Closed Bug 489008 Opened 15 years ago Closed 15 years ago

Crash [@ nsINode::HasSlots] loading the given page and clicking the Upload Resume button

Categories: Core :: Layout, defect, P2
Status: RESOLVED FIXED
People: Reporter: geeknik, Assigned: roc
Details: Keywords: crash, fixed1.9.1; Whiteboard: [sg:critical?]
Attachments: 6 files

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090418 Shiretoko/3.5b4pre Firefox/3.0.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090418 Shiretoko/3.5b4pre

Nightly Firefox 3.5b4pre build 20090418045023 crashes when you click the Upload Resume button @ the URL provided. 

http://crash-stats.mozilla.com/report/index/03e15174-2ee1-46dc-84eb-9bc122090418
http://crash-stats.mozilla.com/report/index/7b627f0a-4b89-4204-a2b7-348f12090418

Reproducible: Always

Steps to Reproduce:
1. Open Firefox.
2. Visit URL provided.
3. Click Upload Resume.
Actual Results:  
Firefox crashes.

Expected Results:  
Firefox should not crash.
Keywords: crash
Version: unspecified → 1.9.1 Branch
If I set jit.content = false, the crash does not happen.
Works on trunk, should be fixed today
FYI, this crash is still present in hourly 3.5b4pre build 20090418203959, but instead of the above error message, it is now [@ js3250.dll@0xab0c9 ] as per http://crash-stats.mozilla.com/report/index/8eb7a932-09a3-494f-bebc-c2ddb2090418. The crash can still be avoided if you set jit.content = false.
Nightly 3.5b4pre build 200904200044915 is still crashing here. It didn't trigger the crash reporter though, but XP's Event Viewer shows this:

Faulting application firefox.exe, version 1.9.1.3397, faulting module js3250.dll, version 4.0.0.0, fault address 0x000aaa99.
Flags: blocking1.9.1?
Stack dump:

###!!! ASSERTION: GetPrimaryFrameFor() called while frames are being destroyed!: '!mIsDestroyingFrames', file ../../../layout/base/nsFrameManager.cpp, line 334
[the same assertion fires 18 times in total; the repeats are omitted here]

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xdddddded
nsINode::HasSlots () at nsINode.h:855
855	  {
(gdb) bt
#0  nsINode::HasSlots () at nsINode.h:855
#1  nsINode::GetFlags () at nsINode.h:861
#2  nsINode::HasFlag () at nsINode.h:721
#3  IsBindingAncestor [inlined] () at nsINode.h:153
#4  IsBindingAncestor [inlined] () at nsINode.h:153
#5  nsCSSFrameConstructor::FindFrameWithContent (this=0x18a14f30, aFrameManager=0x181ac41c, aParentFrame=0xfb4620, aParentContent=0x18d57130, aContent=0x18d57700, aHint=0x0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#6  0x127bfdf7 in nsCSSFrameConstructor::FindPrimaryFrameFor (this=0x18a14f30, aFrameManager=0x181ac41c, aContent=0x18d57700, aFrame=0xbfffa158, aHint=0x0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#7  0x1280e8e9 in nsFrameManager::GetPrimaryFrameFor (this=0x181ac41c, aContent=0x18d57700, aIndexHint=-1) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#8  0x127bfd99 in nsCSSFrameConstructor::FindPrimaryFrameFor (this=0x18a14f30, aFrameManager=0x181ac41c, aContent=0x18d57840, aFrame=0x18d576a0, aHint=0x0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#9  0x1280e8e9 in nsFrameManager::GetPrimaryFrameFor (this=0x181ac41c, aContent=0x18d57840, aIndexHint=-1) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#10 0x127bfd99 in nsCSSFrameConstructor::FindPrimaryFrameFor (this=0x18a14f30, aFrameManager=0x181ac41c, aContent=0x18d57c80, aFrame=0x18d577f0, aHint=0x0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#11 0x1280e8e9 in nsFrameManager::GetPrimaryFrameFor (this=0x181ac41c, aContent=0x18d57c80, aIndexHint=-1) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#12 0x127bfd99 in nsCSSFrameConstructor::FindPrimaryFrameFor (this=0x18a14f30, aFrameManager=0x181ac41c, aContent=0x18b74910, aFrame=0x18d57a10, aHint=0x0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#13 0x1280e8e9 in nsFrameManager::GetPrimaryFrameFor (this=0x181ac41c, aContent=0x18b74910, aIndexHint=-1) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#14 0x127bfd99 in nsCSSFrameConstructor::FindPrimaryFrameFor (this=0x18a14f30, aFrameManager=0x181ac41c, aContent=0x18b749b0, aFrame=0x18b74830, aHint=0x0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#15 0x1280e8e9 in nsFrameManager::GetPrimaryFrameFor (this=0x181ac41c, aContent=0x18b749b0, aIndexHint=-1) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#16 0x127bfd99 in nsCSSFrameConstructor::FindPrimaryFrameFor (this=0x18a14f30, aFrameManager=0x181ac41c, aContent=0x18d57d70, aFrame=0x18b74980, aHint=0x0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#17 0x1280e8e9 in nsFrameManager::GetPrimaryFrameFor (this=0x181ac41c, aContent=0x18d57d70, aIndexHint=-1) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#18 0x127bfd99 in nsCSSFrameConstructor::FindPrimaryFrameFor (this=0x18a14f30, aFrameManager=0x181ac41c, aContent=0x18d57df0, aFrame=0x4532e0, aHint=0x0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#19 0x1280e8e9 in nsFrameManager::GetPrimaryFrameFor (this=0x181ac41c, aContent=0x18d57df0, aIndexHint=-1) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#20 0x127bfd99 in nsCSSFrameConstructor::FindPrimaryFrameFor (this=0x18a14f30, aFrameManager=0x181ac41c, aContent=0x18d57ee0, aFrame=0x18d57da0, aHint=0x0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#21 0x1280e8e9 in nsFrameManager::GetPrimaryFrameFor (this=0x181ac41c, aContent=0x18d57ee0, aIndexHint=-1) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#22 0x127bfd99 in nsCSSFrameConstructor::FindPrimaryFrameFor (this=0x18a14f30, aFrameManager=0x181ac41c, aContent=0x18d57fa0, aFrame=0x18d57eb0, aHint=0x0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#23 0x1280e8e9 in nsFrameManager::GetPrimaryFrameFor (this=0x181ac41c, aContent=0x18d57fa0, aIndexHint=-1) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#24 0x127bfd99 in nsCSSFrameConstructor::FindPrimaryFrameFor (this=0x18a14f30, aFrameManager=0x181ac41c, aContent=0x18d5a1f0, aFrame=0x18d57f70, aHint=0x0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#25 0x1280e8e9 in nsFrameManager::GetPrimaryFrameFor (this=0x181ac41c, aContent=0x18d5a1f0, aIndexHint=-1) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#26 0x127bfd99 in nsCSSFrameConstructor::FindPrimaryFrameFor (this=0x18a14f30, aFrameManager=0x181ac41c, aContent=0x18d5a250, aFrame=0x18d59de0, aHint=0x0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#27 0x1280e8e9 in nsFrameManager::GetPrimaryFrameFor (this=0x181ac41c, aContent=0x18d5a250, aIndexHint=-1) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#28 0x127bfd99 in nsCSSFrameConstructor::FindPrimaryFrameFor (this=0x18a14f30, aFrameManager=0x181ac41c, aContent=0x18d5a390, aFrame=0x18d5a220, aHint=0x0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#29 0x1280e8e9 in nsFrameManager::GetPrimaryFrameFor (this=0x181ac41c, aContent=0x18d5a390, aIndexHint=-1) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#30 0x127bfd99 in nsCSSFrameConstructor::FindPrimaryFrameFor (this=0x18a14f30, aFrameManager=0x181ac41c, aContent=0x18d5a450, aFrame=0x18d5a330, aHint=0x0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#31 0x1280e8e9 in nsFrameManager::GetPrimaryFrameFor (this=0x181ac41c, aContent=0x18d5a450, aIndexHint=-1) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#32 0x127bfd99 in nsCSSFrameConstructor::FindPrimaryFrameFor (this=0x18a14f30, aFrameManager=0x181ac41c, aContent=0x18d74c50, aFrame=0x18b74b70, aHint=0x0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#33 0x1280e8e9 in nsFrameManager::GetPrimaryFrameFor (this=0x181ac41c, aContent=0x18d74c50, aIndexHint=-1) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#34 0x1282dc53 in PresShell::GetPrimaryFrameFor (this=0x181ac400, aContent=0x18616250) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#35 0x12c49380 in nsGenericHTMLElement::GetFormControlFrameFor (aContent=0x18616250, aDocument=0x18d74c50, aFlushContent=0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#36 0x12c8fbea in IsBindingAncestor [inlined] () at nsINode.h:153
#37 0x12c8fbea in nsHTMLInputElement::GetValue (this=0x4532e0, aValue=@0xbfffac10) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#38 0x12c8a63d in nsHTMLInputElement::SaveState (this=0x18d74c50) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#39 0x12c538d3 in nsGenericHTMLFormElement::UnbindFromTree (this=0x18d74c50, aDeep=409035344, aNullParent=1) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#40 0x12ae7bef in IsBindingAncestor [inlined] () at nsINode.h:153
#41 0x12ae7bef in nsContentUtils::DestroyAnonymousContent (aContent=0x18d74c50) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#42 0x1293b1ea in IsBindingAncestor [inlined] () at nsINode.h:153
#43 0x1293b1ea in nsFileControlFrame::Destroy (this=0x185f9d8c) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#44 0x128d694d in nsLineBox::DeleteLineList (aPresContext=0x181be800, aLines=@0x18601b44) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#45 0x1285e083 in nsBlockFrame::Destroy (this=0x18601b00) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#46 0x128d694d in nsLineBox::DeleteLineList (aPresContext=0x181be800, aLines=@0x1861617c) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#47 0x1285e083 in nsBlockFrame::Destroy (this=0x18616138) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#48 0x128a7f4d in nsFrameList::DestroyFrames (this=0x18618d94) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#49 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#50 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#51 0x12883add in nsContainerFrame::Destroy (this=0x18618d5c) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#52 0x128a7f4d in nsFrameList::DestroyFrames (this=0x18619940) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#53 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#54 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#55 0x12883add in nsContainerFrame::Destroy (this=0x18619908) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#56 0x128a7f4d in nsFrameList::DestroyFrames (this=0x185fbc50) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#57 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#58 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#59 0x12883add in nsContainerFrame::Destroy (this=0x185fbc18) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#60 0x128a7f4d in nsFrameList::DestroyFrames (this=0x186187ac) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#61 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#62 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#63 0x12883add in nsContainerFrame::Destroy (this=0x18618774) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#64 0x128a7f4d in nsFrameList::DestroyFrames (this=0x18618760) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#65 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#66 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#67 0x12883add in nsContainerFrame::Destroy (this=0x18618728) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#68 0x128d694d in nsLineBox::DeleteLineList (aPresContext=0x181be800, aLines=@0x18619e08) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#69 0x1285e083 in nsBlockFrame::Destroy (this=0x18619dc4) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#70 0x128a7f4d in nsFrameList::DestroyFrames (this=0x186183d8) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#71 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#72 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#73 0x12883add in nsContainerFrame::Destroy (this=0x186183a0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#74 0x128a7f4d in nsFrameList::DestroyFrames (this=0x18618290) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#75 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#76 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#77 0x12883add in nsContainerFrame::Destroy (this=0x18618258) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#78 0x128a7f4d in nsFrameList::DestroyFrames (this=0x185fb8e0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#79 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#80 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#81 0x12883add in nsContainerFrame::Destroy (this=0x185fb8a8) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#82 0x128a7f4d in nsFrameList::DestroyFrames (this=0x18617fec) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#83 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#84 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#85 0x12883add in nsContainerFrame::Destroy (this=0x18617fb4) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#86 0x128a7f4d in nsFrameList::DestroyFrames (this=0x18617fa0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#87 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#88 0x12883add in IsBindingAncestor [inlined] () at nsINode.h:153
#89 0x12883add in nsContainerFrame::Destroy (this=0x18617f68) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#90 0x128d694d in nsLineBox::DeleteLineList (aPresContext=0x181be800, aLines=@0x186186ec) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#91 0x1285e083 in nsBlockFrame::Destroy (this=0x186186a8) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#92 0x128d694d in nsLineBox::DeleteLineList (aPresContext=0x181be800, aLines=@0x185fc098) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#93 0x1285e083 in nsBlockFrame::Destroy (this=0x185fc054) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#94 0x128d694d in nsLineBox::DeleteLineList (aPresContext=0x181be800, aLines=@0x18616428) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#95 0x1285e083 in nsBlockFrame::Destroy (this=0x186163e4) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#96 0x128d694d in nsLineBox::DeleteLineList (aPresContext=0x181be800, aLines=@0xfb4664) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#97 0x1285e083 in nsBlockFrame::Destroy (this=0xfb4620) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#98 0x128a8cbe in nsFrameList::DestroyFrame (this=0x18616250, aFrame=0xfb4620) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#99 0x12858b00 in nsAbsoluteContainingBlock::RemoveFrame (this=0x1800a35c, aDelegatingFrame=0x1800a310, aListName=0x808e2c, aOldFrame=0xfb4620) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#100 0x128bf569 in CanvasFrame::RemoveFrame (this=0x1800a310, aListName=0x808e2c, aOldFrame=0xfb4620) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#101 0x1280ee0f in nsFrameManager::RemoveFrame (this=0x181ac41c, aParentFrame=0x1800a310, aListName=0x18616250, aOldFrame=0xfb4620) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#102 0x127c4959 in DeletingFrameSubtree (aFrameManager=0x181ac41c, aFrame=<value temporarily unavailable, due to optimizations>) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#103 0x127d1f8e in nsCSSFrameConstructor::ContentRemoved (this=0x18a14f30, aContainer=0x18a11040, aChild=0x18b13870, aIndexInContainer=1, aDidReconstruct=0xbfffbaa0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#104 0x127d28b6 in nsCSSFrameConstructor::RecreateFramesForContent (this=0x18a14f30, aContent=0x18b13870) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#105 0x127d2c3d in nsCSSFrameConstructor::ProcessRestyledFrames (this=0x18a14f30, aChangeList=@0xbfffbb7c) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#106 0x127d3418 in nsCSSFrameConstructor::RestyleElement (this=0x18a14f30, aContent=0x18b13870, aPrimaryFrame=0xfaac0c, aMinHint=<value temporarily unavailable, due to optimizations>) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#107 0x127d36a2 in nsCSSFrameConstructor::ProcessOneRestyle (this=0x18a14f30, aContent=0xfaac0c, aRestyleHint=<value temporarily unavailable, due to optimizations>, aChangeHint=0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#108 0x127d39f2 in nsCSSFrameConstructor::ProcessPendingRestyles (this=0x18a14f30) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#109 0x12845774 in IsBindingAncestor [inlined] () at nsINode.h:153
#110 0x12845774 in IsBindingAncestor [inlined] () at nsINode.h:153
#111 0x12845774 in PresShell::DoFlushPendingNotifications (this=0x181ac400, aType=Flush_Layout, aInterruptibleReflow=0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#112 0x12845c70 in PresShell::FlushPendingNotifications (this=0x18616250, aType=409035344) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#113 0x12b353a3 in nsDocument::FlushPendingNotifications (this=0x181d2c00, aType=Flush_Layout) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#114 0x12e50845 in nsGlobalWindow::ScrollTo (this=0x165f84f0, aXScroll=0, aYScroll=0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#115 0x0041d638 in NS_InvokeByIndex_P (that=0x165f84f0, methodIndex=14, paramCount=2, params=0xbfffc6cc) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#116 0x1114edf8 in XPCWrappedNative::CallMethod (ccx=@0xbfffc4b4, mode=XPCWrappedNative::CALL_METHOD) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#117 0x1115a52e in XPC_WN_CallMethod (cx=0xc44800, obj=0x18616250, argc=409035344, argv=0x18035860, vp=0x18616250) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#118 0x00233db1 in js_Invoke (cx=0xc44800, argc=2, vp=0x18035858, flags=0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#119 0x0020bda1 in js_Interpret (cx=0xc44800) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#120 0x00233dfe in js_Invoke (cx=0xc44800, argc=0, vp=0x1803576c, flags=0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#121 0x00202c40 in js_fun_apply (cx=0xc44800, argc=2, vp=0x18035734) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#122 0x00222e55 in js_Interpret (cx=0xc44800) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#123 0x00233dfe in js_Invoke (cx=0xc44800, argc=1, vp=0x18035624, flags=0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#124 0x0023404f in js_InternalInvoke (cx=0xc44800, obj=<value temporarily unavailable, due to optimizations>, fval=454889888, flags=0, argc=1, argv=0x18035620, rval=0xbfffd8b4) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#125 0x001ca996 in JS_CallFunctionValue (cx=0xc44800, obj=0x18616250, fval=409035344, argc=409035344, argv=0x18616250, rval=0x18616250) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#126 0x12e42bc5 in nsJSContext::CallEventHandler (this=0x165f86b0, aTarget=0x18d557d0, aScope=0x172ddf00, aHandler=<value temporarily unavailable, due to optimizations>, aargv=0x18a7e7c0, arv=0xbfffda5c) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#127 0x12ebcba4 in IsBindingAncestor [inlined] () at nsINode.h:153
#128 0x12ebcba4 in IsBindingAncestor [inlined] () at nsINode.h:153
#129 0x12ebcba4 in IsBindingAncestor [inlined] () at nsINode.h:153
#130 0x12ebcba4 in nsJSEventListener::HandleEvent (this=0x18d55950, aEvent=0x18d6c5ec) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#131 0x12bf3ceb in nsEventListenerManager::HandleEventSubType (this=0x18d558f0, aListenerStruct=0x18d55918, aListener=0x18d55950, aDOMEvent=0x18d6c5ec, aCurrentTarget=0x18d557d0, aPhaseFlags=2) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#132 0x12bf46ac in nsEventListenerManager::HandleEvent (this=0x18d558f0, aPresContext=0x181be800, aEvent=0xbfffdf4c, aDOMEvent=0xbfffddd0, aCurrentTarget=0x18d557d0, aFlags=2, aEventStatus=0xbfffddd4) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#133 0x12c332c2 in IsBindingAncestor [inlined] () at nsINode.h:153
#134 0x12c332c2 in nsEventTargetChainItem::HandleEvent (this=0x184cc440, aVisitor=@0xbfffddc8, aFlags=2, aMayHaveNewListenerManagers=0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#135 0x12c336ef in nsEventTargetChainItem::HandleEventTargetChain (this=0xfdd810, aVisitor=@0xbfffddc8, aFlags=6, aCallback=0xbfffde54, aMayHaveNewListenerManagers=1) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#136 0x12c346c4 in nsEventDispatcher::Dispatch (aTarget=0x18d559b0, aPresContext=0x181be800, aEvent=0xbfffdf4c, aDOMEvent=0x0, aEventStatus=0xbfffe328, aCallback=0xbfffde54) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#137 0x12841651 in IsBindingAncestor [inlined] () at nsINode.h:153
#138 0x12841651 in IsBindingAncestor [inlined] () at nsINode.h:153
#139 0x12841651 in PresShell::HandleEventInternal (this=0x181ac400, aEvent=0xbfffdf4c, aView=0x0, aStatus=0xbfffe328) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#140 0x1284adae in PresShell::HandleEventWithTarget (this=0x181ac400, aEvent=0x18616250, aFrame=0x18616250, aContent=0x18616250, aStatus=0x18616250) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#141 0x12c003d4 in nsEventStateManager::CheckForAndDispatchClick (this=0x18a11400, aPresContext=0x181be800, aEvent=0xbfffe5a0, aStatus=0xbfffe328) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#142 0x12c0d137 in nsEventStateManager::PostHandleEvent (this=0x18a11400, aPresContext=0x181be800, aEvent=0xbfffe5a0, aTargetFrame=0x185d0380, aStatus=0xbfffe328, aView=0x18a11970) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#143 0x12841872 in PresShell::HandleEventInternal (this=0x181ac400, aEvent=0xbfffe5a0, aView=0x18a11970, aStatus=0xbfffe328) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#144 0x1284b05b in PresShell::HandlePositionedEvent (this=0x181ac400, aView=0x18a11970, aTargetFrame=0x185d0380, aEvent=0xbfffe5a0, aEventStatus=0xbfffe328) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#145 0x1284bb11 in PresShell::HandleEvent (this=0x181ac400, aView=0x18a11970, aEvent=0xbfffe5a0, aEventStatus=0xbfffe328) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#146 0x12e29995 in nsViewManager::HandleEvent (this=0x18a11910, aView=0x18a11970, aPoint=@0xbfffe41c, aEvent=0xbfffe5a0, aCaptured=0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#147 0x12e2dc39 in nsViewManager::DispatchEvent (this=0x18a11910, aEvent=0xbfffe5a0, aStatus=0xbfffe46c) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#148 0x12e22146 in HandleEvent (aEvent=0xbfffe5a0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#149 0x1152edb2 in nsChildView::DispatchEvent (this=0x18daab30, event=0xbfffe5a0, aStatus=@0xbfffe55c) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#150 0x11520392 in nsChildView::DispatchWindowEvent (this=0x18d57130, event=@0x18616250) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#151 0x11534185 in IsBindingAncestor [inlined] () at nsINode.h:153
#152 0x11534185 in IsBindingAncestor [inlined] () at nsINode.h:153
#153 0x11534185 in -[ChildView mouseUp:] (self=0x18da0860, _cmd=0x941c52a8, theEvent=0x1993f4c0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#154 0x95c58241 in -[NSWindow sendEvent:] ()
#155 0x1151b77c in -[NSWindow(MethodSwizzling) nsCocoaWindow_NSWindow_sendEvent:] (self=0x125ede00, _cmd=0x941bc4b8, anEvent=0x1993f4c0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#156 0x11517168 in -[ToolbarWindow sendEvent:] (self=0x125ede00, _cmd=0x941bc4b8, anEvent=0x1993f4c0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#157 0x95c24d49 in -[NSApplication sendEvent:] ()
#158 0x95b8269f in -[NSApplication run] ()
#159 0x1151269a in nsAppShell::Run (this=0x635cb0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#160 0x120bf11e in nsAppStartup::Run (this=0x64fad0) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#161 0x000816d2 in XRE_main (argc=1, argv=0xbffff20c, aAppData=0x60e940) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
#162 0x00002870 in main (argc=1, argv=0x60bb30) at ../../../layout/base/nsCSSFrameConstructor.cpp:8510
I don't see any obvious jit involvement here but of course something might have gone wrong earlier. Ccing jst. Looks like we are crashing in CSS.
(Forgot to mention this above, confirmed on TM trunk, it takes a few clicks, not just one, but this definitively crashes.)
(In reply to comment #6)
> I don't see any obvious jit involvement here but of course something might have
> gone wrong earlier. Ccing jst. Looks like we are crashing in CSS.

If I set jit.content = off (Nightly 3.5b4pre Build), there's no crash no matter how much I reload the page or click on the link.
Status: UNCONFIRMED → NEW
Ever confirmed: true
One other, probably more informative in concert with the stack, assertion occurs when the page is loaded:

###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file /Users/jwalden/moz/2/layout/base/../generic/nsPlaceholderFrame.h, line 175

Given the stack of the eventual crash, it looks like floats (those are the only places placeholders are being used, I think) are getting screwed up and then the event-handling code for the click triggers some badness associated with that.  CCing the usual suspects for placeholder/out-of-flow bugs and moving to a first-cut more accurate component...

In any case, crashing @ 0xdddddddd == superbad mojo and very likely exploitable, hiding and moving to a more accurate component.  There may be a JS bug here if we don't crash with JIT off, but the layout crash here is more worrisome (and probably not the JIT's fault since it should only be calling well-recognized entry points), and it'd probably be hard to debug with this red-herring crash in the mix.
Assignee: general → nobody
Group: core-security
Component: JavaScript Engine → Layout
OS: Windows XP → All
QA Contact: general → layout
Hardware: x86 → All
Summary: Nightly Firefox 3.5b4pre build crashes after clicking javascript link [@ TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*) ] → Crash [@ nsINode::HasSlots] loading the given page and clicking the Upload Resume button
Whiteboard: [sg:critical?]
Version: 1.9.1 Branch → Trunk
If somebody can reproduce this crash on Linux, it might be worth running under valgrind (especially with the "//#define DEBUG_TRACEMALLOC_FRAMEARENA 1" in nsPresShell.cpp *un*commented, followed by rebuilding in layout/base and then layout/build) and seeing if anything interesting turns up.
I was able to reproduce on macosx so linux is likely going to crash too. Any volunteer to test this? I will add our resident valgrind guru.
I just tried using a 32-bit Linux 1.9.1 nightly and it didn't crash for me.
You have to click repeatedly on macosx.
The layout asserts seem to be due to trying to SaveState on the text input inside a file control while destroying the file control.

I have no idea why that doesn't happen in general when removing an ancestor of a file input from the DOM.  Or does it?  At least the "GetPrimaryFrameFor() called while frames are being destroyed!" assert....
(In reply to comment #0)
> Nightly Firefox 3.5b4pre build 20090418045023 crashes when you [snip]

FWIW: I couldn't reproduce this crash in an up-to-date nightly build (I tried both mozilla-central and Shiretoko on both Linux and Mac).

However, I *can* reproduce the crash in my linux mozilla-central *debug* build.  So, at least from my testing, this is much easier to hit in a debug build.
Yeah, in a debug build we 0xdddddddd the destroyed frames.
If you can repro on Linux, could you try comment 10?  (I haven't been able to do a 32-bit build, and if this requires JIT, I'd need it.)
(In reply to comment #1)
> If I set jit.content = false, the crash does not happen.

My Linux debug build actually crashes with JIT off, though it takes two clicks on the "Upload Resume" button instead of one.  So, I don't think there's any JIT connection here at all.

(Brian, I'm guessing that JIT affected your nightly build's behavior simply because we happen to get lucky and dereference "nicer" freed memory with JIT turned off.)

(In reply to comment #17)
> If you can repro on Linux, could you try comment 10?

Yeah, I'll give that a shot.
Not sure it's relevant because it was XBL-related, but a couple of years ago we had a crash at the same location (bug 401569) which was fixed by bz in bug 400794.

qawanted: we need a reduced testcase attached to the bug in case that page ever changes. Which it may do if they discover their Firefox-using fans are crashing a lot.
Attached file valgrind log
Here's a valgrind log from running the following command, and then triggering the crash.
./dist/bin/firefox -no-remote -profile deleteme/ about:blank -g -d valgrind  1> ~/Desktop/valgrind.out 2>&1

(I had jit disabled, and I uncommented the line mentioned in comment 10.)
Attachment #373983 - Attachment mime type: application/octet-stream → text/plain
(In reply to comment #14)
> The layout asserts seem to be due to trying to SaveState on the text input
> inside a file control while destroying the file control.

So do you have a set of rules that clearly say which function is doing something it's not allowed to do?
That's a really good question.

The crash seems to be happening over here because when we make that GetPrimaryFrameFor call, we end up going up the frame tree finding parent content primary frames (so we can search their child lists), until we get to an nsBlockFrame for which GetFirstChild(nsnull) returns a deleted frame.  Then we try to do something with its content node and crash.

Offhand, the fact that an already-destroyed frame is in the frame list looks like a bug to me.

The issue triggering the asserts is basically that we're calling UnbindFromTree on native anonymous content as we recursively destroy a frame subtree, and that the UnbindFromTree implementation ends up calling GetPrimaryFrameFor on the content node being unbound.  In general, getting primary frames during unbind is ok; perhaps the right solution here is to unbind the native anon content after we're done destroying frames (just like we'd unbind regular DOM content after sending the ContentRemoved notifications)?

Another option would be to skip the SaveState thing for native anon content, I guess.  I'm not sure I like that as much.

In any case, the issue of why an already-destroyed frame is still in the frame tree is interesting to me.
Two other thoughts (out of scope for this bug):

 * I still think it's wrong for text controls to store their state in the frame tree; if we had all form state in content things would probably be easier.

 * We should probably get rid of the whole FindFrameWithContent mess, at least for everything other than text nodes, and just require that all frames for elements be in the primary frame map.
Flags: blocking1.9.1? → wanted1.9.1+
Assignee: nobody → roc
When Olli's landed document cloning for printing (and that might not be far away), we can get rid of multiple presentations altogether and just store the primary frame pointer in each content node, so FindFrameWithContent will go away.
Attached file testcase
This single-file testcase triggers the assertions about calling GetPrimaryFrameFor at a bad time. It could still use a lot of reduction, a big chunk of Microsoft's Atlas framework is in there...
Attached file simple testcase
OK, all you have to do to trigger assertions is to remove an <input type="file"> from the document!

I think we should move the unbinding of anonymous content out until after frame removal is done. The question of why the block frame has a deleted first child is also interesting, but frankly reducing this page is so painful we should just wait for a better testcase.
###!!! ASSERTION: GetPrimaryFrameFor() called while frames are being destroyed!: '!mIsDestroyingFrames', file layout/base/nsFrameManager.cpp, line 334
Right; I guess I should have made the "file input == assert" issue clearer in comment 23.  Like I said, I think we need to fix that, but it still really worries me that we have this dead frame in the frame tree...
###!!! ASSERTION: GetPrimaryFrameFor() called while frames are being destroyed!: '!mIsDestroyingFrames', file /Users/jruderman/central/layout/base/nsFrameManager.cpp, line 334

###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file /Users/jruderman/central/layout/base/../generic/nsPlaceholderFrame.h, line 175
OK, I've implemented deferral of destroying anonymous content, but it doesn't fix the crash --- we're still crashing on the dead frame in the tree during GetPrimaryFrameFor. So I guess I'll need to re-reduce that again. (It also doesn't fix the "null out-of-flow for placeholder" warning in Jesse's patch.)
> during GetPrimaryFrameFor

Now from your deferred destruction?
Ah, it's because nsCSSFrameConstructor calls RemoveFrame twice, once for the out-of-flow and then again for the placeholder, and I'm destroying anonymous content after the first one.
Attached patch fix
I had been creating my own deferred content-unbind-queue, but it seems easier to just run these off script blockers. So this patch does that. This fixes all the assertions in the testcases here.
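To make the ordering problem in this thread concrete, here is an added C++ model (not Gecko code; Frame, Content, FrameManager and LookupsWhileDestroying are simplified stand-ins) that counts how often GetPrimaryFrameFor runs while frames are being torn down, once with the anonymous-content unbind done inline during destruction and once with the unbinds queued until teardown has finished, the way the patch hangs them off script blockers:

```cpp
#include <functional>
#include <memory>
#include <vector>
struct Frame;
struct Content { Frame* primaryFrame = nullptr; };  // stands in for nsIContent
struct Frame {  // stands in for nsIFrame: owns its children, points at its content
  Content* content;
  std::vector<std::unique_ptr<Frame>> children;
  explicit Frame(Content* c) : content(c) { c->primaryFrame = this; }
};
struct FrameManager {
  bool isDestroyingFrames = false;  // the flag behind the '!mIsDestroyingFrames' assertion
  int lookupsDuringDestroy = 0;     // how often that assertion would have fired
  std::vector<std::function<void()>> deferred;  // plays the role of queued script runners
  Frame* GetPrimaryFrameFor(Content* c) {
    if (isDestroyingFrames) ++lookupsDuringDestroy;  // the assertion site
    return c->primaryFrame;
  }
  // UnbindFromTree as modelled here: saving form state needs the primary frame first.
  void UnbindFromTree(Content* c) { (void)GetPrimaryFrameFor(c); }
  // deferUnbind=false reproduces the reported ordering; true mirrors the fix.
  void DestroySubtree(Frame* root, bool deferUnbind) {
    isDestroyingFrames = true;
    DestroyChildren(root, deferUnbind);
    isDestroyingFrames = false;
    for (auto& run : deferred) run();  // "script blocker" released: unbind now
    deferred.clear();
  }
 private:
  void DestroyChildren(Frame* f, bool deferUnbind) {
    for (auto& child : f->children) {
      DestroyChildren(child.get(), deferUnbind);
      Content* c = child->content;
      if (deferUnbind) deferred.push_back([this, c] { UnbindFromTree(c); });
      else UnbindFromTree(c);     // looks up a frame in the middle of teardown
      c->primaryFrame = nullptr;  // the frame map entry dies with the frame
    }
    f->children.clear();
  }
};
// Builds root -> file control -> anonymous text input (constructed sample tree), tears
// it down, and returns how many GetPrimaryFrameFor calls ran during frame destruction.
int LookupsWhileDestroying(bool deferUnbind) {
  Content rootC, fileC, anonC; Frame root(&rootC);
  auto file = std::make_unique<Frame>(&fileC);
  file->children.push_back(std::make_unique<Frame>(&anonC));
  root.children.push_back(std::move(file));
  FrameManager fm;
  fm.DestroySubtree(&root, deferUnbind);
  return fm.lookupsDuringDestroy;
}
```

With inline unbinding the counter is 2 (one lookup per destroyed frame's content); with the deferred queue it is 0, because by the time the unbind runs the frame map entry is already gone and no lookup happens mid-teardown.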
Attachment #376841 - Flags: review?(bzbarsky)
Whiteboard: [sg:critical?] → [sg:critical?][needs review]
Comment on attachment 376841 [details] [diff] [review]
fix

The script runner needs to take strong refs to mContent->GetCurrentDoc() and mContent->GetParent() that it takes in the constructor (because otherwise those could die before mContent, and wouldn't know to unset its dangling pointers).

With that change, r=me
Attachment #376841 - Flags: review?(bzbarsky) → review+
http://hg.mozilla.org/mozilla-central/rev/b9ed83c9953f

The test should be landed when this bug is uncloaked.
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Whiteboard: [sg:critical?][needs review] → [sg:critical?][needs 191 approval]
Attachment #376841 - Flags: approval1.9.1? → approval1.9.1+
Whiteboard: [sg:critical?][needs 191 approval] → [sg:critical?][needs 191 landing]
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/000522a24804
Keywords: fixed1.9.1
Whiteboard: [sg:critical?][needs 191 landing] → [sg:critical?]
Crash Signature: [@ nsINode::HasSlots]
Group: core-security
Issue is Resolved - removing QA-Wanted Keywords - QA-Wanted query clean-up task