Closed Bug 42372 Opened 24 years ago Closed 24 years ago

crash during frame destruction code while leaving page

Categories

(Core :: Layout, defect, P1)

x86
Windows NT
defect

Tracking

()

VERIFIED FIXED

People

(Reporter: joki, Assigned: buster)

References

()

Details

(Keywords: crash, helpwanted, Whiteboard: [nsbeta3+])

Attachments

(5 files)

This is a test case from bug #22636, an event handling bug of mine.  We had a 
lot of problems getting the parsing and event handling of this test case 
correct.  Now that all of them seem to work I'm getting a crash here.  However, 
at the time the parsing and event handling changes were made a month and a half 
back the test case still worked so I don't think the changes made to fix the bug 
are at issue.

Anyway, while attempting to verify I started running into a reproducible crash 
while clicking on the link in the test case running WinNT.  I'll attach a stack 
trace as well.
Attached file Stack trace
Adding crash keyword
Keywords: crash
frame parentage issues can be tricky.  this is a pretty obscure case, an 
absolutely positioned element inside of a relatively positioned element.  could 
be a simple error, so it's worth a quick look.  but if it's not quick, I'd 
suggest *not* holding beta2 for this one, and fixing this for beta3 (when I get 
back.)

cc-ing waterson and karnaze in case either wants to look into it. 

marking "helpwanted" because it would be great if someone could build a little 
test suite of various combinations of positioned elements inside each other, to 
make sure we catch all the cases.
Keywords: nsbeta3
Priority: P3 → P1
Crasher. PDT team please approve.
*** Bug 45738 has been marked as a duplicate of this bug. ***
Taking a stab at prioritizing buster's nsbeta3 bugs...
Whiteboard: [nsbeta3+]
*** Bug 47200 has been marked as a duplicate of this bug. ***
This crash occurs on www.crn.com, and the page layout is really awful too 
(tabbed DIV contents are not contained correctly, general mucking up of abs and 
rel positioning) - see bug 47200.
*** Bug 45842 has been marked as a duplicate of this bug. ***
staring at the code....
Severity: normal → critical
Status: NEW → ASSIGNED
Target Milestone: --- → M18
Interesting....this only happens if the outer tag is an inline.  Some 
block-in-inline badness, no doubt.  Still researching....
I think I have this fixed.  Patch coming soon.
There were 2 basic problems.  First, the frame and view trees were not being
updated together when a frame was reparented.  Second, a subtle bug in the use
of a stack-based variable was causing the frame parentage to be wrong in some
cases, when the variable's destructor was prematurely fired. 
Whiteboard: [nsbeta3+] → [nsbeta3+] [fix in hand]
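One common way a stack-based saver's destructor can fire too early and leave a child frame with the wrong parent, shown as an added illustration that is not taken from this bug's patch or from Mozilla's source. All types and function names are hypothetical, and the scoping mistake is an assumption about the general bug class, not a reconstruction of the actual change.

```cpp
#include <cassert>

// Hypothetical stand-ins for frame-construction state (not Mozilla's types).
struct Frame { Frame* parent = nullptr; };
struct ConstructorState { Frame* absContainer = nullptr; };

// Stack-based saver: push() installs a new containing block for absolutely
// positioned children; the destructor restores the previous one.
class SaveContainer {
public:
    SaveContainer() = default;
    ~SaveContainer() { if (state_) state_->absContainer = saved_; }
    void push(ConstructorState& s, Frame* f) {
        state_ = &s;
        saved_ = s.absContainer;
        s.absContainer = f;
    }
private:
    ConstructorState* state_ = nullptr;
    Frame* saved_ = nullptr;
};

// Buggy shape: the saver is scoped to the if-block, so its destructor fires
// at the closing brace and the child is parented to the old container.
Frame* constructInlineBuggy(ConstructorState& s, Frame& inl, Frame& child, bool positioned) {
    if (positioned) {
        SaveContainer saver;
        saver.push(s, &inl);
    }  // destructor runs here, before the child is built
    child.parent = s.absContainer;
    return child.parent;
}

// Corrected shape: the saver lives for the whole function, push() is conditional.
Frame* constructInlineFixed(ConstructorState& s, Frame& inl, Frame& child, bool positioned) {
    SaveContainer saver;
    if (positioned) saver.push(s, &inl);
    child.parent = s.absContainer;
    return child.parent;
}

int main() {
    Frame root, inl, child;
    ConstructorState s;
    s.absContainer = &root;
    assert(constructInlineBuggy(s, inl, child, true) == &root);  // wrong parent
    assert(constructInlineFixed(s, inl, child, true) == &inl);   // intended parent
    assert(s.absContainer == &root);                             // state restored on exit
    return 0;
}
```

A frame recorded under the wrong parent is the kind of inconsistency that only surfaces later, when the tree is torn down and each parent destroys the children it believes it owns.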
Attached patch proposed patch
Which code is relevant to this bug in the patch you've attached? (This patch
also appears to include some image debugging printf's and the text edit initial
reflow stuff...)
From Steve's email it looks like nsCSSFrameConstructor.cpp and 
nsHTMLReflowState.cpp are the changes for this bug. If those are the important 
changes, then they look reasonable to my (bloodshot) eyes, but I have not run 
'em.
damn, sorry, I attached the wrong patch file.  I had hand-edited a concise patch 
file, but that one didn't make it.  When I get to the office, I'll do it right.
*** Bug 46356 has been marked as a duplicate of this bug. ***
turns out the part of the fix for the view tree was a red herring.  with the 
other part of the fix (in nsCSSFrameConstructor::ConstructInline()), the view 
tree stays in synch without the additional code.  However, I think that code 
could be useful, if only I could find a test case that triggers the problem!  
So, I'm commenting it out but leaving it in the file with a comment about what 
to look for and how it could be useful.
r=waterson
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Whiteboard: [nsbeta3+] [fix in hand] → [nsbeta3+]
Steve,

What's the best way I can verify this problem has been fixed?
to verify:
1. load the test case
2. load any other page, or just hit reload
3. if you crash, it ain't fixed
No longer crashing. Tested with the Aug 24th build.

Status: RESOLVED → VERIFIED
*** Bug 50831 has been marked as a duplicate of this bug. ***