Closed
Bug 79508
Opened 24 years ago
Closed 24 years ago
crash on adding 2nd table ( styled text outside the table)
Categories
(Core :: DOM: Editor, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla0.9.1
People
(Reporter: shrir, Assigned: attinasi)
References
Details
(Keywords: crash)
Attachments
(4 files)
2.13 KB,
patch
|
Details | Diff | Splinter Review | |
681 bytes,
patch
|
Details | Diff | Splinter Review | |
878 bytes,
patch
|
Details | Diff | Splinter Review | |
1.84 KB,
text/html
|
Details |
nice crasher, 0508 trunk windows steps: 1 launch composer 2 type a table heading , say, "table1" and apply Bold or Italics style to it 3 Hit ENTER and click on 'tables' button in composition toolbar to add table 4 add the default size table 5 Now, click below the table and repeat step 2 6 Click on Tables button from toolbar and press OK to see the browser crash note: I f I do not apply style to the text outside the table, there is no crash. stack : Call Stack: (Signature = 0x00000000 fc60dea2) 0x00000000 nsBlockFrame::IsIncrementalDamageConstrained [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 1960] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 829] nsBlockReflowContext::DoReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 569] nsBlockReflowContext::ReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 339] nsBlockFrame::ReflowBlockFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2980] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2247] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2051] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 800] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 745] CanvasFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLFrame.cpp, line 324] nsBoxToBlockAdaptor::Reflow [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxToBlockAdaptor.cpp, line 869] nsBoxToBlockAdaptor::DoLayout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxToBlockAdaptor.cpp, line 525] nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp, line 985] nsScrollBoxFrame::DoLayout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsScrollBoxFrame.cpp, line 377] nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp, line 985] nsContainerBox::LayoutChildAt [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsContainerBox.cpp, line 595] nsGfxScrollFrameInner::LayoutBox [d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 1039] nsGfxScrollFrameInner::Layout [d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 1149] nsGfxScrollFrame::DoLayout [d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 1047] nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp, line 985] nsBoxFrame::Reflow [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 781] nsGfxScrollFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 738] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 745] ViewportFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsViewportFrame.cpp, line 538] nsHTMLReflowCommand::Dispatch [d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLReflowCommand.cpp, line 145] PresShell::ProcessReflowCommand [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5758] PresShell::ProcessReflowCommands [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5813] PresShell::FlushPendingNotifications [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 4790] PresShell::EndReflowBatching [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 4816] nsEditor::EndUpdateViewBatch [d:\builds\seamonkey\mozilla\editor\base\nsEditor.cpp, line 4271] nsEditor::EndTransaction [d:\builds\seamonkey\mozilla\editor\base\nsEditor.cpp, line 671] nsHTMLEditorLog::EndTransaction [d:\builds\seamonkey\mozilla\editor\base\nsHTMLEditorLog.cpp, line 234] nsEditorShell::EndBatchChanges [d:\builds\seamonkey\mozilla\editor\base\nsEditorShell.cpp, line 4814] XPTC_InvokeByIndex [d:\builds\seamonkey\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp, line 139] nsXPCWrappedNativeClass::CallWrappedMethod [d:\builds\seamonkey\mozilla\js\src\xpconnect\src\xpcwrappednativeclass.cpp, line 937] WrappedNative_CallMethod [d:\builds\seamonkey\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp, line 245] js_Invoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 815] js_Interpret [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 2709] js_Invoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 831] js_InternalInvoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 903] JS_CallFunctionValue [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 3344] nsJSContext::CallEventHandler [d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp, line 945] nsJSEventListener::HandleEvent [d:\builds\seamonkey\mozilla\dom\src\events\nsJSEventListener.cpp, line 155] nsEventListenerManager::HandleEventSubType [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 1064] nsEventListenerManager::HandleEvent [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 1986] nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3676] PresShell::HandleDOMEventWithTarget [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5608] nsButtonBoxFrame::MouseClicked [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsButtonBoxFrame.cpp, line 181] nsButtonBoxFrame::HandleEvent [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsButtonBoxFrame.cpp, line 128] PresShell::HandleEventInternal [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5577] PresShell::HandleEventWithTarget [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5532] nsEventStateManager::CheckForAndDispatchClick [d:\builds\seamonkey\mozilla\content\events\src\nsEventStateManager.cpp, line 2350] nsEventStateManager::PostHandleEvent [d:\builds\seamonkey\mozilla\content\events\src\nsEventStateManager.cpp, line 1450] PresShell::HandleEventInternal [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5581] PresShell::HandleEvent [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5487] nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 377] nsViewManager::DispatchEvent [d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp, line 2055] HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 68] nsWindow::DispatchEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 708] USER32.dll + 0x1a43f (0x77e8a43f) nsWindow::DispatchMouseEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 4043] ChildWindow::DispatchMouseEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 4286] nsWindow::ProcessMessage [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 3051]
Reporter | ||
Comment 1•24 years ago
|
||
corrected summary
Summary: crash on adding 2 table ( styled text outside the table) → crash on adding 2nd table ( styled text outside the table)
Comment 2•24 years ago
|
||
assigning to kin for initial debug
Assignee: beppe → kin
Priority: -- → P1
Target Milestone: --- → mozilla0.9.1
The problem here is that layout is in the middle of processing a reflow command targeted at an inline frame ... during this reflow nsLineLayout::ReflowFrame() causes the inline frame to be deleted, so as the stack unwinds any code that tries to access the target of the current reflow command will be accessing a deleted pointer. Here's the stack trace that occurs during the processing of the reflow command and the actual deleting of the inline frame: nsContainerFrame::~nsContainerFrame() line 56 nsHTMLContainerFrame::~nsHTMLContainerFrame() + 15 bytes nsInlineFrame::~nsInlineFrame() + 15 bytes nsInlineFrame::`scalar deleting destructor'(unsigned int 1) + 15 bytes nsFrame::Destroy(nsFrame * const 0x023c4c70, nsIPresContext * 0x03f038d0) line 427 + 34 bytes nsContainerFrame::Destroy(nsContainerFrame * const 0x023c4c70, nsIPresContext * 0x03f038d0) line 120 nsBlockFrame::DoRemoveFrame(nsIPresContext * 0x03f038d0, nsIFrame * 0x023c4c70) line 4689 nsBlockFrame::DeleteChildsNextInFlow(nsIPresContext * 0x03f038d0, nsIFrame * 0x023a473c) line 4785 nsLineLayout::ReflowFrame(nsIFrame * 0x023a473c, nsIFrame * * 0x001273a4, unsigned int & 17152, nsHTMLReflowMetrics * 0x00000000, int & 0) line 1203 nsBlockFrame::ReflowInlineFrame(nsBlockReflowState & {...}, nsLineLayout & {...}, nsLineBox * 0x023a46ac, nsIFrame * 0x023a473c, unsigned char * 0x00126928) line 3472 + 29 bytes nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState & {...}, nsLineLayout & {...}, nsLineBox * 0x023a46ac, int * 0x00126f90, unsigned char * 0x00126dec, int 0, int 1) line 3356 + 28 bytes nsBlockFrame::DoReflowInlineFramesAuto(nsBlockReflowState & {...}, nsLineBox * 0x023a46ac, int * 0x00126f90, unsigned char * 0x00126dec, int 0, int 1) line 3281 + 42 bytes nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineBox * 0x023a46ac, int * 0x00126f90, int 1, int 0) line 3226 + 32 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x023a46ac, int * 0x00126f90, int 1) line 2360 + 29 bytes nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2050 + 27 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x023a4594, nsIPresContext * 0x03f038d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 798 + 15 bytes nsBlockReflowContext::DoReflowBlock(nsHTMLReflowState & {...}, nsReflowReason eReflowReason_Incremental, nsIFrame * 0x023a4594, const nsRect & {...}, int 1, int 0, int 1, nsMargin & {...}, unsigned int & 0) line 568 + 36 bytes nsBlockReflowContext::ReflowBlock(nsIFrame * 0x023a4594, const nsRect & {...}, int 1, int 0, int 1, nsMargin & {...}, unsigned int & 0) line 336 + 50 bytes nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineBox * 0x023a46d4, int * 0x00127af4) line 2979 + 56 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x023a46d4, int * 0x00127af4, int 1) line 2242 + 23 bytes nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2050 + 27 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x023a4548, nsIPresContext * 0x03f038d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 798 + 15 bytes nsContainerFrame::ReflowChild(nsIFrame * 0x023a4548, nsIPresContext * 0x03f038d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 722 + 31 bytes CanvasFrame::Reflow(CanvasFrame * const 0x023a37e4, nsIPresContext * 0x03f038d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 321 nsBoxToBlockAdaptor::Reflow(nsBoxLayoutState & {...}, nsIPresContext * 0x03f038d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0, int 0, int 0, int 6240, int 6195, int 1) line 866 nsBoxToBlockAdaptor::DoLayout(nsBoxToBlockAdaptor * const 0x023a44dc, nsBoxLayoutState & {...}) line 523 + 52 bytes nsBox::Layout(nsBox * const 0x023a44dc, nsBoxLayoutState & {...}) line 985 nsScrollBoxFrame::DoLayout(nsScrollBoxFrame * const 0x023a38fc, nsBoxLayoutState & {...}) line 377 nsBox::Layout(nsBox * const 0x023a38fc, nsBoxLayoutState & {...}) line 985 nsContainerBox::LayoutChildAt(nsBoxLayoutState & {...}, nsIBox * 0x023a38fc, const nsRect & {...}) line 591 + 16 bytes nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & {...}, nsIBox * 0x023a38fc, const nsRect & {...}) line 1038 + 17 bytes nsGfxScrollFrameInner::Layout(nsBoxLayoutState & {...}) line 1144 nsGfxScrollFrame::DoLayout(nsGfxScrollFrame * const 0x023a3854, nsBoxLayoutState & {...}) line 1046 + 15 bytes nsBox::Layout(nsBox * const 0x023a3854, nsBoxLayoutState & {...}) line 985 nsBoxFrame::Reflow(nsBoxFrame * const 0x023a381c, nsIPresContext * 0x03f038d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 781 nsGfxScrollFrame::Reflow(nsGfxScrollFrame * const 0x023a381c, nsIPresContext * 0x03f038d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 735 + 25 bytes nsContainerFrame::ReflowChild(nsIFrame * 0x023a381c, nsIPresContext * 0x03f038d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 722 + 31 bytes ViewportFrame::Reflow(ViewportFrame * const 0x023a37a8, nsIPresContext * 0x03f038d0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 538 nsHTMLReflowCommand::Dispatch(nsHTMLReflowCommand * const 0x048273a0, nsIPresContext * 0x03f038d0, nsHTMLReflowMetrics & {...}, const nsSize & {...}, nsIRenderingContext & {...}) line 145 PresShell::ProcessReflowCommand(nsVoidArray & {...}, int 0, nsHTMLReflowMetrics & {...}, nsSize & {...}, nsIRenderingContext & {...}) line 5700 PresShell::ProcessReflowCommands(int 0) line 5755 PresShell::FlushPendingNotifications(PresShell * const 0x03ecb490) line 4732 PresShell::EndReflowBatching(PresShell * const 0x03ecb490, int 1) line 4755 + 15 bytes nsEditor::EndUpdateViewBatch() line 4269 nsEditor::EndTransaction(nsEditor * const 0x04385080) line 671 nsHTMLEditorLog::EndTransaction(nsHTMLEditorLog * const 0x04385080) line 233 + 9 bytes nsEditorShell::EndBatchChanges(nsEditorShell * const 0x03ecf3d0) line 4815 + 23 bytes XPTC_InvokeByIndex(nsISupports * 0x03ecf3d0, unsigned int 136, unsigned int 0, nsXPTCVariant * 0x00128ea0) line 139 XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 1815 + 42 bytes XPC_WN_CallMethod(JSContext * 0x043cf810, JSObject * 0x0237c488, unsigned int 0, long * 0x023ece64, long * 0x001290d4) line 1249 + 11 bytes js_Invoke(JSContext * 0x043cf810, unsigned int 0, unsigned int 0) line 813 + 23 bytes js_Interpret(JSContext * 0x043cf810, long * 0x00129e64) line 2708 + 15 bytes js_Invoke(JSContext * 0x043cf810, unsigned int 1, unsigned int 2) line 830 + 13 bytes js_InternalInvoke(JSContext * 0x043cf810, JSObject * 0x023e8528, long 37541192, unsigned int 0, unsigned int 1, long * 0x0012a03c, long * 0x00129f8c) line 902 + 20 bytes JS_CallFunctionValue(JSContext * 0x043cf810, JSObject * 0x023e8528, long 37541192, unsigned int 1, long * 0x0012a03c, long * 0x00129f8c) line 3342 + 31 bytes nsJSContext::CallEventHandler(nsJSContext * const 0x043cf9c0, void * 0x023e8528, void * 0x023cd548, unsigned int 1, void * 0x0012a03c, int * 0x0012a038, int 0) line 933 + 33 bytes nsJSEventListener::HandleEvent(nsJSEventListener * const 0x04416280, nsIDOMEvent * 0x04840b24) line 139 + 57 bytes nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x04416200, nsIDOMEvent * 0x04840b24, nsIDOMEventTarget * 0x04401f58, unsigned int 8, unsigned int 7) line 1148 + 20 bytes nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x044162d0, nsIPresContext * 0x043e0e40, nsEvent * 0x0012aa64, nsIDOMEvent * * 0x0012a928, nsIDOMEventTarget * 0x04401f58, unsigned int 7, nsEventStatus * 0x0012aaac) line 2068 + 36 bytes nsXULElement::HandleDOMEvent(nsXULElement * const 0x04401f50, nsIPresContext * 0x043e0e40, nsEvent * 0x0012aa64, nsIDOMEvent * * 0x0012a928, unsigned int 1, nsEventStatus * 0x0012aaac) line 3640 PresShell::HandleDOMEventWithTarget(PresShell * const 0x043e2740, nsIContent * 0x04401f50, nsEvent * 0x0012aa64, nsEventStatus * 0x0012aaac) line 5547 + 39 bytes nsButtonBoxFrame::MouseClicked(nsIPresContext * 0x043e0e40, nsGUIEvent * 0x0012ac60) line 181 nsButtonBoxFrame::HandleEvent(nsButtonBoxFrame * const 0x023da0e4, nsIPresContext * 0x043e0e40, nsGUIEvent * 0x0012ac60, nsEventStatus * 0x0012af54) line 128 PresShell::HandleEventInternal(nsEvent * 0x0012ac60, nsIView * 0x00000000, unsigned int 1, nsEventStatus * 0x0012af54) line 5515 + 41 bytes PresShell::HandleEventWithTarget(PresShell * const 0x043e2740, nsEvent * 0x0012ac60, nsIFrame * 0x023da0e4, nsIContent * 0x04401f50, unsigned int 1, nsEventStatus * 0x0012af54) line 5473 + 22 bytes nsEventStateManager::CheckForAndDispatchClick(nsEventStateManager * const 0x044114a0, nsIPresContext * 0x043e0e40, nsMouseEvent * 0x0012b060, nsEventStatus * 0x0012af54) line 2351 + 61 bytes nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x044114a8, nsIPresContext * 0x043e0e40, nsEvent * 0x0012b060, nsIFrame * 0x023da0e4, nsEventStatus * 0x0012af54, nsIView * 0x043e2df0) line 1450 + 28 bytes PresShell::HandleEventInternal(nsEvent * 0x0012b060, nsIView * 0x043e2df0, unsigned int 1, nsEventStatus * 0x0012af54) line 5520 + 43 bytes PresShell::HandleEvent(PresShell * const 0x043e2744, nsIView * 0x043e2df0, nsGUIEvent * 0x0012b060, nsEventStatus * 0x0012af54, int 1, int & 1) line 5427 + 25 bytes nsView::HandleEvent(nsView * const 0x043e2df0, nsGUIEvent * 0x0012b060, unsigned int 28, nsEventStatus * 0x0012af54, int 1, int & 1) line 377 nsViewManager::DispatchEvent(nsViewManager * const 0x043e2f20, nsGUIEvent * 0x0012b060, nsEventStatus * 0x0012af54) line 2055 HandleEvent(nsGUIEvent * 0x0012b060) line 68 nsWindow::DispatchEvent(nsWindow * const 0x043e2cb4, nsGUIEvent * 0x0012b060, nsEventStatus & nsEventStatus_eIgnore) line 704 + 10 bytes nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012b060) line 725 nsWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 4041 + 21 bytes ChildWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 4286 nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 13041741, long * 0x0012b430) line 3022 + 24 bytes nsWindow::WindowProc(HWND__ * 0x002d05fc, unsigned int 514, unsigned int 0, long 13041741) line 959 + 27 bytes USER32! 77e7124c()
Assignee: kin → attinasi
Status: ASSIGNED → NEW
Assignee | ||
Comment 5•24 years ago
|
||
Ugh. I cannot reproduce this on Mac or Windows using a CVS build from 5/14. Looking at the code, it is very curious that we would be crashing with address NULL in IsIncrementalDamageConstrained, where indicated. If I am reading it correctly, the crash is on a dereference of a null 'target' pointer, but I cannot see how it can ever be null! while (target) { // starting with the target's parent, scan for a text control nsIFrame *parent; target->GetParent(&parent); // THIS IS THE CRASH FROM FIRST STACk TRACE if ((nsIFrame*)this==parent || !parent) break; nsCOMPtr<nsIAtom> frameType; parent->GetFrameType(getter_AddRefs(frameType)); if (frameType) { if (nsLayoutAtoms::textInputFrame == frameType.get()) return PR_TRUE; // damage is constrained to the text control innards } target = parent; // advance the loop up the frame tree } The while-loop is controlling the null 'target' and there is no place for a release of control such that it can be changed to null. I'll continue trying to repro this - if somebody else could sanity-check I'd appreciate it.
Reporter | ||
Comment 6•24 years ago
|
||
still happens on win 0515 trunk. Steps: type a word in composer, make it BOLD, hit ENTER Add a default 2x2 table press OK click below table and write a word, make it BOLD, hit ENTER Again try to add a 2x2 table and observe that clicking OK to add the table crashes the browser
Assignee | ||
Comment 7•24 years ago
|
||
Er, I get the crash now (what was happening before?). The null is not the target, btw, it is the vtable of the target.
Right target is *not* null ... but the frame it was pointing to was free'd. Look at the stack trace I posted above. It shows how it gets free'd ... then as the stack unwinds back down, some of the code tries to access the target pointer which is now pointing at free'd memory.
Assignee | ||
Comment 9•24 years ago
|
||
So, it looks like the target frame is reflowed correctly, then we delete the next-in-flow which ends up deleting the target frame that we just reflowed. This seems very similar to another bug 73170 where styled frames are not getting removed completly and end up causing grief, however here it is more immediate because the target of a reflow is pretty quickly referenced again. One common thread between them is the use of styling tags (<b>, <i>), but I cannot yet figure out the content model being created because when I switch to HTML view it is changed (and it no longer crashes). I know that we have some nasty that takes care of blocks-in-inlines and I suspect something in there. I'll set some breakpoints in that code and see if it is getting hit...
Assignee | ||
Comment 10•24 years ago
|
||
Assignee | ||
Comment 11•24 years ago
|
||
Patch 34919 was just attached. It fixes the crash by detecting when the next-in-flow of a reflowed inline frame is also the target of the current reflow command. If it is, we skip the deletion of the next-in-flow. This skipping of the deletion is already happening for frames that are BREAK_BEFORE, but I'm not sure what that is all about (I suppose it is possible that this is really the same condition but the state bit is not set for some reason). There appear to be no ill-effects of skipping the deletion of the Next-In-Flow here, and I have not been able to trigger the condition outside of Composer. Nonetheless, I'd like to get some more knowledgable eyes on this patch to help me understand if it is just semi-random hackery, or a real solution. CC'ing waterson for a sanity check on the patch...
Comment 12•24 years ago
|
||
I have to confess that this _does_ feel a little bit hacky, but I haven't carefully read the code around here to understand why line layout thinks it can delete the frame, and what the effect of leaving it around might otherwise be. I'll try to take a deeper look today.
Assignee | ||
Comment 13•24 years ago
|
||
It looks to me like the next in flow is always deleted when the frame is complete 'NS_FRAME_IS_COMPLETE(aReflowStatus)' unless there is a BREAK_BEFORE, in which case it pushes the frame. I think that this means that the line broke before the frame was placed so it wants to try and reflow it on the next line. But, why are we deleting the next of flow when the frame is complete? I don't understand that mechanism. Anyway, the more I look at it the more this change I made appears to be just masking some other problem. It only catches the problem of the reflow target being the next in flow, but it could (conceptually) be the next in flow of the next in flow... Indeed, if the target of the reflow is deleted for ANY reason we will have the same problem. It fixes the crash, but should probably be viewed as a temporary fix, and suitably commented as such (unless of course a better, *real* solution is found - but I'm running out of time). If anybody has any pointers or other ideas, speak up, please.
Assignee | ||
Comment 14•24 years ago
|
||
Time has run out and I have not found or heard anything better. Requesting a review for the attached patch, even if it is a hack. What I'd like to do is get the patch in for the 0.9.1 cut, and open another bug to find a more general solution, or figure out why this is happening. Basically, I want to get rid of the crash since it is so easy to cause, and then determine why the special-case check is needed here. I'll add more profuse comments about the temporary nature of the patch too. Anybody willing to put their name on the r= line?
Comment 15•24 years ago
|
||
I cannot reproduce the problem with today's build.
Assignee | ||
Comment 16•24 years ago
|
||
Still crashes for me, using a NS6 build (2001052104) and my CVS build from today. Here are the steps I take: 0) Open new Composer window 1) type 'TEST' 2) highlight the text entered in [1] and press the B button to make it bold 3) press the right-arrow to get the cursor past the text 4) press ENTER 5) insert a table (press the table icon in the toolbar, select OK to dialog) 6) position the cursor under the new table using the mouse 7) type 'TEST2' - it should already be bold 8) press ENTER 9) insert an HR by pressing the toolbar button for HR (or you can insert another table as in step [5]).
Comment 17•24 years ago
|
||
Okay, so I'm going to go out on a limb here and say that an incremental reflow should not be targeted at a continuing frame. Incremental reflow means ``your content has changed'', and for a continuing frame to be notified at all seems inappropriate. That said, Peter Linss made this all happen way back in September 1999, so if it's really a design problem, it has been with us for a while. (Longer than this bug has, AFAICT.)
Comment 18•24 years ago
|
||
Comment 19•24 years ago
|
||
So, above is how I'd fix the bug (given my current amateur understanding of layout). Specifically, if the impact of the change is going to be NS_STYLE_HINT_REFLOW (or worse), then don't bother marking any of the next-in- flows, because the reflow (or frame re-creation) will take care of it by definition. If I understand correctly, there should never be a case where a continuing frame's style context differs from the primary frame's style context in a way that would necessitate reflow to the continuing frame but not the primary frame. (Would the style contexts ever differ _at all_?) Feel free to thrash me. (I can here peterl's booming voice from the mountain: ``Please refrain from criticizing a system that you do not understand1'')
Comment 20•24 years ago
|
||
Comment 21•24 years ago
|
||
N.B. that the above patch also appears to fix bug 81860. (Marc's might too, I haven't tried it.)
Comment 22•24 years ago
|
||
cc'ing dbaron and rbs, who might be able to back me up, or debunk me.
Assignee | ||
Comment 23•24 years ago
|
||
Chris, I like your change lots better. It has a wider impact than mine, but it sure seems like the correct approach. Continuation frames have the same content as their prev-in-flow, and the same pseudoclasses, so they should have the same style data. The only aspect of it that I do not like is that the knowledge of what is going to happen in the frames is spread around a bit, like now the FrameManager has to know that some kinds of reflow will take care of the continuations and some will not. I wonder if it might be better to always have the non-continuation take care of the continuation, so the FrameManager never has to? But I have to admit, it is a much better solution than my hack - it gets at the root of the problem instead of bandaging the symptom.
Comment 24•24 years ago
|
||
attinasi wrote:
>But, why are we deleting the next of flow when the frame is complete? I don't
>understand that mechanism.
It seems this is needed if the frame is changing from a previous non-complete
status to a complete status. E.g., if a long hyphenated word is wrapped, and the
the first part is deleted (e.g., with JS), then the frame can now become
complete, and so its dangling next-in-flow needs to be cleared.
waterson's patch looks sensible to me, though marc raised some good points about
the assumptions that are being introduced in this way in the system. But the
scope seems well-defined and appears as a lesser evil than this easy to get
crash... I could only think of a case where continuations can have different
style data from the primary frame. It is the case of :first-letter. If
waterson't patch doesn't break this, then I guess things could be fine for the
time being.
Comment 25•24 years ago
|
||
*** Bug 81860 has been marked as a duplicate of this bug. ***
Comment 26•24 years ago
|
||
Marc, I think I agree that forcing the frame manager to do _anything_ with continuing frames is wrong. If you look at the code in nsCSSFrameConstructor (e.g., ProcessRestyledFrames(), AttributeChanged() et al.), it looks like the only case where we take advantage of the fact that we're walking continuations is when the change is NS_STYLE_HINT_VISUAL. Specifically, in this case, we avoid making the frame invalidate its continuations (but that seems silly, and more like something nsSplittableFrame could do on its own). The only other quesetion I have is, ``why did all these bugs crop up all of a sudden''? Were they latent? Are we (well, I'll speak for myself -- am I) making an invalid assumption about incremental reflow? Anyway, I guess I'd say that in some sense, my patch is as much of a band-aid as yours, and the real fix would be to refactor this logic so that frame manager only worried about primary frames, and let the primary frame handle its own response to the style change.
Comment 27•24 years ago
|
||
That might be a performance boost as well since that will cut down on the number of re-resolve done for continuations... And speaking of this, the incertitude so far with your patch lies there: that some continuations that are left in the flow may wrongly retain the style context with which they were init'ed. Re-factoring the logic will help to clear this doubt for the long run. I tend to agree that these were latent bugs (as we have seen, incremental reflow isn't as optimized as one would wish). If the whole lot is reflowed, chances are that there won't be any bugs at all. The bugs are being exposed by the ongoing push to make incremental reflow what it really should be. (These Ctrl+- zoom with _immediate access_ to vulnerable wrapped links, and buster's IsIncrementalDamageConstrained() -- according to "Additional Comments From kin@netscape.com 2000-08-16 14:32" on bug 45152", are relatively recent additions.)
Assignee | ||
Comment 28•24 years ago
|
||
Why don't we get this fix in and work on the encapsulation of the continuing frame stuff later? I would like to make this crash go away for 0.9.1 and we are running out of time. sr=attinasi on waterson's patch (id=35542)
Assignee | ||
Comment 29•24 years ago
|
||
BTW: this was not crashing on Netscape 6.01 - I'm not sure if the editorRules have changed, or if something else has changed, but I'm not as convinced as rbs that this is simply latent bad code that is being flushed out due to recent incremental reflow changes. In the case of the editor, there is no incremental reflow happening here, as these content insertions and deletions are pretty much syncronous. I'd like to try some older builds and see where this started, but that takes so much time... but it coul dhelp us understand why these started cropping up.
Comment 30•24 years ago
|
||
So 6.01 doesn't have the bug, and I couldn't reproduce its dupplicate bug 81860 (Ctrl+-) in m0.9. I haven't tried to reproduce the present bug in m0.9 but according to its date, it was entered soon after the branch cut for m0.9. And bug 81860 only happens inside a table-cell. Time is running out though, and to join marc in his pragmatism, r=rbs on the band-aid hack that will stop the crash in m0.9.1.
Comment 31•24 years ago
|
||
Looking again at your patch, rather than breaking out of the loop, you could instead keep going, but just add the primary frame to the change list. This way, everybody will get an updated style context, but only the primary frame will kick off the reflow. I will feel more secure with a patch along these lines, as it will guarantee that all style contexts will be kept up-to-date in all situations. And if the primary frame later wants to reflow its continuations (i.e., not delete them), unexpected side-effects will be reduced.
Comment 32•24 years ago
|
||
rbs, good point re: style contexts; however, the bad news is that stuff gets added to the change list way down in the bowels of ReResolveStyleContext(). I was about to write that I've gone through the HTML frames to verify that everyone is, in fact, calling through to nsFrame::Init() which will share the style context from the first-in-flow, and then not doing any monkey-business with the style context afterwards. (The one exception I found was the button frame, but that would never be continued.) I'll attach a naive test case which I think illustrates that right stuff is happening during a restyle; can you think of a better way to stress this?
Comment 33•24 years ago
|
||
Comment 34•24 years ago
|
||
The thing is, I am behind a firewall at the momemnt, and I don't have a Mozilla build and cannot try things out to see for myself :-) What happens when you add this case to your little test suite: body.styled p.firstletter:first-letter { color: blue; }
Comment 35•24 years ago
|
||
And ... <style> [...] p.floated { float: left; } </style> [...] <p class="floated firstletter">...</p>
Comment 36•24 years ago
|
||
I may be missing the target with my rules. Want I aiming at are some rules that will select the -non- first-letter portion. That portion is a continuation with its own distinct style context.
Comment 37•24 years ago
|
||
Unfortunately, it looks like the attribute change on the body doesn't trigger re-resolution of the :first-line or :first-letter pseudos, so I guess we're ``safe'' for now. :-/ I've filed bug 82289.
Comment 38•24 years ago
|
||
So so. Not much to add then. Go ahead with your check in.
Comment 39•24 years ago
|
||
Ok, fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•