Bug 384937 - crashes [@ nsFrameManager::Destroy] upon loading page with iframe
Status: VERIFIED FIXED
Whiteboard: 1.8 branch only.
Keywords: crash, verified1.8.1.12
Product: Core
Classification: Components
Component: Layout
Version: 1.8 Branch
Platform: x86 All
Importance: -- critical
Target Milestone: ---
Assigned To: Mats Palmgren (:mats)
jar:https://bugzilla.mozilla.org/atta...
Duplicates: 396895 402495
Blocks: 396895 402495
Reported: 2007-06-18 14:24 PDT by Adnan Mukhtar
Modified: 2011-06-13 10:01 PDT
CC List: 12 users
dveditz: wanted1.8.1.x+
dveditz: wanted1.8.0.x+

Attachments
web page that crashes (12.14 KB, application/x-zip-compressed)
2007-06-18 16:29 PDT, Adnan Mukhtar
no flags
stack (16.33 KB, text/html)
2007-06-20 03:51 PDT, Mats Palmgren (:mats)
no flags
wallpaper (1.52 KB, patch)
2007-06-20 03:59 PDT, Mats Palmgren (:mats)
dbaron: review+
mats: superreview+
dveditz: approval1.8.1.12+

Description Adnan Mukhtar 2007-06-18 14:24:33 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

firefox crashes when a page has an iframe. seems to happen when the page reloads and the iframe's onload event is executed.

i'm trying to develop a page that has multiple iframes ("blocks") that load in the "background" to speed up the perceived performance of the page. the iframe has zero size, but upon iframe.onload, i'm copying the iframe.innerHTML to parent.someelement.innerHTML. see attached javascript.

i've been restyling and redesigning the page, and then the crashes started to happen. i'm not sure /exactly/ what's wrong with the page. but it definitely seems to be related to when the iframes are loaded.

any help would be appreciated.



Reproducible: Sometimes

Comment 1 Ria Klaassen (not reading all bugmail) 2007-06-18 14:58:37 PDT
Did you also test this in Firefox's -safe-mode or with a new profile?

http://kb.mozillazine.org/Safe_Mode_(Firefox)
http://kb.mozillazine.org/Profile_Folder
See also http://kb.mozillazine.org/Firefox_crashes

Could you attach a testcase or page that shows the problem?
Comment 2 Adnan Mukhtar 2007-06-18 16:29:32 PDT
Created attachment 268868 [details]
web page that crashes
Comment 3 Adnan Mukhtar 2007-06-18 16:30:30 PDT
(In reply to comment #2)
> Created an attachment (id=268868) [details]
> web page that crashes
> 

yes, i removed all add-ons and also tested in safe-mode. i also now have a completely new profile
Comment 4 Adnan Mukhtar 2007-06-18 16:36:37 PDT
i can now recreate the problem, every time:

1) in the attachment 268868, open the file called "index.html"
2) put the keyboard's blinking cursor on the location bar at the very end of the url. make sure nothing is selected.
3) hit enter and voilà, my firefox crashes
Comment 5 Martijn Wargers [:mwargers] (not working for Mozilla) 2007-06-18 17:30:17 PDT
I'm indeed crashing with a recent branch build with the steps to reproduce in comment 4.
Talkback ID: TB33251260X
nsFrameManager::Destroy  [mozilla/layout/base/nsFrameManager.cpp, line 289]
DocumentViewerImpl::Destroy  [mozilla/layout/base/nsDocumentViewer.cpp, line 1555]
nsDocShell::Destroy  [mozilla/docshell/base/nsDocShell.cpp, line 3529]
nsFrameLoader::Destroy  [mozilla/content/base/src/nsFrameLoader.cpp, line 251]
nsGenericHTMLFrameElement::UnbindFromTree  [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 3677]
nsGenericElement::RemoveChildAt  [mozilla/content/base/src/nsGenericElement.cpp, line 2913]
nsGenericElement::RemoveChild  [mozilla/content/base/src/nsGenericElement.cpp, line 3658]
nsRange::DeleteContents  [mozilla/content/base/src/nsRange.cpp, line 1539]
nsGenericHTMLElement::SetInnerHTML  [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 949]
nsGenericHTMLElementTearoff::SetInnerHTML  [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 218]
XPCWrappedNative::CallMethod  [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2169]
XPC_WN_GetterSetter  [mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1479]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1375]
js_InternalInvoke  [mozilla/js/src/jsinterp.c, line 1469]
js_InternalGetOrSet  [mozilla/js/src/jsinterp.c, line 1540]
js_SetProperty  [mozilla/js/src/jsobj.c, line 3655]
js_Interpret  [mozilla/js/src/jsinterp.c, line 3704]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1394]
js_InternalInvoke  [mozilla/js/src/jsinterp.c, line 1469]
JS_CallFunctionValue  [mozilla/js/src/jsapi.c, line 4351]
nsJSContext::CallEventHandler  [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1493]
nsJSEventListener::HandleEvent  [mozilla/dom/src/events/nsJSEventListener.cpp, line 195]
nsEventListenerManager::HandleEventSubType  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1655]
nsEventListenerManager::HandleEvent  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1762]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2232]
nsGlobalWindow::HandleDOMEvent  [mozilla/dom/src/base/nsGlobalWindow.cpp, line 1750]
DocumentViewerImpl::LoadComplete  [mozilla/layout/base/nsDocumentViewer.cpp, line 1014]
nsDocShell::EndPageLoad  [mozilla/docshell/base/nsDocShell.cpp, line 4795]
nsWebShell::EndPageLoad  [mozilla/docshell/base/nsWebShell.cpp, line 665]
nsDocShell::OnStateChange  [mozilla/docshell/base/nsDocShell.cpp, line 4710]
nsDocLoader::FireOnStateChange  [mozilla/uriloader/base/nsDocLoader.cpp, line 1210]
nsDocLoader::doStopDocumentLoad  [mozilla/uriloader/base/nsDocLoader.cpp, line 844]
nsDocLoader::OnStopRequest  [mozilla/uriloader/base/nsDocLoader.cpp, line 665]
nsLoadGroup::RemoveRequest  [mozilla/netwerk/base/src/nsLoadGroup.cpp, line 732]
PresShell::RemoveDummyLayoutRequest  [mozilla/layout/base/nsPresShell.cpp, line 7190]
PresShell::Destroy  [mozilla/layout/base/nsPresShell.cpp, line 2032]
DocumentViewerImpl::Hide  [mozilla/layout/base/nsDocumentViewer.cpp, line 2033]
nsDocShell::SetVisibility  [mozilla/docshell/base/nsDocShell.cpp, line 3782]
nsFrameList::DestroyFrames  [mozilla/layout/generic/nsFrameList.cpp, line 138]
nsLineBox::DeleteLineList  [mozilla/layout/generic/nsLineBox.cpp, line 325]
nsFrameList::DestroyFrames  [mozilla/layout/generic/nsFrameList.cpp, line 138]
nsFrameList::DestroyFrame  [mozilla/layout/generic/nsFrameList.cpp, line 234]
nsFrameManager::RemoveFrame  [mozilla/layout/base/nsFrameManager.cpp, line 717]
nsCSSFrameConstructor::ContentRemoved  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10156]
nsCSSFrameConstructor::ReinsertContent  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9687]
nsCSSFrameConstructor::ContentAppended  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 8797]
PresShell::ContentAppended  [mozilla/layout/base/nsPresShell.cpp, line 5525]
nsHTMLDocument::ContentAppended  [mozilla/content/html/document/src/nsHTMLDocument.cpp, line 1190]
nsFragmentObserver::Notify  [mozilla/content/base/src/nsGenericElement.cpp, line 3296]
nsGenericElement::InsertBefore  [mozilla/content/base/src/nsGenericElement.cpp, line 3068]
nsGenericHTMLElementTearoff::SetInnerHTML  [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 218]
XPCWrappedNative::CallMethod  [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2169]
XPC_WN_GetterSetter  [mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1479]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1375]
js_InternalInvoke  [mozilla/js/src/jsinterp.c, line 1469]
js_InternalGetOrSet  [mozilla/js/src/jsinterp.c, line 1540]
js_SetProperty  [mozilla/js/src/jsobj.c, line 3655]
js_Interpret  [mozilla/js/src/jsinterp.c, line 3704]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1394]
js_InternalInvoke  [mozilla/js/src/jsinterp.c, line 1469]
JS_CallFunctionValue  [mozilla/js/src/jsapi.c, line 4351]
nsJSContext::CallEventHandler  [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1493]
nsJSEventListener::HandleEvent  [mozilla/dom/src/events/nsJSEventListener.cpp, line 195]
nsEventListenerManager::HandleEventSubType  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1655]

I haven't been able to crash with a trunk build.
It might be interesting to know when this was fixed on trunk.
Comment 6 Adnan Mukhtar 2007-06-19 10:33:17 PDT
what i'm really looking for, is what i can do to work around this problem.

a span element /must not/ contain a div element according to the xhtml1-transitional dtd. however, there are such constructs in the attached code.

i've just discovered that when i change the span element to a div element, in order to be standards compliant, the browser doesn't crash anymore.
Comment 7 Adnan Mukhtar 2007-06-19 11:01:02 PDT
even when i make the span a div, but style it as a span, the browser still crashes:

<div style="display: inline" id="frame-container">
   <div>Loading block...</div>
   <iframe .... </iframe>
</div>

i want to make the "frame-container" element an inline, because, after the iframe content loads, but it's empty, it doesn't take up vertical space. this is very important to me. is there any other way to achieve this, as a workaround to this problem?
Comment 8 Ria Klaassen (not reading all bugmail) 2007-06-19 13:57:11 PDT
This was fixed on trunk between 2005-08-22-10 and 2005-08-22-22:
http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2005-08-22+09%3A00&maxdate=2005-08-22+23%3A00
Comment 9 Mats Palmgren (:mats) 2007-06-20 03:35:17 PDT
(In reply to comment #8)
I see RemoveDummyLayoutRequest on the stack so my guess would be bug 294114.
Comment 10 Mats Palmgren (:mats) 2007-06-20 03:51:59 PDT
Created attachment 269061 [details]
stack

reentrant PresShell::Destroy().  It appears to be a null-ptr crash on Linux...
Comment 11 Mats Palmgren (:mats) 2007-06-20 03:59:34 PDT
Created attachment 269062 [details] [diff] [review]
wallpaper

I think this could work as a wallpaper if we can't find a better fix...
Comment 12 Daniel Veditz [:dveditz] 2007-06-21 14:28:00 PDT
Unless there's more to this, it doesn't look like a stop-ship bug, but I'll put it on the "wanted" list. Get some reviews on the patch and if people are OK with it we can approve it.
Comment 13 Boris Zbarsky [:bz] (still a bit busy) 2007-07-09 02:19:26 PDT
What about doing the dummy layout request removal off an event?

Probably in addition to this patch, which is a good idea to start with.  But as things stand, the onload causes script to run during frame tree destruction, which is sorta bad.

Note that on trunk the unblock was in fact asynchronous (until that code got removed altogether).
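
A toy model of the hazard described in comments 10 and 13, added here as an example; it is not the attached wallpaper patch and not Gecko code, and every type and member name in it is hypothetical. It compares a teardown routine that synchronously runs a load-complete callback (which re-enters teardown) with a re-entrancy guard and with posting the callback to an event queue.

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical model types; none of these names come from Gecko.
struct FrameTree { bool alive = true; };

struct Shell {
  bool useGuard = false;         // re-entrancy guard on Destroy()
  bool deferCallback = false;    // post the load-complete callback instead of calling it
  bool destroying = false;
  int nullUses = 0;              // teardown reached with frames already freed (crash site)
  int midTeardownCallbacks = 0;  // callbacks run while Destroy() was on the stack
  std::unique_ptr<FrameTree> frames = std::make_unique<FrameTree>();
  std::function<void(Shell&)> onLoad;          // stands in for the page's onload script
  std::vector<std::function<void()>> pending;  // stands in for the event queue

  void Destroy() {
    if (useGuard && destroying) return;  // nested call becomes a no-op
    const bool outer = !destroying;
    destroying = true;
    if (outer && onLoad) {  // dropping the last request completes the load
      if (deferCallback) pending.push_back([this] { onLoad(*this); });
      else { ++midTeardownCallbacks; onLoad(*this); }
    }
    if (!frames) { ++nullUses; return; }  // unguarded outer call ends up here
    frames->alive = false;
    frames.reset();
  }

  void RunPending() {  // a later event-loop turn, Destroy() is off the stack
    auto work = std::move(pending);
    pending.clear();
    for (auto& f : work) f();
  }
};

// The callback re-enters Destroy(), as removing the iframe from onload does in this bug.
Shell RunScenario(bool guard, bool defer) {
  Shell s;
  s.useGuard = guard;
  s.deferCallback = defer;
  s.onLoad = [](Shell& sh) { sh.Destroy(); };
  s.Destroy();
  s.RunPending();
  return s;
}

int main() { return RunScenario(true, true).nullUses; }
```

In this model the guard alone keeps teardown from reaching freed state, but the callback still runs while Destroy() is on the stack; deferring the callback as well moves it to after teardown has finished.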
Comment 14 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2007-07-17 15:57:00 PDT
Comment on attachment 269062 [details] [diff] [review]
wallpaper

r=dbaron, but maybe consider what bz suggests too?
Comment 15 Daniel Veditz [:dveditz] 2008-01-07 15:46:02 PST
Comment on attachment 269062 [details] [diff] [review]
wallpaper

Is this still appropriate for the 1.8.1 branch?
Comment 16 Samuel Sidler (old account; do not CC) 2008-01-10 16:13:49 PST
Mats or dbaron, we'd like to get this on the branch. Does it still apply and is it still valid?
Comment 17 Mats Palmgren (:mats) 2008-01-15 02:51:03 PST
Yes, this patch still applies and fixes the crash.
I was hoping to implement Boris' suggestion in comment 13 as well,
but I'm not sure I'll manage to do that before Jan. 18.
Comment 18 Daniel Veditz [:dveditz] 2008-01-15 15:42:02 PST
Comment on attachment 269062 [details] [diff] [review]
wallpaper

approved for 1.8.1.12, a=dveditz for release-drivers
Comment 19 Mats Palmgren (:mats) 2008-01-15 17:43:54 PST
Comment on attachment 269062 [details] [diff] [review]
wallpaper

sr=me since I think it's implied from comment 13/14.
Comment 20 Mats Palmgren (:mats) 2008-01-15 17:48:32 PST
I filed bug 412539 to handle "dummy layout request removal off an event".

mozilla/layout/base/nsDocumentViewer.cpp 	1.442.4.22 

-> FIXED
Comment 21 Al Billings [:abillings] 2008-01-18 13:41:39 PST
Verified for branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008011803 BonEcho/2.0.0.12pre. No crashing any longer. Verified crash in 2.0.0.11.
Comment 22 Al Billings [:abillings] 2008-01-18 13:42:23 PST
Changing status since this is a branch only bug.
Comment 23 Jesse Ruderman on Windows 2009-09-14 19:12:49 PDT
*** Bug 396895 has been marked as a duplicate of this bug. ***
Comment 24 Jesse Ruderman on Windows 2009-09-14 20:20:55 PDT
*** Bug 402495 has been marked as a duplicate of this bug. ***
