Closed Bug 660451 Opened 14 years ago Closed 14 years ago

Crash [@ nsIFrame::GetParent() | nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame *,unsigned int *) ] during restyle

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla10

People

(Reporter: bc, Assigned: ehsan.akhgari)

References

Details

(Keywords: crash, reproducible, testcase)

Crash Data

Attachments

(4 files)

crash report xp nightly
53.17 KB, text/plain
Details
crash report linux x86_64 nightly
67.11 KB, text/plain
Details
testcase
450 bytes, text/html
Details
Crashtest
1.28 KB, patch
roc
: review+
Details | Diff | Splinter Review
1. http://fashion.rayli.com.cn/mixmatch/2011-05-11/L0002001010_846320_10.html#nextpic 2. Crash Windows xp nightly/aurora, Windows 7 aurora (at least) Operating system: Windows NT 5.1.2600 Service Pack 3 CPU: x86 GenuineIntel family 6 model 44 stepping 2 1 CPU Crash reason: EXCEPTION_ACCESS_VIOLATION_READ Crash address: 0x1c Thread 0 (crashed) 0 xul.dll!nsIFrame::GetParent() [nsIFrame.h : 796 + 0xa] eip = 0x1026d7ea esp = 0x0012c970 ebp = 0x0012c974 ebx = 0x00000000 esi = 0x046bf4c0 edi = 0x00000000 eax = 0x00000000 ecx = 0x00000000 edx = 0x00000019 efl = 0x00010246 Found by: given as instruction pointer in context 1 xul.dll!nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame *,unsigned int *) [nsCSSFrameConstructor.cpp : 8956 + 0x7] eip = 0x1028b51d esp = 0x0012c97c ebp = 0x0012c9a4 Found by: call frame info 2 xul.dll!nsCSSFrameConstructor::RecreateFramesForContent(nsIContent *,int) [nsCSSFrameConstructor.cpp : 9096 + 0x15] eip = 0x1028bb4c esp = 0x0012c9ac ebp = 0x0012c9e8 Found by: call frame info 3 xul.dll!nsCSSFrameConstructor::ProcessRestyledFrames(nsStyleChangeList &) [nsCSSFrameConstructor.cpp : 7999 + 0xd] eip = 0x10288ffd esp = 0x0012c9f0 ebp = 0x0012ca34 Found by: call frame info 4 xul.dll!nsCSSFrameConstructor::RestyleElement(mozilla::dom::Element *,nsIFrame *,nsChangeHint,mozilla::css::RestyleTracker &,int) [nsCSSFrameConstructor.cpp : 8085 + 0x11] eip = 0x1028977a esp = 0x0012ca3c ebp = 0x0012cacc Found by: call frame info 5 xul.dll!mozilla::css::RestyleTracker::ProcessOneRestyle(mozilla::dom::Element *,nsRestyleHint,nsChangeHint) [RestyleTracker.cpp : 156 + 0x2d] eip = 0x10276357 esp = 0x0012cad4 ebp = 0x0012cb80 Found by: call frame info
1. http://www.raylizone.com/region/CO007.html 2. Crash Linux 32/64bit, Mac OS X nightly Operating system: Linux 0.0.0 Linux 2.6.35.13-91.fc14.x86_64 #1 SMP Tue May 3 13:23:06 UTC 2011 x86_64 CPU: amd64 family 6 model 44 stepping 2 1 CPU Crash reason: SIGSEGV Crash address: 0x28 Thread 0 (crashed) 0 libxul.so!nsIFrame::GetParent [nsIFrame.h : 796 + 0x4] rbx = 0x0000000001cbcda0 r12 = 0x0000000000000001 r13 = 0x0000000000000000 r14 = 0x0000000000b5dec0 r15 = 0x0000000000b61600 rip = 0x00007fef091d2b8e rsp = 0x00007fff5a651a50 rbp = 0x00007fff5a651a50 Found by: given as instruction pointer in context 1 libxul.so!nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval [nsCSSFrameConstructor.cpp : 8956 + 0xb] rbx = 0x0000000001cbcda0 r12 = 0x0000000000000001 r13 = 0x0000000000000000 r14 = 0x0000000000b5dec0 r15 = 0x0000000000b61600 rip = 0x00007fef091f1375 rsp = 0x00007fff5a651a60 rbp = 0x00007fff5a651ab0 Found by: call frame info 2 libxul.so!nsCSSFrameConstructor::RecreateFramesForContent [nsCSSFrameConstructor.cpp : 9096 + 0x16] rbx = 0x0000000001cbcda0 r12 = 0x0000000000000001 r13 = 0x0000000000000000 r14 = 0x0000000000b5dec0 r15 = 0x0000000000b61600 rip = 0x00007fef091f19d2 rsp = 0x00007fff5a651ac0 rbp = 0x00007fff5a651b50 Found by: call frame info 3 libxul.so!nsCSSFrameConstructor::ProcessRestyledFrames [nsCSSFrameConstructor.cpp : 7999 + 0x17] rbx = 0x0000000001cbcda0 r12 = 0x0000000000000001 r13 = 0x0000000000000000 r14 = 0x0000000000b5dec0 r15 = 0x0000000000b61600 rip = 0x00007fef091ee772 rsp = 0x00007fff5a651b60 rbp = 0x00007fff5a651be0 Found by: call frame info 4 libxul.so!nsCSSFrameConstructor::RestyleElement [nsCSSFrameConstructor.cpp : 8085 + 0x18] rbx = 0x0000000001cbcda0 r12 = 0x0000000000000001 r13 = 0x0000000000000000 r14 = 0x0000000000b5dec0 r15 = 0x0000000000b61600 rip = 0x00007fef091eeb52 rsp = 0x00007fff5a651bf0 rbp = 0x00007fff5a651d30 Found by: call frame info 5 libxul.so!mozilla::css::RestyleTracker::ProcessOneRestyle [RestyleTracker.cpp : 156 + 0x44] rbx = 0x0000000001fa5e30 r12 = 0x0000000000000001 r13 = 0x0000000000000000 r14 = 0x0000000000b5dec0 r15 = 0x0000000000b61600 rip = 0x00007fef091da6e1 rsp = 0x00007fff5a651d40 rbp = 0x00007fff5a651e80 Found by: call frame info
see also bug 526853, bug 656646 which also show nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval but which involve nsCSSFrameConstructor::ContentRemoved but the restyling.
In a Linux64 debug build I get a null-pointer crash here: (gdb) fr 0 #0 nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval (this=0x7fffc892bc00, aFrame=0x7fffcb1e31c0, aResult=0x7fffffffc2bc) at nsCSSFrameConstructor.cpp:8956 8956 nsIFrame* parent = inFlowFrame->GetParent(); (gdb) p inFlowFrame $1 = (nsIFrame *) 0x0 (gdb) list 8951 // Now check for possibly needing to reconstruct due to a pseudo parent 8952 nsIFrame* inFlowFrame = 8953 (aFrame->GetStateBits() & NS_FRAME_OUT_OF_FLOW) ? 8954 mPresShell->FrameManager()->GetPlaceholderFrameFor(aFrame) : aFrame; 8955 NS_ASSERTION(inFlowFrame, "How did that happen?"); 8956 nsIFrame* parent = inFlowFrame->GetParent(); 8957 if (IsTablePseudo(parent)) { 8958 if (FindFirstNonWhitespaceChild(parent) == inFlowFrame || 8959 !FindNextNonWhitespaceSibling(inFlowFrame->GetLastContinuation()) || 8960 // If we're a table-column-group, then the GetFirstChild check above is (gdb) There's lot's of assertions leading up to the crash: ###!!! ASSERTION: unexpected child list: 'Error', file layout/generic/nsBlockFrame.cpp, line 4708 ###!!! ASSERTION: How did that happen?: 'aFrameItems.IsEmpty()', file layout/base/nsCSSFrameConstructor.cpp, line 1269 ###!!! ASSERTION: Frames getting lost!: 'NS_SUCCEEDED(rv)', file layout/base/nsCSSFrameConstructor.cpp, line 1274 ###!!! ASSERTION: Dangling child list. Someone forgot to insert it?: '!FirstChild()', file layout/base/nsCSSFrameConstructor.cpp, line 637 ###!!! ASSERTION: not in child list: 'found', file layout/base/nsLayoutUtils.cpp, line 361 ###!!! ASSERTION: unexpected child list: 'Error', file layout/generic/nsBlockFrame.cpp, line 5029 ###!!! ASSERTION: asked to construct a frame for a node that already has a frame: '!child->GetPrimaryFrame() || child->GetPrimaryFrame()->GetContent() != child', file layout/base/nsCSSFrameConstructor.cpp, line 6857 ###!!! ASSERTION: asked to create frame construction item for a node that already has a frame: 'Error', file layout/base/nsCSSFrameConstructor.cpp, line 5014 ###!!! ASSERTION: no placeholder frame for out-of-flow frame: 'Not Reached', file layout/generic/nsFrame.cpp, line 6615 frame: HTMLScroll(li)(3) (0x7fffcb1e31c0) style: 0x7fffcff0fba8 {} ###!!! ASSERTION: Wrong parent style context: 'Error', file layout/base/nsFrameManager.cpp, line 640 Wrong parent style context: style: 0x7fffda5fb7c8 {} should be using: style: 0x7fffcff0f378 {} ###!!! ASSERTION: no placeholder frame for out-of-flow frame: 'Not Reached', file layout/generic/nsFrame.cpp, line 6615 ###!!! ASSERTION: no placeholder frame for out-of-flow frame: 'Not Reached', file layout/generic/nsFrame.cpp, line 6615 ...
I'd guess it's the same and is a regression from Ehsan's absolute position changes.
Crash Signature: [@ nsIFrame::GetParent() | nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame *,unsigned int *) ]
Attached file testcase
This testcase is crashing for me on trunk, not on branch.
https://crash-stats.mozilla.com/report/index/e2a67ead-320a-43cf-ba1f-5e1302110623 0 xul.dll nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval layout/base/nsCSSFrameConstructor.cpp:8930 1 xul.dll nsCSSFrameConstructor::RecreateFramesForContent layout/base/nsCSSFrameConstructor.cpp:9070 2 xul.dll nsCSSFrameConstructor::ProcessRestyledFrames 3 xul.dll mozilla::css::RestyleTracker::ProcessRestyles layout/base/RestyleTracker.cpp:240 4 xul.dll nsCSSFrameConstructor::ProcessPendingRestyles layout/base/nsCSSFrameConstructor.cpp:11613 5 xul.dll PresShell::FlushPendingNotifications layout/base/nsPresShell.cpp:4810 6 xul.dll PresShell::WillPaint layout/base/nsPresShell.cpp:7608 7 xul.dll nsViewManager::CallWillPaintOnObservers view/src/nsViewManager.cpp:1604 8 xul.dll nsViewManager::DispatchEvent view/src/nsViewManager.cpp:902 9 @0x80
Depends on: 656130
My existing patches fix this crash too. I'll post a crashtest here.
Assignee: nobody → ehsan
Keywords: testcase-wantedtestcase
Attached patch CrashtestSplinter Review
Attachment #542586 - Flags: review?(roc)
Comment on attachment 542586 [details] [diff] [review] Crashtest Review of attachment 542586 [details] [diff] [review]: ----------------------------------------------------------------- Make it standards-mode.
Attachment #542586 - Flags: review?(roc) → review+
Will do.
This was landed in bug 656130. I pushed the test: https://hg.mozilla.org/mozilla-central/rev/af3668a89015
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla10
Blocks: 876194
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: