Closed Bug 570160 Opened 10 years ago Closed 10 years ago

[regression] crash when printing or in print preview and A4 as page format [@ nsIFrame::SetNextSibling]

Categories

(Core :: Layout: Floats, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla2.0
Tracking Status
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: bugzilla.i.sekler, Assigned: mats)

References

()

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(3 files, 3 obsolete files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a5pre) Gecko/20100604 Firefox/3.7a5pre
Build Identifier: 

Firefox crashes when printing or in print preview for the $URL if page format is not Letter (tested with A4).

Good: 2009-10-02, SourceStamp=a80414164888

Bad: 2009-10-03, SourceStamp=0a7dd88dbe67

Regression window: http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2009-10-02+04%3A26%3A27&enddate=2009-10-03+02%3A36%3A30



Reproducible: Always

Steps to Reproduce:
1. Set page format to A4
2. Load <http://www.musicalcriticism.com/concerts/usherhall-rsno-clein-0510.shtml>
3. Print or print preview the page.
Actual Results:  
Crash.



The regression window is identical with <https://bugzilla.mozilla.org/show_bug.cgi?id=553972#c15>, so this bug might be a dupe of Bug 553972, which should be reopened in this case.

The crash report whith an old official nightly while searching for the first bad build: <http://crash-stats.mozilla.com/report/index/bp-66b61fb8-7e07-4fb5-9ac9-c973a2100604>

Wasn't able to make a minimal testcase yet.
crashes on windows xp too with 1.9.3 20100604040314

bp-9d5d052b-8df2-4dd9-9344-c75882100604
Signature	nsIFrame::SetNextSibling(nsIFrame*)
UUID	9d5d052b-8df2-4dd9-9344-c75882100604
Time 	2010-06-04 10:54:10.198115
Uptime	39
Last Crash	47257 seconds before submission
Product	Firefox
Version	3.7a5pre
Build ID	20100604040314
Branch	1.9.3
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 15 model 2 stepping 9
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x20
User Comments	Bug 570160

Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	nsIFrame::SetNextSibling(nsIFrame*) 	layout/generic/nsIFrame.h:952
1 	xul.dll 	nsFrameList::RemoveFrame(nsIFrame*) 	layout/generic/nsFrameList.cpp:133
2 	xul.dll 	nsBlockFrame::CollectFloats(nsIFrame*,nsFrameList&,int,int) 	layout/generic/nsBlockFrame.cpp:6645
3 	xul.dll 	nsBlockFrame::CollectFloats(nsIFrame*,nsFrameList&,int,int) 	layout/generic/nsBlockFrame.cpp:6651
4 	xul.dll 	nsBlockFrame::PushLines(nsBlockReflowState&,nsLineList_iterator) 	layout/generic/nsBlockFrame.cpp:4273
5 	xul.dll 	nsBlockFrame::PlaceLine(nsBlockReflowState&,nsLineLayout&,nsLineList_iterator,nsFloatManager::SavedState*,nsRect&,int&,int*) 	
6 	xul.dll 	nsAStreamCopier::Process() 	xpcom/io/nsStreamUtils.cpp:380
7 	nspr4.dll 	_PR_MD_UNLOCK 	nsprpub/pr/src/md/windows/w95cv.c:344
8 	nspr4.dll 	PR_Unlock 	nsprpub/pr/src/threads/combined/prulock.c:347
9 	xul.dll 	nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&,nsLineLayout&,nsLineList_iterator,nsIFrame*,LineReflowStatus*) 	layout/generic/nsBlockFrame.cpp:3722
10 	xul.dll 	nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&,nsLineLayout&,nsLineList_iterator,nsFlowAreaRect&,int&,nsFloatManager::SavedState*,int*,LineReflowStatus*,int) 	layout/generic/nsBlockFrame.cpp:3653
11 	nspr4.dll 	PR_Unlock 	nsprpub/pr/src/threads/combined/prulock.c:347
12 		@0x12b967
Component: General → Layout: Tables
Depends on: 563009
Keywords: crash, regression
OS: Linux → All
QA Contact: general → layout.tables
Version: unspecified → Trunk
Attached file framedump
###!!! ASSERTION: why CreateContinuingFrame for a non-splittable frame?: 'aFrame->GetSplittableType() != NS_FRAME_NOT_SPLITTABLE', file c:/moz/hg2/layout/base/nsCSSFrameConstructor.cpp, line 8512
###!!! ASSERTION: OOF must be first continuation: '!aFrame || !aFrame->GetPrevContinuation()', file c:\moz\hg2\layout\generic\nsPlaceholderFrame.h, line 115
###!!! ASSERTION: float manager state should match saved state: 'aState->mX == mX && aState->mY == mY && aState->mFloatInfoCount == mFloats.Length()', file c:\moz\hg2\layout\generic\nsFloatManager.h, line 263
###!!! ASSERTION: available space should never grow: 'aOldAvailableSpace.x <= aNewAvailableSpace.x && aOldAvailableSpace.XMost() >= aNewAvailableSpace.XMost()', file c:/moz/hg2/layout/generic/nsBlockFrame.cpp, line 828
###!!! ASSERTION: Broken frame linkage: 'prevSibling && prevSibling->GetNextSibling() == aFrame', file c:/moz/hg2/layout/generic/nsFrameList.cpp, line 132
###!!! ASSERTION: Creating a circular frame list, this is very bad.: 'this != aNextSibling', file c:\moz\hg2\layout\generic\nsIFrame.h, line 951


The first assertion is caused by trying to create a continuation for
a placeholder frame...
Assignee: nobody → matspal
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attached file Testcase
Patch coming up...
Blocks: 492627
Component: Layout: Tables → Layout: Floats
Keywords: testcase
QA Contact: layout.tables → layout.floats
Hardware: x86 → All
Summary: [regression] crash when printing or in print preview and A4 as page format → [regression] crash when printing or in print preview and A4 as page format [@ nsIFrame::SetNextSibling]
Attached patch Patch rev. 1 (obsolete) — Splinter Review
Call SplitFloat() for incomplete placeholders also in the break-after case.

It would be fairly easy to re-arrange the code to share the 
SplitFloat/CreateNextInFlow bits for the break-after and
!NS_FRAME_IS_FULLY_COMPLETE blocks.  Let me know if you'd prefer that
and I'll make a new patch.
Attachment #449530 - Flags: review?(fantasai.bugs)
Attached patch Patch rev. 1 (diff -w) (obsolete) — Splinter Review
Yes, I think that would be better.
Attachment #449530 - Flags: review?(fantasai.bugs) → review-
Attached patch Patch rev. 2 (obsolete) — Splinter Review
Rearranging the code, should be functionally the same as the last patch.
Attachment #449530 - Attachment is obsolete: true
Attachment #449531 - Attachment is obsolete: true
Attachment #454447 - Flags: review?(fantasai.bugs)
Comment on attachment 454447 [details] [diff] [review]
Patch rev. 2

Overall, looks good. I think, however, that this bit

+  PRBool isBreakAfter = NS_INLINE_IS_BREAK_AFTER(aStatus);
+  if (isBreakAfter ? NS_FRAME_IS_NOT_COMPLETE(aStatus)
+                   : !NS_FRAME_IS_FULLY_COMPLETE(aStatus)) {
+  [...]
+  if (isBreakAfter) {

should be
+  if (!NS_FRAME_IS_FULLY_COMPLETE(aStatus)) {
+  [...]
+  if (NS_INLINE_IS_BREAK_AFTER(aStatus)) {

r+ with that change, unless you disagree
Attachment #454447 - Flags: review?(fantasai.bugs) → review+
Ok, I thought about that too, but I kept the old logic to minimize risk.
(the old logic doesn't make a continuation for
  "isBreakAfter && NS_FRAME_OVERFLOW_INCOMPLETE")
Are you saying that combination cannot occur or is the old logic
simply broken and it should have made a continuation in that case too?
(I'll add an assertion if it shouldn't occur)
I believe it should have made a continuation in that case, too. I suspect I didn't update it to handle overflow containers in that instance because there was no code to handle placeholders, so it seemed there were nothing to handle.
Ok, thanks for clarifying.
Attached patch Patch rev. 3Splinter Review
Updated per review comments.  I'll land this when the tree reopens...
Attachment #454447 - Attachment is obsolete: true
http://hg.mozilla.org/mozilla-central/rev/c0536c4f3a90
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0
Blocks: 574958
Crash Signature: [@ nsIFrame::SetNextSibling]
You need to log in before you can comment on or make changes to this bug.