crashes [@ nsFrameManager::Destroy] upon loading page with iframe

VERIFIED FIXED

Status

()

Core
Layout
--
critical
VERIFIED FIXED
10 years ago
6 years ago

People

(Reporter: Adnan Mukhtar, Assigned: mats)

Tracking

({crash, verified1.8.1.12})

1.8 Branch
x86
All
crash, verified1.8.1.12
Points:
---
Dependency tree / graph
Bug Flags:
wanted1.8.1.x +
wanted1.8.0.x +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: 1.8 branch only., crash signature, URL)

Attachments

(3 attachments)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

firefox crashes when a page has an iframe. seems to happen when the page reloads and the iframe's onload event is executed.

i'm trying to develop a page that has multiple iframes ("blocks") that load in the "background" to speed up the perceived performance of the page. the iframe has zero size, but upon iframe.onload, i'm copying the iframe.innerHTML to parent.someelement.innerHTML. see attached javascript.

i've been restyling and redesigning the page, and then the crashes started to happen. i'm not sure /exactly/ what's wrong with the page. but it definitely seems to be related to when the iframes are loaded.

any help would be appreciated.



Reproducible: Sometimes

Steps to Reproduce:
1.
2.
3.
Did you also test this in Firefox's -safe-mode or with a new profile?

http://kb.mozillazine.org/Safe_Mode_(Firefox)
http://kb.mozillazine.org/Profile_Folder
See also http://kb.mozillazine.org/Firefox_crashes

Could you attach a testcase or page that shows the problem?
(Reporter)

Comment 2

10 years ago
Created attachment 268868 [details]
web page that crashes
(Reporter)

Comment 3

10 years ago
(In reply to comment #2)
> Created an attachment (id=268868) [details]
> web page that crashes
> 

yes, i removed all add-ons and also tested in safe-mode. i also now have a completely new profile
(Reporter)

Comment 4

10 years ago
i can now recreate the problem, everytime:

1) in the attachment 268868 [details], open the file called "index.html"
2) put the keyboard's blinking cursor on the location bar at the very end of the url. make sure nothing is selected.
3) hit enter and viola, my firefox crashes
I'm indeed crashing with a recent branch build with the steps to reproduce in comment 4.
Talkback ID: TB33251260X
nsFrameManager::Destroy  [mozilla/layout/base/nsFrameManager.cpp, line 289]
DocumentViewerImpl::Destroy  [mozilla/layout/base/nsDocumentViewer.cpp, line 1555]
nsDocShell::Destroy  [mozilla/docshell/base/nsDocShell.cpp, line 3529]
nsFrameLoader::Destroy  [mozilla/content/base/src/nsFrameLoader.cpp, line 251]
nsGenericHTMLFrameElement::UnbindFromTree  [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 3677]
nsGenericElement::RemoveChildAt  [mozilla/content/base/src/nsGenericElement.cpp, line 2913]
nsGenericElement::RemoveChild  [mozilla/content/base/src/nsGenericElement.cpp, line 3658]
nsRange::DeleteContents  [mozilla/content/base/src/nsRange.cpp, line 1539]
nsGenericHTMLElement::SetInnerHTML  [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 949]
nsGenericHTMLElementTearoff::SetInnerHTML  [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 218]
XPCWrappedNative::CallMethod  [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2169]
XPC_WN_GetterSetter  [mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1479]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1375]
js_InternalInvoke  [mozilla/js/src/jsinterp.c, line 1469]
js_InternalGetOrSet  [mozilla/js/src/jsinterp.c, line 1540]
js_SetProperty  [mozilla/js/src/jsobj.c, line 3655]
js_Interpret  [mozilla/js/src/jsinterp.c, line 3704]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1394]
js_InternalInvoke  [mozilla/js/src/jsinterp.c, line 1469]
JS_CallFunctionValue  [mozilla/js/src/jsapi.c, line 4351]
nsJSContext::CallEventHandler  [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1493]
nsJSEventListener::HandleEvent  [mozilla/dom/src/events/nsJSEventListener.cpp, line 195]
nsEventListenerManager::HandleEventSubType  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1655]
nsEventListenerManager::HandleEvent  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1762]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2232]
nsGlobalWindow::HandleDOMEvent  [mozilla/dom/src/base/nsGlobalWindow.cpp, line 1750]
DocumentViewerImpl::LoadComplete  [mozilla/layout/base/nsDocumentViewer.cpp, line 1014]
nsDocShell::EndPageLoad  [mozilla/docshell/base/nsDocShell.cpp, line 4795]
nsWebShell::EndPageLoad  [mozilla/docshell/base/nsWebShell.cpp, line 665]
nsDocShell::OnStateChange  [mozilla/docshell/base/nsDocShell.cpp, line 4710]
nsDocLoader::FireOnStateChange  [mozilla/uriloader/base/nsDocLoader.cpp, line 1210]
nsDocLoader::doStopDocumentLoad  [mozilla/uriloader/base/nsDocLoader.cpp, line 844]
nsDocLoader::OnStopRequest  [mozilla/uriloader/base/nsDocLoader.cpp, line 665]
nsLoadGroup::RemoveRequest  [mozilla/netwerk/base/src/nsLoadGroup.cpp, line 732]
PresShell::RemoveDummyLayoutRequest  [mozilla/layout/base/nsPresShell.cpp, line 7190]
PresShell::Destroy  [mozilla/layout/base/nsPresShell.cpp, line 2032]
DocumentViewerImpl::Hide  [mozilla/layout/base/nsDocumentViewer.cpp, line 2033]
nsDocShell::SetVisibility  [mozilla/docshell/base/nsDocShell.cpp, line 3782]
nsFrameList::DestroyFrames  [mozilla/layout/generic/nsFrameList.cpp, line 138]
nsLineBox::DeleteLineList  [mozilla/layout/generic/nsLineBox.cpp, line 325]
nsFrameList::DestroyFrames  [mozilla/layout/generic/nsFrameList.cpp, line 138]
nsFrameList::DestroyFrame  [mozilla/layout/generic/nsFrameList.cpp, line 234]
nsFrameManager::RemoveFrame  [mozilla/layout/base/nsFrameManager.cpp, line 717]
nsCSSFrameConstructor::ContentRemoved  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10156]
nsCSSFrameConstructor::ReinsertContent  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9687]
nsCSSFrameConstructor::ContentAppended  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 8797]
PresShell::ContentAppended  [mozilla/layout/base/nsPresShell.cpp, line 5525]
nsHTMLDocument::ContentAppended  [mozilla/content/html/document/src/nsHTMLDocument.cpp, line 1190]
nsFragmentObserver::Notify  [mozilla/content/base/src/nsGenericElement.cpp, line 3296]
nsGenericElement::InsertBefore  [mozilla/content/base/src/nsGenericElement.cpp, line 3068]
nsGenericHTMLElementTearoff::SetInnerHTML  [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 218]
XPCWrappedNative::CallMethod  [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2169]
XPC_WN_GetterSetter  [mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1479]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1375]
js_InternalInvoke  [mozilla/js/src/jsinterp.c, line 1469]
js_InternalGetOrSet  [mozilla/js/src/jsinterp.c, line 1540]
js_SetProperty  [mozilla/js/src/jsobj.c, line 3655]
js_Interpret  [mozilla/js/src/jsinterp.c, line 3704]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1394]
js_InternalInvoke  [mozilla/js/src/jsinterp.c, line 1469]
JS_CallFunctionValue  [mozilla/js/src/jsapi.c, line 4351]
nsJSContext::CallEventHandler  [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1493]
nsJSEventListener::HandleEvent  [mozilla/dom/src/events/nsJSEventListener.cpp, line 195]
nsEventListenerManager::HandleEventSubType  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1655]

I haven't been able to crash with a trunk build.
It might be interesting to know when this was fixed on trunk.
Severity: major → critical
Status: UNCONFIRMED → NEW
Component: General → Layout
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → layout
Summary: crashes upon loading page with iframe → crashes [@ nsFrameManager::Destroy] upon loading page with iframe
Version: unspecified → 1.8 Branch
(Reporter)

Comment 6

10 years ago
what i'm really looking for, is what i can do to work around this problem.

a span element /must not/ contain a div element according the xhtml1-transitional dtd. however, there are such constructs in the attached code.

i've just discovered that when i change the span element to a div element, in order be to be standards compliant, the browser doesn't crash anymore.
(Reporter)

Comment 7

10 years ago
even when i make the span a div, but style it as a span, the browser still crashes:

<div style="display: inline" id="frame-container">
   <div>Loading block...</div>
   <iframe .... </iframe>
</div>

i want to make the "frame-container" element an inline, because, after the iframe content loads, but it's empty, it doesn't take up vertical space. this is very important to me. is there any other way to achieve this, as a workaround to this problem?
This was fixed on trunk between 2005-08-22-10 and 2005-08-22-22:
http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2005-08-22+09%3A00&maxdate=2005-08-22+23%3A00
(Assignee)

Comment 9

10 years ago
(In reply to comment #8)
I see RemoveDummyLayoutRequest on the stack so my guess would be bug 294114.
OS: Windows XP → All
(Assignee)

Comment 10

10 years ago
Created attachment 269061 [details]
stack

reentrant PresShell::Destroy().  It appears to be a null-ptr crash on Linux...
(Assignee)

Comment 11

10 years ago
Created attachment 269062 [details] [diff] [review]
wallpaper

I think this could work as a wallpaper if we can't find a better fix...
(Assignee)

Updated

10 years ago
(Assignee)

Updated

10 years ago
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Unless there's more to this doesn't look like a stop-ship bug, but I'll put it on the "wanted" list. Get some reviews on the patch and if people are OK with it we can approve it.
Assignee: nobody → mats.palmgren
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Whiteboard: 1.8 branch only.
(Assignee)

Updated

10 years ago
Attachment #269062 - Flags: review?(dbaron)
What about doing the dummy layout request removal off an event?

Probably in addition to this patch, which is a good idea to start with.  But as things stand, the onload causes script to run during frame tree destruction, which is sorta bad.

Note that on trunk the unblock was in fact asynchronous (until that code got removed altogether).
Comment on attachment 269062 [details] [diff] [review]
wallpaper

r=dbaron, but maybe consider what bz suggests too?
Attachment #269062 - Flags: review?(dbaron) → review+
Blocks: 402495
Blocks: 396895
Comment on attachment 269062 [details] [diff] [review]
wallpaper

Is this still appropriate for the 1.8.1 branch?
Attachment #269062 - Flags: approval1.8.1.12?
Mats or dbaron, we'd like to get this on the branch. Does it still apply and is it still valid?
Whiteboard: 1.8 branch only. → 1.8 branch only. [need answer=dbaron or mats]
(Assignee)

Comment 17

9 years ago
Yes, this patch still applies and fixes the crash.
I was hoping to implement Boris' suggestion in comment 13 as well,
but I'm not sure I'll manage to do that before Jan. 18.
(Assignee)

Updated

9 years ago
Whiteboard: 1.8 branch only. [need answer=dbaron or mats] → 1.8 branch only.
Comment on attachment 269062 [details] [diff] [review]
wallpaper

approved for 1.8.1.12, a=dveditz for release-drivers
Attachment #269062 - Flags: approval1.8.1.12? → approval1.8.1.12+
(Assignee)

Comment 19

9 years ago
Comment on attachment 269062 [details] [diff] [review]
wallpaper

sr=me since I think it's implied from comment 13/14.
Attachment #269062 - Flags: superreview+
(Assignee)

Comment 20

9 years ago
I filed bug 412539 to handle "dummy layout request removal off an event".

mozilla/layout/base/nsDocumentViewer.cpp 	1.442.4.22 

-> FIXED
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Keywords: crash, fixed1.8.1.12
Resolution: --- → FIXED
Verified for branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008011803 BonEcho/2.0.0.12pre. No crashing any longer. Verified crash in 2.0.0.11.
Keywords: fixed1.8.1.12 → verified1.8.1.12
Changing status since this is a branch only bug.
Status: RESOLVED → VERIFIED
Duplicate of this bug: 396895
Duplicate of this bug: 402495
Crash Signature: [@ nsFrameManager::Destroy]
You need to log in before you can comment on or make changes to this bug.