Bug 325218 - Crash with evil xul testcase, using box, tooltip, object, etc [@ DoDeletingFrameSubtree]
Status: VERIFIED FIXED
Whiteboard: regression from bug 310638 [rft-dl]
Keywords: crash, regression, testcase, verified1.8.0.2, verified1.8.1
Product: Core
Classification: Components
Component: Layout
Version: Trunk
Platform: x86 Windows XP
Importance: -- critical
Target Milestone: mozilla1.9alpha1
Assigned To: Boris Zbarsky [:bz] (still a bit busy)
Depends on: 322678
Blocks: ajax-demolisher 310638

Reported: 2006-01-30 05:35 PST by Martijn Wargers [:mwargers] (not working for Mozilla)
Modified: 2011-06-13 10:01 PDT
dveditz: blocking1.8.1+
dveditz: blocking1.8.0.2+


Attachments
testcase (crashes on load) (815 bytes, application/vnd.mozilla.xul+xml), 2006-01-30 05:37 PST, Martijn Wargers [:mwargers] (not working for Mozilla)
Frame tree (5.25 KB, text/plain), 2006-01-31 14:18 PST, Jonas Sicking (:sicking) No longer reading bugmail consistently
wallpaper, just in case... (1.56 KB, patch), 2006-02-03 23:26 PST, Mats Palmgren (:mats)

Description Martijn Wargers [:mwargers] (not working for Mozilla) 2006-01-30 05:35:27 PST
See upcoming testcase, which crashes upon load in current trunk builds.
This looks like a regression, doesn't crash in 2006-01-26 build, but crashes in 2006-01-27 build, very likely a regression from bug 310638.
Comment 1 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-01-30 05:37:13 PST
Created attachment 210137
testcase (crashes on load)

Talkback ID TB14548920Z: 
DoDeletingFrameSubtree  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9809]
DoDeletingFrameSubtree  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9815]
DeletingFrameSubtree  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9878]
nsCSSFrameConstructor::ContentRemoved  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10064]
nsCSSFrameConstructor::ReinsertContent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9740]
nsCSSFrameConstructor::MaybeRecreateContainerForIBSplitterFrame  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11646]
nsCSSFrameConstructor::ProcessRestyledFrames  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10538]
nsCSSFrameConstructor::RestyleElement  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10608]
nsCSSFrameConstructor::ProcessOneRestyle  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13415]
nsCSSFrameConstructor::ProcessPendingRestyles  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13467]
nsCSSFrameConstructor::RestyleEvent::HandleEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13534]
SHELL32.dll + 0x520c24 (0x778b0c24)
Comment 2 Steve England [:stevee] 2006-01-30 06:16:28 PST
Not related to bug 288357?
Comment 3 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-01-30 06:51:09 PST
No, not likely.
Comment 4 Boris Zbarsky [:bz] (still a bit busy) 2006-01-30 07:56:31 PST
Mats, do you have time to look into this?

Is the issue here that we're failing to tear down the special siblings as you've commented elsewhere?  Note that in general we don't run into it because we reframe the containing block, but in this case there is no containing block...
Comment 5 Jonas Sicking (:sicking) No longer reading bugmail consistently 2006-01-31 14:18:59 PST
Created attachment 210277
Frame tree
Comment 6 Mats Palmgren (:mats) 2006-02-03 23:23:04 PST
(In reply to comment #4)
> Is the issue here that we're failing to tear down the special siblings as
> you've commented elsewhere?

Yes, this is basically the same thing. We have two pending restyles
in ProcessPendingRestyles() for content that are descendants of a special
sibling (not the first in the chain), so the first restyle would destroy
the first special in the chain but since we don't destroy the following
the second restyle ended up doing a second DeletingFrameSubtree(), now on the
second special sibling that we left around.
In this frame there is a placeholder (the tooltip) that now has a null
out-of-flow.

Your patch for bug 322678 should fix this bug also.
I'm still a little worried that there are other (potentially bogus) frame
trees that would trigger this crash, so...
Comment 7 Mats Palmgren (:mats) 2006-02-03 23:26:25 PST
Created attachment 210679
wallpaper, just in case...

... so maybe we should take this also, just in case.
(Until bug 323105 removes this function, but that might not land on branches?)
Comment 8 Boris Zbarsky [:bz] (still a bit busy) 2006-02-08 20:36:42 PST
Fixed by patch in bug 322678.

Mats, I suspect the wallpaper would just delay crashes, not remove them, no?
Comment 9 Mats Palmgren (:mats) 2006-02-08 20:59:12 PST
(In reply to comment #8)
> Mats, I suspect the wallpaper would just delay crashes, not remove them, no?

I think it would actually avoid crashes that are caused by traversing the same
(sub)tree twice. Not that I have any reason to believe that it will occur though.
Comment 10 Boris Zbarsky [:bz] (still a bit busy) 2006-02-08 21:08:15 PST
Hmm.. If you think that's possible, might be worth taking the patch on branch, I guess.
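
The sequence from comment 6 and the wallpaper question from comments 8 and 9, as an added example that is not part of the bug thread and is not Gecko code. It is a simplified model: `Frame`, `walk`, `removeFor` and `twoRestyles` are hypothetical names, the way the placeholder loses its out-of-flow (a teardown walk that follows the special-sibling chain while only the first frame is removed) is an assumption of the model, and `guard` stands in for a defensive null check rather than reproducing the attached patch.

```cpp
// Simplified model, not Gecko code; all names here are hypothetical.
#include <cstdio>
#include <vector>

struct Frame {
    bool isPlaceholder = false;
    Frame* outOfFlow = nullptr;    // placeholder -> its out-of-flow (the tooltip)
    Frame* nextSpecial = nullptr;  // next frame in the special-sibling chain
    std::vector<Frame*> kids;
    bool removed = false;          // stands in for "destroyed and unlinked"
};
struct Outcome { int faults = 0; int walks = 0; };

// Walk a subtree, releasing out-of-flows; counts nulls an unguarded walk would hit.
int walk(Frame* f, bool guard) {
    int faults = 0;
    if (f->isPlaceholder) {
        if (f->outOfFlow) { f->outOfFlow->removed = true; f->outOfFlow = nullptr; }
        else if (!guard) ++faults;  // the real code would crash here
    }
    for (Frame* k : f->kids) faults += walk(k, guard);
    return faults;
}

// One restyle-driven removal. Model assumption: the walk follows the whole
// chain, but only `start` is removed unless fullChain is set.
int removeFor(Frame* start, bool guard, bool fullChain) {
    int faults = 0;
    for (Frame* f = start; f; f = f->nextSpecial) faults += walk(f, guard);
    start->removed = true;
    for (Frame* f = start->nextSpecial; fullChain && f; f = f->nextSpecial) f->removed = true;
    return faults;
}

// Two pending restyles: the first tears down from s1, the second from s2.
Outcome twoRestyles(bool guard, bool fullChain) {
    Frame tooltip, placeholder, s1, s2;
    placeholder.isPlaceholder = true; placeholder.outOfFlow = &tooltip;
    s2.kids.push_back(&placeholder); s1.nextSpecial = &s2;
    Outcome o;
    o.faults += removeFor(&s1, guard, fullChain); ++o.walks;
    if (!s2.removed) { o.faults += removeFor(&s2, guard, fullChain); ++o.walks; }
    return o;
}

int main() {  // modes: 0 as-is, 1 guarded walk, 2 full-chain removal
    for (int m = 0; m < 3; ++m)
        std::printf("mode %d: faults=%d\n", m, twoRestyles(m == 1, m == 2).faults);
}
```

In this model the guarded walk still traverses the leftover sibling a second time (`walks == 2`), while removing the whole chain leaves nothing for the second restyle to find (`walks == 1`).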
Comment 11 Stephen Donner [:stephend] 2006-02-09 08:21:07 PST
Using the testcase at https://bugzilla.mozilla.org/attachment.cgi?id=210137&action=view

this is Verified FIXED with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060209 Firefox/1.6a1
Comment 12 Boris Zbarsky [:bz] (still a bit busy) 2006-02-23 11:56:02 PST
Bug 322678 is on branches.
Comment 13 Dave Liebreich [:davel] 2006-03-02 10:58:56 PST
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates)
Comment 14 Marcia Knous [:marcia - use ni] 2006-03-06 10:51:02 PST
Verified on the 1.8.0.2 branch using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060306 Firefox/1.5.0.2. No crash using the testcase. Adding relevant keyword.
Comment 15 Tracy Walker [:tracy] 2006-08-22 10:34:39 PDT
verified with Fx 2.0b2 builds from 22060821
