M091 Linux crash [@ nsTextFrame::Reflow]

VERIFIED FIXED in mozilla0.9.3

Status

()

Core
Layout
P1
normal
VERIFIED FIXED
17 years ago
3 years ago

People

(Reporter: greer, Assigned: jbetak@netscape.com (away - not reading bugmail))

Tracking

({crash, topcrash})

Trunk
mozilla0.9.3
x86
Linux
crash, topcrash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: only crashed with GNULibC 2.2.3/GCC 2.95.3, crash signature)

(Reporter)

Description

17 years ago
 
(Reporter)

Comment 1

17 years ago
This one is showing up on the talkback reports with lots of comments that may 
help reporduce (cf bug 77939 bug 77945).

Stack Trace: 

         nsTextFrame::Reflow()
         nsLineLayout::ReflowFrame()
         nsInlineFrame::ReflowInlineFrame()
         nsInlineFrame::ReflowFrames()
         nsInlineFrame::Reflow()
         nsLineLayout::ReflowFrame()
         nsInlineFrame::ReflowInlineFrame()
         nsInlineFrame::ReflowFrames()
         nsInlineFrame::Reflow()
         nsLineLayout::ReflowFrame()
         nsBlockFrame::ReflowInlineFrame()
         nsBlockFrame::DoReflowInlineFrames()
         nsBlockFrame::DoReflowInlineFramesAuto()
         nsBlockFrame::ReflowInlineFrames()
         nsBlockFrame::ReflowLine()
         nsBlockFrame::ReflowDirtyLines()
         nsBlockFrame::Reflow()
         nsBlockReflowContext::DoReflowBlock()
         nsBlockReflowContext::ReflowBlock()
         nsBlockFrame::ReflowBlockFrame()
         nsBlockFrame::ReflowLine()
         nsBlockFrame::ReflowDirtyLines()
         nsBlockFrame::Reflow()
         nsContainerFrame::ReflowChild()
         CanvasFrame::Reflow()
         nsBoxToBlockAdaptor::Reflow()
         nsBoxToBlockAdaptor::DoLayout()
         nsBox::Layout()
         nsScrollBoxFrame::DoLayout()
         nsBox::Layout()
         nsContainerBox::LayoutChildAt()
         nsGfxScrollFrameInner::LayoutBox()
         nsGfxScrollFrameInner::Layout()
         nsGfxScrollFrame::DoLayout()
         nsBox::Layout()
         nsBoxFrame::Reflow()
         nsGfxScrollFrame::Reflow()
         nsContainerFrame::ReflowChild()
         ViewportFrame::Reflow()
         nsHTMLReflowCommand::Dispatch()
         PresShell::ProcessReflowCommand()
         PresShell::ProcessReflowCommands()
         HandlePLEvent()
         PL_HandleEvent()
         PL_ProcessPendingEvents()
         nsEventQueueImpl::ProcessPendingEvents()
         event_processor_callback()
         our_gdk_io_invoke()
         libglib-1.2.so.0 + 0xec80 (0x40358c80)
         libglib-1.2.so.0 + 0x10348 (0x4035a348)
         libglib-1.2.so.0 + 0x10953 (0x4035a953)
         libglib-1.2.so.0 + 0x10aec (0x4035aaec)
         libgtk-1.2.so.0 + 0x8d667 (0x4027b667)
         nsAppShell::Run()
         nsAppShellService::Run()
         main1()
         main()
         libc.so.6 + 0x1d2db (0x404962db)     (31560342)        Comments: I 
click on the
following link then
BOOM!
http://www.fokus.gmd.de/research/cc/glone/employees/joerg.schilling/private/
     (31549848) URL: winex.org
     (31535898) URL: http://www.sourceforge.net
     (31535898) Comments: Wanted to download a file on www.sourceforge.net.
There is a overview of the releases for every project and you can click on
"Download" for the desired version. It should lead to another page
     (31535805) URL: http://www.sourceforge.net
     (31535805) Comments: Searching for a project
     (31527259) URL: www.sourceforge.net (somewhere in there)
     (31527259) Comments: Clicked on a link
     (31514964) URL: http://sourceforge.net/projects/
     (31514964) Comments: a php script for download gnomemm !
     (31510662) URL: http://sourceforge.net/project/showfiles.php
     (31510655) URL: http://sourceforge.net/project/showfiles.php
     (31510648) URL: http://sourceforge.net/project/showfiles.php
     (31510648) Comments: I was just about to download Galeon from sourceforge
when Mozilladied on me.
     (31507174) URL: http://www.ew.com/ew
     (31507174) Comments: Go here....BOOM!!!!!
     (31507095) URL: http://www.netscape.com
     (31507095) Comments: Tried it again....The link is to Entertainment
Weekly's web site from Netscape's siteSeems to crash on this site.  I'm going to
try to go directly to eweek.....I may be back!!!
     (31507027) URL: http://www.netscape.com
     (31507027) Comments: Today
     (31507027) Comments:  "Weirdly Uneven...."which I think goes to TVWeek or
something...not sure.  But clicking on thislink caused Mozilla to BOMB!!!!
     (31476920) Comments: cant remember URL
     (31476019) URL: sourceforge.net
     (31476019) Comments: Downloading files
     (31474674) URL: www.google.com
     (31474674) Comments: Clicked on a link on google
     (31474545) URL: http://mesa3d.sourceforge.net
     (31474545) Comments: I first pointed Mozilla to
http://mesa3d.sourceforge.net
     (31474545) Comments:  in Mozilla 0.9 too..
     (31465625) URL: http://sourceforge.net/project/showfile.php?group_id=954
     (31465617) URL: http://sourceforge.net/project/showfile.php?group_id=954
     (31465617) Comments: Clicked on link to open that url from
www.bibletime.de.  A second window opened and as the page was loading it
crashed.
Keywords: crash, topcrash

Comment 2

17 years ago
Reassigning to ftang.
Assignee: karnaze → ftang

Updated

17 years ago
Keywords: qawanted

Comment 3

17 years ago
mark as moz0.9.2 
shanjian- can you take a look at this one ?
Assignee: ftang → shanjian
Target Milestone: --- → mozilla0.9.2

Comment 4

17 years ago
My Linux system is offline. (I did not plan to bring it back online before my ISDN is up.)
So please help to fix this one. 

Comment 5

17 years ago
shanjian, can you try to reproduce this under window first?
Priority: -- → P1

Comment 6

17 years ago
pdt+ base on 6/11 pdt meeting.

Updated

17 years ago
Whiteboard: [PDT+]

Comment 7

17 years ago
Can't reproduce on Windows.
I tried with 20010611 debug build on Windows 98CT, W2K

Comment 8

17 years ago
add katakai san.

Comment 9

17 years ago
shanjian need to take care his new baby now. Reassign to ftang.
Assignee: shanjian → ftang

Comment 10

17 years ago
I cannot reproduce this on my up-to-date Linux build

Comment 11

17 years ago
I can't reproduce the crash with 2001-06-13-08 linux build by clicking the links 
in this report. Today's linux build (06/14) is not stable. It crashes at a lot 
of web sites.

Updated

17 years ago
Whiteboard: [PDT+] → [PDT+] block-because-cannot-reproduce

Comment 12

17 years ago
with a current build on my system it crashed on "winex.org" with this message:

###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 
'mRawPtr != 0', file ../../../../dist/
include/nsCOMPtr.h, line 649
###!!! Break: at file ../../../../dist/include/nsCOMPtr.h, line 649

Comment 13

17 years ago
here is the stack trace:

(gdb) bt
#0  0x40c1cf4a in nsHttpConnection::OnTransactionComplete (this=0x87af038,
status=2152398850) at nsHttpConnection.cpp:223
#1  0x40c20bdc in nsHttpTransaction::Cancel (this=0x87d05c8, status=2152398850)
at nsHttpTransaction.cpp:646
#2  0x40c28a35 in nsHttpChannel::Cancel (this=0x87c3a18, status=2152398850) at
nsHttpChannel.cpp:1589
#3  0x41df6ee9 in imgRequest::Cancel (this=0x87cf8a8, status=2152398850) at
imgRequest.cpp:269
#4  0x41df6b39 in imgRequest::RemoveProxy (this=0x87cf8a8, proxy=0x87d09a8,
aStatus=2147500037) at imgRequest.cpp:195
#5  0x41df9c61 in imgRequestProxy::Cancel (this=0x87d09a8, status=2147500037) at
imgRequestProxy.cpp:167
#6  0x417cdb2b in nsImageFrame::Destroy (this=0x87cb514, aPresContext=0x867db50)
at nsImageFrame.cpp:191
#7  0x41935619 in nsFrameList::DestroyFrames (this=0x87cb458,
aPresContext=0x867db50) at nsFrameList.cpp:115
#8  0x417a8711 in nsContainerFrame::Destroy (this=0x87cb424,
aPresContext=0x867db50) at nsContainerFrame.cpp:116
#9  0x417da3a9 in nsLineBox::DeleteLineList (aPresContext=0x867db50,
aLine=0x87ca9f4) at nsLineBox.cpp:251
#10 0x41795033 in nsBlockFrame::Destroy (this=0x87ca770, aPresContext=0x867db50)
at nsBlockFrame.cpp:313
#11 0x417da3a9 in nsLineBox::DeleteLineList (aPresContext=0x867db50,
aLine=0x87caa1c) at nsLineBox.cpp:251
#12 0x41795033 in nsBlockFrame::Destroy (this=0x87ca670, aPresContext=0x867db50)
at nsBlockFrame.cpp:313
#13 0x4179e48d in nsBlockFrame::DoRemoveFrame (this=0x87c9cf0,
aPresContext=0x867db50, aDeletedFrame=0x87ca670) at nsBlockFrame.cpp:4668
#14 0x4179e0d1 in nsBlockFrame::RemoveFrame (this=0x87c9cf0,
aPresContext=0x867db50, aPresShell=@0x86335b8, aListName=0x0,
aOldFrame=0x87ca670) at nsBlockFrame.cpp:4564
#15 0x41844a66 in nsFormFrame::RemoveFrame (this=0x87c9cf0,
aPresContext=0x867db50, aPresShell=@0x86335b8, aListName=0x0,
aOldFrame=0x87ca670) at nsFormFrame.cpp:379
#16 0x417bd217 in FrameManager::RemoveFrame (this=0x8641158,
aPresContext=0x867db50, aPresShell=@0x86335b8, aParentFrame=0x87c9cf0,
aListName=0x0, aOldFrame=0x87ca670) at nsFrameManager.cpp:904
#17 0x4188fbd1 in nsCSSFrameConstructor::ContentRemoved (this=0x8641000,
aPresContext=0x867db50, aContainer=0x863ee50, aChild=0x87f2058,
aIndexInContainer=0) at nsCSSFrameConstructor.cpp:9242
#18 0x4143a32e in StyleSetImpl::ContentRemoved (this=0x8640f90,
aPresContext=0x867db50, aContainer=0x863ee50, aChild=0x87f2058,
aIndexInContainer=0) at nsStyleSet.cpp:1124
#19 0x417fe6b3 in PresShell::ContentRemoved (this=0x86335b8,
aDocument=0x867cf58, aContainer=0x863ee50, aChild=0x87f2058,
aIndexInContainer=0) at nsPresShell.cpp:4907
#20 0x413c2ed9 in nsDocument::ContentRemoved (this=0x867cf58,
aContainer=0x863ee50, aChild=0x87f2058, aIndexInContainer=0) at
nsDocument.cpp:1645
#21 0x4126c922 in nsHTMLDocument::ContentRemoved (this=0x867cf58,
aContainer=0x863ee50, aContent=0x87f2058, aIndexInContainer=0) at
nsHTMLDocument.cpp:1216
#22 0x411d508e in nsGenericHTMLContainerElement::RemoveChildAt (this=0x863ee50,
aIndex=0, aNotify=1) at nsGenericHTMLElement.cpp:3703
#23 0x41257fed in SinkContext::DemoteContainer (this=0x846c878,
aNode=@0xbfffe9c8) at nsHTMLContentSink.cpp:1631
#24 0x4125cf3d in HTMLContentSink::CloseForm (this=0x8678380, aNode=@0xbfffe9c8)
at nsHTMLContentSink.cpp:2997
#25 0x40ee3a31 in CNavDTD::CloseForm (this=0x8678968, aNode=0xbfffe9c8) at
CNavDTD.cpp:3210
#26 0x40ee4354 in CNavDTD::CloseContainer (this=0x8678968, aNode=0xbfffe9c8,
aTarget=eHTMLTag_form, aClosedByStartTag=0) at CNavDTD.cpp:3503
#27 0x40ee10e5 in CNavDTD::HandleEndToken (this=0x8678968, aToken=0x87dc0d8) at
CNavDTD.cpp:1918
#28 0x40edea5d in CNavDTD::HandleToken (this=0x8678968, aToken=0x87dc0d8,
aParser=0x8609d88) at CNavDTD.cpp:890
#29 0x40edda70 in CNavDTD::BuildModel (this=0x8678968, aParser=0x8609d88,
aTokenizer=0x8794430, anObserver=0x0, aSink=0x8678380) at CNavDTD.cpp:539
#30 0x40ef5132 in nsParser::BuildModel (this=0x8609d88) at nsParser.cpp:1990
#31 0x40ef4eb4 in nsParser::ResumeParse (this=0x8609d88, allowIteration=1,
aIsFinalChunk=1) at nsParser.cpp:1871
#32 0x40ef43a8 in nsParser::ContinueParsing (this=0x8609d88) at
nsParser.cpp:1539
#33 0x41262e1a in HTMLContentSink::ScriptEvaluated (this=0x8678380, aResult=0,
aElement=0x87f2228, aIsInline=0, aWasPending=1) at nsHTMLContentSink.cpp:4541
#34 0x4144d086 in nsScriptLoader::FireScriptEvaluated (this=0x86784c0,
aResult=0, aRequest=0x87f2340) at nsScriptLoader.cpp:519
#35 0x4144cd7d in nsScriptLoader::ProcessRequest (this=0x86784c0,
aRequest=0x87f2340) at nsScriptLoader.cpp:478
#36 0x4144e918 in nsScriptLoader::OnStreamComplete (this=0x86784c0,
aLoader=0x87f27e0, aContext=0x87f2340, aStatus=0, stringLen=329,
string=0x87bea18 "document.write ('<A
HREF=\"http://rmfe3.register.com/RealMedia/ads/click_lx.ads/futuresite.register.com/testoas.shtml/307679842/Bottom/iWon-RON-Banner/iWon-RON-BannerRed/6430306332343338336232393166333"...)
at nsScriptLoader.cpp:753
#37 0x40bea249 in nsStreamLoader::OnStopRequest (this=0x87f27e0,
request=0x87f25e8, ctxt=0x0, aStatus=0) at nsStreamLoader.cpp:120
#38 0x40bf24d9 in nsStreamListenerTee::OnStopRequest (this=0x87adf50,
request=0x87f25e8, context=0x0, status=0) at nsStreamListenerTee.cpp:24
#39 0x40c2a724 in nsHttpChannel::OnStopRequest (this=0x87f25e8,
request=0x87f2b08, ctxt=0x0, status=0) at nsHttpChannel.cpp:2100
#40 0x40c54f1c in nsOnStopRequestEvent::HandleEvent (this=0x87f4758) at
nsRequestObserverProxy.cpp:160
#41 0x40bd6d20 in nsARequestObserverEvent::HandlePLEvent (plev=0x87f4758) at
nsRequestObserverProxy.cpp:63
#42 0x40145a33 in PL_HandleEvent (self=0x87f4758) at plevent.c:590
#43 0x40145810 in PL_ProcessPendingEvents (self=0x80b6738) at plevent.c:520
#44 0x40147ddc in nsEventQueueImpl::ProcessPendingEvents (this=0x80b6710) at
nsEventQueue.cpp:374
#45 0x409707e2 in event_processor_callback (data=0x80b6710, source=8,
condition=GDK_INPUT_READ) at nsAppShell.cpp:168
#46 0x40970368 in our_gdk_io_invoke (source=0x832d428, condition=G_IO_IN,
data=0x83536b8) at nsAppShell.cpp:61
#47 0x404a0089 in g_io_unix_dispatch (source_data=0x82aa590,
current_time=0xbffff500, user_data=0x83536b8) at giounix.c:135
#48 0x404a1846 in g_main_dispatch (dispatch_time=0xbffff500) at gmain.c:656
#49 0x404a1e73 in g_main_iterate (block=1, dispatch=1) at gmain.c:877
#50 0x404a202c in g_main_run (loop=0x828f120) at gmain.c:935
#51 0x403c1a4b in gtk_main () at gtkmain.c:476
#52 0x40970f7d in nsAppShell::Run (this=0x8100818) at nsAppShell.cpp:360
#53 0x408ffa95 in nsAppShellService::Run (this=0x80fd858) at
nsAppShellService.cpp:417
#54 0x0805b239 in main1 (argc=1, argv=0xbffff834, nativeApp=0x0) at
nsAppRunner.cpp:1110
#55 0x0805c061 in main (argc=1, argv=0xbffff834) at nsAppRunner.cpp:1408
#56 0x4059b9cb in __libc_start_main (main=0x805be4c <main>, argc=1,
argv=0xbffff834, init=0x8054d08 <_init>, fini=0x8069e50 <_fini>,
rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffff82c) at
../sysdeps/generic/libc-start.c:92

(gdb) 

Comment 14

17 years ago
the crash is at nsHttpConnection.cpp line 223
the mRawPtr of mSocketTransport is null

 	196	// called from any thread
 	197	nsresult
 	198	nsHttpConnection::OnTransactionComplete(nsresult status)
-	199	{
-	200	    LOG(("nsHttpConnection::OnTransactionComplete [this=%x status=%x]\n",
-	201	        this, status));
 	202	
-	203	    NS_ENSURE_TRUE(mSocketTransport, NS_ERROR_UNEXPECTED);
 	204	
 	205	    // be warned: trans may not be mTransaction
 	206	
 	207	    // cancel the requests... this will cause OnStopRequest to be fired
-	208	    if (mWriteRequest) {
-	209	        mWriteRequest->Cancel(status);
-	210	        mWriteRequest = 0;
 	211	    }
-	212	    if (mReadRequest) {
-	213	        mReadRequest->Cancel(status);
-	214	        mReadRequest = 0;
 	215	    }
 	216	
 	217	    // break the cycle between the socket transport and this
-	218	    if (mSocketTransport)
-	219	        mSocketTransport->SetNotificationCallbacks(nsnull, 0);
 	220	
-	221	    if (!mKeepAlive || NS_FAILED(status)) {
 	222	        // if we're not going to be keeping this connection alive...
-	223	        mSocketTransport->SetReuseConnection(PR_FALSE);
-	224	        mSocketTransport = 0;
 	225	    }
 	226	
-	227	    return NS_OK;
-	228	}

Comment 15

17 years ago
This is darin's code.

Updated

17 years ago
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → DUPLICATE

Comment 16

17 years ago

*** This bug has been marked as a duplicate of 85822 ***

Comment 17

17 years ago
the stack trace I entered was from a different issue
that does not address the reflow crash
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

Comment 18

17 years ago
reopen since the origional stack trace are different
Status: REOPENED → ASSIGNED

Comment 19

17 years ago
Darin has checked in a fix for the http prob.
I will rebuild and see if I can reproduce this crash.

Comment 20

17 years ago
jbetak- can you also try to reproduce this one?
Assignee: ftang → jbetak
Status: ASSIGNED → NEW

Comment 21

17 years ago
I went thru every link on my 2001-06-14 14:10 PDT debug linux build and
no crashes
Out of frustration with this bug, I spent some time sifting through the talkback
reports. Found this comment from ryan@cardweb.com
(http://cyclone.mcom.com/reports/incidenttemplate.cfm?bbid=31585395) to be quite
interesting:

"Clicked
http://sourceforge.net/project/showfiles.php?group_id=6999&release_id=38593 and
it died while loading it. It does this every time with this url, but only with
Glibc 2.2.3. I have tried the binaries and compiled it myself with the same
result. FYI, the sourceforge download pages are the only pages I have been"

Tentatively updating OS to Linux. There is a singular MacOS 9 incident
(http://cyclone.mcom.com/reports/incidenttemplate.cfm?bbid=31467149). Even
though this change might not be entirely appropriate, we might fare better by
focusing on Linux first.
OS: other → Linux

Comment 23

17 years ago
I have been able to reproduce this bug on two similar machines.

They are both heavily modified Slackware 7.0
GNU Libc 2.2.3 (built with GCC 2.95.3, binutils 2.11/2.10.1)
Kernel 2.4.5 and 2.4.4
GTK/GLIB 1.2.10

This crash happens with mozilla nightly binaries and when I build it myself.

http://sourceforge.net/project/showfiles.php?group_id=6999&release_id=38593

It also happens on other sourceforge download pages.  I have not been able to
reproduce this crash on any other pages.

On the second box, I tried running mozilla before and after installing GNU Libc
2.2.3 and it only crashed with 2.2.3.

Ryan McGuigan (ryan@cardweb.com)

Comment 24

17 years ago
remove pdt+ . change to moz0.9.3 
Change status line to "only crashed with GNULibC 2.2.3/GCC 2.95.3"
Whiteboard: [PDT+] block-because-cannot-reproduce → only crashed with GNULibC 2.2.3/GCC 2.95.3
Target Milestone: mozilla0.9.2 → mozilla0.9.3
adding Ryan McGuigan to the cc list. Ryan, thanks for taking the time to update 
this bug...
Status: NEW → ASSIGNED
Ryan,

I'm taking the liberty to include your email in the bug description:

"I just tried today's build and it no longer crashes at that
sourceforge download page.

http://sourceforge.net/project/showfiles.php?group_id=6999&release_id=38593

I have not changed anything on my machine, and the page hasn't changed
either.  Yesterday's build still crashes on that page."
per Ryan's comments:  it seems that my or somone else's checkin to 
nsTextFrame.cpp might have affected this crasher as well. From the stack trace 
below one could infer that fixing the incorrect memcpy buffer size in 
nsTextFrame::ComputeTotalWordWidth would have some effect on the 
nsLineLayout::ReflowFrame.

I'm marking dependency on bug 85487, it looks like this crasher is the Linux 
complement of the same buffer overrun.

nsTextFrame::ComputeTotalWordWidth(nsIPresContext * 0x04a79740, nsILineBreaker 
* 0x0451f4f0, nsLineLayout & {...}, const nsHTMLReflowState & {...}, nsIFrame * 
0x02c42b50, int 540, unsigned short * 0x00121768, unsigned int 5, unsigned int 
124) line 5272
nsTextFrame::MeasureText(nsIPresContext * 0x04a79740, const nsHTMLReflowState & 
{...}, nsTextTransformer & {...}, nsILineBreaker * 0x0451f4f0, 
nsTextFrame::TextStyle & {...}, nsTextFrame::TextReflowData & {...}) line 4810 
+ 65 bytes
nsTextFrame::Reflow(nsTextFrame * const 0x02c42ad0, nsIPresContext * 
0x04a79740, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 5048 + 43 bytes
nsLineLayout::ReflowFrame(nsIFrame * 0x02c42ad0, nsIFrame * * 0x00121c14, 
unsigned int & 0, nsHTMLReflowMetrics * 0x00000000, int & 0) line 955 + 43 bytes
Depends on: 85487
I'm tentatively closing this bug. Based on Ryan's comments it seems reasonable 
to assume that the changes to nsTextFrame.cpp from 06/19/2001 addressed this 
issue as well. 

http://bonsai.mozilla.org/cvslog.cgi?
file=mozilla/layout/html/base/src/nsTextFrame.cpp

Thanks everyone!
Status: ASSIGNED → RESOLVED
Last Resolved: 17 years ago17 years ago
Resolution: --- → FIXED

Comment 29

17 years ago
Since I 'm not exactly sure how to test this, I'm marking verified based on the
last comments.

Status: RESOLVED → VERIFIED
Crash Signature: [@ nsTextFrame::Reflow]
Keywords: qawanted
You need to log in before you can comment on or make changes to this bug.