crash on print preview - nsFrameList::InsertFrames

RESOLVED FIXED in mozilla10



Layout: Tables
6 years ago
6 years ago


(Reporter: Cédric "chewey" Menge, Assigned: Bernd)


({crash, regression, testcase})

crash, regression, testcase
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)


(crash signature)


(7 attachments)



6 years ago
This bug was filed from the Socorro interface and is 
report bp-2a675e02-4a6c-4395-a343-725de2111018 .

My Linux 32bit FF7 always crashes when selecting "print preview" on both "_crash" testcases attached.

Furter reducing the testcases is tricky: as soon as any vertical dimension changes, the crash disappears for me.

I created _nocrash to test if it depended on page height only: The first table is exactly as high as first+second in _crash. In my case, this makes the crash disappear.

Also, replacing the IMG with a DIV of identical dimensions makes the crash disappear.

I have reports of FF10.0a1 on Win7 32 bit crashing even on a print preview of _nocrash.

On the other hand, I have a report of a SeaMonkey 2.7a1 (which is Gecko 10.0a1) on Linux only crashing on print preview of the original, unreduced testcase and on none of mine.

Also, no reduced testcase crash for FF7 on Win7 64 bit, but crash on unreduced testcase.

Same crash for SeaMonkey: bp-b21a6804-f60d-41ed-b63d-028fb2111018

Might be closely related to bug 679787, but I don't see a crash on links provided by the crash stats there.

Comment 1

6 years ago
Created attachment 567821 [details]
unreduced testcase

Comment 2

6 years ago
Created attachment 567823 [details]
reduced testcase 1

Comment 3

6 years ago
Created attachment 567824 [details]
reduced testcase 2

Comment 4

6 years ago
Created attachment 567825 [details]
reduced testcase 3 - doesn't crash FF7

Comment 5

6 years ago
Ahhh, Bugzilla eats file names in the primary bug view - sorry about that.

The reduced testcases I reference by name above are:

_crash: reduced testcases 1+2 (695430_test_crash.html and 695430_test_crash_noborders.html)
_nocrash: reduced testcase 3 (695430_test_nocrash.html)


6 years ago
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout

Comment 6

6 years ago
I hereby take back he "nocrash" for Firefox 7. With official Mozilla builds, I see a crash there too.

Reports suggest that paper size and justification matter. In my case, that's A4 portrait and US letter portrait.

32bit Linux crashes from official builds (probably overkill, since the crash should be the same one in every case, but meh):

testcase 1
Firefox 7.0.1 bp-bf1b0b04-554b-434f-9d12-5d87c2111018
Aurora 9.0a2 bp-ae9d8d11-8912-44cd-bd2f-f02a82111018
Trunk (10.0a1/20111018) bp-2fcd00b5-9e2e-4506-ac06-a0ab92111018

testcase 2
Firefox 7.0.1 bp-e9e14674-7388-45b3-93a4-b9ffa2111018
Aurora 9.0a2 bp-46388f86-27b7-44ce-a7c8-538482111018
Trunk (10.0a1/20111018) bp-f791101b-a5e6-4d24-8198-e586f2111018

testcase 3
Firefox 7.0.1 bp-d9489cbf-cbaa-4354-8a8a-7584e2111018
Aurora 9.0a2 bp-242c575b-c294-494c-b8cc-343a82111018
Trunk (10.0a1/20111018) bp-808b71c1-7124-48a3-9ab6-4b56e2111018


6 years ago
Duplicate of this bug: 695338

Comment 8

6 years ago
Print Preview A4 Portrait with my SM 2.7a1/Linux for testcases 1,2,3: crashes with some scale values, especially 100%, 200% and Shrink To Fit but no crash with other scale values e.g. 70%, 80% and 90%.

Comment 9

6 years ago
Regression window,
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a1pre) Gecko/20090918 Minefield/3.7a1pre ID:20090918042213
Fails(crashes with attachment 567821 [details]):
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a1pre) Gecko/20090919 Minefield/3.7a1pre ID:20090919050513

Triggered by:
Bug 233463 - Have faster methods for getting at last frames
Blocks: 233463
Keywords: regression

Comment 10

6 years ago
Created attachment 568888 [details]
reduced testcase

Comment 11

6 years ago
the crash with attachment 568888 [details] occures with 90% scaling on A4. If it does not crash for you just adapt the spacer height till the image should be at the page boundary.

Comment 12

6 years ago
this is bug in table code
Component: Layout → Layout: Tables
QA Contact: layout → layout.tables

Comment 13

6 years ago
Created attachment 568889 [details] [diff] [review]
where the problem is

Comment 14

6 years ago
(In reply to Bernd from comment #13)
> Created attachment 568889 [details] [diff] [review] [diff] [details] [review]
> where the problem is

Applying this attachment solves the problem for my SM 2.7a1/Linux. For all testcases and also for the webpage which was the reason for filing this bug.


6 years ago
Assignee: nobody → bernd_mozilla

Comment 15

6 years ago
Created attachment 568927 [details] [diff] [review]

InsertFrames was previously tolerant against inserting empty frame lists, it did warn but it did not crash.
Attachment #568927 - Flags: review?(bzbarsky)

Comment 16

6 years ago
Try run for 12b61a5aeb6d is complete.
Detailed breakdown of the results available here:
Results (out of 33 total builds):
    success: 30
    warnings: 3
Builds available at

Comment 17

6 years ago
the test failures are 

/bin/sh: line 1:  8616 Segmentation fault      XPCOM_DEBUG_BREAK=stack-and-abort /builds/slave/try-lnx/build/obj-firefox/dist/bin/ ../../../../../dist/bin/$f
make[5]: *** [check] Error 139
make[5]: Leaving directory `/builds/slave/try-lnx/build/obj-firefox/toolkit/components/places/tests/cpp'

This is a permaorange on try.


6 years ago
Keywords: testcase
Comment on attachment 568927 [details] [diff] [review]

r=me.  Sorry about the semantics change to InsertFrames and insufficient caller auditing.  :(  Serves me right for assuming that assertions aren't being triggered....
Attachment #568927 - Flags: review?(bzbarsky) → review+

Comment 19

6 years ago
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10


6 years ago
Flags: in-testsuite+


6 years ago
Crash Signature: [@ nsFrameList::InsertFrames] → [@ nsFrameList::InsertFrames(nsIFrame*, nsIFrame*, nsFrameList&) ] [@ nsFrameList::InsertFrames]
You need to log in before you can comment on or make changes to this bug.