Closed Bug 506349 Opened 16 years ago Closed 16 years ago

Crash [@ nsContainerFrame::SyncFrameViewProperties] on reload with overflow:scroll, float, select, li display: table-cell and textZoom

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 396367

People

(Reporter: martijn.martijn, Unassigned)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(3 files, 1 obsolete file)

testcase (uses enhanced privileges)
833 bytes, text/html
Details
various stacks + frame dump
98.44 KB, text/html
Details
wallpaper
792 bytes, patch
bzbarsky
: review+
Details | Diff | Splinter Review
See testcase, which crashes current trunk build on reload. This seems to have regressed between 2009-06-28 and 2009-06-29: http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2009-06-28+04%3A00%3A00&enddate=2009-06-29+07%3A00%3A00 I'm guessing bug 500556. http://crash-stats.mozilla.com/report/index/2cefdc18-e2d2-424a-bc41-02a592090724?p=1 0 xul.dll nsContainerFrame::SyncFrameViewProperties layout/generic/nsContainerFrame.cpp:638 1 xul.dll UpdateViewsForTree layout/base/nsCSSFrameConstructor.cpp:7429 2 xul.dll UpdateViewsForTree layout/base/nsCSSFrameConstructor.cpp:7452 3 xul.dll UpdateViewsForTree layout/base/nsCSSFrameConstructor.cpp:7452 4 xul.dll UpdateViewsForTree layout/base/nsCSSFrameConstructor.cpp:7452 5 xul.dll DoApplyRenderingChangeToTree layout/base/nsCSSFrameConstructor.cpp:7475 6 xul.dll UpdateViewsForTree layout/base/nsCSSFrameConstructor.cpp:7449 7 xul.dll UpdateViewsForTree layout/base/nsCSSFrameConstructor.cpp:7452 8 xul.dll UpdateViewsForTree layout/base/nsCSSFrameConstructor.cpp:7452 9 xul.dll UpdateViewsForTree layout/base/nsCSSFrameConstructor.cpp:7452 10 xul.dll UpdateViewsForTree layout/base/nsCSSFrameConstructor.cpp:7452 11 xul.dll DoApplyRenderingChangeToTree layout/base/nsCSSFrameConstructor.cpp:7475 12 xul.dll nsCSSFrameConstructor::ProcessRestyledFrames layout/base/nsCSSFrameConstructor.cpp:7777 13 xul.dll xul.dll@0x3d7c67 14 xul.dll nsPresContext::RebuildAllStyleData layout/base/nsPresContext.cpp:1501 15 xul.dll xul.dll@0x3d7fcb 16 xul.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101 17 xul.dll XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:2710
The flush request from nsContentUtils::GenerateStateKey() leads to nested frame construction, which destroys some frames: http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsContentUtils.cpp#2014 This attachment contains stacks for nested frame construction and the ~nsView call for the view that we later try to use and crash, and also the frame tree.
OS: Windows Vista → All
Hardware: x86 → All
Attached patch wip (obsolete) — Splinter Review
Perhaps we should flush content notifications up front in DocumentViewerImpl::SetTextZoom() -- or is that just wallpapering?
For now, I think it's the right thing. We shouldn't be entering restyle processing with an unflushed sink. It can easily lead to totally bogus behavior (e.g. double-construction of frames).
It's a "regression" from bug 482578, I cloned changeset 3820403125c2 (containing the fix) which crash, then backed out that fix which made it not crash. I'm guessing the fix in bug 482578 blocks a content notification leaving the sink dirty for the SetTextZoom call. I'll see if I can dig up some more details, and see how noisy the new assertions are...
Assignee: nobody → matspal
Blocks: 482578
Other way around; it allowed content flushes even during frame construction...
Ah, right. Hmm, that seems like it would lead to even more cases of nested frame construction though... :-(
Attached patch wallpaperSplinter Review
Attachment #390762 - Attachment is obsolete: true
Attachment #390996 - Flags: review?(bzbarsky)
Comment on attachment 390996 [details] [diff] [review] wallpaper Looks good. The non-wallpaper fix is switching to the HTML5 parser and getting rid of content sink flushes. :)
Attachment #390996 - Flags: review?(bzbarsky) → review+
That'll be great for trunk, but it's not going to happen on branches I would presume? Will adding asserts help with prompting more wallpapers like this for branch?
Adding asserts where?
Changing the "recurring into frame construction" warning to an assert for example. It'll be a little noisy but maybe we can mute some of the cases we think are safe.
On branch that would fire all the time; once for every text input, for example.
http://hg.mozilla.org/mozilla-central/rev/3b6268073ecb -> FIXED
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a1
Backed out since it caused a test to fail: 31054 ERROR TEST-UNEXPECTED-FAIL | /tests/docshell/test/navigation/test_bug430624.html | Check we're contentEditable after reload - got "contentEditable", expected "Still contentEditable"
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I think this might be the same issue as bug 396367. Indeed, the patch in that bug fixes the crash for me.
And the patch in bug 396367 doesn't fail test_bug430624.html on my box (the patch in this bug does fail on my box).
Yes, your patch looks better.
Assignee: matspal → nobody
Depends on: 396367
Target Milestone: mozilla1.9.3a1 → ---
Duping per above comments.
Status: REOPENED → RESOLVED
Closed: 16 years ago16 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ nsContainerFrame::SyncFrameViewProperties]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: