The PlaceFrameView signature shows up in talkback for all of the recent releases and Trunk, but in small enough numbers that it hasn't been seen. (Currently N620 has 4 incidents, M095, 36 incidents, Trunk ,6) The top frames of the stack look similar to that of bug 81905, but comments don't point distinctly to the password manager. Here's the stack from N620 data: PlaceFrameView [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 2554] nsBlockFrame::PostPlaceLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 4101] nsBlockFrame::PlaceLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 3972] nsBlockFrame::DoReflowInlineFrames [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 3433] nsBlockFrame::DoReflowInlineFramesMalloc [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 3263] nsBlockFrame::ReflowInlineFrames [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 3224] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 2375] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 2045] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 800] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 723] nsTableCellFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableCellFrame.cpp line 759] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 723] nsTableRowFrame::ReflowChildren [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp line 887] nsTableRowFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp line 1246] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 723] nsTableRowGroupFrame::ReflowChildren [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp line 396] nsTableRowGroupFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp line 1056] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 723] nsTableFrame::ReflowChildren [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp line 3046] nsTableFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp line 1854] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 723] nsTableOuterFrame::OuterReflowChild [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp line 976] nsTableOuterFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp line 1541] nsBlockReflowContext::DoReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp line 574] nsBlockReflowContext::ReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp line 345] nsBlockFrame::ReflowBlockFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 2973] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 2261] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 2045] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 800] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 723] nsTableCellFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableCellFrame.cpp line 759] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 723] nsTableRowFrame::ReflowChildren [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp line 887] nsTableRowFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp line 1246] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 723] nsTableRowGroupFrame::ReflowChildren [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp line 396] nsTableRowGroupFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp line 1056] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 723] nsTableFrame::ReflowChildren [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp line 3046] nsTableFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp line 1854] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 723] nsTableOuterFrame::OuterReflowChild [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp line 976] nsTableOuterFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp line 1541] nsBlockReflowContext::DoReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp line 574] nsBlockReflowContext::ReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp line 345] nsBlockFrame::ReflowBlockFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 2973] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 2261] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 2045] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp line 800] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 723] nsTableCellFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableCellFrame.cpp line 759] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 723] nsTableRowFrame::ReflowChildren [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp line 887] nsTableRowFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp line 1246] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 723] nsTableRowGroupFrame::ReflowChildren [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp line 396] nsTableRowGroupFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp line 1056] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 723] nsTableFrame::ReflowChildren [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp line 3046] nsTableFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp line 1854] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp line 723] nsTableOuterFrame::OuterReflowChild [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp line 976] nsTableOuterFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp line 1541] nsBlockReflowContext::DoReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp line 574] Here are the comments across all releases: N610 : 10 37268259 http://topcat.switchinc.org.8080/proxy.pac waiting for full text article 37269006 www.eco-furniture.com clicked on one of the products in the lawn and garden section 37318937 I was opening mail when program failed. 37320432 Reloading web page 37371824 www.douglascollege.bc.ca Click on link 37375266 http://www.ishaah.com/Smile.htm reading my e-mail 37379707 www.webtrendslive.com checking html tracking reports on the websites homepage M094 : 11 37066956 http://webcompare.internet.com/webbasics/webbasics_2.html mozilla tried to read memory location 0x000000... was runni ng VERY slowly prior to this error. Last page was a link from cbs.sportsline.com to the fantasy section. 37052016 www.cbssportsline.com M095 : 36 37376526 fantasy.sportsline.com just clicked on my fantasy team link might have clicked twice... 37018266 http://football221.fantasy.sportsline.com/mp/ when looking at all the picke in my league in cbs fantasy football.I ha ve crashed many times on theis site since mozilla 0.9.4 37114953 http://members4.fantasy.sportsline.com/home? trying to enter the site. Everytime I try on my laptop it crashes. Ho me PC is fine just the laptop. 37325324 Using tabbed layout. Went to cbs.sportsline.com (my second tab) and clicked fantasy. Crash! error in gkslayout...o r something 37181660 football258.fantasy.sportsline.com Was pulling up a draft list of free agents for my fantasy football pool. As an as ide the 'Back' button does not work on cnn.com. 37063743 http://ici.planet-multiplayer.de/phpBB Just loaded the page.

I don't understand why you think this is password manager. But it indeed looks like the same stack trace as in bug 81905 (which I'm not cc'd on) and that one too is marked password manager. And Chris Waterson has that bug. So reassigning this one to Waterson.

This one has become a major crasher on M095 (28 incidents) and N620 (481 incidents). I will attach the comments below to help find a reproducible case. Adding qawanted keyword.

Adding [@ .__ptr_glue - nsBlockFrame::PostPlaceLine] to summary, since that is the stack signature for this crash on MacOS. The stack looks similar and the websites are the same as in bug 109996 (which I am about to mark a dup of this bug). Here is the info from that bug for Mac crashes with Netscape 6.20: Count Offset Real Signature [ 13 .__ptr_glue ed499dd6 - nsBlockFrame::PostPlaceLine() ] Crash date range: 2001-11-06 to 2001-11-12 Min/Max Seconds since last crash: 61 - 18381 Min/Max Runtime: 9513 - 72520 Keyword List : Count Platform List 10 MacOS version 9.2.1 2 MacOS version 9.1 1 MacOS version 9.0 Count Build Id List 13 2001102217 No of Unique Users 6 Stack trace(Frame) .__ptr_glue nsBlockFrame::PostPlaceLine() [nsBlockFrame.cpp line 4100] nsBlockFrame::PlaceLine() [nsBlockFrame.cpp line 3968] nsBlockFrame::DoReflowInlineFrames() [nsBlockFrame.cpp line 3430] nsBlockFrame::DoReflowInlineFramesMalloc() [nsBlockFrame.cpp line 3260] nsBlockFrame::ReflowInlineFrames() [nsBlockFrame.cpp line 3220] nsBlockFrame::ReflowLine() [nsBlockFrame.cpp line 2374] nsBlockFrame::ReflowDirtyLines() [nsBlockFrame.cpp line 2044] nsBlockFrame::Reflow() [nsBlockFrame.cpp line 798] COMMENTS/URLs: (37873973) URL: cbs.sportline.com (37629077) URL: www.cbs.sportsline.com (37629077) Comments: Picking up a Free Agent on my fantesy football team

*** Bug 109996 has been marked as a duplicate of this bug. ***

This crash still shows in the latest releases and milestones. Changing summary. current problem links: www.cbssportsline.com and www.wheresgeorge.com.

Is this a Mac-only crash? Stacks make it look that way...

This attachment is a rough breakdown of platforms that are returning crashes at the PlaceFrameView signature (from a snapshot of Talkback data 12/26). It is almost entirely Windows.

This is not showing up in recent builds (according to <http://ftp.mozilla.org/pub/data/crash-data>); marking WORKSFORME.

Since Chris isn't seeing this in the crash reports anymore and I tried all the links on this page with Win XP build 2002012903, marking Verified

I convinced a friend to start using Mozilla and he loves it, however he is definitely seeing this crash at www.wheresgeorge.com . He says it crashes after he's entered in a few bills, so you'd possibly need to have a WG account and log in to reproduce this. Build: Mozilla 0.9.8 (2002020406), also seen routinely on 0.9.7 OS : Windows 2000 He has submitted many talkbacks on it, most recently TB2686276K . I brought this up in #mozillazine, and endico took a look at the TB report, and reported that the first two lines were: PlaceFrameView [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2813] nsBlockFrame::PostPlaceLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 4360] Not sure if that's relevant. The consensus was that I should report it here in this bug. I've now told you everything I know :) Reopen?

The stack from the incident listed in the previous comment looks the same as the original stack, I'm attaching it for reference to the new line numbers.

So far five unique users have crashed on M098 with this signature. However, all of the comments point to the wheresgeorge site (all unique users). Which makes me wonder if the site has the problem. (2710709) - 2002020409: Windows NT 5.0 build 2195 Had just selected the site from my bookmark list URL: http://www.wheresgeorge.com (2693842) - 2002020409: Windows NT 5.0 build 2195 clicking on to another section of the site URL: www.wheresgeorge.com (2686276) - 2002020409: Windows NT 5.0 build 2195 Just trying to access the page. It bombed immediately after I hit return on typing the URL. None of the page rendered. URL:http://www.wheresgeorge.com Updating to M098 and reopening (tentatively) to see if this one begins to show up in large numbers with this release. There are currently only 2 incidents reported against the trunk.

It seems I am able to reproduce this one at will (currently). Using Trunk build 2002020610, I went to www.wheresgeorge.com, entered 10 bills. clicked around. Finally clicked on "This site is owned by www.wheresgeorge.com" (at the bottom of a page) and got the PlaceFramView crash. Following that, I restarted the browser and clicked on the history bar's down arrow, selected the wheresgeorge site and I crash every time (3 times so far), before the page even begins to load.

nominating topcrash bugs for nsbeta1.

Reassigning to Alex.

CANNOT REPRODUCE ON W2000. ANYONE PLEASE POST EXACT STEPS TO REPRODUCE, OHTERWISE CANNOT FIX

*** Bug 128937 has been marked as a duplicate of this bug. ***

Alex: try http://mozilla.statesoftware.com/ This URL crashes in PlaceFrameView in bug 128937

Someone is still crashing at www.wheresgeorge.com...I see a couple of incidents from 3/2. And why is the component still password mananger? Is that correct? I would think this was some sort of layout bug. Here are just a few urls I found from recent incidents: www.rediff.com http://www.wheresgeorge.com wannabe.gathering.org/tg - looks like you need an account for this page. bmwe30.net - customize link is mentioned in the comment. I tried to reproduce at the first 2 sites, but wasn't able to.

I went back to wheresgeorge.com with M098 on W2K and simply clicked on the www.wheresgeorge.com link at the bottom. It opened a new window, so I clicked on the same link in the new window. After 4-5 times I got the crash @ PlaceFrameView. Incident #3738786

Trunk also crashes with these steps.

That previous comment was a bit laconic. I was able to crash with the steps I listed in comment #21 using the Trunk build 2002030606. This crash ended at nsBlockFrame::GetTopBlockChild but with a similar stack. Interesting behavior, as I reproduced this crash the number of windows that I opened before crashing became fewer. The first crash took 4-5 times of clicking on the link, the next crash occurred after clicking only two times, the third came after simply submitting the URL (I never got to the page).

After a talk with REPORTER (greer@netscape.com) we discovered that the bug is reproductible only if using a profile that was generated with a previous NS or MOZ build. On the machine where the crash was reproductible with an old profile, with a new profile the crash was not reproductible. Switching back to the old profile, causes mozilla to crash during the test again. However, I was unable to reproduce the crash even using old profiles created with NS61, NS62 and NS621. I will have to download and try the 096, 097, 098 builds too. If not reproductible, I suggest removing the keyword nsbeta1+.

replacing nsbeta1+ with nsbeta1 this crash is hardly reproductible. there are two incidents reported by greer@netscape.com (3750819 and 4016427) that are produced reliably with build 2002030306 with an old profile that has been generated with an older version of mozilla (greer thinks that it was a netscape distribution). since we spoke last week there were no incidents with similar stack signatures reported (except the two reported by greer)

nsbeata1-. Remove the minus to renominate if this can be reproduced. Since the crash seems to occur when using old profiles, it really doesn't sound like a layout bug.

This shouldn't be qawanted. Looks like Tom Greer has reproducible steps and the investigation led to having this bug be seen only on older profiles. That could be an issue if a lot of folks are running into this since I'm sure folks will have profiles created by older builds. Is there a way to get a debug build onto Greer's system and run it through his profile?

Lisa, It's my machine at home that is crashing and I need to get some tools for it from the office. Working on that.

Lisa, recently I have seen this crash happen almost at will using these steps: 1. Goto www.realgm.com 2. click on Player Profiles 3. click on a team 4. click on a player 5. If you haven't crashed yet, try using the "back" button a few times and repeat the process. I have crashed at least once at each of steps 1-3 and got the steps from a user who got to step 4. Could you please have some of your QA folks take a stab at reproducing this one in house?

Looking at one of my crashes in Talkback the value of aFrame is NULL at the time of the crash. A null check before dereferencing should fix this one. >snip< 2783 static void 2784 PlaceFrameView(nsIPresContext* aPresContext, 2785 nsIFrame* aFrame) 2786 { 2787 nsIView* view; ** Check aFrame Here ** 2788 aFrame->GetView(aPresContext, &view); 2789 if (view) 2790 nsContainerFrame::SyncFrameViewAfterReflow(aPresContext, aFrame, view, nsnull); I haven't been successful at building the code at home, but I would gladly test this one if I could get a build with the patch.

added null check in the loop condition

Comment on attachment 78460 [details] [diff] [review] nullcheck patch sr=attinasi - but please put in an ASSERTION so that we can see if the child count gets out of whack (which is what is happening if |frame| is null).

Comment on attachment 78464 [details] [diff] [review] added assertion to the previous nullcheck patch transfered sr=

nsbeta1+

Comment on attachment 78464 [details] [diff] [review] added assertion to the previous nullcheck patch r=kmcclusk@netscape.com

Since it is always the case that i < aLine->GetChildCount(), change the assertion to: NS_ASSERTION(frame, "Child count bigger than the number of linked frames!!!");

chris: marc ment to have the assertion beeing self-explanatory that's why it has that complicated form, but yes, you're right so is simpler.

Isn't that assertion going to fire all the time since you've gotten the next sibling but haven't incremented i yet? Shouldn't it be: NS_ASSERTION(line->GetChildCount() == i + 1 || frame, "..."); which would also be simpler. Have you investigated why the child count is being set incorrectly?

Comment on attachment 78464 [details] [diff] [review] added assertion to the previous nullcheck patch I didn't mean "all the time" literally. It should only fire every time the line is the last line of a block.

right, it has to be i+1 == blah blah i cannot reproduce this bug so i cannot say what the hack is happening there. all this is based on talkback and the reporters observations on a machine that he has and where the bug is reproductible. so far there were all kinds of URL's involved and we cannot localize the bug.

Could you put a newline before the text of the assertion so that it all wraps before 80 characters?

tpreston - pls try greer's comments in comment 29 to see if you can reproduce this. Will help once the patch gets checked in for verifications.

adding adt1.0.0 nomination

adt1.0.0+

I have tested two optimized builds from Alexandru on my machine at home (which crashes on this bug). One build w/o the patched crashed at step 2 in comment #29. The build with the patch has repeadtedly handled all the steps in #21 and #29 without crashing.

Comment on attachment 78480 [details] [diff] [review] revised patch a=rjesup@wgate.com for drivers. Please check into both trunk and branch.

Using Step 29: Win XP build 2002040903 (crashes when just trying to reach www.realgm.com URL Talkback incident: 5048123 Using Step 29: Win 2k build 2002041003 (crashes when I get to player and click on Kobe Bryant) Talkback incident: 5048365 Will check other platforms

I wasn't able to reproduce a crash, but I did manage to see an assertion which is probably related: #2 0x40267955 in nsDebug::Assertion (aStr=0x42a01ed8 "running past end", aExpr=0x42a01ec2 "mCurrent != mListLink", aFile=0x42a01da0 "/builds/trunk/mozilla/layout/html/base/src/nsLineBox.h", aLine=537) at /builds/trunk/mozilla/xpcom/glue/nsDebug.cpp:291 #3 0x4299c0df in nsLineList_iterator::operator-> (this=0xbfffa848) at /builds/trunk/mozilla/layout/html/base/src/nsLineBox.h:537 #4 0x4277f604 in nsBlockFrame::ReflowLine (this=0x41ecd04c, aState=@0xbfffac00, aLine={mCurrent = 0x41ee0954, mListLink = 0x41ecd088}, aKeepReflowGoing=0xbfffa9e8, aDamageDirtyArea=1) at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:2553 #5 0x4277e7d4 in nsBlockFrame::ReflowDirtyLines (this=0x41ecd04c, aState=@0xbfffac00) at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:2250 #6 0x4277b5ea in nsBlockFrame::Reflow (this=0x41ecd04c, aPresContext=0x42bb2c70, aMetrics=@0xbfffb0e0, aReflowState=@0xbfffb020, aStatus=@0xbfffc354) at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:844 The cause of the assertion was that ReflowDirtyLines had passed a line to ReflowLine that was no longer in the line list, but had prev and next pointers indicating that it thought it was the only line in the line list (same list link, but that link didn't point back to it). The line list thought it had 5 lines, and aState.mLineNumber was 3.

Of those 5 lines (I actually missed the first), the first, third, and fifth were blocks. The second had a single child, and the fourth had 2, and all the sibling linkage seemed to be correct. The line being reflowed, which was not in the list, had a child count of 2 and its first child had 5 siblings after (so there were four siblings following not on the line), but none of these frames were the same. In fact, their block parent (which should have been the |this| block) was in fact a (great-)*5-grandchild of the |this| block, and the chain went through the first child of the |this| block (the child of the first line).

Recording which lines have already been reflown makes it look like the mLines list was somehow entirely replaced in the middle of reflowing the children.

fixed on trunk and 1.0.0 branch in order to verify you must check the change in the source file /cvsroot/mozilla/layout/html/base/src/nsBlockFrame.cpp in the method nsBlockFrame::PostPlaceLine(...

The real problem here is that frames are being destroyed while they're in the middle of being reflowed. While we may be lucky enough to be able to work around it with a single null check in this case, that's unlikely to work in general. We shouldn't have to protect against this. Here's the stack showing the real problem: #3 0x40ca7adb in nsObjectFrame::Destroy (this=0x435c984c, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp:633 #4 0x40c9dd27 in nsLineBox::DeleteLineList (aPresContext=0x4307b6f0, aLines=@0x435c9764) at /builds/trunk/mozilla/layout/html/base/src/nsLineBox.cpp:311 #5 0x40c53177 in nsBlockFrame::Destroy (this=0x435c9728, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:328 #6 0x40c9dd27 in nsLineBox::DeleteLineList (aPresContext=0x4307b6f0, aLines=@0x435c95f8) at /builds/trunk/mozilla/layout/html/base/src/nsLineBox.cpp:311 #7 0x40c53177 in nsBlockFrame::Destroy (this=0x435c95bc, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:328 #8 0x40de72f3 in nsFrameList::DestroyFrames (this=0x435c9590, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130 #9 0x40c69aa8 in nsContainerFrame::Destroy (this=0x435c955c, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138 #10 0x40de72f3 in nsFrameList::DestroyFrames (this=0x435c9478, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130 #11 0x40c69aa8 in nsContainerFrame::Destroy (this=0x435c9444, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138 #12 0x40de72f3 in nsFrameList::DestroyFrames (this=0x435d49e4, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130 #13 0x40c69aa8 in nsContainerFrame::Destroy (this=0x435d49b0, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138 #14 0x40de72f3 in nsFrameList::DestroyFrames (this=0x435c9324, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130 #15 0x40c69aa8 in nsContainerFrame::Destroy (this=0x435c92f0, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138 #16 0x40d694f6 in nsTableFrame::Destroy (this=0x435c92f0, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/html/table/src/nsTableFrame.cpp:318 #17 0x40de72f3 in nsFrameList::DestroyFrames (this=0x435c914c, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130 #18 0x40c69aa8 in nsContainerFrame::Destroy (this=0x435c9118, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138 #19 0x40d7e8bc in nsTableOuterFrame::Destroy (this=0x435c9118, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/html/table/src/nsTableOuterFrame.cpp:83 #20 0x40c9dd27 in nsLineBox::DeleteLineList (aPresContext=0x4307b6f0, aLines=@0x435d40b8) at /builds/trunk/mozilla/layout/html/base/src/nsLineBox.cpp:311 #21 0x40c53177 in nsBlockFrame::Destroy (this=0x435d407c, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:328 #22 0x40de72f3 in nsFrameList::DestroyFrames (this=0x435d4050, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:130 #23 0x40c69aa8 in nsContainerFrame::Destroy (this=0x435d401c, aPresContext=0x4307b6f0) at /builds/trunk/mozilla/layout/html/base/src/nsContainerFrame.cpp:138 #24 0x40de75e3 in nsFrameList::DestroyFrame (this=0x435c76a8, aPresContext=0x4307b6f0, aFrame=0x435d401c) at /builds/trunk/mozilla/layout/base/src/nsFrameList.cpp:217 #25 0x40d83c18 in nsTableRowFrame::RemoveFrame (this=0x435c7674, aPresContext=0x4307b6f0, aPresShell=@0x4357ff60, aListName=0x0, aOldFrame=0x435d401c) at /builds/trunk/mozilla/layout/html/table/src/nsTableRowFrame.cpp:334 #26 0x40c7d669 in FrameManager::RemoveFrame (this=0x435b5658, aPresContext=0x4307b6f0, aPresShell=@0x4357ff60, aParentFrame=0x435c7674, aListName=0x0, aOldFrame=0x435d401c) at /builds/trunk/mozilla/layout/html/base/src/nsFrameManager.cpp:1014 #27 0x40d3dd0b in nsCSSFrameConstructor::ContentRemoved (this=0x43093910, aPresContext=0x4307b6f0, aContainer=0x435ce310, aChild=0x435ce3e8, aIndexInContainer=1, aInContentReplaced=1) at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:9587 #28 0x40d3ba42 in nsCSSFrameConstructor::ContentReplaced (this=0x43093910, aPresContext=0x4307b6f0, aContainer=0x435ce310, aOldChild=0x435ce3e8, aNewChild=0x435ce3e8, aIndexInContainer=1) at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:8917 #29 0x40d498d4 in nsCSSFrameConstructor::WipeContainingBlock (this=0x43093910, aPresContext=0x4307b6f0, aState=@0xbfff5e34, aBlockContent=0x435ce3e8, aFrame=0x4364fa8c, aFrameList=0x436500a4) at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:13686 #30 0x40d395da in nsCSSFrameConstructor::ContentAppended (this=0x43093910, aPresContext=0x4307b6f0, aContainer=0x435c7f38, aNewIndexInContainer=1) at /builds/trunk/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:8266 #31 0x42567cf1 in StyleSetImpl::ContentAppended (this=0x430937d0, aPresContext=0x4307b6f0, aContainer=0x435c7f38, aNewIndexInContainer=1) at /builds/trunk/mozilla/content/base/src/nsStyleSet.cpp:1520 #32 0x40cc6a3e in PresShell::ContentAppended (this=0x4357ff60, aDocument=0x4307b960, aContainer=0x435c7f38, aNewIndexInContainer=1) at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:5160 #33 0x424e4bda in nsDocument::ContentAppended (this=0x4307b960, aContainer=0x435c7f38, aNewIndexInContainer=1) at /builds/trunk/mozilla/content/base/src/nsDocument.cpp:1893 #34 0x4238ab0d in nsHTMLDocument::ContentAppended (this=0x4307b960, aContainer=0x435c7f38, aNewIndexInContainer=1) at /builds/trunk/mozilla/content/html/document/src/nsHTMLDocument.cpp:1335 #35 0x42381f6c in HTMLContentSink::NotifyAppend (this=0x430b2198, aContainer=0x435c7f38, aStartIndex=1) at /builds/trunk/mozilla/content/html/document/src/nsHTMLContentSink.cpp:4819 #36 0x42378197 in SinkContext::FlushTags (this=0x4308add0, aNotify=1) at /builds/trunk/mozilla/content/html/document/src/nsHTMLContentSink.cpp:2184 #37 0x423834f1 in HTMLContentSink::FlushPendingNotifications (this=0x430b2198) at /builds/trunk/mozilla/content/html/document/src/nsHTMLContentSink.cpp:5268 #38 0x4238b26a in nsHTMLDocument::FlushPendingNotifications (this=0x4307b960, aFlushReflows=0, aUpdateViews=0) at /builds/trunk/mozilla/content/html/document/src/nsHTMLDocument.cpp:1486 #39 0x424dc50b in nsContentList::GetLength (this=0x43625d48, aLength=0xbfff64c0, aDoFlush=1) at /builds/trunk/mozilla/content/base/src/nsContentList.cpp:392 #40 0x424dc88f in nsContentList::GetLength (this=0x43625d48, aLength=0xbfff64c0) at /builds/trunk/mozilla/content/base/src/nsContentList.cpp:475 #41 0x40cb100c in nsPluginInstanceOwner::EnsureCachedAttrParamArrays ( this=0x43593cf0) at /builds/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp:2809 #42 0x40cada5a in nsPluginInstanceOwner::GetAttributes (this=0x43593cf0, n=@0xbfff6626, names=@0xbfff6628, values=@0xbfff662c) at /builds/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp:2071 #43 0x427d9641 in nsPluginInstancePeerImpl::GetAttributes (this=0x43623480, n=@0xbfff6626, names=@0xbfff6628, values=@0xbfff662c) at /builds/trunk/mozilla/modules/plugin/base/src/nsPluginInstancePeer.cpp:345 #44 0x428a30a2 in JavaPluginInstance5::Initialize () from /usr/java/jdk1.3.1/jre/plugin/i386/ns600/libjavaplugin_oji.so #45 0x427cf7b4 in nsPluginHostImpl::SetUpPluginInstance (this=0x840fff0, aMimeType=0x40ee4090 "application/x-java-vm", aURL=0x435be698, aOwner=0x43593cf0) at /builds/trunk/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3932 #46 0x427ce2f5 in nsPluginHostImpl::InstantiateEmbededPlugin (this=0x840fff0, aMimeType=0x40ee4090 "application/x-java-vm", aURL=0x435be698, aOwner=0x43593cf0) at /builds/trunk/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3447 #47 0x40caa3a9 in nsObjectFrame::InstantiatePlugin (this=0x435c984c, aPresContext=0x4307b6f0, aMetrics=@0xbfff6ed0, aReflowState=@0xbfff6f20, aPluginHost=0x840fff4, aMimetype=0x40ee4090 "application/x-java-vm", aURI=0x435be698) at /builds/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp:1242 #48 0x40ca95f9 in nsObjectFrame::Reflow (this=0x435c984c, aPresContext=0x4307b6f0, aMetrics=@0xbfff6ed0, aReflowState=@0xbfff6f20, aStatus=@0xbfff70b0) at /builds/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp:1048 #49 0x40ca1cc8 in nsLineLayout::ReflowFrame (this=0xbfff7190, aFrame=0x435c984c, aNextRCFrame=0xbfff7b1c, aReflowStatus=@0xbfff70b0, aMetrics=0x0, aPushedFrame=@0xbfff70ac) at /builds/trunk/mozilla/layout/html/base/src/nsLineLayout.cpp:1088 #50 0x40c5b03c in nsBlockFrame::ReflowInlineFrame (this=0x435c9728, aState=@0xbfff7aa0, aLineLayout=@0xbfff7190, aLine= {mCurrent = 0x435c9920, mListLink = 0x435c9764}, aFrame=0x435c984c, aLineReflowStatus=0xbfff711f "") at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:3700 #51 0x40c5ac6c in nsBlockFrame::DoReflowInlineFrames (this=0x435c9728, aState=@0xbfff7aa0, aLineLayout=@0xbfff7190, aLine= {mCurrent = 0x435c9920, mListLink = 0x435c9764}, aKeepReflowGoing=0xbfff7888, aLineReflowStatus=0xbfff765f "\002", aUpdateMaximumWidth=0, aDamageDirtyArea=0) at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:3582 #52 0x40c5a9dc in nsBlockFrame::DoReflowInlineFramesAuto (this=0x435c9728, aState=@0xbfff7aa0, aLine={mCurrent = 0x435c9920, mListLink = 0x435c9764}, aKeepReflowGoing=0xbfff7888, aLineReflowStatus=0xbfff765f "\002", aUpdateMaximumWidth=0, aDamageDirtyArea=0) at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:3505 #53 0x40c5a7b8 in nsBlockFrame::ReflowInlineFrames (this=0x435c9728, aState=@0xbfff7aa0, aLine={mCurrent = 0x435c9920, mListLink = 0x435c9764}, aKeepReflowGoing=0xbfff7888, aDamageDirtyArea=0, aUpdateMaximumWidth=0) at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:3451 #54 0x40c588a2 in nsBlockFrame::ReflowLine (this=0x435c9728, aState=@0xbfff7aa0, aLine={mCurrent = 0x435c9920, mListLink = 0x435c9764}, aKeepReflowGoing=0xbfff7888, aDamageDirtyArea=0) at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:2614 #55 0x40c57804 in nsBlockFrame::ReflowDirtyLines (this=0x435c9728, aState=@0xbfff7aa0) at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:2253 #56 0x40c545ea in nsBlockFrame::Reflow (this=0x435c9728, aPresContext=0x4307b6f0, aMetrics=@0xbfff8168, aReflowState=@0xbfff7eb0, aStatus=@0xbfff8024) at /builds/trunk/mozilla/layout/html/base/src/nsBlockFrame.cpp:844 ... (through tons of block, table, gfxscroll, etc. reflow) #137 0x40ce9023 in ViewportFrame::Reflow (this=0x43646424, aPresContext=0x4307b6f0, aDesiredSize=@0xbfffe750, aReflowState=@0xbfffe580, aStatus=@0xbfffe648) at /builds/trunk/mozilla/layout/html/base/src/nsViewportFrame.cpp:587 #138 0x40c89806 in nsHTMLReflowCommand::Dispatch (this=0x435a9758, aPresContext=0x4307b6f0, aDesiredSize=@0xbfffe750, aMaxSize=@0xbfffe730, aRendContext=@0x435ce058) at /builds/trunk/mozilla/layout/html/base/src/nsHTMLReflowCommand.cpp:216 #139 0x40cc9814 in PresShell::ProcessReflowCommand (this=0x4357ff60, aQueue=@0x4357ffb0, aAccumulateTime=1, aDesiredSize=@0xbfffe750, aMaxSize=@0xbfffe730, aRenderingContext=@0x435ce058) at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6287 #140 0x40cc9a98 in PresShell::ProcessReflowCommands (this=0x4357ff60, aInterruptible=1) at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6342 #141 0x40e99e80 in ReflowEvent::HandleEvent (this=0x435aa158) at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6196 #142 0x40cc9556 in HandlePLEvent (aEvent=0x435aa158) at /builds/trunk/mozilla/layout/html/base/src/nsPresShell.cpp:6212 #143 0x402222e0 in PL_HandleEvent (self=0x435aa158) at /builds/trunk/mozilla/xpcom/threads/plevent.c:596 #144 0x40222a51 in PL_ProcessEventsBeforeID (aSelf=0x811a1b8, aID=7389) at /builds/trunk/mozilla/xpcom/threads/plevent.c:1270 ... (main event loop, main, etc.) Reopening because the fact that this doesn't crash with your null check is merely at the mercy of what the allocator decides to recycle, and thus this bug could come back any time, or could easily still be present on other machines. With my patches in bug 114219 and bug 114221 to fill pres-shell-freed memory with 0xdd, we crash quite hard in other places. (This is quite easy to reproduce with those patches in my tree, by loading the URL http://www.realgm.com/src_roster.php?team=Philadelphia and clicking on one of the players.)

I appreciate the fact that we're trying to track down a bug that nobody can reproduce (and so spackle is appropriate), but I agree with dbaron: we should be looking more deeply for causes.

remarking as fixed. for David Baron's proposal to fix the real issue that caused the crash I opened bug 136927.

Verified fix checked into lxr.mozilla.org and no crash Mac OS X build 2002041105 and linux build 2002041105 (windows build hosed, will check that tomorrow.) Marking verified though