Closed
Bug 405732
Opened 17 years ago
Closed 17 years ago
Crash [@ nsHTMLContainerFrame::CreateViewForFrame(nsIFrame*, nsIFrame*, int) ]
Categories
(Core :: Layout, defect, P2)
Tracking
()
VERIFIED
FIXED
People
(Reporter: polidobj, Assigned: roc)
References
()
Details
(Keywords: crash)
Crash Data
Attachments
(2 files)
|
24.67 KB,
text/plain
|
Details | |
|
8.53 KB,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
I see plenty of Breakpad reports with this URL. And visiting it crashes for me. I see bug 354908 and bug 346014 but those look like they don't occur on trunk and are blocking1.9-. bp-5667a3ae-9c8b-11dc-acbf-001a4bd43e5c
Flags: blocking1.9?
This looks like a layout bug. We're crashing while doing the initial reflow if the document.
Component: XSLT → Layout
QA Contact: xslt → layout
|
Assignee | |
Updated•17 years ago
|
Assignee: nobody → roc
|
|
Assignee | |
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
|
|
Assignee | |
Comment 2•17 years ago
|
||
We're crashing because there is no root view. That suggests some kind of error in presentation setup. Still looking.
|
|
Assignee | |
Comment 3•17 years ago
|
||
I get loads of "not thread-safe" errors but they're probably related to Java and perhaps not this bug.
|
|
Assignee | |
Comment 4•17 years ago
|
||
The problem is timing-related because if I set a breakpoint in nsViewManager::SetRootView that just dumps some stack and continues, we don't crash.
|
|
Assignee | |
Comment 5•17 years ago
|
||
The problem is that we're calling DocumentViewer::SetDOMDocument after we've already constructed frames. I don't know if that represents a deeper bug, but anyway SetDOMDocument is trying to recover by destroying the current mPresShell. The recovery doesn't work because destroying the presshell tears down the frame tree, and destroying the root frame destroys the root view, so we end up with a prescontext, a viewmanager, but no root view. So when we build a new preshell and construct frames again, the new viewport frame (which would normally be assigned the root view) doesn't get a view, and badness ensues. The solution in this patch is just to run MakeWindow during recovery. That creates a new viewmanager, root view and root widget, replacing the existing ones. As far as I can tell that is quite safe at this point --- the presshell has been destroyed so there shouldn't be a reference to the old viewmanager hanging around. I refactored MakeWindow a little bit to make it easier to call from SetDOMDocument.
Attachment #290853 -
Flags: superreview?(bzbarsky)
Attachment #290853 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Updated•17 years ago
|
Whiteboard: [needs review]
|
|
Assignee | |
Comment 6•17 years ago
|
||
Note that there is no need to do mWindow->Destroy() here ... it has already been destroyed when the root view was destroyed when the root frame was destroyed.
whow!! It's a know problem that calling SetDOMDocument after initial reflow causes crashes. I didn't realize that's what was going on here. Are you really fixing that? That would rock bigtime! (It would allow for all sorts of coolness, such as having DOM APIs to set the document for a given window) We've been trying real hard to avoid that from ever happening by trying to prevent initial reflow from ever happening for XSLT documents. I would be very interested to know why it's happening in this case. Brian, any chance you could try to reduce bseindia.com into a smaller testcase that also crashes for you?
|
|
Assignee | |
Comment 8•17 years ago
|
||
I don't claim to be fixing the general problem, but I'm doing enough to fix the crash on this page. The page seems to work fine after loading.
|
|
Assignee | |
Comment 9•17 years ago
|
||
(but I actually don't know which part is XSLT-generated)
|
||
Comment 10•17 years ago
|
||
Comment on attachment 290853 [details] [diff] [review] fix >+ // Reset the bounds offset so the root view is set to 0,0. The >+ // offset is specified in nsIViewManager::Init above. That second sentence doesn't make that much sense... r+sr=bzbarsky with it beaten into shape. Thanks for making this code more robust! I do think it's worth understanding why we're starting layout before the transform runs here, in a followup bug.
Attachment #290853 -
Flags: superreview?(bzbarsky)
Attachment #290853 -
Flags: superreview+
Attachment #290853 -
Flags: review?(bzbarsky)
Attachment #290853 -
Flags: review+
|
|
Assignee | |
Comment 11•17 years ago
|
||
Checked in. Filed bug 406301 on the XSLT issue.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Whiteboard: [needs review]
|
||
Comment 12•16 years ago
|
||
verified fixed using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9pre) Gecko/2008050706 Minefield/3.0pre. No crash on Mac nightly either using the URL.
Status: RESOLVED → VERIFIED
|
||
Updated•13 years ago
|
Crash Signature: [@ nsHTMLContainerFrame::CreateViewForFrame(nsIFrame*, nsIFrame*, int) ]
You need to log in
before you can comment on or make changes to this bug.
Description
•