Closed
Bug 384937
Opened 17 years ago
Closed 17 years ago
crashes [@ nsFrameManager::Destroy] upon loading page with iframe
Categories
(Core :: Layout, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: adnanmukhtar, Assigned: MatsPalmgren_bugz)
References
()
Details
(Keywords: crash, verified1.8.1.12, Whiteboard: 1.8 branch only.)
Crash Data
Attachments
(3 files)
12.14 KB,
application/x-zip-compressed
|
Details | |
16.33 KB,
text/html
|
Details | |
1.52 KB,
patch
|
dbaron
:
review+
MatsPalmgren_bugz
:
superreview+
dveditz
:
approval1.8.1.12+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
firefox crashes when a page has an iframe. seems to happen when the page reloads and the iframe's onload event is executed.
i'm trying to develop a page that has multiple iframes ("blocks") that load in the "background" to speed up the perceived performance of the page. the iframe has zero size, but upon iframe.onload, i'm copying the iframe.innerHTML to parent.someelement.innerHTML. see attached javascript.
i've been restyling and redesigning the page, and then the crashes started to happen. i'm not sure /exactly/ what's wrong with the page. but it definitely seems to be related to when the iframes are loaded.
any help would be appreciated.
Reproducible: Sometimes
Steps to Reproduce:
1.
2.
3.
Comment 1•17 years ago
|
||
Did you also test this in Firefox's -safe-mode or with a new profile?
http://kb.mozillazine.org/Safe_Mode_(Firefox)
http://kb.mozillazine.org/Profile_Folder
See also http://kb.mozillazine.org/Firefox_crashes
Could you attach a testcase or page that shows the problem?
Reporter | ||
Comment 2•17 years ago
|
||
Reporter | ||
Comment 3•17 years ago
|
||
(In reply to comment #2)
> Created an attachment (id=268868) [details]
> web page that crashes
>
yes, i removed all add-ons and also tested in safe-mode. i also now have a completely new profile
Reporter | ||
Comment 4•17 years ago
|
||
i can now recreate the problem, everytime:
1) in the attachment 268868 [details], open the file called "index.html"
2) put the keyboard's blinking cursor on the location bar at the very end of the url. make sure nothing is selected.
3) hit enter and viola, my firefox crashes
Comment 5•17 years ago
|
||
I'm indeed crashing with a recent branch build with the steps to reproduce in comment 4.
Talkback ID: TB33251260X
nsFrameManager::Destroy [mozilla/layout/base/nsFrameManager.cpp, line 289]
DocumentViewerImpl::Destroy [mozilla/layout/base/nsDocumentViewer.cpp, line 1555]
nsDocShell::Destroy [mozilla/docshell/base/nsDocShell.cpp, line 3529]
nsFrameLoader::Destroy [mozilla/content/base/src/nsFrameLoader.cpp, line 251]
nsGenericHTMLFrameElement::UnbindFromTree [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 3677]
nsGenericElement::RemoveChildAt [mozilla/content/base/src/nsGenericElement.cpp, line 2913]
nsGenericElement::RemoveChild [mozilla/content/base/src/nsGenericElement.cpp, line 3658]
nsRange::DeleteContents [mozilla/content/base/src/nsRange.cpp, line 1539]
nsGenericHTMLElement::SetInnerHTML [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 949]
nsGenericHTMLElementTearoff::SetInnerHTML [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 218]
XPCWrappedNative::CallMethod [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2169]
XPC_WN_GetterSetter [mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1479]
js_Invoke [mozilla/js/src/jsinterp.c, line 1375]
js_InternalInvoke [mozilla/js/src/jsinterp.c, line 1469]
js_InternalGetOrSet [mozilla/js/src/jsinterp.c, line 1540]
js_SetProperty [mozilla/js/src/jsobj.c, line 3655]
js_Interpret [mozilla/js/src/jsinterp.c, line 3704]
js_Invoke [mozilla/js/src/jsinterp.c, line 1394]
js_InternalInvoke [mozilla/js/src/jsinterp.c, line 1469]
JS_CallFunctionValue [mozilla/js/src/jsapi.c, line 4351]
nsJSContext::CallEventHandler [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1493]
nsJSEventListener::HandleEvent [mozilla/dom/src/events/nsJSEventListener.cpp, line 195]
nsEventListenerManager::HandleEventSubType [mozilla/content/events/src/nsEventListenerManager.cpp, line 1655]
nsEventListenerManager::HandleEvent [mozilla/content/events/src/nsEventListenerManager.cpp, line 1762]
nsGenericElement::HandleDOMEvent [mozilla/content/base/src/nsGenericElement.cpp, line 2232]
nsGlobalWindow::HandleDOMEvent [mozilla/dom/src/base/nsGlobalWindow.cpp, line 1750]
DocumentViewerImpl::LoadComplete [mozilla/layout/base/nsDocumentViewer.cpp, line 1014]
nsDocShell::EndPageLoad [mozilla/docshell/base/nsDocShell.cpp, line 4795]
nsWebShell::EndPageLoad [mozilla/docshell/base/nsWebShell.cpp, line 665]
nsDocShell::OnStateChange [mozilla/docshell/base/nsDocShell.cpp, line 4710]
nsDocLoader::FireOnStateChange [mozilla/uriloader/base/nsDocLoader.cpp, line 1210]
nsDocLoader::doStopDocumentLoad [mozilla/uriloader/base/nsDocLoader.cpp, line 844]
nsDocLoader::OnStopRequest [mozilla/uriloader/base/nsDocLoader.cpp, line 665]
nsLoadGroup::RemoveRequest [mozilla/netwerk/base/src/nsLoadGroup.cpp, line 732]
PresShell::RemoveDummyLayoutRequest [mozilla/layout/base/nsPresShell.cpp, line 7190]
PresShell::Destroy [mozilla/layout/base/nsPresShell.cpp, line 2032]
DocumentViewerImpl::Hide [mozilla/layout/base/nsDocumentViewer.cpp, line 2033]
nsDocShell::SetVisibility [mozilla/docshell/base/nsDocShell.cpp, line 3782]
nsFrameList::DestroyFrames [mozilla/layout/generic/nsFrameList.cpp, line 138]
nsLineBox::DeleteLineList [mozilla/layout/generic/nsLineBox.cpp, line 325]
nsFrameList::DestroyFrames [mozilla/layout/generic/nsFrameList.cpp, line 138]
nsFrameList::DestroyFrame [mozilla/layout/generic/nsFrameList.cpp, line 234]
nsFrameManager::RemoveFrame [mozilla/layout/base/nsFrameManager.cpp, line 717]
nsCSSFrameConstructor::ContentRemoved [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10156]
nsCSSFrameConstructor::ReinsertContent [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9687]
nsCSSFrameConstructor::ContentAppended [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 8797]
PresShell::ContentAppended [mozilla/layout/base/nsPresShell.cpp, line 5525]
nsHTMLDocument::ContentAppended [mozilla/content/html/document/src/nsHTMLDocument.cpp, line 1190]
nsFragmentObserver::Notify [mozilla/content/base/src/nsGenericElement.cpp, line 3296]
nsGenericElement::InsertBefore [mozilla/content/base/src/nsGenericElement.cpp, line 3068]
nsGenericHTMLElementTearoff::SetInnerHTML [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 218]
XPCWrappedNative::CallMethod [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2169]
XPC_WN_GetterSetter [mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1479]
js_Invoke [mozilla/js/src/jsinterp.c, line 1375]
js_InternalInvoke [mozilla/js/src/jsinterp.c, line 1469]
js_InternalGetOrSet [mozilla/js/src/jsinterp.c, line 1540]
js_SetProperty [mozilla/js/src/jsobj.c, line 3655]
js_Interpret [mozilla/js/src/jsinterp.c, line 3704]
js_Invoke [mozilla/js/src/jsinterp.c, line 1394]
js_InternalInvoke [mozilla/js/src/jsinterp.c, line 1469]
JS_CallFunctionValue [mozilla/js/src/jsapi.c, line 4351]
nsJSContext::CallEventHandler [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1493]
nsJSEventListener::HandleEvent [mozilla/dom/src/events/nsJSEventListener.cpp, line 195]
nsEventListenerManager::HandleEventSubType [mozilla/content/events/src/nsEventListenerManager.cpp, line 1655]
I haven't been able to crash with a trunk build.
It might be interesting to know when this was fixed on trunk.
Severity: major → critical
Status: UNCONFIRMED → NEW
Component: General → Layout
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → layout
Summary: crashes upon loading page with iframe → crashes [@ nsFrameManager::Destroy] upon loading page with iframe
Version: unspecified → 1.8 Branch
Reporter | ||
Comment 6•17 years ago
|
||
what i'm really looking for, is what i can do to work around this problem.
a span element /must not/ contain a div element according the xhtml1-transitional dtd. however, there are such constructs in the attached code.
i've just discovered that when i change the span element to a div element, in order be to be standards compliant, the browser doesn't crash anymore.
Reporter | ||
Comment 7•17 years ago
|
||
even when i make the span a div, but style it as a span, the browser still crashes:
<div style="display: inline" id="frame-container">
<div>Loading block...</div>
<iframe .... </iframe>
</div>
i want to make the "frame-container" element an inline, because, after the iframe content loads, but it's empty, it doesn't take up vertical space. this is very important to me. is there any other way to achieve this, as a workaround to this problem?
Comment 8•17 years ago
|
||
This was fixed on trunk between 2005-08-22-10 and 2005-08-22-22:
http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2005-08-22+09%3A00&maxdate=2005-08-22+23%3A00
Assignee | ||
Comment 9•17 years ago
|
||
(In reply to comment #8)
I see RemoveDummyLayoutRequest on the stack so my guess would be bug 294114.
OS: Windows XP → All
Assignee | ||
Comment 10•17 years ago
|
||
reentrant PresShell::Destroy(). It appears to be a null-ptr crash on Linux...
Assignee | ||
Comment 11•17 years ago
|
||
I think this could work as a wallpaper if we can't find a better fix...
Assignee | ||
Updated•17 years ago
|
Assignee | ||
Updated•17 years ago
|
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Comment 12•17 years ago
|
||
Unless there's more to this doesn't look like a stop-ship bug, but I'll put it on the "wanted" list. Get some reviews on the patch and if people are OK with it we can approve it.
Assignee: nobody → mats.palmgren
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Whiteboard: 1.8 branch only.
Assignee | ||
Updated•17 years ago
|
Attachment #269062 -
Flags: review?(dbaron)
Comment 13•17 years ago
|
||
What about doing the dummy layout request removal off an event?
Probably in addition to this patch, which is a good idea to start with. But as things stand, the onload causes script to run during frame tree destruction, which is sorta bad.
Note that on trunk the unblock was in fact asynchronous (until that code got removed altogether).
Comment on attachment 269062 [details] [diff] [review]
wallpaper
r=dbaron, but maybe consider what bz suggests too?
Attachment #269062 -
Flags: review?(dbaron) → review+
Comment 15•17 years ago
|
||
Comment on attachment 269062 [details] [diff] [review]
wallpaper
Is this still appropriate for the 1.8.1 branch?
Attachment #269062 -
Flags: approval1.8.1.12?
Comment 16•17 years ago
|
||
Mats or dbaron, we'd like to get this on the branch. Does it still apply and is it still valid?
Updated•17 years ago
|
Whiteboard: 1.8 branch only. → 1.8 branch only. [need answer=dbaron or mats]
Assignee | ||
Comment 17•17 years ago
|
||
Yes, this patch still applies and fixes the crash.
I was hoping to implement Boris' suggestion in comment 13 as well,
but I'm not sure I'll manage to do that before Jan. 18.
Assignee | ||
Updated•17 years ago
|
Whiteboard: 1.8 branch only. [need answer=dbaron or mats] → 1.8 branch only.
Comment 18•17 years ago
|
||
Comment on attachment 269062 [details] [diff] [review]
wallpaper
approved for 1.8.1.12, a=dveditz for release-drivers
Attachment #269062 -
Flags: approval1.8.1.12? → approval1.8.1.12+
Assignee | ||
Comment 19•17 years ago
|
||
Comment on attachment 269062 [details] [diff] [review]
wallpaper
sr=me since I think it's implied from comment 13/14.
Attachment #269062 -
Flags: superreview+
Assignee | ||
Comment 20•17 years ago
|
||
I filed bug 412539 to handle "dummy layout request removal off an event".
mozilla/layout/base/nsDocumentViewer.cpp 1.442.4.22
-> FIXED
Comment 21•17 years ago
|
||
Verified for branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008011803 BonEcho/2.0.0.12pre. No crashing any longer. Verified crash in 2.0.0.11.
Keywords: fixed1.8.1.12 → verified1.8.1.12
Comment 22•17 years ago
|
||
Changing status since this is a branch only bug.
Status: RESOLVED → VERIFIED
Updated•13 years ago
|
Crash Signature: [@ nsFrameManager::Destroy]
You need to log in
before you can comment on or make changes to this bug.
Description
•