Closed Bug 686421 Opened 14 years ago Closed 13 years ago

Printing email crashes Thunderbird [@ nsIFrame::SetNextSibling(nsIFrame*) ]

Categories

(Core :: Layout: Tables, defect)

Product:
Core
Component:
Layout: Tables
Version:
6 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla20

People

(Reporter: nick, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files, 1 obsolete file)

Email which causes print/print preview crash
79.19 KB, application/octet-stream
Details
frame dumps, stacks for reftest layout/reftests/bugs/421710-1.html
264.89 KB, text/html
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2 Build ID: 20110902133214 Steps to reproduce: I received an email (an invoice from our broadband supplier). It did not have any attachments. I selected "Print" or "Print Preview". Actual results: Thunderbird crashed. Here are the details: AdapterDeviceID: 2a02 AdapterVendorID: 8086 Add-ons: sendvia@doublesix:1.0.2,{41e52bd9-defc-4a0f-a542-cf643a0776d1}:1.9.1,{58D4392A-842E-11DE-B51A-C7B855D89593}:1.4.0,{C8534C26-F59A-11DA-9804-B622A1EF5492}:5.0,compatibility@addons.mozilla.org:0.9,en-GB@dictionaries.addons.mozilla.org:1.19.1,extra-cols@jminta_gmail.com:1.1.3,showInOut@ggbs.de:1.0.0,tbsortfolders@xulforum.org:1.0.1,{e2fda1a4-762b-4020-b5ad-a41df1933103}:1.0b5,mintrayr@tn123.ath.cx:1.0,ignoreaero@rsjtdrjgfuzkfg.com:1.0.0.1 AvailableVirtualMemory: 1710157824 BuildID: 20110902221921 CrashTime: 1315898453 EMCheckCompatibility: false FramePoisonBase: 00000000f0de0000 FramePoisonSize: 65536 InstallTime: 1315862266 Notes: AdapterVendorID: 8086, AdapterDeviceID: 2a02, AdapterDriverVersion: 8.15.10.1930 D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers+ ProductName: Thunderbird ReleaseChannel: release StartupTime: 1315862266 SystemMemoryUsePercentage: 69 Theme: ignoreaero Throttleable: 1 TotalVirtualMemory: 2147352576 URL: Vendor: Version: 6.0.2 Winsock_LSP: MSAFD Tcpip [TCP/IP] : 2 : 1 : MSAFD Tcpip [UDP/IP] : 2 : 2 : %SystemRoot%\system32\mswsock.dll MSAFD Tcpip [RAW/IP] : 2 : 3 : MSAFD Tcpip [TCP/IPv6] : 2 : 1 : %SystemRoot%\system32\mswsock.dll MSAFD Tcpip [UDP/IPv6] : 2 : 2 : MSAFD Tcpip [RAW/IPv6] : 2 : 3 : %SystemRoot%\system32\mswsock.dll RSVP TCPv6 Service Provider : 2 : 1 : RSVP TCP Service Provider : 2 : 1 : %SystemRoot%\system32\mswsock.dll RSVP UDPv6 Service Provider : 2 : 2 : RSVP UDP Service Provider : 2 : 2 : %SystemRoot%\system32\mswsock.dll MSAFD RfComm [Bluetooth] : 2 : 1 : This report also contains technical information about the state of the application when it crashed. Expected results: The email should have printed (or the print preview should have appeared). The email itself does not contain any particularly sensitive information so I can save it as a file and upload it if necessary for testing.
please post your crash ID see http://support.mozillamessaging.com/en-US/kb/Mozilla-Crash-Reporter#w_viewing-crash-reports
Severity: normal → critical
Keywords: crash
Have just reproduced the crash again. ID is: bp-6ddb4620-d856-4636-9d6c-030f32110913
Ludo, can you check if this is leftovers from Bug 563009? Print preview crashes Firefox [@ nsIFrame::SetNextSibling(nsIFrame*) ] Nick, can you attach a testcase message to the bug? (In reply to Nick Greaves from comment #2) > Have just reproduced the crash again. ID is: > > bp-6ddb4620-d856-4636-9d6c-030f32110913 EXCEPTION_ACCESS_VIOLATION_READ 0x20 0 xul.dll nsIFrame::SetNextSibling layout/generic/nsIFrame.h:1057 1 xul.dll nsFrameList::RemoveFrame layout/generic/nsFrameList.cpp:133 2 xul.dll nsTableFrame::PushChildren layout/tables/nsTableFrame.cpp:1958 3 xul.dll nsTableFrame::ReflowChildren layout/tables/nsTableFrame.cpp:2883 4 xul.dll nsTableFrame::ReflowTable layout/tables/nsTableFrame.cpp:1900 5 xul.dll nsTableFrame::Reflow layout/tables/nsTableFrame.cpp:1804 6 xul.dll nsContainerFrame::ReflowChild layout/generic/nsContainerFrame.cpp:959 7 xul.dll nsTableOuterFrame::OuterDoReflowChild layout/tables/nsTableOuterFrame.cpp:946 8 xul.dll nsTableOuterFrame::Reflow layout/tables/nsTableOuterFrame.cpp:1088 9 xul.dll nsBlockReflowContext::ReflowBlock layout/generic/nsBlockReflowContext.cpp:296 10 xul.dll nsBlockFrame::ReflowBlockFrame layout/generic/nsBlockFrame.cpp:3211 11 xul.dll nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2518 12 xul.dll nsBlockFrame::ReflowDirtyLines layout/generic/nsBlockFrame.cpp:2000 13 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:1081 14 xul.dll nsBlockReflowContext::ReflowBlock layout/generic/nsBlockReflowContext.cpp:296 15 xul.dll nsBlockFrame::ReflowBlockFrame layout/generic/nsBlockFrame.cpp:3211 16 xul.dll nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2518
Status: UNCONFIRMED → NEW
Crash Signature: [@ nsIFrame::SetNextSibling(nsIFrame*) ]
Ever confirmed: true
Summary: Printing email crashes Thunderbird → Printing email crashes Thunderbird [@ nsIFrame::SetNextSibling(nsIFrame*) ]
(In reply to Wayne Mery (:wsmwk) from comment #3) > Ludo, can you check if this is leftovers from Bug 563009? Print preview > crashes Firefox [@ nsIFrame::SetNextSibling(nsIFrame*) ] > > Nick, can you attach a testcase message to the bug? Forgive my ignorance, but what is it you want me to do? If you want me to save the email message that causes the crash and attach the file then yes, I can do that. I presume *.eml format is OK?
Component: General → Layout
Keywords: testcase
Product: Thunderbird → Core
QA Contact: general → layout
Version: 6 → 6 Branch
Component: Layout → Layout: Tables
QA Contact: layout → layout.tables
The crashes with nsTableFrame::PushChildren on the stack has crash address near zero, so it's clear 'prevSibling' is null here: http://hg.mozilla.org/mozilla-central/annotate/0d5ad6a6f814/layout/generic/nsFrameList.cpp#l129 That means 'aFrame' isn't on this frame list. One stack frame up it means we have a frame (rgFrame) in the provided list of child frames to push (aRowGroups) that doesn't belong to this table frame: http://hg.mozilla.org/mozilla-central/annotate/0d5ad6a6f814/layout/tables/nsTableFrame.cpp#l1956 The crash data doesn't name a specific line in nsTableFrame::ReflowChildren but I'm pretty sure the PushChildren() call is the one on line 2898: http://hg.mozilla.org/mozilla-central/annotate/0d5ad6a6f814/layout/tables/nsTableFrame.cpp#l2893 The code here seems wrong for the case the kid has an existing next-in-flow with a different table parent. The "if (!kidNextInFlow)" block is not run and we put 'kidNextInFlow' into 'rowGroups' for it to be pushed, but we don't really now this is our kid, if it isn't then it would fit perfectly with the crash symptoms.
Attached patch fix (obsolete) — Splinter Review
I think we should only put a newly created next-in-flow child in the child frame array to be pushed. If the kid already has an existing next-in-flow, there are two cases: 1. the NIF is already one of our kids and thus is already present in the array; 2. the NIF belongs to a different table frame; in both those cases we don't want to add it.
Assignee: nobody → matspal
Attachment #592448 - Flags: review?(bernd.mielke)
Mats, Here comes the typical story, while away from desk I suspect this to be wallpaper. First I can't imagine that we have already a nif. Tables are never reflowed twice on printing. Ok there is the generated content crash, which I own, but thats a different story. I would like to know how we try to reflow a row group twice. This needs to be stopped. Second I insist on a test case a in crash patch. I know this is a high burden, but unless this is a top crash, where swift action is required, this needs to handled by the rules. If the burden is to high for you I will create the test case as I do not tolerate crashes in this component.
> First I can't imagine that we have already a nif. Well, apparently we have one. Even if that shouldn't occur, there's no reason to leave the code as is IMO, since it's obviously wrong in that case. Anyway, it *does* occur when running the reftest layout/reftests/bugs/421710-1.html > Tables are never reflowed twice on printing. Well, it actually *does* occur. Same test. The table we reflow twice even has a row-group with a NIF! Fortunately, the NIF is still on the Overflow-list in this case. It looks like we reflow the table and create a NIF for the row-group and then decide to push the table to the next page... > I would like to know how we try to reflow a row group twice. This happens *all the time* in print mode. As an example: layout/reftests/bugs/409084-1b.html (in print preview) Run it in gdb and put a break point in nsTableRowGroupFrame::Reflow You have: nsTableFrame::ReflowTable nsTableFrame::ReflowChildren nsTableFrame::SetupHeaderFooterChild nsContainerFrame::ReflowChild nsTableRowGroupFrame::Reflow (this=0x7fffe4767280 ... and then a little later: nsTableFrame::ReflowTable nsTableFrame::ReflowChildren nsContainerFrame::ReflowChild nsTableRowGroupFrame::Reflow (this=0x7fffe4767280 ... from the same nsTableFrame::ReflowChildren call. > Second I insist on a test case a in crash patch I agree tests are valuable, but I disagree that it should block fixes from landing. After all, there are real users behind the crash stats...
The first frame dump is the frame tree after frame construction before reflow. The last frame tree is when the table frame (red) enters its second reflow.
> Second I insist on a test case a in crash patch >I agree tests are valuable, but I disagree that it should block fixes from >landing. After all, there are real users behind the crash stats... The reason to insist is that the stack trace look to me very similar to bug 675490 and bug 642088 which I worked on and both are fixed in firefox8. In both cases the crash reason was something completely different and if I had taken the short path, that I suspect here, none of the roots would have been eradicated. If this crash is still real then I would prefer to know what really goes wrong instead of silently closing it. Therefor a test case helps tremendously. It also helps to verify that the patch fixes the bug and not something else. When I tried to create a testcase from the eml file I noticed that I tried this already in Oct. 2011 and failed. This bug could be easily a dupe of the above mentioned bugs which would make the moral argument moot as this bug might be wfm. I checked the crash stats for setnextsibling on TB 9.0.1 and the first 10 none dup crashes of them had not removeframe but the insertframe call on stack which would be the other couple of bugs that I worked last time on like bug 695430. Further there is no crash with RemoveFrame on 9.0.1 that is table related. Would your patch alter the behavior on layout/reftests/bugs/421710-1.html?
This patch basically backs out bug 347367
Mats please take the test case from bug 696640 to fulfill the testcase requirement. Add a assert that (!NIF || reorder) to make sure that the NIF is a old one.
and you might move with the patch to bug 696640, I believe this one is wfm.
Comment on attachment 592448 [details] [diff] [review] fix as I said before I will review the patch with the test case.
Attachment #592448 - Flags: review?(bernd.mielke) → review-
Should be fixed by bug 696640.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Depends on: 696640
Attachment #592448 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: