Closed Bug 695430 Opened 8 years ago Closed 8 years ago

crash on print preview - nsFrameList::InsertFrames

Categories

(Core :: Layout: Tables, defect, critical)

x86
All
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla10

People

(Reporter: bugzilla, Assigned: bernd_mozilla)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(7 files)

This bug was filed from the Socorro interface and is 
report bp-2a675e02-4a6c-4395-a343-725de2111018 .
============================================================= 

My Linux 32bit FF7 always crashes when selecting "print preview" on both "_crash" testcases attached.

Furter reducing the testcases is tricky: as soon as any vertical dimension changes, the crash disappears for me.

I created _nocrash to test if it depended on page height only: The first table is exactly as high as first+second in _crash. In my case, this makes the crash disappear.

Also, replacing the IMG with a DIV of identical dimensions makes the crash disappear.

I have reports of FF10.0a1 on Win7 32 bit crashing even on a print preview of _nocrash.

On the other hand, I have a report of a SeaMonkey 2.7a1 (which is Gecko 10.0a1) on Linux only crashing on print preview of the original, unreduced testcase and on none of mine.

Also, no reduced testcase crash for FF7 on Win7 64 bit, but crash on unreduced testcase.

Same crash for SeaMonkey: bp-b21a6804-f60d-41ed-b63d-028fb2111018

Might be closely related to bug 679787, but I don't see a crash on links provided by the crash stats there.
Attached file unreduced testcase
Attached file reduced testcase 1
Attached file reduced testcase 2
Ahhh, Bugzilla eats file names in the primary bug view - sorry about that.

The reduced testcases I reference by name above are:

_crash: reduced testcases 1+2 (695430_test_crash.html and 695430_test_crash_noborders.html)
_nocrash: reduced testcase 3 (695430_test_nocrash.html)
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
I hereby take back he "nocrash" for Firefox 7. With official Mozilla builds, I see a crash there too.

Reports suggest that paper size and justification matter. In my case, that's A4 portrait and US letter portrait.

32bit Linux crashes from official builds (probably overkill, since the crash should be the same one in every case, but meh):

testcase 1
Firefox 7.0.1 bp-bf1b0b04-554b-434f-9d12-5d87c2111018
Aurora 9.0a2 bp-ae9d8d11-8912-44cd-bd2f-f02a82111018
Trunk (10.0a1/20111018) bp-2fcd00b5-9e2e-4506-ac06-a0ab92111018

testcase 2
Firefox 7.0.1 bp-e9e14674-7388-45b3-93a4-b9ffa2111018
Aurora 9.0a2 bp-46388f86-27b7-44ce-a7c8-538482111018
Trunk (10.0a1/20111018) bp-f791101b-a5e6-4d24-8198-e586f2111018

testcase 3
Firefox 7.0.1 bp-d9489cbf-cbaa-4354-8a8a-7584e2111018
Aurora 9.0a2 bp-242c575b-c294-494c-b8cc-343a82111018
Trunk (10.0a1/20111018) bp-808b71c1-7124-48a3-9ab6-4b56e2111018
Duplicate of this bug: 695338
Print Preview A4 Portrait with my SM 2.7a1/Linux for testcases 1,2,3: crashes with some scale values, especially 100%, 200% and Shrink To Fit but no crash with other scale values e.g. 70%, 80% and 90%.
Regression window,
Works:
http://hg.mozilla.org/mozilla-central/rev/41dd493c42c9
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a1pre) Gecko/20090918 Minefield/3.7a1pre ID:20090918042213
Fails(crashes with attachment 567821 [details]):
http://hg.mozilla.org/mozilla-central/rev/333967132e88
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a1pre) Gecko/20090919 Minefield/3.7a1pre ID:20090919050513
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=41dd493c42c9&tochange=333967132e88

Triggered by:
Bug 233463 - Have faster methods for getting at last frames
Blocks: 233463
Keywords: regression
Attached file reduced testcase
the crash with attachment 568888 [details] occures with 90% scaling on A4. If it does not crash for you just adapt the spacer height till the image should be at the page boundary.
this is bug in table code
Component: Layout → Layout: Tables
QA Contact: layout → layout.tables
(In reply to Bernd from comment #13)
> Created attachment 568889 [details] [diff] [review] [diff] [details] [review]
> where the problem is

Applying this attachment solves the problem for my SM 2.7a1/Linux. For all testcases and also for the webpage which was the reason for filing this bug.
Assignee: nobody → bernd_mozilla
Attached patch patchSplinter Review
InsertFrames was previously tolerant against inserting empty frame lists, it did warn but it did not crash.
Attachment #568927 - Flags: review?(bzbarsky)
Try run for 12b61a5aeb6d is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=12b61a5aeb6d
Results (out of 33 total builds):
    success: 30
    warnings: 3
Builds available at http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/bmlk@gmx.de-12b61a5aeb6d
the test failures are 

/bin/sh: line 1:  8616 Segmentation fault      XPCOM_DEBUG_BREAK=stack-and-abort /builds/slave/try-lnx/build/obj-firefox/dist/bin/run-mozilla.sh ../../../../../dist/bin/$f
make[5]: *** [check] Error 139
make[5]: Leaving directory `/builds/slave/try-lnx/build/obj-firefox/toolkit/components/places/tests/cpp'

This is a permaorange on try.
Keywords: testcase
Comment on attachment 568927 [details] [diff] [review]
patch

r=me.  Sorry about the semantics change to InsertFrames and insufficient caller auditing.  :(  Serves me right for assuming that assertions aren't being triggered....
Attachment #568927 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/mozilla-central/rev/ce4005246dc9
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10
Flags: in-testsuite+
Crash Signature: [@ nsFrameList::InsertFrames] → [@ nsFrameList::InsertFrames(nsIFrame*, nsIFrame*, nsFrameList&) ] [@ nsFrameList::InsertFrames]
You need to log in before you can comment on or make changes to this bug.