Closed Bug 81754 Opened 24 years ago Closed 24 years ago

sigsegv from nsSliderFrame

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED DUPLICATE of bug 82194

People

(Reporter: old-mozilla, Assigned: eric)

References

(
URL
)

Details

(Keywords: crash)

This is a problem that's been happening for a week or so now, in both my own builds and nightly rpms. I can repro it about 70% of the time I try it. The process is to start moz from scratch and load megatokyo, then scroll down and click the "prev" button (below the comic, on the right) repeat this three or four times (moving back a week or two through the archives, say back to the last one you read ;). Now scroll down through the whole comic and use then use the back button or context menu to work through moz's history (moving forward in time through the comics), repeat this (read the comic, then use history to move "back" to the "future") untill it blows up (usually the first or second history action). MT is not the only page that demonstrates this, but it seems to be the best. (If you do the initial page loads fast enough you'll also see a good example of a libpr0n bug I'm still trying to figure out.) Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 1024 (LWP 10037)] 0x41f1c9bd in nsSliderFrame::CurrentPositionChanged (this=0x4509734c, aPresContext=0x45eebce0) at nsSliderFrame.cpp:692 692 thumbFrame->GetRect(thumbRect); Current language: auto; currently c++ (gdb) bt #0 0x41f1c9bd in nsSliderFrame::CurrentPositionChanged (this=0x4509734c, aPresContext=0x45eebce0) at nsSliderFrame.cpp:692 #1 0x41f1b3ba in nsSliderFrame::AttributeChanged (this=0x4509734c, aPresContext=0x45eebce0, aChild=0x45084f38, aNameSpaceID=0, aAttribute=0x8194ab0, aHint=4) at nsSliderFrame.cpp:222 #2 0x41ea8459 in nsCSSFrameConstructor::AttributeChanged (this=0x450ad3e0, aPresContext=0x45eebce0, aContent=0x45084f38, aNameSpaceID=0, aAttribute=0x8194ab0, aHint=3) at nsCSSFrameConstructor.cpp:9989 #3 0x419268f2 in StyleSetImpl::AttributeChanged (this=0x450ad3a8, aPresContext=0x45eebce0, aContent=0x45084f38, aNameSpaceID=0, aAttribute=0x8194ab0, aHint=-1) at nsStyleSet.cpp:1289 #4 0x41e25070 in PresShell::AttributeChanged (this=0x45ee89d0, aDocument=0x429b1470, aContent=0x45084f38, aNameSpaceID=0, aAttribute=0x8194ab0, aHint=-1) at nsPresShell.cpp:4814 #5 0x418b7deb in nsDocument::AttributeChanged (this=0x429b1470, aChild=0x45084f38, aNameSpaceID=0, aAttribute=0x8194ab0, aHint=-1) at nsDocument.cpp:1645 #6 0x41793d53 in nsHTMLDocument::AttributeChanged (this=0x429b1470, aContent=0x45084f38, aNameSpaceID=0, aAttribute=0x8194ab0, aHint=-1) at nsHTMLDocument.cpp:1322 #7 0x4181a149 in nsXULElement::SetAttribute (this=0x45084f38, aNodeInfo=0x450763e8, aValue=@0xbfffdb20, aNotify=1) at nsXULElement.cpp:3055 #8 0x4181a33d in nsXULElement::SetAttribute (this=0x45084f38, aNameSpaceID=0, aName=0x8194ab0, aValue=@0xbfffdb20, aNotify=1) at nsXULElement.cpp:3076 #9 0x4188c5f8 in nsXBLPrototypeBinding::AttributeChanged (this=0x43761788, aAttribute=0x8194ab0, aNameSpaceID=0, aRemoveFlag=0, aChangedElement=0x45052140, aAnonymousContent=0x44265710) at nsXBLPrototypeBinding.cpp:669 #10 0x41886575 in nsXBLBinding::AttributeChanged (this=0x44265a30, aAttribute=0x8194ab0, aNameSpaceID=0, aRemoveFlag=0) at nsXBLBinding.cpp:1347 #11 0x41819cef in nsXULElement::SetAttribute (this=0x45052140, aNodeInfo=0x450d0490, aValue=@0xbfffe070, aNotify=1) at nsXULElement.cpp:3019 #12 0x4181a33d in nsXULElement::SetAttribute (this=0x45052140, aNameSpaceID=0, aName=0x8194ab0, aValue=@0xbfffe070, aNotify=1) at nsXULElement.cpp:3076 #13 0x41e4701f in nsGfxScrollFrameInner::SetAttribute (this=0x4507e828, aBox=0x45096fec, aAtom=0x8194ab0, aSize=684, aReflow=1) at nsGfxScrollFrame.cpp:1422 #14 0x41e45632 in nsGfxScrollFrameInner::ScrollPositionDidChange (this=0x4507e828, aScrollable=0x45eeec90, aX=0, aY=10260) at nsGfxScrollFrame.cpp:849 #15 0x42018799 in nsScrollPortView::ScrollTo (this=0x45eeec30, aX=0, aY=10260, aUpdateFlags=0) at nsScrollPortView.cpp:332 #16 0x41ee31e6 in nsScrollBoxFrame::DoLayout (this=0x450967a4, aState=@0xbfffe650) at nsScrollBoxFrame.cpp:524 #17 0x41eff585 in nsBox::Layout (this=0x450967dc, aState=@0xbfffe650) at nsBox.cpp:983 #18 0x41f054b5 in nsContainerBox::LayoutChildAt (aState=@0xbfffe650, aBox=0x450967dc, aRect=@0xbfffe500) at nsContainerBox.cpp:591 #19 0x41e45e93 in nsGfxScrollFrameInner::LayoutBox (this=0x4507e828, aState=@0xbfffe650, aBox=0x450967dc, aRect=@0xbfffe500) at nsGfxScrollFrame.cpp:1038 #20 0x41e46163 in nsGfxScrollFrameInner::Layout (this=0x4507e828, aState=@0xbfffe650) at nsGfxScrollFrame.cpp:1141 #21 0x41e45ee9 in nsGfxScrollFrame::DoLayout (this=0x450966fc, aState=@0xbfffe650) at nsGfxScrollFrame.cpp:1046 #22 0x41eff585 in nsBox::Layout (this=0x45096734, aState=@0xbfffe650) at nsBox.cpp:983 #23 0x41f14289 in nsBoxFrame::Reflow (this=0x450966fc, aPresContext=0x45eebce0, aDesiredSize=@0xbfffe890, aReflowState=@0xbfffe7c0, aStatus=@0xbfffea08) at nsBoxFrame.cpp:778 #24 0x41e45168 in nsGfxScrollFrame::Reflow (this=0x450966fc, aPresContext=0x45eebce0, aDesiredSize=@0xbfffe890, aReflowState=@0xbfffe7c0, aStatus=@0xbfffea08) at nsGfxScrollFrame.cpp:735 #25 0x41ddaa0a in nsContainerFrame::ReflowChild (this=0x45096688, aKidFrame=0x450966fc, aPresContext=0x45eebce0, aDesiredSize=@0xbfffe890, aReflowState=@0xbfffe7c0, aX=0, aY=0, aFlags=0, aStatus=@0xbfffea08) at nsContainerFrame.cpp:722 #26 0x41e433d1 in ViewportFrame::Reflow (this=0x45096688, aPresContext=0x45eebce0, aDesiredSize=@0xbfffeb10, aReflowState=@0xbfffe940, aStatus=@0xbfffea08) at nsViewportFrame.cpp:537 #27 0x41df4500 in nsHTMLReflowCommand::Dispatch (this=0x46608778, aPresContext=0x45eebce0, aDesiredSize=@0xbfffeb10, aMaxSize=@0xbfffeaf0, aRendContext=@0x45ea90d8) at nsHTMLReflowCommand.cpp:144 #28 0x41e272e8 in PresShell::ProcessReflowCommand (this=0x45ee89d0, aQueue=@0x45ee8a24, aAccumulateTime=0, aDesiredSize=@0xbfffeb10, aMaxSize=@0xbfffeaf0, aRenderingContext=@0x45ea90d8) at nsPresShell.cpp:5711 #29 0x41e27578 in PresShell::ProcessReflowCommands (this=0x45ee89d0, aInterruptible=0) at nsPresShell.cpp:5766 #30 0x41e24e25 in PresShell::FlushPendingNotifications (this=0x45ee89d0) at nsPresShell.cpp:4740 #31 0x418bd870 in nsDocument::FlushPendingNotifications (this=0x429b1470, aFlushReflows=1) at nsDocument.cpp:3194 #32 0x41793ec4 in nsHTMLDocument::FlushPendingNotifications (this=0x429b1470, aFlushReflows=1) at nsHTMLDocument.cpp:1352 #33 0x4189dfb8 in nsXBLStreamListener::Load (this=0x450e4790, aEvent=0x43758a9c) at nsXBLService.cpp:356 #34 0x41710f02 in nsEventListenerManager::HandleEvent (this=0x450e47d0, aPresContext=0x0, aEvent=0xbfffefa0, aDOMEvent=0xbfffef64, aCurrentTarget=0x450bc5a0, aFlags=7, aEventStatus=0xbfffefdc) at nsEventListenerManager.cpp:1783 #35 0x418bc892 in nsDocument::HandleDOMEvent (this=0x450bc570, aPresContext=0x0, aEvent=0xbfffefa0, aDOMEvent=0xbfffef64, aFlags=1, aEventStatus=0xbfffefdc) at nsDocument.cpp:2843 #36 0x4180a631 in nsXMLDocument::EndLoad (this=0x450bc570) at nsXMLDocument.cpp:664 #37 0x41800046 in nsXMLContentSink::DidBuildModel (this=0x45edd540, aQualityLevel=1) at nsXMLContentSink.cpp:300 #38 0x410c7249 in CWellFormedDTD::DidBuildModel (this=0x450d78a0, anErrorCode=0, aNotifySink=1, aParser=0x450c9170, aSink=0x45edd540) at nsWellFormedDTD.cpp:296 #39 0x410be2a1 in nsParser::DidBuildModel (this=0x450c9170, anErrorCode=0) at nsParser.cpp:1438 #40 0x410bf0e3 in nsParser::ResumeParse (this=0x450c9170, allowIteration=1, aIsFinalChunk=1) at nsParser.cpp:1907 #41 0x410bff21 in nsParser::OnStopRequest (this=0x450c9170, request=0x450c93a0, aContext=0x0, status=0) at nsParser.cpp:2362 #42 0x4189db87 in nsXBLStreamListener::OnStopRequest (this=0x450e4790, request=0x450c93a0, aCtxt=0x0, aStatus=0) at nsXBLService.cpp:289 #43 0x40baf517 in nsJARChannel::OnStopRequest (this=0x450c93a0, jarExtractionTransport=0x45e41f7c, context=0x0, aStatus=0) at nsJARChannel.cpp:584 #44 0x40bca1a6 in nsOnStopRequestEvent::HandleEvent (this=0x461cb878) at nsRequestObserverProxy.cpp:158 #45 0x40b5bf80 in nsARequestObserverEvent::HandlePLEvent (plev=0x461cb878) at nsRequestObserverProxy.cpp:63 #46 0x4011700c in PL_HandleEvent (self=0x461cb878) at plevent.c:590 #47 0x4011777d in PL_ProcessEventsBeforeID (aSelf=0x80aea00, aID=35608) at plevent.c:1256 #48 0x40967f21 in processQueue (aElement=0x80aea00, aData=0x8b18) at nsAppShell.cpp:475 #49 0x400e3458 in nsVoidArray::EnumerateForwards (this=0x80fb6d8, aFunc=0x40967ef4 <processQueue(void *, void *)>, aData=0x8b18) at nsVoidArray.cpp:313 #50 0x40967f64 in nsAppShell::ProcessBeforeID (aID=35608) at nsAppShell.cpp:483 #51 0x40973562 in handle_gdk_event (event=0x81e9890, data=0x0) at nsGtkEventHandler.cpp:987 #52 0x4041ce4f in gdk_event_dispatch () at ../../../dist/include/nsCOMPtr.h:409 #53 0x4044f7f3 in g_main_dispatch () at ../../../dist/include/nsCOMPtr.h:409 #54 0x4044fdd9 in g_main_iterate () at ../../../dist/include/nsCOMPtr.h:409 #55 0x4044ff8c in g_main_run () at ../../../dist/include/nsCOMPtr.h:409 #56 0x40364803 in gtk_main () at ../../../dist/include/nsCOMPtr.h:409 #57 0x40967bd5 in nsAppShell::Run (this=0x80fb6c0) at nsAppShell.cpp:360 #58 0x4090871d in nsAppShellService::Run (this=0x80f7eb0) at nsAppShellService.cpp:417 #59 0x08059557 in main1 (argc=1, argv=0xbffff86c, nativeApp=0x0) at nsAppRunner.cpp:1093 #60 0x0805a1cb in main (argc=1, argv=0xbffff86c) at nsAppRunner.cpp:1391 #61 0x4059a177 in __libc_start_main (main=0x8059fc8 <main>, argc=1, ubp_av=0xbffff86c, init=0x8053d6c <_init>, fini=0x8063e1c <_fini>, rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffff85c) at ../sysdeps/generic/libc-start.c:129 (gdb) print this $1 = (nsSliderFrame *) 0x4509734c (gdb) print *this $2 = {<nsBoxFrame> = {<nsContainerFrame> = {<nsSplittableFrame> = {<nsFrame> = {<nsIFrame> = {<nsISupports> = { _vptr. = 0x41ff42c0}, <No data fields>}, <nsIFrameDebug> = {<nsISupports> = {_vptr. = 0x41ff45e0}, <No data fields>}, mRect = {x = 0, y = 0, width = 0, height = 0}, mContent = 0x45084f38, mStyleContext = 0x4424d158, mParent = 0x45096fb4, mNextSibling = 0x4509740c, mState = 8396836}, mPrevInFlow = 0x0, mNextInFlow = 0x0}, mFrames = { mFirstChild = 0x0}}, <nsContainerBox> = {<nsBox> = {<nsIBox> = {<nsISupports> = {_vptr. = 0x41ff4480}, <No data fields>}, mMouseThrough = unset, mNextChild = 0x45097444, mParentBox = 0x45096fec}, mFirstChild = 0x0, mLastChild = 0x0, mChildCount = 0, mLayoutManager = {mRawPtr = 0x82314a8}}, mPrefSize = {width = -1, height = -1}, mMinSize = {width = -1, height = -1}, mMaxSize = {width = -1, height = -1}, mFlex = -1, mAscent = -1, mInner = 0x450973f8}, mRatio = 0, mDragStartPx = 0, mThumbStart = 0, mCurPos = 0, mMiddlePref = 1, mScrollbarListener = 0x0, mPresContext = 0x45eebce0, mChange = 0, mClickPoint = {x = 0, y = 0}, mRedrawImmediate = 0, mMediator = 0x45eeb260}
Seems like bug 82194.
Severity: normal → critical
Keywords: crash
hmm... could be related... the difference here is that it's mFrames.FirstChild() that's comming back null (assuming it's just returning the field). One additional observation is that I'm on an SMP machine when I see it the most, and that I'm using a wheel mouse to scroll through the page (not that that should matter). It's also showing up in bugzilla pages alot. three times just trying to compare this and the one you mentioned. Also I just noticed that the line: WARNING: not supported for views, file nsScrollPortView.cpp, line 98 shows up just before it dies every time.
->evaughan, probable dup
Assignee: trudelle → evaughan
Status: UNCONFIRMED → NEW
Component: XP Toolkit/Widgets → History: Session
Ever confirmed: true
It is a duplicate, because both crashes are when we're dereferencing a null pointer (thumbFrame). *** This bug has been marked as a duplicate of 82194 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
verified dup
Status: RESOLVED → VERIFIED
Component: History: Session → Document Navigation
QA Contact: aegis → docshell
You need to log in before you can comment on or make changes to this bug.