Closed Bug 641724 Opened 9 years ago Closed 6 years ago

Crash [@ nsIFrame::GetStyleDisplay()] | ASSERTION: frame tree not empty, but caller reported complete status: 'start == end || IsInLetterFrame(aSubtreeRoot)' | ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow'

Categories

(Core :: Layout, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla22
Tracking Status
firefox12 --- wontfix
firefox13 --- wontfix
firefox14 - wontfix
firefox17 - wontfix
firefox18 - wontfix
firefox19 - wontfix
firefox20 - wontfix
firefox-esr17 - wontfix

People

(Reporter: bc, Assigned: jwir3)

References

(Blocks 1 open bug, )

Details

(4 keywords)

Crash Data

Attachments

(2 files)

Attached file semi reduced testcase
1. http://www.pad-store.ru/catalog/pads/filter
2. crash 2.0.0 debug win/mac/linux

###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'start == end || IsInLetterFrame(aSubtreeRoot)', file /work/mozilla/builds/2.0.0/mozilla/layout/base/nsLayoutUtils.cpp, line 3998
###!!! ASSERTION: Placeholder relationship should have been torn down already; this might mean we have a stray placeholder in the tree.: '!placeholder || nsLayoutUtils::IsProperAncestorFrame(aDestructRoot, placeholder)', file /work/mozilla/builds/2.0.0/mozilla/layout/generic/nsFrame.cpp, line 443
###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file /work/mozilla/builds/2.0.0/mozilla/layout/base/../generic/nsPlaceholderFrame.h, line 200

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000018
0x04e89454 in nsIFrame::GetStyleDisplay (this=0x0) at nsStyleStructList.h:95
95	STYLE_STRUCT_RESET(Display, nsnull, ())

(gdb) bt
#0  0x04e89454 in nsIFrame::GetStyleDisplay (this=0x0) at nsStyleStructList.h:95
#1  0x04d5e803 in nsLayoutUtils::GetFloatFromPlaceholder (aFrame=0xe615f0) at /work/mozilla/builds/2.0.0/mozilla/layout/base/nsLayoutUtils.cpp:417
#2  0x04e5164f in nsLineLayout::ReflowFrame (this=0xbfff9d78, aFrame=0xe615f0, aReflowStatus=@0xbfff9bd0, aMetrics=0x0, aPushedFrame=@0xbfff9bcc) at /work/mozilla/builds/2.0.0/mozilla/layout/generic/nsLineLayout.cpp:878
#3  0x04dda001 in nsBlockFrame::ReflowInlineFrame (this=0xe60b30, aState=@0xbfffa44c, aLineLayout=@0xbfff9d78, aLine={mCurrent = 0xf19610, mListLink = 0xe60b7c}, aFrame=0xe615f0, aLineReflowStatus=0xbfff9c7c) at /work/mozilla/builds/2.0.0/mozilla/layout/generic/nsBlockFrame.cpp:3811
#4  0x04de043f in nsBlockFrame::DoReflowInlineFrames (this=0xe60b30, aState=@0xbfffa44c, aLineLayout=@0xbfff9d78, aLine={mCurrent = 0xf19610, mListLink = 0xe60b7c}, aFloatAvailableSpace=@0xbfff9e3c, aAvailableSpaceHeight=@0xbfff9e34, aFloatStateBeforeLine=0xbfff9e1c, aKeepReflowGoing=0xbfffa0d0, aLineReflowStatus=0xbfff9e38, aAllowPullUp=1) at /work/mozilla/builds/2.0.0/mozilla/layout/generic/nsBlockFrame.cpp:3607
#5  0x04de0ecb in nsBlockFrame::ReflowInlineFrames (this=0xe60b30, aState=@0xbfffa44c, aLine={mCurrent = 0xf19610, mListLink = 0xe60b7c}, aKeepReflowGoing=0xbfffa0d0) at /work/mozilla/builds/2.0.0/mozilla/layout/generic/nsBlockFrame.cpp:3466

In nsLayoutUtils::GetFloatFromPlaceholder(nsIFrame * aFrame)  Line 418

    nsIFrame *outOfFlowFrame =
      nsPlaceholderFrame::GetRealFrameForPlaceholder(aFrame);
    NS_ASSERTION(outOfFlowFrame->GetStyleDisplay()->IsFloating(),
                 "How did that happen?");

outOfFlowFrame is null and is not null checked in the ASSERTION.
> outOfFlowFrame is null

That's not supposed to happen!

Mats, can you look into this?
I forgot to mention, standards mode is required. Removing the DOCTYPE makes the issue go away.
Note: I'm now getting this stack and assertion on the test case in bug 589787 (attachment 521405 [details])
update crash bugs to critical per guidelines.
Severity: minor → critical
still happening on trunk. Mats: ping?
Keywords: testcase
Crash Signature: [@ nsIFrame::GetStyleDisplay()]
Now occurring with web developer articles on css3 multiple column layouts.

http://d3pr5r64n04s3o.cloudfront.net/articles/040_css3_columns/examples/CSS3-Multiple-Column-Layout-Other.html

http://webdesigntutsplus.s3.amazonaws.com/articles/040_css3_columns/examples/CSS3-Multiple-Column-Layout-Other.html

The related socorro signature is [@ nsFrameManager::ReResolveStyleContext ]
Crash Signature: [@ nsIFrame::GetStyleDisplay()] → [@ nsIFrame::GetStyleDisplay() ] [@ nsFrameManager::ReResolveStyleContext ]
Still happening on Beta/11, Aurora/12, Nightly/13 on Linux, Mac, Windows.

This is a frequent crash in the crash automation with socorro showing 195 crashes in the last week.
This bug isn't a recent regression, or a particular pain point for our users. If there's reason to believe that the crash will get worse upon FF14's release, please re-nominate.
I got that crash yesterday while trying to find a broadband in the UK.

The steps to reproduce are simple and 100% reproducible:
1. Install NoScript (version 2.6.2)
2. Go to "sky.com"
3. Hover "Sky Products"
4. Click "Sky Boardbands"
5. CRASH

I have been able to reproduce this with Firefox 17 and trunk so I assume all version of Firefox are affected.

I wasn't able to reproduce the crash without NoScript but it is one of the top 10 most popular extensions as far as I know.
Attached file Stack trace
This isn't something we're try to rush to fix for a respin of 17 since it's been around for a long time and the STR don't appear too common (or high volume) at this point.
Mats - any chance you can take a look at this new STR?  It's an old issue with low volume, but if you give us a sense of where this falls in priority for you right now that would help with deciding whether or not to track it with this new info.
Assignee: nobody → matspal
From the attached stack trace:
#0  0x00007ffff217b394 in nsIFrame::GetStyleDisplay (this=0x0)
#1  0x00007ffff217bb00 in nsIFrame::IsFloating (this=0x0)
#2  0x00007ffff2205c34 in nsLayoutUtils::GetFloatFromPlaceholder
[...]
#12 0x00007ffff22a911b in nsColumnSetFrame::Reflow 

I'm pretty sure the underlying problem is bug 724978.
(I have no intention of taking that bug.)

Fwiw, in this case it looks like it's a safe null-pointer crash.
Assignee: matspal → nobody
Depends on: 724978
Blocks: 698783
Is this bug still up to date? I couldn't reproduce any of the cases with current Nightly.
Flags: needinfo?(bclary)
I think we should land "semi reduced testcase" as a crashtest as is.
Flags: in-testsuite?
Assignee: nobody → jaywir3
Depends on: 600100
Whiteboard: fixed-by-bug-600100
Target Milestone: --- → mozilla22
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.