Closed Bug 85206 Opened 23 years ago Closed 23 years ago

M091 Linux crash [@ nsTextFrame::Reflow]

Categories

(Core :: Layout, defect, P1)

x86
Linux
defect

Tracking

VERIFIED FIXED
mozilla0.9.3

People

(Reporter: greer, Assigned: jbetak)

Details

(Keywords: crash, topcrash, Whiteboard: only crashed with GNULibC 2.2.3/GCC 2.95.3)

This one is showing up on the talkback reports with lots of comments that may 
help reproduce (cf bug 77939 bug 77945).

Stack Trace: 

         nsTextFrame::Reflow()
         nsLineLayout::ReflowFrame()
         nsInlineFrame::ReflowInlineFrame()
         nsInlineFrame::ReflowFrames()
         nsInlineFrame::Reflow()
         nsLineLayout::ReflowFrame()
         nsInlineFrame::ReflowInlineFrame()
         nsInlineFrame::ReflowFrames()
         nsInlineFrame::Reflow()
         nsLineLayout::ReflowFrame()
         nsBlockFrame::ReflowInlineFrame()
         nsBlockFrame::DoReflowInlineFrames()
         nsBlockFrame::DoReflowInlineFramesAuto()
         nsBlockFrame::ReflowInlineFrames()
         nsBlockFrame::ReflowLine()
         nsBlockFrame::ReflowDirtyLines()
         nsBlockFrame::Reflow()
         nsBlockReflowContext::DoReflowBlock()
         nsBlockReflowContext::ReflowBlock()
         nsBlockFrame::ReflowBlockFrame()
         nsBlockFrame::ReflowLine()
         nsBlockFrame::ReflowDirtyLines()
         nsBlockFrame::Reflow()
         nsContainerFrame::ReflowChild()
         CanvasFrame::Reflow()
         nsBoxToBlockAdaptor::Reflow()
         nsBoxToBlockAdaptor::DoLayout()
         nsBox::Layout()
         nsScrollBoxFrame::DoLayout()
         nsBox::Layout()
         nsContainerBox::LayoutChildAt()
         nsGfxScrollFrameInner::LayoutBox()
         nsGfxScrollFrameInner::Layout()
         nsGfxScrollFrame::DoLayout()
         nsBox::Layout()
         nsBoxFrame::Reflow()
         nsGfxScrollFrame::Reflow()
         nsContainerFrame::ReflowChild()
         ViewportFrame::Reflow()
         nsHTMLReflowCommand::Dispatch()
         PresShell::ProcessReflowCommand()
         PresShell::ProcessReflowCommands()
         HandlePLEvent()
         PL_HandleEvent()
         PL_ProcessPendingEvents()
         nsEventQueueImpl::ProcessPendingEvents()
         event_processor_callback()
         our_gdk_io_invoke()
         libglib-1.2.so.0 + 0xec80 (0x40358c80)
         libglib-1.2.so.0 + 0x10348 (0x4035a348)
         libglib-1.2.so.0 + 0x10953 (0x4035a953)
         libglib-1.2.so.0 + 0x10aec (0x4035aaec)
         libgtk-1.2.so.0 + 0x8d667 (0x4027b667)
         nsAppShell::Run()
         nsAppShellService::Run()
         main1()
         main()
         libc.so.6 + 0x1d2db (0x404962db)

     (31560342) Comments: I click on the following link then BOOM!
http://www.fokus.gmd.de/research/cc/glone/employees/joerg.schilling/private/
     (31549848) URL: winex.org
     (31535898) URL: http://www.sourceforge.net
     (31535898) Comments: Wanted to download a file on www.sourceforge.net.
There is an overview of the releases for every project and you can click on
"Download" for the desired version. It should lead to another page
     (31535805) URL: http://www.sourceforge.net
     (31535805) Comments: Searching for a project
     (31527259) URL: www.sourceforge.net (somewhere in there)
     (31527259) Comments: Clicked on a link
     (31514964) URL: http://sourceforge.net/projects/
     (31514964) Comments: a php script for download gnomemm !
     (31510662) URL: http://sourceforge.net/project/showfiles.php
     (31510655) URL: http://sourceforge.net/project/showfiles.php
     (31510648) URL: http://sourceforge.net/project/showfiles.php
     (31510648) Comments: I was just about to download Galeon from sourceforge
when Mozilla died on me.
     (31507174) URL: http://www.ew.com/ew
     (31507174) Comments: Go here....BOOM!!!!!
     (31507095) URL: http://www.netscape.com
     (31507095) Comments: Tried it again....The link is to Entertainment
Weekly's web site from Netscape's site. Seems to crash on this site.  I'm going to
try to go directly to eweek.....I may be back!!!
     (31507027) URL: http://www.netscape.com
     (31507027) Comments: Today
     (31507027) Comments:  "Weirdly Uneven...." which I think goes to TVWeek or
something...not sure.  But clicking on this link caused Mozilla to BOMB!!!!
     (31476920) Comments: cant remember URL
     (31476019) URL: sourceforge.net
     (31476019) Comments: Downloading files
     (31474674) URL: www.google.com
     (31474674) Comments: Clicked on a link on google
     (31474545) URL: http://mesa3d.sourceforge.net
     (31474545) Comments: I first pointed Mozilla to
http://mesa3d.sourceforge.net
     (31474545) Comments:  in Mozilla 0.9 too..
     (31465625) URL: http://sourceforge.net/project/showfile.php?group_id=954
     (31465617) URL: http://sourceforge.net/project/showfile.php?group_id=954
     (31465617) Comments: Clicked on link to open that url from
www.bibletime.de.  A second window opened and as the page was loading it
crashed.
Keywords: crash, topcrash
Reassigning to ftang.
Assignee: karnaze → ftang
Keywords: qawanted
mark as moz0.9.2 
shanjian- can you take a look at this one ?
Assignee: ftang → shanjian
Target Milestone: --- → mozilla0.9.2
My Linux system is offline. (I did not plan to bring it back online before my ISDN is up.)
So please help to fix this one. 
shanjian, can you try to reproduce this under Windows first?
Priority: -- → P1
pdt+ based on 6/11 pdt meeting.
Whiteboard: [PDT+]
Can't reproduce on Windows.
I tried with 20010611 debug build on Windows 98CT, W2K
add katakai san.
shanjian needs to take care of his new baby now. Reassign to ftang.
Assignee: shanjian → ftang
I cannot reproduce this on my up-to-date Linux build
I can't reproduce the crash with 2001-06-13-08 linux build by clicking the links 
in this report. Today's linux build (06/14) is not stable. It crashes at a lot 
of web sites.
Whiteboard: [PDT+] → [PDT+] block-because-cannot-reproduce
with a current build on my system it crashed on "winex.org" with this message:

###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../../../dist/include/nsCOMPtr.h, line 649
###!!! Break: at file ../../../../dist/include/nsCOMPtr.h, line 649
here is the stack trace:

(gdb) bt
#0  0x40c1cf4a in nsHttpConnection::OnTransactionComplete (this=0x87af038,
status=2152398850) at nsHttpConnection.cpp:223
#1  0x40c20bdc in nsHttpTransaction::Cancel (this=0x87d05c8, status=2152398850)
at nsHttpTransaction.cpp:646
#2  0x40c28a35 in nsHttpChannel::Cancel (this=0x87c3a18, status=2152398850) at
nsHttpChannel.cpp:1589
#3  0x41df6ee9 in imgRequest::Cancel (this=0x87cf8a8, status=2152398850) at
imgRequest.cpp:269
#4  0x41df6b39 in imgRequest::RemoveProxy (this=0x87cf8a8, proxy=0x87d09a8,
aStatus=2147500037) at imgRequest.cpp:195
#5  0x41df9c61 in imgRequestProxy::Cancel (this=0x87d09a8, status=2147500037) at
imgRequestProxy.cpp:167
#6  0x417cdb2b in nsImageFrame::Destroy (this=0x87cb514, aPresContext=0x867db50)
at nsImageFrame.cpp:191
#7  0x41935619 in nsFrameList::DestroyFrames (this=0x87cb458,
aPresContext=0x867db50) at nsFrameList.cpp:115
#8  0x417a8711 in nsContainerFrame::Destroy (this=0x87cb424,
aPresContext=0x867db50) at nsContainerFrame.cpp:116
#9  0x417da3a9 in nsLineBox::DeleteLineList (aPresContext=0x867db50,
aLine=0x87ca9f4) at nsLineBox.cpp:251
#10 0x41795033 in nsBlockFrame::Destroy (this=0x87ca770, aPresContext=0x867db50)
at nsBlockFrame.cpp:313
#11 0x417da3a9 in nsLineBox::DeleteLineList (aPresContext=0x867db50,
aLine=0x87caa1c) at nsLineBox.cpp:251
#12 0x41795033 in nsBlockFrame::Destroy (this=0x87ca670, aPresContext=0x867db50)
at nsBlockFrame.cpp:313
#13 0x4179e48d in nsBlockFrame::DoRemoveFrame (this=0x87c9cf0,
aPresContext=0x867db50, aDeletedFrame=0x87ca670) at nsBlockFrame.cpp:4668
#14 0x4179e0d1 in nsBlockFrame::RemoveFrame (this=0x87c9cf0,
aPresContext=0x867db50, aPresShell=@0x86335b8, aListName=0x0,
aOldFrame=0x87ca670) at nsBlockFrame.cpp:4564
#15 0x41844a66 in nsFormFrame::RemoveFrame (this=0x87c9cf0,
aPresContext=0x867db50, aPresShell=@0x86335b8, aListName=0x0,
aOldFrame=0x87ca670) at nsFormFrame.cpp:379
#16 0x417bd217 in FrameManager::RemoveFrame (this=0x8641158,
aPresContext=0x867db50, aPresShell=@0x86335b8, aParentFrame=0x87c9cf0,
aListName=0x0, aOldFrame=0x87ca670) at nsFrameManager.cpp:904
#17 0x4188fbd1 in nsCSSFrameConstructor::ContentRemoved (this=0x8641000,
aPresContext=0x867db50, aContainer=0x863ee50, aChild=0x87f2058,
aIndexInContainer=0) at nsCSSFrameConstructor.cpp:9242
#18 0x4143a32e in StyleSetImpl::ContentRemoved (this=0x8640f90,
aPresContext=0x867db50, aContainer=0x863ee50, aChild=0x87f2058,
aIndexInContainer=0) at nsStyleSet.cpp:1124
#19 0x417fe6b3 in PresShell::ContentRemoved (this=0x86335b8,
aDocument=0x867cf58, aContainer=0x863ee50, aChild=0x87f2058,
aIndexInContainer=0) at nsPresShell.cpp:4907
#20 0x413c2ed9 in nsDocument::ContentRemoved (this=0x867cf58,
aContainer=0x863ee50, aChild=0x87f2058, aIndexInContainer=0) at
nsDocument.cpp:1645
#21 0x4126c922 in nsHTMLDocument::ContentRemoved (this=0x867cf58,
aContainer=0x863ee50, aContent=0x87f2058, aIndexInContainer=0) at
nsHTMLDocument.cpp:1216
#22 0x411d508e in nsGenericHTMLContainerElement::RemoveChildAt (this=0x863ee50,
aIndex=0, aNotify=1) at nsGenericHTMLElement.cpp:3703
#23 0x41257fed in SinkContext::DemoteContainer (this=0x846c878,
aNode=@0xbfffe9c8) at nsHTMLContentSink.cpp:1631
#24 0x4125cf3d in HTMLContentSink::CloseForm (this=0x8678380, aNode=@0xbfffe9c8)
at nsHTMLContentSink.cpp:2997
#25 0x40ee3a31 in CNavDTD::CloseForm (this=0x8678968, aNode=0xbfffe9c8) at
CNavDTD.cpp:3210
#26 0x40ee4354 in CNavDTD::CloseContainer (this=0x8678968, aNode=0xbfffe9c8,
aTarget=eHTMLTag_form, aClosedByStartTag=0) at CNavDTD.cpp:3503
#27 0x40ee10e5 in CNavDTD::HandleEndToken (this=0x8678968, aToken=0x87dc0d8) at
CNavDTD.cpp:1918
#28 0x40edea5d in CNavDTD::HandleToken (this=0x8678968, aToken=0x87dc0d8,
aParser=0x8609d88) at CNavDTD.cpp:890
#29 0x40edda70 in CNavDTD::BuildModel (this=0x8678968, aParser=0x8609d88,
aTokenizer=0x8794430, anObserver=0x0, aSink=0x8678380) at CNavDTD.cpp:539
#30 0x40ef5132 in nsParser::BuildModel (this=0x8609d88) at nsParser.cpp:1990
#31 0x40ef4eb4 in nsParser::ResumeParse (this=0x8609d88, allowIteration=1,
aIsFinalChunk=1) at nsParser.cpp:1871
#32 0x40ef43a8 in nsParser::ContinueParsing (this=0x8609d88) at
nsParser.cpp:1539
#33 0x41262e1a in HTMLContentSink::ScriptEvaluated (this=0x8678380, aResult=0,
aElement=0x87f2228, aIsInline=0, aWasPending=1) at nsHTMLContentSink.cpp:4541
#34 0x4144d086 in nsScriptLoader::FireScriptEvaluated (this=0x86784c0,
aResult=0, aRequest=0x87f2340) at nsScriptLoader.cpp:519
#35 0x4144cd7d in nsScriptLoader::ProcessRequest (this=0x86784c0,
aRequest=0x87f2340) at nsScriptLoader.cpp:478
#36 0x4144e918 in nsScriptLoader::OnStreamComplete (this=0x86784c0,
aLoader=0x87f27e0, aContext=0x87f2340, aStatus=0, stringLen=329,
string=0x87bea18 "document.write ('<A
HREF=\"http://rmfe3.register.com/RealMedia/ads/click_lx.ads/futuresite.register.com/testoas.shtml/307679842/Bottom/iWon-RON-Banner/iWon-RON-BannerRed/6430306332343338336232393166333"...)
at nsScriptLoader.cpp:753
#37 0x40bea249 in nsStreamLoader::OnStopRequest (this=0x87f27e0,
request=0x87f25e8, ctxt=0x0, aStatus=0) at nsStreamLoader.cpp:120
#38 0x40bf24d9 in nsStreamListenerTee::OnStopRequest (this=0x87adf50,
request=0x87f25e8, context=0x0, status=0) at nsStreamListenerTee.cpp:24
#39 0x40c2a724 in nsHttpChannel::OnStopRequest (this=0x87f25e8,
request=0x87f2b08, ctxt=0x0, status=0) at nsHttpChannel.cpp:2100
#40 0x40c54f1c in nsOnStopRequestEvent::HandleEvent (this=0x87f4758) at
nsRequestObserverProxy.cpp:160
#41 0x40bd6d20 in nsARequestObserverEvent::HandlePLEvent (plev=0x87f4758) at
nsRequestObserverProxy.cpp:63
#42 0x40145a33 in PL_HandleEvent (self=0x87f4758) at plevent.c:590
#43 0x40145810 in PL_ProcessPendingEvents (self=0x80b6738) at plevent.c:520
#44 0x40147ddc in nsEventQueueImpl::ProcessPendingEvents (this=0x80b6710) at
nsEventQueue.cpp:374
#45 0x409707e2 in event_processor_callback (data=0x80b6710, source=8,
condition=GDK_INPUT_READ) at nsAppShell.cpp:168
#46 0x40970368 in our_gdk_io_invoke (source=0x832d428, condition=G_IO_IN,
data=0x83536b8) at nsAppShell.cpp:61
#47 0x404a0089 in g_io_unix_dispatch (source_data=0x82aa590,
current_time=0xbffff500, user_data=0x83536b8) at giounix.c:135
#48 0x404a1846 in g_main_dispatch (dispatch_time=0xbffff500) at gmain.c:656
#49 0x404a1e73 in g_main_iterate (block=1, dispatch=1) at gmain.c:877
#50 0x404a202c in g_main_run (loop=0x828f120) at gmain.c:935
#51 0x403c1a4b in gtk_main () at gtkmain.c:476
#52 0x40970f7d in nsAppShell::Run (this=0x8100818) at nsAppShell.cpp:360
#53 0x408ffa95 in nsAppShellService::Run (this=0x80fd858) at
nsAppShellService.cpp:417
#54 0x0805b239 in main1 (argc=1, argv=0xbffff834, nativeApp=0x0) at
nsAppRunner.cpp:1110
#55 0x0805c061 in main (argc=1, argv=0xbffff834) at nsAppRunner.cpp:1408
#56 0x4059b9cb in __libc_start_main (main=0x805be4c <main>, argc=1,
argv=0xbffff834, init=0x8054d08 <_init>, fini=0x8069e50 <_fini>,
rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffff82c) at
../sysdeps/generic/libc-start.c:92

(gdb) 
the crash is at nsHttpConnection.cpp line 223
the mRawPtr of mSocketTransport is null

 	196	// called from any thread
 	197	nsresult
 	198	nsHttpConnection::OnTransactionComplete(nsresult status)
-	199	{
-	200	    LOG(("nsHttpConnection::OnTransactionComplete [this=%x status=%x]\n",
-	201	        this, status));
 	202	
-	203	    NS_ENSURE_TRUE(mSocketTransport, NS_ERROR_UNEXPECTED);
 	204	
 	205	    // be warned: trans may not be mTransaction
 	206	
 	207	    // cancel the requests... this will cause OnStopRequest to be fired
-	208	    if (mWriteRequest) {
-	209	        mWriteRequest->Cancel(status);
-	210	        mWriteRequest = 0;
 	211	    }
-	212	    if (mReadRequest) {
-	213	        mReadRequest->Cancel(status);
-	214	        mReadRequest = 0;
 	215	    }
 	216	
 	217	    // break the cycle between the socket transport and this
-	218	    if (mSocketTransport)
-	219	        mSocketTransport->SetNotificationCallbacks(nsnull, 0);
 	220	
-	221	    if (!mKeepAlive || NS_FAILED(status)) {
 	222	        // if we're not going to be keeping this connection alive...
-	223	        mSocketTransport->SetReuseConnection(PR_FALSE);
-	224	        mSocketTransport = 0;
 	225	    }
 	226	
-	227	    return NS_OK;
-	228	}
This is darin's code.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE

*** This bug has been marked as a duplicate of 85822 ***
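
The `nsHttpConnection::OnTransactionComplete` listing earlier in this thread checks `mSocketTransport` on entry (line 203) and again at line 218, but not at line 223, after the `Cancel` callbacks have run. The following is an added example, not Mozilla's code and not from this bug: it assumes, which the thread does not establish, that the pointer is cleared by a re-entrant call made from those callbacks, and `Connection`, `Transport`, `pendingCancel` and `RunReentrant` are hypothetical names.

```cpp
// Added illustration, not Mozilla code. Connection, Transport and the
// callback are hypothetical stand-ins for the members in the listing.
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>

struct Transport {
    bool reuse = true;
    void SetReuse(bool r) { reuse = r; }
};

enum Result { OK, UNEXPECTED, NULL_AT_USE };

struct Connection {
    std::shared_ptr<Transport> transport = std::make_shared<Transport>();
    std::function<void()> pendingCancel;  // models mReadRequest->Cancel(status)
    bool keepAlive = false;

    // Runs the pending cancel callback once; it may call back into us.
    void CancelRequests() {
        std::function<void()> cb = std::move(pendingCancel);
        pendingCancel = nullptr;
        if (cb) cb();
    }

    // Shape of the listing: checked on entry, used unchecked after callbacks.
    Result CompleteUnguarded() {
        if (!transport) return UNEXPECTED;       // entry check (line 203)
        CancelRequests();                        // callbacks (lines 208-215)
        if (!keepAlive) {
            if (!transport) return NULL_AT_USE;  // line 223 would dereference null
            transport->SetReuse(false);
            transport.reset();
        }
        return OK;
    }

    // Hardened: pin the object in a local before any callback can run.
    Result CompleteGuarded() {
        std::shared_ptr<Transport> pinned = transport;
        if (!pinned) return UNEXPECTED;
        CancelRequests();
        if (!keepAlive) {
            pinned->SetReuse(false);             // valid even if the member was cleared
            transport.reset();
        }
        return OK;
    }
};

// Constructed scenario: the cancel callback re-enters the same method.
Result RunReentrant(bool guarded) {
    Connection c;
    c.pendingCancel = [&c, guarded] {
        if (guarded) c.CompleteGuarded(); else c.CompleteUnguarded();
    };
    return guarded ? c.CompleteGuarded() : c.CompleteUnguarded();
}

int main() {
    std::printf("unguarded=%d guarded=%d\n", RunReentrant(false), RunReentrant(true));
    return 0;
}
```
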
the stack trace I entered was from a different issue
that does not address the reflow crash
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
reopen since the original stack trace is different
Status: REOPENED → ASSIGNED
Darin has checked in a fix for the http prob.
I will rebuild and see if I can reproduce this crash.
jbetak- can you also try to reproduce this one?
Assignee: ftang → jbetak
Status: ASSIGNED → NEW
I went thru every link on my 2001-06-14 14:10 PDT debug linux build and
no crashes
Out of frustration with this bug, I spent some time sifting through the talkback
reports. Found this comment from ryan@cardweb.com
(http://cyclone.mcom.com/reports/incidenttemplate.cfm?bbid=31585395) to be quite
interesting:

"Clicked
http://sourceforge.net/project/showfiles.php?group_id=6999&release_id=38593 and
it died while loading it. It does this every time with this url, but only with
Glibc 2.2.3. I have tried the binaries and compiled it myself with the same
result. FYI, the sourceforge download pages are the only pages I have been"

Tentatively updating OS to Linux. There is a singular MacOS 9 incident
(http://cyclone.mcom.com/reports/incidenttemplate.cfm?bbid=31467149). Even
though this change might not be entirely appropriate, we might fare better by
focusing on Linux first.
OS: other → Linux
I have been able to reproduce this bug on two similar machines.

They are both heavily modified Slackware 7.0
GNU Libc 2.2.3 (built with GCC 2.95.3, binutils 2.11/2.10.1)
Kernel 2.4.5 and 2.4.4
GTK/GLIB 1.2.10

This crash happens with mozilla nightly binaries and when I build it myself.

http://sourceforge.net/project/showfiles.php?group_id=6999&release_id=38593

It also happens on other sourceforge download pages.  I have not been able to
reproduce this crash on any other pages.

On the second box, I tried running mozilla before and after installing GNU Libc
2.2.3 and it only crashed with 2.2.3.

Ryan McGuigan (ryan@cardweb.com)
remove pdt+ . change to moz0.9.3 
Change status line to "only crashed with GNULibC 2.2.3/GCC 2.95.3"
Whiteboard: [PDT+] block-because-cannot-reproduce → only crashed with GNULibC 2.2.3/GCC 2.95.3
Target Milestone: mozilla0.9.2 → mozilla0.9.3
adding Ryan McGuigan to the cc list. Ryan, thanks for taking the time to update 
this bug...
Status: NEW → ASSIGNED
Ryan,

I'm taking the liberty to include your email in the bug description:

"I just tried today's build and it no longer crashes at that
sourceforge download page.

http://sourceforge.net/project/showfiles.php?group_id=6999&release_id=38593

I have not changed anything on my machine, and the page hasn't changed
either.  Yesterday's build still crashes on that page."
per Ryan's comments:  it seems that my or someone else's checkin to 
nsTextFrame.cpp might have affected this crasher as well. From the stack trace 
below one could infer that fixing the incorrect memcpy buffer size in 
nsTextFrame::ComputeTotalWordWidth would have some effect on the 
nsLineLayout::ReflowFrame.

I'm marking dependency on bug 85487, it looks like this crasher is the Linux 
complement of the same buffer overrun.

nsTextFrame::ComputeTotalWordWidth(nsIPresContext * 0x04a79740, nsILineBreaker 
* 0x0451f4f0, nsLineLayout & {...}, const nsHTMLReflowState & {...}, nsIFrame * 
0x02c42b50, int 540, unsigned short * 0x00121768, unsigned int 5, unsigned int 
124) line 5272
nsTextFrame::MeasureText(nsIPresContext * 0x04a79740, const nsHTMLReflowState & 
{...}, nsTextTransformer & {...}, nsILineBreaker * 0x0451f4f0, 
nsTextFrame::TextStyle & {...}, nsTextFrame::TextReflowData & {...}) line 4810 
+ 65 bytes
nsTextFrame::Reflow(nsTextFrame * const 0x02c42ad0, nsIPresContext * 
0x04a79740, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 5048 + 43 bytes
nsLineLayout::ReflowFrame(nsIFrame * 0x02c42ad0, nsIFrame * * 0x00121c14, 
unsigned int & 0, nsHTMLReflowMetrics * 0x00000000, int & 0) line 955 + 43 bytes
Depends on: 85487
I'm tentatively closing this bug. Based on Ryan's comments it seems reasonable 
to assume that the changes to nsTextFrame.cpp from 06/19/2001 addressed this 
issue as well. 

http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/layout/html/base/src/nsTextFrame.cpp

Thanks everyone!
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Since I'm not exactly sure how to test this, I'm marking verified based on the
last comments.

Status: RESOLVED → VERIFIED
Crash Signature: [@ nsTextFrame::Reflow]
Keywords: qawanted