Closed
Bug 378146
Opened 18 years ago
Closed 17 years ago
Crash [@ nsFrame::CorrectStyleParentFrame] with maction
Categories
(Core :: MathML, defect)
Tracking
()
VERIFIED
WORKSFORME
People
(Reporter: jruderman, Assigned: rbs)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical?])
Crash Data
Attachments
(1 file)
|
1023 bytes,
application/xhtml+xml
|
Details |
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0xddddddf5
Thread 0 Crashed:
0 libgklayout.dylib 0x1592517d nsStyleContext::GetRuleNode() + 9 (nsStyleContext.h:114)
1 libgklayout.dylib 0x159251f9 nsIFrame::PresContext() const + 25 (nsIFrame.h:408)
2 libgklayout.dylib 0x153064a3 nsFrame::CorrectStyleParentFrame(nsIFrame*, nsIAtom*) + 251 (nsFrame.cpp:5504)
3 libgklayout.dylib 0x15306664 GetCorrectedParent(nsPresContext*, nsIFrame*, nsIFrame**) + 152 (nsFrame.cpp:5474)
4 libgklayout.dylib 0x15306790 nsFrame::DoGetParentStyleContextFrame(nsPresContext*, nsIFrame**, int*) + 282 (nsFrame.cpp:5571)
5 libgklayout.dylib 0x15306860 nsFrame::GetParentStyleContextFrame(nsPresContext*, nsIFrame**, int*) + 38 (nsFrame.cpp:5402)
6 libgklayout.dylib 0x152af7ef VerifyContextParent(nsPresContext*, nsIFrame*, nsStyleContext*, nsStyleContext*) + 95 (nsFrameManager.cpp:804)
7 libgklayout.dylib 0x152af9f9 VerifyStyleTree(nsPresContext*, nsIFrame*, nsStyleContext*) + 57 (nsFrameManager.cpp:845)
8 libgklayout.dylib 0x152afb80 nsFrameManager::DebugVerifyStyleTree(nsIFrame*) + 62 (nsFrameManager.cpp:898)
9 libgklayout.dylib 0x15792c41 nsMathMLContainerFrame::PropagateScriptStyleFor(nsIFrame*, int) + 775 (nsMathMLContainerFrame.cpp:712)
...
This might be related to bug 368430.
|
||
Comment 1•18 years ago
|
||
The parent of aFrame in this case is dead:
(gdb) frame 3
#3 0xb6dea76b in GetCorrectedParent (aPresContext=0x8a4f030, aFrame=0x8ad4574,
aSpecialParent=0xbfffdac4) at ../../../mozilla/layout/generic/nsFrame.cpp:5477
5477 while (parent->GetStyleContext()->GetPseudoType() ==
(gdb) p aFrame
$9 = (nsMathMLmrowFrame *) 0x8ad4574
(gdb) p aFrame->GetParent()
[Thread -1277715536 (LWP 14411) exited]
$10 = (nsIFrame *) 0x8ad436c
(gdb) p *aFrame->GetParent()
$11 = {<nsISupports> = {_vptr.nsISupports = 0x0}, mRect = {x = -572662307,
y = -572662307, width = -572662307, height = -572662307}, mContent = 0xdddddddd,
mStyleContext = 0xdddddddd, mParent = 0xdddddddd, mNextSibling = 0xdddddddd,
mState = 3722304989}
The basic problem is bug 355548, imo.
Depends on: 355548
|
Reporter | |
Comment 2•18 years ago
|
||
A related testcase triggers the assertion from bug 334514.
Blocks: framedest
|
|
Reporter | |
Updated•18 years ago
|
Whiteboard: [sg:critical?]
ok
|
|
Reporter | |
Updated•18 years ago
|
Assignee: general → roc
|
||
Updated•18 years ago
|
Flags: blocking1.9+
|
||
Comment 5•18 years ago
|
||
Poke. Any word on this?
I think Vlad Sukhoy owns this now :-)
|
||
Comment 7•18 years ago
|
||
I do. This is one of the aspects of bug 355548 which is in desperate need of new comprehensive reliably crashing test case..
Assignee: roc → vladimir.sukhoy
|
|
||
Updated•18 years ago
|
Status: NEW → ASSIGNED
|
|
||
Comment 8•18 years ago
|
||
Crashes in release too, at NULL. Unfortunately, the testcase is <maction>-specific.
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000120
Thread 0 Crashed:
0 XUL 0x011c47d4 nsFrame::MarkIntrinsicWidthsDirty() + 62
1 XUL 0x011a22fc PresShell::FrameNeedsReflow(nsIFrame*, nsIPresShell::IntrinsicDirty, unsigned) + 116
2 XUL 0x014aada6 nsMathMLContainerFrame::ReLayoutChildren(nsIFrame*, unsigned) + 396
3 XUL 0x014aae2f nsMathMLContainerFrame::ChildListChanged(int) + 129
4 XUL 0x014a9b5d nsMathMLContainerFrame::AppendFrames(nsIAtom*, nsIFrame*) + 77
5 XUL 0x0116c7b0 nsCSSFrameConstructor::AppendFrames(nsFrameConstructorState const&, nsIContent*, nsIFrame*, nsIFrame*, nsIFrame*) + 120
6 XUL 0x0117f7cb nsCSSFrameConstructor::ContentAppended(nsIContent*, int) + 2833
7 XUL 0x011a20bc PresShell::ContentAppended(nsIDocument*, nsIContent*, int) + 48
8 XUL 0x013da6dd nsBindingManager::ContentAppended(nsIDocument*, nsIContent*, int) + 433
|
|
Reporter | |
Comment 9•17 years ago
|
||
Vlad, are you going to be able to fix this in time for 1.9? If not, we should find a new owner.
|
|
||
Comment 10•17 years ago
|
||
:(. Unlikely, as I cannot reproduce bug 355548 other than with mutation events and, frankly, it is hard to fix crashes in a module that is broken. I will continue to look at it, but I don't think I can own this as it is.
Assignee: vladimir.sukhoy → rbs
Status: ASSIGNED → NEW
|
|
||
Comment 11•17 years ago
|
||
See also bug 368430 comment 2, i.e. if I use NS_UNCONSTRAINEDSIZE for available width in nsMathMLmactionFrame::Reflow() this crash is gone. Perhaps, this may help.
|
||
Comment 12•17 years ago
|
||
No crash on Linux amd64.
|
|
Reporter | |
Comment 13•17 years ago
|
||
WFM (Mac trunk debug).
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
|
|
||
Updated•17 years ago
|
Flags: in-testsuite?
|
||
Comment 14•17 years ago
|
||
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b3pre) Gecko/2007123104 Minefield/3.0b3pre and the testcase from this bug - no crash on testcase
-> Verified
Status: RESOLVED → VERIFIED
|
||
Updated•14 years ago
|
Crash Signature: [@ nsFrame::CorrectStyleParentFrame]
|
||
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•