Closed Bug 308516 Opened 19 years ago Closed 17 years ago

svg/canvas related crash? [@ GetNearestContainingBlock]

Product/Component: Core :: Layout (defect)
Version: 1.8 Branch
Hardware/OS: x86, Windows XP
Priority: Not set
Severity: critical

RESOLVED DUPLICATE of bug 194952

Reporter: dveditz
Assignee: Unassigned

Attachments: 1 obsolete file

Was surfing around blogs and crashed twice trying to load the Times interview
with Gerv, at least pretty sure it was that page, unless it was left over from
http://planet.mozilla.org where I linked to the Times story.

Got two crashes in GetNearestContainingBlock which seems to be a popular crash
lately. I'm only filing this additional bug because I haven't seen SVG in the
stack on the other bugs.

TB9344327K, TB9344331Q

Seems odd that a commercial news site would be using SVG though. It also isn't
crashing for me anymore so maybe it was a fluke, or maybe the SVG was in random
ad content.

GetNearestContainingBlock [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLReflowState.cpp, line 655]
nsHTMLReflowState::InitAbsoluteConstraints [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLReflowState.cpp, line 1044]
nsHTMLReflowState::InitConstraints [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLReflowState.cpp, line 1960]
nsHTMLReflowState::Init [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLReflowState.cpp, line 337]
nsHTMLReflowState::nsHTMLReflowState [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLReflowState.cpp, line 310]
nsAbsoluteContainingBlock::ReflowAbsoluteFrame [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp, line 521]
nsAbsoluteContainingBlock::IncrementalReflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp, line 387]
nsBlockFrame::Reflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsBlockFrame.cpp, line 1023]
nsContainerFrame::ReflowChild [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 904]
CanvasFrame::Reflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLFrame.cpp, line 522]
nsContainerFrame::ReflowChild [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 904]
nsHTMLScrollFrame::ReflowScrolledFrame [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsGfxScrollFrame.cpp, line 520]
nsHTMLScrollFrame::ReflowContents [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsGfxScrollFrame.cpp, line 568]
nsHTMLScrollFrame::Reflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsGfxScrollFrame.cpp, line 760]
nsContainerFrame::ReflowChild [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 904]
ViewportFrame::Reflow [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsViewportFrame.cpp, line 240]
IncrementalReflow::Dispatch [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 914]
PresShell::ProcessReflowCommands [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6874]
ReflowEvent::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6700]
PL_HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpcom/threads/plevent.c, line 689]
0x778b0c24
nsSVGLinearGradientElement::CloneNode [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/svg/content/src/nsSVGGradientElement.cpp, line 385]
0x0824748b

Attached patch: band-aide patch (obsolete)
Given that this is a topcrasher on the 1.0x branch, and just hit me on the 1.8
branch, why can't we simply stop the pain like this here in
GetNearestContainingBlock? Calling code already has to deal with a potential
null return so what's the harm? (I guess it could push the crash somewhere
else)
Attachment #196051 - Flags: superreview?(dbaron)
Attachment #196051 - Flags: review?(bzbarsky)

Er... Who's managing to pass a null frame to GetNearestContainingBlock, and why?

And if the caller is nsHTMLReflowState::InitAbsoluteConstraints then it in fact
does not deal with a null return from GetNearestContainingBlock -- it crashes
when that happens.  We have bugs on it.

As for SVG, that part of the stack is most likely bogus and in any case doesn't
have anything to do with the layout issue that's actually crashing.  Also, 
<canvas> is not involved at all here that I can see (nsCanvasFrame has nothing
to do with <canvas>)

Comment on attachment 196051 [details] [diff] [review]
band-aide patch

This won't fix the crash, since the caller will just proceed to crash, and
there should never be a null being passed here anyway... if it's happening
something else has gone very badly awry.
Attachment #196051 - Flags: review?(bzbarsky) → review-

So how do I try to reproduce this? Is there a URI?
Assignee: bzbarsky → nobody

(In reply to comment #4)
> So how do I try to reproduce this?  Is there a URI?

Both crashes were
1) start on planet.mozilla.org, see post about Gerv's times interview. Since
that will scroll off might be able to start here or at Gerv's blog
(http://weblogs.mozillazine.org/gerv/archives/2005/09/times_interview.html)
2) Load times interview into a background tab
(http://technology.timesonline.co.uk/article/0,,20410-1778674,00.html)
3) While that's loading middle-click on Glazman's link
(http://glazman.org/weblog/dotclear/index.php?2005/09/14/1238-xmlhttprequest-and-msie)
4) and his link to the IE blog
(http://blogs.msdn.com/ie/archive/2005/09/13/465338.aspx)

twice I crashed at that point, then not after that. Maybe related to the ad
being served at timesonline at the time?

*** Bug 308765 has been marked as a duplicate of this bug. ***

I've tried several times and not managed to reproduce it.

*** Bug 310766 has been marked as a duplicate of this bug. ***

Can't repro lately, and has dropped to #271 on the topcrasher list. Consolidating with older bug at the same location.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Attachment #196051 - Attachment is obsolete: true