Bug 85206: M091 Linux crash [@ nsTextFrame::Reflow]
Opened 23 years ago, closed 23 years ago
Status: VERIFIED FIXED
Categories: Core :: Layout, defect, P1
Target Milestone: mozilla0.9.3
People: Reporter: greer, Assigned: jbetak
Keywords: crash, topcrash
Whiteboard: only crashed with GNULibC 2.2.3/GCC 2.95.3
This one is showing up on the talkback reports with lots of comments that may help reproduce (cf bug 77939 bug 77945).

Stack Trace:
    nsTextFrame::Reflow()
    nsLineLayout::ReflowFrame()
    nsInlineFrame::ReflowInlineFrame()
    nsInlineFrame::ReflowFrames()
    nsInlineFrame::Reflow()
    nsLineLayout::ReflowFrame()
    nsInlineFrame::ReflowInlineFrame()
    nsInlineFrame::ReflowFrames()
    nsInlineFrame::Reflow()
    nsLineLayout::ReflowFrame()
    nsBlockFrame::ReflowInlineFrame()
    nsBlockFrame::DoReflowInlineFrames()
    nsBlockFrame::DoReflowInlineFramesAuto()
    nsBlockFrame::ReflowInlineFrames()
    nsBlockFrame::ReflowLine()
    nsBlockFrame::ReflowDirtyLines()
    nsBlockFrame::Reflow()
    nsBlockReflowContext::DoReflowBlock()
    nsBlockReflowContext::ReflowBlock()
    nsBlockFrame::ReflowBlockFrame()
    nsBlockFrame::ReflowLine()
    nsBlockFrame::ReflowDirtyLines()
    nsBlockFrame::Reflow()
    nsContainerFrame::ReflowChild()
    CanvasFrame::Reflow()
    nsBoxToBlockAdaptor::Reflow()
    nsBoxToBlockAdaptor::DoLayout()
    nsBox::Layout()
    nsScrollBoxFrame::DoLayout()
    nsBox::Layout()
    nsContainerBox::LayoutChildAt()
    nsGfxScrollFrameInner::LayoutBox()
    nsGfxScrollFrameInner::Layout()
    nsGfxScrollFrame::DoLayout()
    nsBox::Layout()
    nsBoxFrame::Reflow()
    nsGfxScrollFrame::Reflow()
    nsContainerFrame::ReflowChild()
    ViewportFrame::Reflow()
    nsHTMLReflowCommand::Dispatch()
    PresShell::ProcessReflowCommand()
    PresShell::ProcessReflowCommands()
    HandlePLEvent()
    PL_HandleEvent()
    PL_ProcessPendingEvents()
    nsEventQueueImpl::ProcessPendingEvents()
    event_processor_callback()
    our_gdk_io_invoke()
    libglib-1.2.so.0 + 0xec80 (0x40358c80)
    libglib-1.2.so.0 + 0x10348 (0x4035a348)
    libglib-1.2.so.0 + 0x10953 (0x4035a953)
    libglib-1.2.so.0 + 0x10aec (0x4035aaec)
    libgtk-1.2.so.0 + 0x8d667 (0x4027b667)
    nsAppShell::Run()
    nsAppShellService::Run()
    main1()
    main()
    libc.so.6 + 0x1d2db (0x404962db)

(31560342) Comments: I click on the following link then BOOM! http://www.fokus.gmd.de/research/cc/glone/employees/joerg.schilling/private/
(31549848) URL: winex.org
(31535898) URL: http://www.sourceforge.net
(31535898) Comments: Wanted to download a file on www.sourceforge.net. There is an overview of the releases for every project and you can click on "Download" for the desired version. It should lead to another page
(31535805) URL: http://www.sourceforge.net
(31535805) Comments: Searching for a project
(31527259) URL: www.sourceforge.net (somewhere in there)
(31527259) Comments: Clicked on a link
(31514964) URL: http://sourceforge.net/projects/
(31514964) Comments: a php script for download gnomemm !
(31510662) URL: http://sourceforge.net/project/showfiles.php
(31510655) URL: http://sourceforge.net/project/showfiles.php
(31510648) URL: http://sourceforge.net/project/showfiles.php
(31510648) Comments: I was just about to download Galeon from sourceforge when Mozilla died on me.
(31507174) URL: http://www.ew.com/ew
(31507174) Comments: Go here....BOOM!!!!!
(31507095) URL: http://www.netscape.com
(31507095) Comments: Tried it again....The link is to Entertainment Weekly's web site from Netscape's site. Seems to crash on this site. I'm going to try to go directly to eweek.....I may be back!!!
(31507027) URL: http://www.netscape.com
(31507027) Comments: Today
(31507027) Comments: "Weirdly Uneven...." which I think goes to TVWeek or something...not sure. But clicking on this link caused Mozilla to BOMB!!!!
(31476920) Comments: can't remember URL
(31476019) URL: sourceforge.net
(31476019) Comments: Downloading files
(31474674) URL: www.google.com
(31474674) Comments: Clicked on a link on google
(31474545) URL: http://mesa3d.sourceforge.net
(31474545) Comments: I first pointed Mozilla to http://mesa3d.sourceforge.net
(31474545) Comments: in Mozilla 0.9 too..
(31465625) URL: http://sourceforge.net/project/showfile.php?group_id=954
(31465617) URL: http://sourceforge.net/project/showfile.php?group_id=954
(31465617) Comments: Clicked on link to open that url from www.bibletime.de. A second window opened and as the page was loading it crashed.
Comment 3•23 years ago
Mark as moz0.9.2. shanjian, can you take a look at this one?
Assignee: ftang → shanjian
Target Milestone: --- → mozilla0.9.2
Comment 4•23 years ago
My Linux system is offline. (I did not plan to bring it back online before my ISDN is up.) So please help to fix this one.
Comment 5•23 years ago
shanjian, can you try to reproduce this under Windows first?
Priority: -- → P1
Comment 6•23 years ago
pdt+ based on 6/11 pdt meeting.
Updated•23 years ago
Whiteboard: [PDT+]
Comment 7•23 years ago
Can't reproduce on Windows. I tried with 20010611 debug build on Windows 98CT, W2K
Comment 8•23 years ago
add katakai san.
Comment 9•23 years ago
shanjian needs to take care of his new baby now. Reassign to ftang.
Assignee: shanjian → ftang
Comment 10•23 years ago
I cannot reproduce this on my up-to-date Linux build
Comment 11•23 years ago
I can't reproduce the crash with 2001-06-13-08 linux build by clicking the links in this report. Today's linux build (06/14) is not stable. It crashes at a lot of web sites.
Updated•23 years ago
Whiteboard: [PDT+] → [PDT+] block-because-cannot-reproduce
Comment 12•23 years ago
with a current build on my system it crashed on "winex.org" with this message:
    ###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../../../dist/include/nsCOMPtr.h, line 649
    ###!!! Break: at file ../../../../dist/include/nsCOMPtr.h, line 649
Comment 13•23 years ago
here is the stack trace:
    (gdb) bt
    #0 0x40c1cf4a in nsHttpConnection::OnTransactionComplete (this=0x87af038, status=2152398850) at nsHttpConnection.cpp:223
    #1 0x40c20bdc in nsHttpTransaction::Cancel (this=0x87d05c8, status=2152398850) at nsHttpTransaction.cpp:646
    #2 0x40c28a35 in nsHttpChannel::Cancel (this=0x87c3a18, status=2152398850) at nsHttpChannel.cpp:1589
    #3 0x41df6ee9 in imgRequest::Cancel (this=0x87cf8a8, status=2152398850) at imgRequest.cpp:269
    #4 0x41df6b39 in imgRequest::RemoveProxy (this=0x87cf8a8, proxy=0x87d09a8, aStatus=2147500037) at imgRequest.cpp:195
    #5 0x41df9c61 in imgRequestProxy::Cancel (this=0x87d09a8, status=2147500037) at imgRequestProxy.cpp:167
    #6 0x417cdb2b in nsImageFrame::Destroy (this=0x87cb514, aPresContext=0x867db50) at nsImageFrame.cpp:191
    #7 0x41935619 in nsFrameList::DestroyFrames (this=0x87cb458, aPresContext=0x867db50) at nsFrameList.cpp:115
    #8 0x417a8711 in nsContainerFrame::Destroy (this=0x87cb424, aPresContext=0x867db50) at nsContainerFrame.cpp:116
    #9 0x417da3a9 in nsLineBox::DeleteLineList (aPresContext=0x867db50, aLine=0x87ca9f4) at nsLineBox.cpp:251
    #10 0x41795033 in nsBlockFrame::Destroy (this=0x87ca770, aPresContext=0x867db50) at nsBlockFrame.cpp:313
    #11 0x417da3a9 in nsLineBox::DeleteLineList (aPresContext=0x867db50, aLine=0x87caa1c) at nsLineBox.cpp:251
    #12 0x41795033 in nsBlockFrame::Destroy (this=0x87ca670, aPresContext=0x867db50) at nsBlockFrame.cpp:313
    #13 0x4179e48d in nsBlockFrame::DoRemoveFrame (this=0x87c9cf0, aPresContext=0x867db50, aDeletedFrame=0x87ca670) at nsBlockFrame.cpp:4668
    #14 0x4179e0d1 in nsBlockFrame::RemoveFrame (this=0x87c9cf0, aPresContext=0x867db50, aPresShell=@0x86335b8, aListName=0x0, aOldFrame=0x87ca670) at nsBlockFrame.cpp:4564
    #15 0x41844a66 in nsFormFrame::RemoveFrame (this=0x87c9cf0, aPresContext=0x867db50, aPresShell=@0x86335b8, aListName=0x0, aOldFrame=0x87ca670) at nsFormFrame.cpp:379
    #16 0x417bd217 in FrameManager::RemoveFrame (this=0x8641158, aPresContext=0x867db50, aPresShell=@0x86335b8, aParentFrame=0x87c9cf0, aListName=0x0, aOldFrame=0x87ca670) at nsFrameManager.cpp:904
    #17 0x4188fbd1 in nsCSSFrameConstructor::ContentRemoved (this=0x8641000, aPresContext=0x867db50, aContainer=0x863ee50, aChild=0x87f2058, aIndexInContainer=0) at nsCSSFrameConstructor.cpp:9242
    #18 0x4143a32e in StyleSetImpl::ContentRemoved (this=0x8640f90, aPresContext=0x867db50, aContainer=0x863ee50, aChild=0x87f2058, aIndexInContainer=0) at nsStyleSet.cpp:1124
    #19 0x417fe6b3 in PresShell::ContentRemoved (this=0x86335b8, aDocument=0x867cf58, aContainer=0x863ee50, aChild=0x87f2058, aIndexInContainer=0) at nsPresShell.cpp:4907
    #20 0x413c2ed9 in nsDocument::ContentRemoved (this=0x867cf58, aContainer=0x863ee50, aChild=0x87f2058, aIndexInContainer=0) at nsDocument.cpp:1645
    #21 0x4126c922 in nsHTMLDocument::ContentRemoved (this=0x867cf58, aContainer=0x863ee50, aContent=0x87f2058, aIndexInContainer=0) at nsHTMLDocument.cpp:1216
    #22 0x411d508e in nsGenericHTMLContainerElement::RemoveChildAt (this=0x863ee50, aIndex=0, aNotify=1) at nsGenericHTMLElement.cpp:3703
    #23 0x41257fed in SinkContext::DemoteContainer (this=0x846c878, aNode=@0xbfffe9c8) at nsHTMLContentSink.cpp:1631
    #24 0x4125cf3d in HTMLContentSink::CloseForm (this=0x8678380, aNode=@0xbfffe9c8) at nsHTMLContentSink.cpp:2997
    #25 0x40ee3a31 in CNavDTD::CloseForm (this=0x8678968, aNode=0xbfffe9c8) at CNavDTD.cpp:3210
    #26 0x40ee4354 in CNavDTD::CloseContainer (this=0x8678968, aNode=0xbfffe9c8, aTarget=eHTMLTag_form, aClosedByStartTag=0) at CNavDTD.cpp:3503
    #27 0x40ee10e5 in CNavDTD::HandleEndToken (this=0x8678968, aToken=0x87dc0d8) at CNavDTD.cpp:1918
    #28 0x40edea5d in CNavDTD::HandleToken (this=0x8678968, aToken=0x87dc0d8, aParser=0x8609d88) at CNavDTD.cpp:890
    #29 0x40edda70 in CNavDTD::BuildModel (this=0x8678968, aParser=0x8609d88, aTokenizer=0x8794430, anObserver=0x0, aSink=0x8678380) at CNavDTD.cpp:539
    #30 0x40ef5132 in nsParser::BuildModel (this=0x8609d88) at nsParser.cpp:1990
    #31 0x40ef4eb4 in nsParser::ResumeParse (this=0x8609d88, allowIteration=1, aIsFinalChunk=1) at nsParser.cpp:1871
    #32 0x40ef43a8 in nsParser::ContinueParsing (this=0x8609d88) at nsParser.cpp:1539
    #33 0x41262e1a in HTMLContentSink::ScriptEvaluated (this=0x8678380, aResult=0, aElement=0x87f2228, aIsInline=0, aWasPending=1) at nsHTMLContentSink.cpp:4541
    #34 0x4144d086 in nsScriptLoader::FireScriptEvaluated (this=0x86784c0, aResult=0, aRequest=0x87f2340) at nsScriptLoader.cpp:519
    #35 0x4144cd7d in nsScriptLoader::ProcessRequest (this=0x86784c0, aRequest=0x87f2340) at nsScriptLoader.cpp:478
    #36 0x4144e918 in nsScriptLoader::OnStreamComplete (this=0x86784c0, aLoader=0x87f27e0, aContext=0x87f2340, aStatus=0, stringLen=329, string=0x87bea18 "document.write ('<A HREF=\"http://rmfe3.register.com/RealMedia/ads/click_lx.ads/futuresite.register.com/testoas.shtml/307679842/Bottom/iWon-RON-Banner/iWon-RON-BannerRed/6430306332343338336232393166333"...) at nsScriptLoader.cpp:753
    #37 0x40bea249 in nsStreamLoader::OnStopRequest (this=0x87f27e0, request=0x87f25e8, ctxt=0x0, aStatus=0) at nsStreamLoader.cpp:120
    #38 0x40bf24d9 in nsStreamListenerTee::OnStopRequest (this=0x87adf50, request=0x87f25e8, context=0x0, status=0) at nsStreamListenerTee.cpp:24
    #39 0x40c2a724 in nsHttpChannel::OnStopRequest (this=0x87f25e8, request=0x87f2b08, ctxt=0x0, status=0) at nsHttpChannel.cpp:2100
    #40 0x40c54f1c in nsOnStopRequestEvent::HandleEvent (this=0x87f4758) at nsRequestObserverProxy.cpp:160
    #41 0x40bd6d20 in nsARequestObserverEvent::HandlePLEvent (plev=0x87f4758) at nsRequestObserverProxy.cpp:63
    #42 0x40145a33 in PL_HandleEvent (self=0x87f4758) at plevent.c:590
    #43 0x40145810 in PL_ProcessPendingEvents (self=0x80b6738) at plevent.c:520
    #44 0x40147ddc in nsEventQueueImpl::ProcessPendingEvents (this=0x80b6710) at nsEventQueue.cpp:374
    #45 0x409707e2 in event_processor_callback (data=0x80b6710, source=8, condition=GDK_INPUT_READ) at nsAppShell.cpp:168
    #46 0x40970368 in our_gdk_io_invoke (source=0x832d428, condition=G_IO_IN, data=0x83536b8) at nsAppShell.cpp:61
    #47 0x404a0089 in g_io_unix_dispatch (source_data=0x82aa590, current_time=0xbffff500, user_data=0x83536b8) at giounix.c:135
    #48 0x404a1846 in g_main_dispatch (dispatch_time=0xbffff500) at gmain.c:656
    #49 0x404a1e73 in g_main_iterate (block=1, dispatch=1) at gmain.c:877
    #50 0x404a202c in g_main_run (loop=0x828f120) at gmain.c:935
    #51 0x403c1a4b in gtk_main () at gtkmain.c:476
    #52 0x40970f7d in nsAppShell::Run (this=0x8100818) at nsAppShell.cpp:360
    #53 0x408ffa95 in nsAppShellService::Run (this=0x80fd858) at nsAppShellService.cpp:417
    #54 0x0805b239 in main1 (argc=1, argv=0xbffff834, nativeApp=0x0) at nsAppRunner.cpp:1110
    #55 0x0805c061 in main (argc=1, argv=0xbffff834) at nsAppRunner.cpp:1408
    #56 0x4059b9cb in __libc_start_main (main=0x805be4c <main>, argc=1, argv=0xbffff834, init=0x8054d08 <_init>, fini=0x8069e50 <_fini>, rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffff82c) at ../sysdeps/generic/libc-start.c:92
    (gdb)
Comment 14•23 years ago
the crash is at nsHttpConnection.cpp line 223
the mRawPtr of mSocketTransport is null

    196 // called from any thread
    197 nsresult
    198 nsHttpConnection::OnTransactionComplete(nsresult status)
    199 {
    200     LOG(("nsHttpConnection::OnTransactionComplete [this=%x status=%x]\n",
    201         this, status));
    202
    203     NS_ENSURE_TRUE(mSocketTransport, NS_ERROR_UNEXPECTED);
    204
    205     // be warned: trans may not be mTransaction
    206
    207     // cancel the requests... this will cause OnStopRequest to be fired
    208     if (mWriteRequest) {
    209         mWriteRequest->Cancel(status);
    210         mWriteRequest = 0;
    211     }
    212     if (mReadRequest) {
    213         mReadRequest->Cancel(status);
    214         mReadRequest = 0;
    215     }
    216
    217     // break the cycle between the socket transport and this
    218     if (mSocketTransport)
    219         mSocketTransport->SetNotificationCallbacks(nsnull, 0);
    220
    221     if (!mKeepAlive || NS_FAILED(status)) {
    222         // if we're not going to be keeping this connection alive...
    223         mSocketTransport->SetReuseConnection(PR_FALSE);
    224         mSocketTransport = 0;
    225     }
    226
    227     return NS_OK;
    228 }
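The listing in comment 14 checks mSocketTransport at lines 203 and 218 but not at line 223, after the Cancel() calls have run. The following is an added example, not part of the bug thread or Mozilla's code: a reduced C++ model of that check-then-use pattern next to a hardened form. Assumptions: Transport, Request, Connection and Outcome are hypothetical names, and the pointer is assumed to be cleared by a callback fired during Cancel(), which the thread does not confirm.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>

// Hypothetical stand-ins for the socket transport and a read/write request.
struct Transport {
    bool reuse = true;
    void SetReuseConnection(bool r) { reuse = r; }
};
struct Request {
    std::function<void()> onStop;            // fired synchronously by Cancel()
    void Cancel() { if (onStop) onStop(); }
};
enum class Outcome { Completed, NoTransport, NullTransportUse };

struct Connection {
    std::shared_ptr<Transport> transport{new Transport};
    std::unique_ptr<Request> request{new Request};
    bool keepAlive = false;
    Connection() {
        // Assumption: the stop notification re-enters and drops the transport.
        request->onStop = [this] { transport.reset(); };
    }
    // Shape of the listing: member checked on entry, used again after Cancel().
    Outcome CompleteUnchecked() {
        if (!transport) return Outcome::NoTransport;
        if (request) { request->Cancel(); request.reset(); }
        if (!keepAlive) {
            // The listing dereferences here; the demo reports it instead.
            if (!transport) return Outcome::NullTransportUse;
            transport->SetReuseConnection(false);
            transport.reset();
        }
        return Outcome::Completed;
    }
    // Hardened: a local strong reference survives whatever the callbacks do.
    Outcome CompleteHardened() {
        std::shared_ptr<Transport> t = transport;
        if (!t) return Outcome::NoTransport;
        if (auto r = std::move(request)) r->Cancel();  // detach, then cancel
        if (!keepAlive) {
            t->SetReuseConnection(false);
            transport.reset();
        }
        return Outcome::Completed;
    }
};

Outcome RunUnchecked() { Connection c; return c.CompleteUnchecked(); }
// True when the hardened path still reached the transport it started with.
bool HardenedMarksNoReuse() {
    Connection c;
    std::shared_ptr<Transport> t = c.transport;
    return c.CompleteHardened() == Outcome::Completed && !t->reuse && !c.transport;
}
int main() {
    std::printf("unchecked hits null: %d\n", RunUnchecked() == Outcome::NullTransportUse);
    return HardenedMarksNoReuse() ? 0 : 1;
}
```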
Comment 15•23 years ago
This is darin's code.
Updated•23 years ago
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Comment 16•23 years ago
*** This bug has been marked as a duplicate of 85822 ***
Comment 17•23 years ago
the stack trace I entered was from a different issue that does not address the reflow crash
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 18•23 years ago
reopen since the original stack traces are different
Status: REOPENED → ASSIGNED
Comment 19•23 years ago
Darin has checked in a fix for the http prob. I will rebuild and see if I can reproduce this crash.
Comment 20•23 years ago
jbetak- can you also try to reproduce this one?
Assignee: ftang → jbetak
Status: ASSIGNED → NEW
Comment 21•23 years ago
I went thru every link on my 2001-06-14 14:10 PDT debug linux build and no crashes
Comment 22 (Assignee)•23 years ago
Out of frustration with this bug, I spent some time sifting through the talkback reports. Found this comment from ryan@cardweb.com (http://cyclone.mcom.com/reports/incidenttemplate.cfm?bbid=31585395) to be quite interesting:

"Clicked http://sourceforge.net/project/showfiles.php?group_id=6999&release_id=38593 and it died while loading it. It does this every time with this url, but only with Glibc 2.2.3. I have tried the binaries and compiled it myself with the same result. FYI, the sourceforge download pages are the only pages I have been"

Tentatively updating OS to Linux. There is a singular MacOS 9 incident (http://cyclone.mcom.com/reports/incidenttemplate.cfm?bbid=31467149). Even though this change might not be entirely appropriate, we might fare better by focusing on Linux first.
OS: other → Linux
Comment 23•23 years ago
I have been able to reproduce this bug on two similar machines. They are both heavily modified Slackware 7.0
GNU Libc 2.2.3 (built with GCC 2.95.3, binutils 2.11/2.10.1)
Kernel 2.4.5 and 2.4.4
GTK/GLIB 1.2.10

This crash happens with mozilla nightly binaries and when I build it myself.
http://sourceforge.net/project/showfiles.php?group_id=6999&release_id=38593
It also happens on other sourceforge download pages. I have not been able to reproduce this crash on any other pages.

On the second box, I tried running mozilla before and after installing GNU Libc 2.2.3 and it only crashed with 2.2.3.

Ryan McGuigan (ryan@cardweb.com)
Comment 24•23 years ago
remove pdt+. change to moz0.9.3. Change status line to "only crashed with GNULibC 2.2.3/GCC 2.95.3"
Whiteboard: [PDT+] block-because-cannot-reproduce → only crashed with GNULibC 2.2.3/GCC 2.95.3
Target Milestone: mozilla0.9.2 → mozilla0.9.3
Comment 25 (Assignee)•23 years ago
adding Ryan McGuigan to the cc list. Ryan, thanks for taking the time to update this bug...
Status: NEW → ASSIGNED
Comment 26 (Assignee)•23 years ago
Ryan, I'm taking the liberty to include your email in the bug description: "I just tried today's build and it no longer crashes at that sourceforge download page. http://sourceforge.net/project/showfiles.php?group_id=6999&release_id=38593 I have not changed anything on my machine, and the page hasn't changed either. Yesterday's build still crashes on that page."
Comment 27 (Assignee)•23 years ago
per Ryan's comments: it seems that my or someone else's checkin to nsTextFrame.cpp might have affected this crasher as well. From the stack trace below one could infer that fixing the incorrect memcpy buffer size in nsTextFrame::ComputeTotalWordWidth would have some effect on the nsLineLayout::ReflowFrame. I'm marking dependency on bug 85487, it looks like this crasher is the Linux complement of the same buffer overrun.

    nsTextFrame::ComputeTotalWordWidth(nsIPresContext * 0x04a79740, nsILineBreaker * 0x0451f4f0, nsLineLayout & {...}, const nsHTMLReflowState & {...}, nsIFrame * 0x02c42b50, int 540, unsigned short * 0x00121768, unsigned int 5, unsigned int 124) line 5272
    nsTextFrame::MeasureText(nsIPresContext * 0x04a79740, const nsHTMLReflowState & {...}, nsTextTransformer & {...}, nsILineBreaker * 0x0451f4f0, nsTextFrame::TextStyle & {...}, nsTextFrame::TextReflowData & {...}) line 4810 + 65 bytes
    nsTextFrame::Reflow(nsTextFrame * const 0x02c42ad0, nsIPresContext * 0x04a79740, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 5048 + 43 bytes
    nsLineLayout::ReflowFrame(nsIFrame * 0x02c42ad0, nsIFrame * * 0x00121c14, unsigned int & 0, nsHTMLReflowMetrics * 0x00000000, int & 0) line 955 + 43 bytes
Depends on: 85487
Comment 28 (Assignee)•23 years ago
I'm tentatively closing this bug. Based on Ryan's comments it seems reasonable to assume that the changes to nsTextFrame.cpp from 06/19/2001 addressed this issue as well.
http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/layout/html/base/src/nsTextFrame.cpp
Thanks everyone!
Status: ASSIGNED → RESOLVED
Closed: 23 years ago → 23 years ago
Resolution: --- → FIXED
Comment 29•23 years ago
Since I'm not exactly sure how to test this, I'm marking verified based on the last comments.
Status: RESOLVED → VERIFIED
Updated•13 years ago
Crash Signature: [@ nsTextFrame::Reflow]