tab
(http://technology.timesonline.co.uk/article/0,,20410-1778674,00.html)
3) While that's loading middle-click on Glazman's link
(http://glazman.org/weblog/dotclear/index.php?2005/09/14/1238-xmlhttprequest-and-msie)
4) and his link to the IE blog
(http://blogs.msdn.com/ie/archive/2005/09/13/465338.aspx)
Twice I crashed at that point, then not after that. Maybe related to the ad
being served at timesonline at the time?
Comment 6•19 years ago
*** Bug 308765 has been marked as a duplicate of this bug. ***
Attachment #196051 - Flags: superreview?(dbaron)
Comment 7•19 years ago
I've tried several times and not managed to reproduce it.
Comment 8•19 years ago
*** Bug 310766 has been marked as a duplicate of this bug. ***
Comment 9•18 years ago (Reporter)
Can't repro lately, and has dropped to #271 on the topcrasher list. Consolidating with older bug at the same location
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Updated•18 years ago (Reporter)
Attachment #196051 - Attachment is obsolete: true