Closed Bug 455407 Opened 16 years ago Closed 16 years ago

Crash [@ nsSubDocumentFrame::Reflow] with generated content and resizing iframe

Categories

(Core :: Layout, defect, P3)

x86
Windows XP
defect

RESOLVED WORKSFORME

People

(Reporter: martijn.martijn, Unassigned)

Attached file testcase
See testcase, which crashes current trunk build within 1s or so.

This regressed between 2008-09-07 and 2008-09-08:
http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2008-09-07+04%3A00%3A00&enddate=2008-09-08+11%3A00%3A00
My bet is on bug 243519.

The iframe content consists of this:
<html><head></head><body>
<style id="e">body::before { content:"b"; }</style>
<script>window.frameElement.style.width=Math.floor(Math.random()*100)+'%';
</script>
<iframe src="http://mozilla.org"></iframe>
</body></html>

Debug output prior to the crash:
###!!! ASSERTION: Someone forgot to block scripts: 'aIsSafeToFlush == nsContentUtils::IsSafeToRunScript()', file c:/mozilla-build-1.3/mozilla-central/layout/base/nsPresShell.cpp, line 4521
###!!! ASSERTION: Someone forgot to block scripts: 'aIsSafeToFlush == nsContentUtils::IsSafeToRunScript()', file c:/mozilla-build-1.3/mozilla-central/layout/base/nsPresShell.cpp, line 4521
###!!! ASSERTION: Someone forgot to block scripts: 'aIsSafeToFlush == nsContentUtils::IsSafeToRunScript()', file c:/mozilla-build-1.3/mozilla-central/layout/base/nsPresShell.cpp, line 4521
###!!! ASSERTION: Someone forgot to block scripts: 'aIsSafeToFlush == nsContentUtils::IsSafeToRunScript()', file c:/mozilla-build-1.3/mozilla-central/layout/base/nsPresShell.cpp, line 4521
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file c:\mozilla-build-1.3\mozilla-central\layout\base\nsPresContext.h, line 988
###!!! ASSERTION: What's going on?: 'mInnerView', file c:/mozilla-build-1.3/mozilla-central/layout/generic/nsFrameFrame.cpp, line 916
###!!! ASSERTION: reflowing in the middle of frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file c:\mozilla-build-1.3\mozilla-central\layout\base\nsPresContext.h, line 977

Crash itself:
>	gklayout.dll!nsIView::GetViewManager()  Line 144 + 0xa bytes	C++
 	gklayout.dll!nsSubDocumentFrame::Reflow(nsPresContext * aPresContext=0x08684090, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0)  Line 558 + 0xb bytes	C++
 	gklayout.dll!nsLineLayout::ReflowFrame(nsIFrame * aFrame=0x0be14ca4, unsigned int & aReflowStatus=0, nsHTMLReflowMetrics * aMetrics=0x00000000, int & aPushedFrame=0)  Line 853 + 0x2d bytes	C++
 	gklayout.dll!nsBlockFrame::ReflowInlineFrame(nsBlockReflowState & aState={...}, nsLineLayout & aLineLayout={...}, nsLineList_iterator aLine={...}, nsIFrame * aFrame=0x0be14ca4, LineReflowStatus * aLineReflowStatus=0x0012c4e0)  Line 3569 + 0x16 bytes	C++
 	gklayout.dll!nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState & aState={...}, nsLineLayout & aLineLayout={...}, nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x0012c8ac, LineReflowStatus * aLineReflowStatus=0x0012c61c, int aAllowPullUp=1)  Line 3392 + 0x20 bytes	C++
 	gklayout.dll!nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & aState={...}, nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x0012c8ac)  Line 3241 + 0x2a bytes	C++
 	gklayout.dll!nsBlockFrame::ReflowLine(nsBlockReflowState & aState={...}, nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x0012c8ac)  Line 2307 + 0x1b bytes	C++
 	gklayout.dll!nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & aState={...})  Line 1888 + 0x1b bytes	C++
 	gklayout.dll!nsBlockFrame::Reflow(nsPresContext * aPresContext=0x08684090, nsHTMLReflowMetrics & aMetrics={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0)  Line 946 + 0xf bytes	C++
etc..
Flags: blocking1.9.1?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P3
I can't reproduce on Linux using an up-to-date mozilla-central debug build.  

Martijn, can you still reproduce this?  (if so, I guess it's Windows-only)
Yeah, seems to be worksforme.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Flags: in-testsuite?
Is it also worksforme on the 1.9.1 builds?
er, that comment was from before we branched.  I guess I'll just add the fixed1.9.1 keyword since we don't have a worksforme1.9.1.
Whiteboard: fixed1.9.1
Crash Signature: [@ nsSubDocumentFrame::Reflow]
crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/74fb3240e2e0
Flags: in-testsuite? → in-testsuite+