Closed Bug 660451 Opened 13 years ago Closed 13 years ago

Crash [@ nsIFrame::GetParent() | nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame *,unsigned int *) ] during restyle

Product/Component: Core :: Layout
Type: defect
Platform: x86, All
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla10
Reporter: bc
Assignee: ehsan.akhgari
Keywords: crash, reproducible, testcase
Attachments: 4 files

1. http://fashion.rayli.com.cn/mixmatch/2011-05-11/L0002001010_846320_10.html#nextpic

2. Crash Windows xp nightly/aurora, Windows 7 aurora (at least)

Operating system: Windows NT
                  5.1.2600 Service Pack 3
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0x1c

Thread 0 (crashed)
 0  xul.dll!nsIFrame::GetParent() [nsIFrame.h : 796 + 0xa]
    eip = 0x1026d7ea   esp = 0x0012c970   ebp = 0x0012c974   ebx = 0x00000000
    esi = 0x046bf4c0   edi = 0x00000000   eax = 0x00000000   ecx = 0x00000000
    edx = 0x00000019   efl = 0x00010246
    Found by: given as instruction pointer in context
 1  xul.dll!nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame *,unsigned int *) [nsCSSFrameConstructor.cpp : 8956 + 0x7]
    eip = 0x1028b51d   esp = 0x0012c97c   ebp = 0x0012c9a4
    Found by: call frame info
 2  xul.dll!nsCSSFrameConstructor::RecreateFramesForContent(nsIContent *,int) [nsCSSFrameConstructor.cpp : 9096 + 0x15]
    eip = 0x1028bb4c   esp = 0x0012c9ac   ebp = 0x0012c9e8
    Found by: call frame info
 3  xul.dll!nsCSSFrameConstructor::ProcessRestyledFrames(nsStyleChangeList &) [nsCSSFrameConstructor.cpp : 7999 + 0xd]
    eip = 0x10288ffd   esp = 0x0012c9f0   ebp = 0x0012ca34
    Found by: call frame info
 4  xul.dll!nsCSSFrameConstructor::RestyleElement(mozilla::dom::Element *,nsIFrame *,nsChangeHint,mozilla::css::RestyleTracker &,int) [nsCSSFrameConstructor.cpp : 8085 + 0x11]
    eip = 0x1028977a   esp = 0x0012ca3c   ebp = 0x0012cacc
    Found by: call frame info
 5  xul.dll!mozilla::css::RestyleTracker::ProcessOneRestyle(mozilla::dom::Element *,nsRestyleHint,nsChangeHint) [RestyleTracker.cpp : 156 + 0x2d]
    eip = 0x10276357   esp = 0x0012cad4   ebp = 0x0012cb80
    Found by: call frame info
1. http://www.raylizone.com/region/CO007.html
2. Crash Linux 32/64bit, Mac OS X nightly

Operating system: Linux
                  0.0.0 Linux 2.6.35.13-91.fc14.x86_64 #1 SMP Tue May 3 13:23:06 UTC 2011 x86_64
CPU: amd64
     family 6 model 44 stepping 2
     1 CPU

Crash reason:  SIGSEGV
Crash address: 0x28

Thread 0 (crashed)
 0  libxul.so!nsIFrame::GetParent [nsIFrame.h : 796 + 0x4]
    rbx = 0x0000000001cbcda0   r12 = 0x0000000000000001
    r13 = 0x0000000000000000   r14 = 0x0000000000b5dec0
    r15 = 0x0000000000b61600   rip = 0x00007fef091d2b8e
    rsp = 0x00007fff5a651a50   rbp = 0x00007fff5a651a50
    Found by: given as instruction pointer in context
 1  libxul.so!nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval [nsCSSFrameConstructor.cpp : 8956 + 0xb]
    rbx = 0x0000000001cbcda0   r12 = 0x0000000000000001
    r13 = 0x0000000000000000   r14 = 0x0000000000b5dec0
    r15 = 0x0000000000b61600   rip = 0x00007fef091f1375
    rsp = 0x00007fff5a651a60   rbp = 0x00007fff5a651ab0
    Found by: call frame info
 2  libxul.so!nsCSSFrameConstructor::RecreateFramesForContent [nsCSSFrameConstructor.cpp : 9096 + 0x16]
    rbx = 0x0000000001cbcda0   r12 = 0x0000000000000001
    r13 = 0x0000000000000000   r14 = 0x0000000000b5dec0
    r15 = 0x0000000000b61600   rip = 0x00007fef091f19d2
    rsp = 0x00007fff5a651ac0   rbp = 0x00007fff5a651b50
    Found by: call frame info
 3  libxul.so!nsCSSFrameConstructor::ProcessRestyledFrames [nsCSSFrameConstructor.cpp : 7999 + 0x17]
    rbx = 0x0000000001cbcda0   r12 = 0x0000000000000001
    r13 = 0x0000000000000000   r14 = 0x0000000000b5dec0
    r15 = 0x0000000000b61600   rip = 0x00007fef091ee772
    rsp = 0x00007fff5a651b60   rbp = 0x00007fff5a651be0
    Found by: call frame info
 4  libxul.so!nsCSSFrameConstructor::RestyleElement [nsCSSFrameConstructor.cpp : 8085 + 0x18]
    rbx = 0x0000000001cbcda0   r12 = 0x0000000000000001
    r13 = 0x0000000000000000   r14 = 0x0000000000b5dec0
    r15 = 0x0000000000b61600   rip = 0x00007fef091eeb52
    rsp = 0x00007fff5a651bf0   rbp = 0x00007fff5a651d30
    Found by: call frame info
 5  libxul.so!mozilla::css::RestyleTracker::ProcessOneRestyle [RestyleTracker.cpp : 156 + 0x44]
    rbx = 0x0000000001fa5e30   r12 = 0x0000000000000001
    r13 = 0x0000000000000000   r14 = 0x0000000000b5dec0
    r15 = 0x0000000000b61600   rip = 0x00007fef091da6e1
    rsp = 0x00007fff5a651d40   rbp = 0x00007fff5a651e80
    Found by: call frame info
see also bug 526853, bug 656646 which also show nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval but which involve nsCSSFrameConstructor::ContentRemoved but the restyling.
In a Linux64 debug build I get a null-pointer crash here:

(gdb) fr 0
#0  nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval (this=0x7fffc892bc00, aFrame=0x7fffcb1e31c0, aResult=0x7fffffffc2bc) at nsCSSFrameConstructor.cpp:8956
8956      nsIFrame* parent = inFlowFrame->GetParent();
(gdb) p inFlowFrame
$1 = (nsIFrame *) 0x0
(gdb) list
8951      // Now check for possibly needing to reconstruct due to a pseudo parent
8952      nsIFrame* inFlowFrame =
8953        (aFrame->GetStateBits() & NS_FRAME_OUT_OF_FLOW) ?
8954          mPresShell->FrameManager()->GetPlaceholderFrameFor(aFrame) : aFrame;
8955      NS_ASSERTION(inFlowFrame, "How did that happen?");
8956      nsIFrame* parent = inFlowFrame->GetParent();
8957      if (IsTablePseudo(parent)) {
8958        if (FindFirstNonWhitespaceChild(parent) == inFlowFrame ||
8959            !FindNextNonWhitespaceSibling(inFlowFrame->GetLastContinuation()) ||
8960            // If we're a table-column-group, then the GetFirstChild check above is
(gdb) 


There are lots of assertions leading up to the crash:

###!!! ASSERTION: unexpected child list: 'Error', file layout/generic/nsBlockFrame.cpp, line 4708
###!!! ASSERTION: How did that happen?: 'aFrameItems.IsEmpty()', file layout/base/nsCSSFrameConstructor.cpp, line 1269
###!!! ASSERTION: Frames getting lost!: 'NS_SUCCEEDED(rv)', file layout/base/nsCSSFrameConstructor.cpp, line 1274
###!!! ASSERTION: Dangling child list.  Someone forgot to insert it?: '!FirstChild()', file layout/base/nsCSSFrameConstructor.cpp, line 637
###!!! ASSERTION: not in child list: 'found', file layout/base/nsLayoutUtils.cpp, line 361
###!!! ASSERTION: unexpected child list: 'Error', file layout/generic/nsBlockFrame.cpp, line 5029
###!!! ASSERTION: asked to construct a frame for a node that already has a frame: '!child->GetPrimaryFrame() || child->GetPrimaryFrame()->GetContent() != child', file layout/base/nsCSSFrameConstructor.cpp, line 6857
###!!! ASSERTION: asked to create frame construction item for a node that already has a frame: 'Error', file layout/base/nsCSSFrameConstructor.cpp, line 5014
###!!! ASSERTION: no placeholder frame for out-of-flow frame: 'Not Reached', file layout/generic/nsFrame.cpp, line 6615
frame: HTMLScroll(li)(3) (0x7fffcb1e31c0) style: 0x7fffcff0fba8 {}
###!!! ASSERTION: Wrong parent style context: 'Error', file layout/base/nsFrameManager.cpp, line 640
Wrong parent style context:  style: 0x7fffda5fb7c8 {}
should be using:  style: 0x7fffcff0f378 {}

###!!! ASSERTION: no placeholder frame for out-of-flow frame: 'Not Reached', file layout/generic/nsFrame.cpp, line 6615
###!!! ASSERTION: no placeholder frame for out-of-flow frame: 'Not Reached', file layout/generic/nsFrame.cpp, line 6615
...
I'd guess it's the same and is a regression from Ehsan's absolute position changes.
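The failure shape in the gdb listing above, reduced to a self-contained model: a placeholder lookup that returns null for an out-of-flow frame, an assertion that only logs, and the dereference that follows, next to a variant that reports the broken invariant to the caller. This is an added example, not Gecko code and not the change that landed in bug 656130; `Frame`, `PlaceholderMap`, `SOFT_ASSERT`, `ParentUnchecked` and `ParentChecked` are hypothetical stand-ins.

```cpp
// Added illustration with simplified stand-in types; this is not Gecko code.
#include <cstdint>
#include <cstdio>
#include <unordered_map>

constexpr uint32_t kOutOfFlow = 1u << 0;  // stand-in for NS_FRAME_OUT_OF_FLOW
struct Frame {
  uint32_t stateBits = 0;
  Frame* parent = nullptr;
};

// Stand-in for the frame manager's out-of-flow -> placeholder table.
struct PlaceholderMap {
  std::unordered_map<const Frame*, Frame*> entries;
  Frame* PlaceholderFor(const Frame* f) const {
    auto it = entries.find(f);
    return it == entries.end() ? nullptr : it->second;  // null when missing
  }
};

// Logs and continues, like the "###!!! ASSERTION" lines in the debug log.
#define SOFT_ASSERT(cond, msg) \
  do { if (!(cond)) std::fprintf(stderr, "ASSERTION: %s: '%s'\n", msg, #cond); } while (0)

Frame* InFlowFrameFor(const PlaceholderMap& pm, Frame* aFrame) {
  return (aFrame->stateBits & kOutOfFlow) ? pm.PlaceholderFor(aFrame) : aFrame;
}

// Shape of listing lines 8952-8956: the assertion logs, then null is read.
Frame* ParentUnchecked(const PlaceholderMap& pm, Frame* aFrame) {
  Frame* inFlow = InFlowFrameFor(pm, aFrame);
  SOFT_ASSERT(inFlow, "How did that happen?");
  return inFlow->parent;  // faults when inFlow == nullptr
}

// Defensive shape: report the broken invariant to the caller instead.
bool ParentChecked(const PlaceholderMap& pm, Frame* aFrame, Frame** aParent) {
  Frame* inFlow = InFlowFrameFor(pm, aFrame);
  SOFT_ASSERT(inFlow, "How did that happen?");
  if (!inFlow) { *aParent = nullptr; return false; }
  *aParent = inFlow->parent;
  return true;
}

int main() {
  PlaceholderMap pm;  // empty: the out-of-flow frame below has no placeholder
  Frame orphan, *parent = nullptr;
  orphan.stateBits = kOutOfFlow;
  return ParentChecked(pm, &orphan, &parent) ? 1 : 0;  // exits 0, no fault
}
```

The crash addresses in the two minidumps (0x1c on x86, 0x28 on amd64) are small offsets from zero, which matches a member read through a null frame pointer as in `ParentUnchecked`.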
Crash Signature: [@ nsIFrame::GetParent() | nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame *,unsigned int *) ]
Attached file testcase
This testcase is crashing for me on trunk, not on branch.
https://crash-stats.mozilla.com/report/index/e2a67ead-320a-43cf-ba1f-5e1302110623
0 	xul.dll 	nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval 	layout/base/nsCSSFrameConstructor.cpp:8930
1 	xul.dll 	nsCSSFrameConstructor::RecreateFramesForContent 	layout/base/nsCSSFrameConstructor.cpp:9070
2 	xul.dll 	nsCSSFrameConstructor::ProcessRestyledFrames 	
3 	xul.dll 	mozilla::css::RestyleTracker::ProcessRestyles 	layout/base/RestyleTracker.cpp:240
4 	xul.dll 	nsCSSFrameConstructor::ProcessPendingRestyles 	layout/base/nsCSSFrameConstructor.cpp:11613
5 	xul.dll 	PresShell::FlushPendingNotifications 	layout/base/nsPresShell.cpp:4810
6 	xul.dll 	PresShell::WillPaint 	layout/base/nsPresShell.cpp:7608
7 	xul.dll 	nsViewManager::CallWillPaintOnObservers 	view/src/nsViewManager.cpp:1604
8 	xul.dll 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:902
9 		@0x80
Depends on: 656130
My existing patches fix this crash too.  I'll post a crashtest here.
Assignee: nobody → ehsan
Attached patch Crashtest
Attachment #542586 - Flags: review?(roc)
Comment on attachment 542586
Crashtest

Review of attachment 542586:
-----------------------------------------------------------------

Make it standards-mode.
Attachment #542586 - Flags: review?(roc) → review+
Will do.
This was landed in bug 656130.  I pushed the test: https://hg.mozilla.org/mozilla-central/rev/af3668a89015
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla10
Blocks: 876194