Closed
Bug 97226
Opened 23 years ago
Closed 23 years ago
Browser crashes in gklayout.dll while loading URL [@ nsCSSRendering::PaintBackground]
Categories
(Core :: Layout, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla0.9.4
People
(Reporter: grey, Assigned: dbaron)
References
()
Details
(Keywords: crash, topcrash, Whiteboard: want for 0.9.4)
Crash Data
Attachments
(3 files)
108.89 KB,
text/plain
|
Details | |
1.97 KB,
patch
|
Details | Diff | Splinter Review | |
1.19 KB,
patch
|
asa
:
approval+
|
Details | Diff | Splinter Review |
While doing heavy and serious research on the origins of man, I decided to see what TV Guide had to say. Delving into their cover archive, Mozilla burped up a big ol' GPF. Happens conssitently, for me on Win98SE, and for someone else in teh #mozillazine channel. 4 talkbacks reported, one is going to be attached here as well. Just for kicks, here's Windows' error info: MOZILLA caused an invalid page fault in module GKLAYOUT.DLL at 017f:6039f89f. Registers: EAX=00000000 CS=017f EIP=6039f89f EFLGS=00010246 EBX=00000000 SS=0187 ESP=0068f498 EBP=0068f560 ECX=0068f568 DS=0187 ESI=01e47308 FS=44b7 EDX=0068f53c ES=0187 EDI=00003d86 GS=0000 Bytes at CS:EIP: 8b 08 ff 51 54 8b 45 08 8d 55 10 52 6a 12 8b 08 Stack dump: 00000000 0068f53c 00000000 01e47308 026c8e20 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Reporter | ||
Comment 1•23 years ago
|
||
crash also on mac nightly build id 2001082708 mac os error code 2 LAYOUT_DLL nsCSSRendering::PaintBackground(nsIPresContext*, nsIRenderingContext&, nsIFrame*, const nsRect&, const nsRect&, const nsStyleBackground&, const nsStyleBorder&, int, int)+009AC
Comment 3•23 years ago
|
||
With a debug build (from CVS, just finished building) I get this on the console: ###!!! ASSERTION: not a percent value: 'mUnit == eStyleUnit_Percent', file ../../../../dist/include/nsStyleCoord.h, line 159 ###!!! Break: at file ../../../../dist/include/nsStyleCoord.h, line 159 ###!!! ASSERTION: not a percent value: 'mUnit == eStyleUnit_Percent', file ../../../../dist/include/nsStyleCoord.h, line 159 ###!!! Break: at file ../../../../dist/include/nsStyleCoord.h, line 159 Document http://www.tvguide.com/magazine/covers loaded successfully ###!!! ASSERTION: A canvas with a background image had no child frame, which is impossible according to CSS. Make sure there isn't a background image specified on the |:viewport| pseudo-element in |html.css|.: 'firstRootElementFrame', file nsCSSRendering.cpp, line 2416 ###!!! Break: at file nsCSSRendering.cpp, line 2416 and then a segfault.
Keywords: crash
OS: Windows 98 → All
Comment 4•23 years ago
|
||
Moving to layout. Here's a stack trace from the debugger: #0 0x42001d8c in nsCSSRendering::PaintBackground (aPresContext=0x8728e00, aRenderingContext=@0x8895450, aForFrame=0x8756944, aDirtyRect=@0xbffff100, aBorderArea=@0xbfffef10, aColor=@0x876fe84, aBorder=@0x876545c, aDX=0, aDY=0) at nsCSSRendering.cpp:2420 #1 0x41f3968b in nsHTMLContainerFrame::Paint (this=0x8756944, aPresContext=0x8728e00, aRenderingContext=@0x8895450, aDirtyRect=@0xbffff100, aWhichLayer=eFramePaintLayer_Underlay) at nsHTMLContainerFrame.cpp:83 #2 0x41f3b3d1 in CanvasFrame::Paint (this=0x8756944, aPresContext=0x8728e00, aRenderingContext=@0x8895450, aDirtyRect=@0xbffff100, aWhichLayer=eFramePaintLayer_Underlay) at nsHTMLFrame.cpp:397 #3 0x41f708fe in PresShell::Paint (this=0x84b8da0, aView=0x8765738, aRenderingContext=@0x8895450, aDirtyRect=@0xbffff100) at nsPresShell.cpp:5380 #4 0x42171a86 in nsView::Paint (this=0x8765738, rc=@0x8895450, rect=@0xbffff100, aPaintFlags=128, aResult=@0xbffff118) at nsView.cpp:273 #5 0x4217c46d in nsViewManager::RenderDisplayListElement (this=0x8656c98, element=0x87b4d40, aRC=@0x8895450) at nsViewManager.cpp:1439 #6 0x4217c1ad in nsViewManager::RenderViews (this=0x8656c98, aRootView=0x854c820, aRC=@0x8895450, aRect=@0xbffff230, aResult=@0xbffff22c) at nsViewManager.cpp:1363 #7 0x4217accb in nsViewManager::Refresh (this=0x8656c98, aView=0x854c820, aContext=0x8895450, rect=0xbffff2e0, aUpdateFlags=1) at nsViewManager.cpp:899 #8 0x4217d9f5 in nsViewManager::DispatchEvent (this=0x8656c98, aEvent=0xbffff450, aStatus=0xbffff330) at nsViewManager.cpp:1958 #9 0x42171324 in HandleEvent (aEvent=0xbffff450) at nsView.cpp:67 #10 0x41093745 in nsWidget::DispatchEvent (this=0x8724ea0, aEvent=0xbffff450, aStatus=@0xbffff3fc) at nsWidget.cpp:1387 #11 0x41093366 in nsWidget::DispatchWindowEvent (this=0x8724ea0, event=0xbffff450) at nsWidget.cpp:1278 #12 0x41098db7 in nsWindow::DoPaint (this=0x8724ea0, aX=0, aY=0, aWidth=1273, aHeight=866, aClipRegion=0x8766468) at nsWindow.cpp:778 #13 0x41099021 in nsWindow::Update (this=0x8724ea0) at nsWindow.cpp:824 #14 0x41098aec in nsWindow::UpdateIdle (data=0x0) at nsWindow.cpp:692 #15 0x4045d9ad in g_idle_dispatch () from /usr/lib/libglib-1.2.so.0 #16 0x4045c8f3 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0 #17 0x4045cf38 in g_main_iterate () from /usr/lib/libglib-1.2.so.0 #18 0x4045d0fc in g_main_run () from /usr/lib/libglib-1.2.so.0 #19 0x40372933 in gtk_main () from /usr/lib/libgtk-1.2.so.0 #20 0x4107f5b9 in nsAppShell::Run (this=0x810b528) at nsAppShell.cpp:349 #21 0x408612dd in nsAppShellService::Run (this=0x811fe20) at nsAppShellService.cpp:427 #22 0x0805aadc in main1 (argc=1, argv=0xbffff8c4, nativeApp=0x0) at nsAppRunner.cpp:1387 #23 0x0805b77f in main (argc=1, argv=0xbffff8c4) at nsAppRunner.cpp:1709
Component: Browser-General → Layout
Updated•23 years ago
|
Assignee: asa → karnaze
QA Contact: doronr → petersen
Comment 5•23 years ago
|
||
really moving
Assignee | ||
Comment 6•23 years ago
|
||
This is due to the changes for bug 46446. firstRootElementFrame seems to be null (judging by the registers in the talkback info). Ian - you stuck in an assertion, but we seem to be hitting that case some of the time. What should happen here?
Keywords: topcrash
Summary: Browser crashes in gklayout.dll while loading URL → Browser crashes in gklayout.dll while loading URL [@ nsCSSRendering::PaintBackground]
Whiteboard: want for 0.9.4
Comment 7•23 years ago
|
||
I would guess (and this is only a guess) that the code is being called when the page hasn't finished loading. I don't have access to a debugging environment right now, but poking around in a debugger when that assertion is hit should explain what is going on. As a stopgap solution, until we work out what is actually happening, replacing the code around the assertion with something akin to: } else { nsCOMPtr<nsIAtom> frameType; aForFrame->GetFrameType(getter_AddRefs(frameType)); if (frameType.get() == nsLayoutAtoms::canvasFrame) { // If the frame is the canvas, the image is placed relative to // the root element's (first) frame (see bug 46446) nsRect firstRootElementFrameArea; nsIFrame* firstRootElementFrame; aForFrame->FirstChild(aPresContext, nsnull, &firstRootElementFrame); if (firstRootElementFrame) { // temporary null check -- see bug 97226 firstRootElementFrame->GetRect(firstRootElementFrameArea); if (firstRootElementFrameArea) { // also temporary -- see bug 97226 // Take the border out of the frame's rect const nsStyleBorder* borderStyle; [...] // Get the anchor point ComputeBackgroundAnchorPoint(aColor, [...]); } else { ComputeBackgroundAnchorPoint(aColor, paddingArea, paddingArea, tileWidth, tileHeight, anchor); } } else { ComputeBackgroundAnchorPoint(aColor, paddingArea, paddingArea, tileWidth, tileHeight, anchor); } } else { // Otherwise, it is the normal case, and the background is // simply placed relative to the frame's padding area ComputeBackgroundAnchorPoint(aColor, paddingArea, paddingArea, tileWidth, tileHeight, anchor); } } ...should stop the crash. Reassigning to dbaron. dbaron: If you are ok with it, could you make a patch for the proposed change above? We can check that (or something similar) in now, and then when I'm set up to compile again I'll try to understand what the real problem is. Grey Hodge: Does http://www.tvguide.com/magazine/covers reliably crash for you with both JavaScript turned on and JavaScript turned off, or does it only crash if it shows the popup window?
Assignee: karnaze → dbaron
Reporter | ||
Comment 8•23 years ago
|
||
Good question. It crashes WHILE loading, as opposed to after it's loaded, but yes, only with Javascript enabled. Turning it off allows the page to loud without bombing out.
Comment 9•23 years ago
|
||
I've reduced it down to this javascript file: http://serve.m-ave.net/jscript/MerchandisingAvenue.js
Assignee | ||
Updated•23 years ago
|
Severity: major → critical
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla0.9.4
Assignee | ||
Comment 10•23 years ago
|
||
The URLs reported in talkback report comments are: http://www.kissasylum.com/ http://tvguide.com/magazine/covers http://tvguide.com/
Assignee | ||
Comment 11•23 years ago
|
||
Is this still happening in current builds? I can't reproduce it.
Reporter | ||
Comment 12•23 years ago
|
||
Seems to be WFM now here as well...
Comment 13•23 years ago
|
||
Talkback data shows this last crashed with MozillaTrunk build 2001083109. Should this be marked wfm if no one is able to reproduce and we don't know of any recent checkin that could have fixed this?
Reporter | ||
Comment 14•23 years ago
|
||
Agreed. I can't reproduce it for anything, now. Opening up a slightly older build I can, but not on current builds. Marking WFM. But if anyone has an idea what fixed it, post it.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → WORKSFORME
Assignee | ||
Comment 15•23 years ago
|
||
Reopening this. There have still been a few talkback reports in recent builds.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Assignee | ||
Updated•23 years ago
|
Status: REOPENED → ASSIGNED
Assignee | ||
Comment 16•23 years ago
|
||
Assignee | ||
Comment 17•23 years ago
|
||
Assignee | ||
Updated•23 years ago
|
Attachment #48847 -
Attachment description: proposed patch → proposed patch (diff -u)
Comment 18•23 years ago
|
||
r=hixie
Comment 19•23 years ago
|
||
Any explanation as to why the frame is null at this point? sr=waterson
Assignee | ||
Comment 20•23 years ago
|
||
I really don't know why it's null. Could it be because the frame tree is partially constructed (in which case we really need the null-check)?
Comment 21•23 years ago
|
||
Comment on attachment 48848 [details] [diff] [review] proposed patch (diff -uw) a=asa for checkin to 0.9.4
Attachment #48848 -
Flags: approval+
Assignee | ||
Comment 22•23 years ago
|
||
Checked in to trunk 2001-09-10 12:37 PDT and 0.9.4 branch 2001-09-10 14:43 PDT. Filed bug 99176 to figure out the real cause of the problem. Marking FIXED.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago → 23 years ago
Resolution: --- → FIXED
Comment 23•23 years ago
|
||
Verified in the Sept 28th branch build. Mac OS X (2001-09-28-04) and Windows ME (2001-09-28-05).
Keywords: vtrunk
Updated•13 years ago
|
Crash Signature: [@ nsCSSRendering::PaintBackground]
You need to log in
before you can comment on or make changes to this bug.
Description
•