Closed Bug 399994 Opened 17 years ago Closed 15 years ago

Crash [@ nsPropertyTable::PropertyList::Equals] on closing print preview with page-break-after: always, position: fixed

Categories

(Core :: Layout, defect, P4)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.2a1
Tracking Flags:
Tracking Status
status1.9.1 --- .4-fixed

People

(Reporter: martijn.martijn, Assigned: dbaron)

References

Details

(4 keywords, Whiteboard: [dbaron-1.9:RwCo])

Crash Data

Attachments

(4 files, 1 obsolete file)

testcase
179 bytes, text/html
Details
more straightforward testcase
209 bytes, text/html
Details
valgrind's explanation for crash
15.98 KB, text/plain; charset=UTF-8
Details
patch
2.93 KB, patch
roc
: review+
dveditz
: approval1.9.1.4+
Details | Diff | Splinter Review
Attached file testcase
See testcase, which crashes when print previewing it, and then closing the print preview window. This seems to have regressed between 2007-10-01 and 2007-10-02, so I think a regression of bug 154892, somehow. http://crash-stats.mozilla.com/report/index/5bc73961-7be2-11dc-8288-001a4bd43e5c 0 nsPropertyTable::PropertyList::Equals(unsigned short, nsIAtom*) mozilla/content/base/src/nsPropertyTable.cpp:85 1 nsPropertyTable::GetPropertyListFor(unsigned short, nsIAtom*) mozilla/content/base/src/nsPropertyTable.cpp:295 2 nsPropertyTable::GetPropertyInternal(nsPropertyOwner, unsigned short, nsIAtom*, int, unsigned int*) mozilla/content/base/src/nsPropertyTable.cpp:190 3 nsPropertyTable::UnsetProperty(nsPropertyOwner, nsIAtom*, unsigned int*) mozilla/content/base/src/nsPropertyTable.h:212 4 nsContainerFrame::GetOverflowFrames(nsPresContext*, int) mozilla/layout/generic/nsContainerFrame.cpp:1077 5 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:264 6 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameList.cpp:67 7 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:259 8 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameList.cpp:67 9 nsFrameList::Destroy() mozilla/layout/generic/nsFrameList.cpp:57 10 DestroyPropertyEnumerator mozilla/content/base/src/nsPropertyTable.cpp:336 11 PL_DHashTableEnumerate pldhash.c:724 12 nsPropertyTable::PropertyList::Destroy() mozilla/content/base/src/nsPropertyTable.cpp:346 13 nsPropertyTable::DeleteAllProperties() mozilla/content/base/src/nsPropertyTable.cpp:106 14 PresShell::Destroy() mozilla/layout/base/nsPresShell.cpp:1675 15 nsPrintObject::DestroyPresentation() mozilla/layout/printing/nsPrintObject.cpp:96 16 nsPrintObject::~nsPrintObject() mozilla/layout/printing/nsPrintObject.cpp:61 17 nsPrintData::~nsPrintData() mozilla/layout/printing/nsPrintData.cpp:124 18 nsPrintEngine::Destroy() mozilla/layout/printing/nsPrintEngine.cpp:259 19 DocumentViewerImpl::ReturnToGalleyPresentation() mozilla/layout/base/nsDocumentViewer.cpp:3930 20 DocumentViewerImpl::ExitPrintPreview() mozilla/layout/base/nsDocumentViewer.cpp:3701 21 NS_InvokeByIndex_P mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101 22 XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2326 23 XPC_WN_CallMethod(JSContext*, JSObject*, unsigned int, long*, long*) mozilla/js/src/xpconnect/src/xpcwrappednativejsop
Flags: blocking1.9?
Also crashes on Windows Vista. Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a9pre) Gecko/2007101605 Minefield/3.0a9pre ID:2007101605
Assignee: nobody → fantasai.bugs
Flags: blocking1.9? → blocking1.9+
Whiteboard: [dbaron-1.9:RwCo]
This one also isn't crashing for me anymore. See bug 400190 comment 2
I still crash when I do "Print Preview" on Mac.
Forgot to run print preview on that. Here's a simpler test case. This bug triggers several assertions before it crashes, ###!!! ASSERTION: must have doc root as pageContentFrame's only child: 'overflow && !overflow->GetNextSibling()', file /home/fantasai/moz/mozilla/layout/generic/nsPageContentFrame.cpp, line 77 ###!!! ASSERTION: null child frame pointer: 'aChildFrame', file /home/fantasai/moz/mozilla/layout/generic/nsHTMLContainerFrame.cpp, line 421 ###!!! ASSERTION: null ptr: 'nsnull != aFrameList', file /home/fantasai/moz/mozilla/layout/generic/nsFrameList.cpp, line 203 The first one shows a pretty major problem: the 'overflow' frame is null, and it's not expected to be null. I think what's happening is that the page-break-after code is requesting a new nsPageContentFrame, but that frame is empty because the root frame and all its content fit entirely on the first page. Normally a fixed-positioned box won't split: it's told it has infinite availableHeight to lay itself out and it gets cropped if it doesn't fit. But our page-break code is wacky, and doesn't work through the same pathway.
Moving to wanted list...
Flags: wanted1.9+
Flags: blocking1.9-
Flags: blocking1.9+
Flags: wanted1.9.0.x+
Flags: wanted1.9-
Flags: wanted1.9+
Still crashing, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008041807 Minefield/3.0pre
Attached file testcase2 (obsolete) —
This is a testcase that crashes on reload. It uses -moz-column-count. It seems to be about the same issue, because it has the same stacktrace.
Flags: blocking1.9.1?
Flags: blocking1.9.1? → wanted1.9.1+
Flags: blocking1.9.2?
Comment on attachment 318009 [details] testcase2 This one doesn't crash anymore in current trunk build.
Attachment #318009 - Attachment is obsolete: true
This is using DEBUG_TRACEMALLOC_FRAMEARENA, attachment 290918 [details]. I wonder about the ordering of the calls within PresShell::Destroy.
Flags: wanted1.9.2?
Flags: wanted1.9.2?
Flags: wanted1.9.2?
Flags: blocking1.9.1.1?
Summary: Crash [@ nsPropertyTable::PropertyList::Equals] on closing print preview with page-break-after: always, position: fixed and input → Crash [@ nsPropertyTable::PropertyList::Equals] on closing print preview with page-break-after: always, position: fixed
I'm not sure why we'd block on this now? Martijn?
I guess not, but it would be nice to get it fixed within the next 2 years or so.
Not blocking then, but wanted.
Flags: blocking1.9.1.1? → wanted1.9.1.x+
So I think we should destroy the property table before we destroy the style set. (I would have thought destroying the frame tree would have destroyed all the properties of those frames -- but perhaps we suppress that?)
Yes, we don't destroy frame properties while we're tearing down the entire frame tree.
Attached patch patchSplinter Review
So the obvious patch here works. I used attachment 290918 [details] for a crashtest; it crashes in the reftest harness without the patch, and doesn't crash with the patch.
Assignee: fantasai.bugs → dbaron
Status: NEW → ASSIGNED
Attachment #390138 - Flags: review?(roc)
http://hg.mozilla.org/mozilla-central/rev/16120b84f2a3
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
OS: Windows XP → All
Hardware: x86 → All
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2a1
Comment on attachment 390138 [details] [diff] [review] patch We probably want to think about landing this on 1.9.1 after it's baked a bit on mozilla-central.
Attachment #390138 - Flags: approval1.9.1.3?
Flags: wanted1.9.2?
Flags: wanted1.9.2+
Flags: blocking1.9.2?
Comment on attachment 390138 [details] [diff] [review] patch Approved for 1.9.1.4, a=dveditz for release-drivers
Attachment #390138 - Flags: approval1.9.1.3? → approval1.9.1.4+
Verified fixed for 1.9.1.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.4pre) Gecko/20090914 Shiretoko/3.5.4pre after crashing with 1.9.1.3.
Keywords: verified1.9.1
Crash Signature: [@ nsPropertyTable::PropertyList::Equals]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: