Closed
Bug 641724
Opened 14 years ago
Closed 11 years ago
Crash [@ nsIFrame::GetStyleDisplay()] | ASSERTION: frame tree not empty, but caller reported complete status: 'start == end || IsInLetterFrame(aSubtreeRoot)' | ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow'
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
People
(Reporter: bc, Assigned: jwir3)
References
()
Details
(4 keywords)
Crash Data
Attachments
(2 files)
1. http://www.pad-store.ru/catalog/pads/filter
2. crash 2.0.0 debug win/mac/linux
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'start == end || IsInLetterFrame(aSubtreeRoot)', file /work/mozilla/builds/2.0.0/mozilla/layout/base/nsLayoutUtils.cpp, line 3998
###!!! ASSERTION: Placeholder relationship should have been torn down already; this might mean we have a stray placeholder in the tree.: '!placeholder || nsLayoutUtils::IsProperAncestorFrame(aDestructRoot, placeholder)', file /work/mozilla/builds/2.0.0/mozilla/layout/generic/nsFrame.cpp, line 443
###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file /work/mozilla/builds/2.0.0/mozilla/layout/base/../generic/nsPlaceholderFrame.h, line 200
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000018
0x04e89454 in nsIFrame::GetStyleDisplay (this=0x0) at nsStyleStructList.h:95
95 STYLE_STRUCT_RESET(Display, nsnull, ())
(gdb) bt
#0 0x04e89454 in nsIFrame::GetStyleDisplay (this=0x0) at nsStyleStructList.h:95
#1 0x04d5e803 in nsLayoutUtils::GetFloatFromPlaceholder (aFrame=0xe615f0) at /work/mozilla/builds/2.0.0/mozilla/layout/base/nsLayoutUtils.cpp:417
#2 0x04e5164f in nsLineLayout::ReflowFrame (this=0xbfff9d78, aFrame=0xe615f0, aReflowStatus=@0xbfff9bd0, aMetrics=0x0, aPushedFrame=@0xbfff9bcc) at /work/mozilla/builds/2.0.0/mozilla/layout/generic/nsLineLayout.cpp:878
#3 0x04dda001 in nsBlockFrame::ReflowInlineFrame (this=0xe60b30, aState=@0xbfffa44c, aLineLayout=@0xbfff9d78, aLine={mCurrent = 0xf19610, mListLink = 0xe60b7c}, aFrame=0xe615f0, aLineReflowStatus=0xbfff9c7c) at /work/mozilla/builds/2.0.0/mozilla/layout/generic/nsBlockFrame.cpp:3811
#4 0x04de043f in nsBlockFrame::DoReflowInlineFrames (this=0xe60b30, aState=@0xbfffa44c, aLineLayout=@0xbfff9d78, aLine={mCurrent = 0xf19610, mListLink = 0xe60b7c}, aFloatAvailableSpace=@0xbfff9e3c, aAvailableSpaceHeight=@0xbfff9e34, aFloatStateBeforeLine=0xbfff9e1c, aKeepReflowGoing=0xbfffa0d0, aLineReflowStatus=0xbfff9e38, aAllowPullUp=1) at /work/mozilla/builds/2.0.0/mozilla/layout/generic/nsBlockFrame.cpp:3607
#5 0x04de0ecb in nsBlockFrame::ReflowInlineFrames (this=0xe60b30, aState=@0xbfffa44c, aLine={mCurrent = 0xf19610, mListLink = 0xe60b7c}, aKeepReflowGoing=0xbfffa0d0) at /work/mozilla/builds/2.0.0/mozilla/layout/generic/nsBlockFrame.cpp:3466
In nsLayoutUtils::GetFloatFromPlaceholder(nsIFrame * aFrame) Line 418
nsIFrame *outOfFlowFrame =
nsPlaceholderFrame::GetRealFrameForPlaceholder(aFrame);
NS_ASSERTION(outOfFlowFrame->GetStyleDisplay()->IsFloating(),
"How did that happen?");
outOfFlowFrame is null and is not null checked in the ASSERTION.
Comment 1•14 years ago
|
||
> outOfFlowFrame is null
That's not supposed to happen!
Mats, can you look into this?
Reporter | ||
Comment 2•14 years ago
|
||
I forgot to mention, standards mode is required. Removing the DOCTYPE makes the issue go away.
Reporter | ||
Comment 3•14 years ago
|
||
Note: I'm now getting this stack and assertion on the test case in bug 589787 (attachment 521405 [details])
Reporter | ||
Comment 4•14 years ago
|
||
update crash bugs to critical per guidelines.
Severity: minor → critical
Reporter | ||
Comment 5•14 years ago
|
||
still happening on trunk. Mats: ping?
Updated•14 years ago
|
Crash Signature: [@ nsIFrame::GetStyleDisplay()]
Reporter | ||
Comment 6•13 years ago
|
||
Now occurring with web developer articles on css3 multiple column layouts.
http://d3pr5r64n04s3o.cloudfront.net/articles/040_css3_columns/examples/CSS3-Multiple-Column-Layout-Other.html
http://webdesigntutsplus.s3.amazonaws.com/articles/040_css3_columns/examples/CSS3-Multiple-Column-Layout-Other.html
The related socorro signature is [@ nsFrameManager::ReResolveStyleContext ]
Crash Signature: [@ nsIFrame::GetStyleDisplay()] → [@ nsIFrame::GetStyleDisplay() ]
[@ nsFrameManager::ReResolveStyleContext ]
Reporter | ||
Comment 7•13 years ago
|
||
Still happening on Beta/11, Aurora/12, Nightly/13 on Linux, Mac, Windows.
This is a frequent crash in the crash automation with socorro showing 195 crashes in the last week.
Reporter | ||
Updated•13 years ago
|
status-firefox12:
--- → affected
status-firefox13:
--- → affected
status-firefox14:
--- → affected
tracking-firefox14:
--- → ?
Comment 8•13 years ago
|
||
This bug isn't a recent regression, or a particular pain point for our users. If there's reason to believe that the crash will get worse upon FF14's release, please re-nominate.
Comment 9•12 years ago
|
||
I got that crash yesterday while trying to find a broadband in the UK.
The steps to reproduce are simple and 100% reproducible:
1. Install NoScript (version 2.6.2)
2. Go to "sky.com"
3. Hover "Sky Products"
4. Click "Sky Boardbands"
5. CRASH
I have been able to reproduce this with Firefox 17 and trunk so I assume all version of Firefox are affected.
I wasn't able to reproduce the crash without NoScript but it is one of the top 10 most popular extensions as far as I know.
status-firefox17:
--- → affected
status-firefox18:
--- → affected
status-firefox19:
--- → affected
status-firefox20:
--- → affected
status-firefox-esr17:
--- → affected
tracking-firefox17:
--- → ?
tracking-firefox18:
--- → ?
tracking-firefox19:
--- → ?
tracking-firefox20:
--- → ?
tracking-firefox-esr17:
--- → ?
Keywords: reproducible
Hardware: x86 → All
Comment 10•12 years ago
|
||
Comment 11•12 years ago
|
||
This isn't something we're try to rush to fix for a respin of 17 since it's been around for a long time and the STR don't appear too common (or high volume) at this point.
Comment 12•12 years ago
|
||
Mats - any chance you can take a look at this new STR? It's an old issue with low volume, but if you give us a sense of where this falls in priority for you right now that would help with deciding whether or not to track it with this new info.
Assignee: nobody → matspal
Updated•12 years ago
|
Comment 13•12 years ago
|
||
From the attached stack trace:
#0 0x00007ffff217b394 in nsIFrame::GetStyleDisplay (this=0x0)
#1 0x00007ffff217bb00 in nsIFrame::IsFloating (this=0x0)
#2 0x00007ffff2205c34 in nsLayoutUtils::GetFloatFromPlaceholder
[...]
#12 0x00007ffff22a911b in nsColumnSetFrame::Reflow
I'm pretty sure the underlying problem is bug 724978.
(I have no intention of taking that bug.)
Fwiw, in this case it looks like it's a safe null-pointer crash.
Assignee: matspal → nobody
Comment 14•11 years ago
|
||
Is this bug still up to date? I couldn't reproduce any of the cases with current Nightly.
Flags: needinfo?(bclary)
Reporter | ||
Comment 15•11 years ago
|
||
Found fix between 20130318130735-20130320011514
Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e23e43a2c14e&tochange=0bba6ba92467
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013/03/2013-03-19-mozilla-central-debug/firefox-22.0a1.en-US.debug-linux-x86_64.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013/03/2013-03-20-mozilla-central-debug/firefox-22.0a1.en-US.debug-linux-x86_64.tar.bz2
I think this was fixed by bug 600100.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(bclary)
Resolution: --- → FIXED
Whiteboard: fixed-by-bug-600100
Comment 16•11 years ago
|
||
I think we should land "semi reduced testcase" as a crashtest as is.
Flags: in-testsuite?
Updated•11 years ago
|
Assignee: nobody → jaywir3
Depends on: 600100
Whiteboard: fixed-by-bug-600100
Target Milestone: --- → mozilla22
Comment 17•9 years ago
|
||
Comment 18•9 years ago
|
||
bugherder |
Updated•9 years ago
|
Flags: in-testsuite? → in-testsuite+
Updated•5 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•