Closed
Bug 660451
Opened 13 years ago
Closed 12 years ago
Crash [@ nsIFrame::GetParent() | nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame *,unsigned int *) ] during restyle
Categories: Core :: Layout, defect
Tracking: RESOLVED FIXED, mozilla10
People: Reporter: bc, Assigned: ehsan.akhgari
Details: Keywords: crash, reproducible, testcase
Attachments: 4 files
1. http://fashion.rayli.com.cn/mixmatch/2011-05-11/L0002001010_846320_10.html#nextpic
2. Crash Windows xp nightly/aurora, Windows 7 aurora (at least)

Operating system: Windows NT 5.1.2600 Service Pack 3
CPU: x86 GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0x1c

Thread 0 (crashed)
 0  xul.dll!nsIFrame::GetParent() [nsIFrame.h : 796 + 0xa]
    eip = 0x1026d7ea esp = 0x0012c970 ebp = 0x0012c974 ebx = 0x00000000
    esi = 0x046bf4c0 edi = 0x00000000 eax = 0x00000000 ecx = 0x00000000
    edx = 0x00000019 efl = 0x00010246
    Found by: given as instruction pointer in context
 1  xul.dll!nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame *,unsigned int *) [nsCSSFrameConstructor.cpp : 8956 + 0x7]
    eip = 0x1028b51d esp = 0x0012c97c ebp = 0x0012c9a4
    Found by: call frame info
 2  xul.dll!nsCSSFrameConstructor::RecreateFramesForContent(nsIContent *,int) [nsCSSFrameConstructor.cpp : 9096 + 0x15]
    eip = 0x1028bb4c esp = 0x0012c9ac ebp = 0x0012c9e8
    Found by: call frame info
 3  xul.dll!nsCSSFrameConstructor::ProcessRestyledFrames(nsStyleChangeList &) [nsCSSFrameConstructor.cpp : 7999 + 0xd]
    eip = 0x10288ffd esp = 0x0012c9f0 ebp = 0x0012ca34
    Found by: call frame info
 4  xul.dll!nsCSSFrameConstructor::RestyleElement(mozilla::dom::Element *,nsIFrame *,nsChangeHint,mozilla::css::RestyleTracker &,int) [nsCSSFrameConstructor.cpp : 8085 + 0x11]
    eip = 0x1028977a esp = 0x0012ca3c ebp = 0x0012cacc
    Found by: call frame info
 5  xul.dll!mozilla::css::RestyleTracker::ProcessOneRestyle(mozilla::dom::Element *,nsRestyleHint,nsChangeHint) [RestyleTracker.cpp : 156 + 0x2d]
    eip = 0x10276357 esp = 0x0012cad4 ebp = 0x0012cb80
    Found by: call frame info
Comment 1 • 13 years ago (Reporter)
1. http://www.raylizone.com/region/CO007.html
2. Crash Linux 32/64bit, Mac OS X nightly

Operating system: Linux 0.0.0 Linux 2.6.35.13-91.fc14.x86_64 #1 SMP Tue May 3 13:23:06 UTC 2011 x86_64
CPU: amd64 family 6 model 44 stepping 2
     1 CPU

Crash reason: SIGSEGV
Crash address: 0x28

Thread 0 (crashed)
 0  libxul.so!nsIFrame::GetParent [nsIFrame.h : 796 + 0x4]
    rbx = 0x0000000001cbcda0 r12 = 0x0000000000000001 r13 = 0x0000000000000000
    r14 = 0x0000000000b5dec0 r15 = 0x0000000000b61600 rip = 0x00007fef091d2b8e
    rsp = 0x00007fff5a651a50 rbp = 0x00007fff5a651a50
    Found by: given as instruction pointer in context
 1  libxul.so!nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval [nsCSSFrameConstructor.cpp : 8956 + 0xb]
    rbx = 0x0000000001cbcda0 r12 = 0x0000000000000001 r13 = 0x0000000000000000
    r14 = 0x0000000000b5dec0 r15 = 0x0000000000b61600 rip = 0x00007fef091f1375
    rsp = 0x00007fff5a651a60 rbp = 0x00007fff5a651ab0
    Found by: call frame info
 2  libxul.so!nsCSSFrameConstructor::RecreateFramesForContent [nsCSSFrameConstructor.cpp : 9096 + 0x16]
    rbx = 0x0000000001cbcda0 r12 = 0x0000000000000001 r13 = 0x0000000000000000
    r14 = 0x0000000000b5dec0 r15 = 0x0000000000b61600 rip = 0x00007fef091f19d2
    rsp = 0x00007fff5a651ac0 rbp = 0x00007fff5a651b50
    Found by: call frame info
 3  libxul.so!nsCSSFrameConstructor::ProcessRestyledFrames [nsCSSFrameConstructor.cpp : 7999 + 0x17]
    rbx = 0x0000000001cbcda0 r12 = 0x0000000000000001 r13 = 0x0000000000000000
    r14 = 0x0000000000b5dec0 r15 = 0x0000000000b61600 rip = 0x00007fef091ee772
    rsp = 0x00007fff5a651b60 rbp = 0x00007fff5a651be0
    Found by: call frame info
 4  libxul.so!nsCSSFrameConstructor::RestyleElement [nsCSSFrameConstructor.cpp : 8085 + 0x18]
    rbx = 0x0000000001cbcda0 r12 = 0x0000000000000001 r13 = 0x0000000000000000
    r14 = 0x0000000000b5dec0 r15 = 0x0000000000b61600 rip = 0x00007fef091eeb52
    rsp = 0x00007fff5a651bf0 rbp = 0x00007fff5a651d30
    Found by: call frame info
 5  libxul.so!mozilla::css::RestyleTracker::ProcessOneRestyle [RestyleTracker.cpp : 156 + 0x44]
    rbx = 0x0000000001fa5e30 r12 = 0x0000000000000001 r13 = 0x0000000000000000
    r14 = 0x0000000000b5dec0 r15 = 0x0000000000b61600 rip = 0x00007fef091da6e1
    rsp = 0x00007fff5a651d40 rbp = 0x00007fff5a651e80
    Found by: call frame info
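As an added example (not part of the bug report and not Mozilla's crash-stats tooling): a triage helper run over excerpts of the two crash summaries above. It joins the top two frames into a signature and flags a fault address in the first 4 KiB as a near-null access; the 4 KiB limit, the two-frame depth and the names `triage` and `same_defect` are assumptions of this example.

```python
import re

# Constructed input: excerpts of the two crash summaries quoted above (register
# dumps and lower frames omitted), flattened the way the page shows them.
WIN_XP = (
    "Crash reason: EXCEPTION_ACCESS_VIOLATION_READ Crash address: 0x1c "
    "Thread 0 (crashed) 0 xul.dll!nsIFrame::GetParent() [nsIFrame.h : 796 + 0xa] "
    "1 xul.dll!nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval"
    "(nsIFrame *,unsigned int *) [nsCSSFrameConstructor.cpp : 8956 + 0x7]"
)
LINUX64 = (
    "Crash reason: SIGSEGV Crash address: 0x28 Thread 0 (crashed) "
    "0 libxul.so!nsIFrame::GetParent [nsIFrame.h : 796 + 0x4] "
    "1 libxul.so!nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval "
    "[nsCSSFrameConstructor.cpp : 8956 + 0xb]"
)

# Matches: frame index, module!function, then [file : line + offset].
FRAME_RE = re.compile(
    r"\b\d+\s+\S+?!([^\[\]]+?)\s+\[([^\]:]+?)\s*:\s*(\d+)\s*\+\s*0x[0-9a-fA-F]+\]")
NEAR_NULL_LIMIT = 0x1000  # assumption: a fault in the first 4 KiB is null-based


def triage(report, depth=2):
    """Extract crash reason, fault address and the top `depth` frames."""
    reason = re.search(r"Crash reason:\s+(\S+)", report)
    address = re.search(r"Crash address:\s+(0x[0-9a-fA-F]+)", report)
    frames = [(m.group(1).strip(), f"{m.group(2).strip()}:{m.group(3)}")
              for m in FRAME_RE.finditer(report)][:depth]
    if not (reason and address and frames):
        raise ValueError("not a recognisable crash summary")
    addr = int(address.group(1), 16)
    return {
        "reason": reason.group(1),
        "address": addr,
        "near_null": addr < NEAR_NULL_LIMIT,
        "signature": " | ".join(fn for fn, _ in frames),
        "sites": tuple(site for _, site in frames),
    }


def same_defect(a, b):
    """Platform-neutral match: both near-null, same source lines on top."""
    return a["near_null"] and b["near_null"] and a["sites"] == b["sites"]


if __name__ == "__main__":
    for name, text in (("Windows XP", WIN_XP), ("Linux x86_64", LINUX64)):
        print(name, triage(text))
```

Both reports reduce to the same two source lines, and the small fault addresses (0x1c on x86, 0x28 on amd64) are what a member read through a null object pointer looks like, consistent with the `inFlowFrame` value of `0x0` shown in comment 3.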
Comment 2 • 13 years ago (Reporter)
see also bug 526853, bug 656646 which also show nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval but which involve nsCSSFrameConstructor::ContentRemoved but the restyling.
Comment 3 • 13 years ago
In a Linux64 debug build I get a null-pointer crash here:

(gdb) fr 0
#0  nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval (this=0x7fffc892bc00, aFrame=0x7fffcb1e31c0, aResult=0x7fffffffc2bc) at nsCSSFrameConstructor.cpp:8956
8956      nsIFrame* parent = inFlowFrame->GetParent();
(gdb) p inFlowFrame
$1 = (nsIFrame *) 0x0
(gdb) list
8951      // Now check for possibly needing to reconstruct due to a pseudo parent
8952      nsIFrame* inFlowFrame =
8953        (aFrame->GetStateBits() & NS_FRAME_OUT_OF_FLOW) ?
8954          mPresShell->FrameManager()->GetPlaceholderFrameFor(aFrame) : aFrame;
8955      NS_ASSERTION(inFlowFrame, "How did that happen?");
8956      nsIFrame* parent = inFlowFrame->GetParent();
8957      if (IsTablePseudo(parent)) {
8958        if (FindFirstNonWhitespaceChild(parent) == inFlowFrame ||
8959            !FindNextNonWhitespaceSibling(inFlowFrame->GetLastContinuation()) ||
8960            // If we're a table-column-group, then the GetFirstChild check above is
(gdb)

There are lots of assertions leading up to the crash:

###!!! ASSERTION: unexpected child list: 'Error', file layout/generic/nsBlockFrame.cpp, line 4708
###!!! ASSERTION: How did that happen?: 'aFrameItems.IsEmpty()', file layout/base/nsCSSFrameConstructor.cpp, line 1269
###!!! ASSERTION: Frames getting lost!: 'NS_SUCCEEDED(rv)', file layout/base/nsCSSFrameConstructor.cpp, line 1274
###!!! ASSERTION: Dangling child list. Someone forgot to insert it?: '!FirstChild()', file layout/base/nsCSSFrameConstructor.cpp, line 637
###!!! ASSERTION: not in child list: 'found', file layout/base/nsLayoutUtils.cpp, line 361
###!!! ASSERTION: unexpected child list: 'Error', file layout/generic/nsBlockFrame.cpp, line 5029
###!!! ASSERTION: asked to construct a frame for a node that already has a frame: '!child->GetPrimaryFrame() || child->GetPrimaryFrame()->GetContent() != child', file layout/base/nsCSSFrameConstructor.cpp, line 6857
###!!! ASSERTION: asked to create frame construction item for a node that already has a frame: 'Error', file layout/base/nsCSSFrameConstructor.cpp, line 5014
###!!! ASSERTION: no placeholder frame for out-of-flow frame: 'Not Reached', file layout/generic/nsFrame.cpp, line 6615
frame: HTMLScroll(li)(3) (0x7fffcb1e31c0) style: 0x7fffcff0fba8 {}
###!!! ASSERTION: Wrong parent style context: 'Error', file layout/base/nsFrameManager.cpp, line 640
Wrong parent style context: style: 0x7fffda5fb7c8 {} should be using: style: 0x7fffcff0f378 {}
###!!! ASSERTION: no placeholder frame for out-of-flow frame: 'Not Reached', file layout/generic/nsFrame.cpp, line 6615
###!!! ASSERTION: no placeholder frame for out-of-flow frame: 'Not Reached', file layout/generic/nsFrame.cpp, line 6615
...
Comment 4 • 13 years ago
I'd guess it's the same and is a regression from Ehsan's absolute position changes.
Updated • 13 years ago
Crash Signature: [@ nsIFrame::GetParent() | nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame *,unsigned int *) ]
Comment 5 • 13 years ago
This testcase is crashing for me on trunk, not on branch.
Comment 6 • 13 years ago
https://crash-stats.mozilla.com/report/index/e2a67ead-320a-43cf-ba1f-5e1302110623

0  xul.dll  nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval  layout/base/nsCSSFrameConstructor.cpp:8930
1  xul.dll  nsCSSFrameConstructor::RecreateFramesForContent  layout/base/nsCSSFrameConstructor.cpp:9070
2  xul.dll  nsCSSFrameConstructor::ProcessRestyledFrames
3  xul.dll  mozilla::css::RestyleTracker::ProcessRestyles  layout/base/RestyleTracker.cpp:240
4  xul.dll  nsCSSFrameConstructor::ProcessPendingRestyles  layout/base/nsCSSFrameConstructor.cpp:11613
5  xul.dll  PresShell::FlushPendingNotifications  layout/base/nsPresShell.cpp:4810
6  xul.dll  PresShell::WillPaint  layout/base/nsPresShell.cpp:7608
7  xul.dll  nsViewManager::CallWillPaintOnObservers  view/src/nsViewManager.cpp:1604
8  xul.dll  nsViewManager::DispatchEvent  view/src/nsViewManager.cpp:902
9  @0x80
Comment 7 • 13 years ago (Assignee)
My existing patches fix this crash too. I'll post a crashtest here.
Assignee: nobody → ehsan
Keywords: testcase-wanted → testcase
Comment 8 • 13 years ago (Assignee)
Attachment #542586 - Flags: review?(roc)

Comment on attachment 542586
Crashtest

Review of attachment 542586:
-----------------------------------------------------------------

Make it standards-mode.

Attachment #542586 - Flags: review?(roc) → review+
Comment 10 • 13 years ago (Assignee)
Will do.
Comment 11 • 12 years ago (Assignee)
This was landed in bug 656130. I pushed the test: https://hg.mozilla.org/mozilla-central/rev/af3668a89015
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla10