Closed Bug 125404 Opened 23 years ago Closed 23 years ago

mozilla hangs on certain mathml pages

Categories

(Core :: MathML, defect)

Product:
Core
Component:
MathML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla0.9.9

People

(Reporter: endico, Assigned: rbs)

References

(
URL
)

Details

(Keywords: crash)

Attachments

(1 file)

patch to bullet-proof the code against this type of crash
(deleted), patch
karnaze
: review+
attinasi
: superreview+
Details | Diff | Splinter Review
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.8+) Gecko/20020213 Mozilla hang for me when i follow several of the links on this page <http://pear.math.pitt.edu/Calculus/week3/3_1.mhtml> in particular, these http://pear.math.pitt.edu/Calculus/week3/3_1li9.xml#QQ1-10-9 http://pear.math.pitt.edu/Calculus/week3/3_1li10.xml#QQ1-11-10 I'm using today's nightly build on linux. I don't have the mathml fonts installed. I was trying to find a good example page that had lots of mathml but which look ok for people without math fonts. I'd like to link from such a page from the "what's new" section of the 0.9.9 release notes. I'm not able to get a trace yet.
The crash site: void nsTableFrame::InsertCol(nsIPresContext& aPresContext, nsTableColFrame& aColFrame, PRInt32 aColIndex) { >>mColFrames.InsertElementAt(&aColFrame, aColIndex); <============ crash [...] } The debugger showed that the vptr of mColFrames is null (i.e., the whole thing is invalid). Tracing, I noted that the problem is originating from the fact that the table frame construction code wasn't considering <mtr> as a table-row, and was instead creating a foreign foreign frame for it. Looking up in the style context of that <mtr>, I noted indeed that it was been resolved as an inline frame rather than as a table-row frame... Paul, do you have CSS rules in your stylesheet that apply and/or override <mtr>? Here is a stack trace from visiting: http://pear.math.pitt.edu/Calculus/week3/3_1li10.xml#QQ1-11-10 nsVoidArray::InsertElementAt(void * 0x035286f8, int 0) line 408 + 10 bytes nsTableFrame::InsertCol(nsIPresContext & {...}, nsTableColFrame & {...}, int 0) line 804 nsTableColGroupFrame::AddColsToTable(nsTableColGroupFrame * const 0x03528684, nsIPresContext & {...}, int 0, int 1, nsIFrame * 0x035286f8, nsIFrame * 0x035286f8) line 131 nsTableFrame::CreateAnonymousColFrames(nsIPresContext & {...}, nsTableColGroupFrame & {...}, int 1, nsTableColType eColAnonymousCell, int 1, nsIFrame * 0x00000000, nsIFrame * * 0x0012e130) line 1076 nsTableFrame::CreateAnonymousColFrames(nsIPresContext & {...}, int 1, nsTableColType eColAnonymousCell, int 1, nsIFrame * 0x00000000) line 984 nsTableFrame::InsertRows(nsIPresContext & {...}, nsTableRowGroupFrame & {...}, nsVoidArray & {...}, int 0, int 1) line 1231 nsTableFrame::InsertRowGroups(nsIPresContext & {...}, nsIFrame * 0x0350b944, nsIFrame * 0x0350b944) line 1407 nsTableFrame::AppendRowGroups(nsIPresContext & {...}, nsIFrame * 0x0350b944) line 1304 nsTableFrame::SetInitialChildList(nsTableFrame * const 0x034e10e4, nsIPresContext * 0x041a6730, nsIAtom * 0x00000000 {???}, nsIFrame * 0x0350b944) line 482 nsCSSFrameConstructor::ConstructTableFrame(nsIPresShell * 0x041aec70, nsIPresContext * 0x041a6730, nsFrameConstructorState & {...}, nsIContent * 0x04551f20, nsIFrame * 0x034e0d38, nsIStyleContext * 0x034e0e48, nsTableCreator & {...}, int 0, nsFrameItems & {...}, nsIFrame * & 0x034e0e7c, nsIFrame * & 0x034e10e4, int & 0) line 2327 nsCSSFrameConstructor::ConstructMathMLFrame(nsIPresShell * 0x041aec70, nsIPresContext * 0x041a6730, nsFrameConstructorState & {...}, nsIContent * 0x04551f20, nsIFrame * 0x034e0bac, nsIAtom * 0x02362ee0 {"mtable"}, int 9, nsIStyleContext * 0x034e00dc, nsFrameItems & {...}) line 6630 + 62 bytes nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell * 0x041aec70, nsIPresContext * 0x041a6730, nsFrameConstructorState & {...}, nsIContent * 0x04551f20, nsIFrame * 0x034e0bac, nsIAtom * 0x02362ee0 {"mtable"}, int 9, nsIStyleContext * 0x034e00dc, nsFrameItems & {...}, int 0) line 7039 + 49 bytes nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x041aec70, nsIPresContext * 0x041a6730, nsFrameConstructorState & {...}, nsIContent * 0x04551f20, nsIFrame * 0x034e0bac, nsFrameItems & {...}) line 6916 + 56 bytes nsCSSFrameConstructor::ProcessChildren(nsIPresShell * 0x041aec70, nsIPresContext * 0x041a6730, nsFrameConstructorState & {...}, nsIContent * 0x04557b80, nsIFrame * 0x034e0bac, int 1, nsFrameItems & {...}, int 0, nsTableCreator * 0x00000000) line 11997 + 66 bytes nsCSSFrameConstructor::ConstructMathMLFrame(nsIPresShell * 0x041aec70, nsIPresContext * 0x041a6730, nsFrameConstructorState & {...}, nsIContent * 0x04557b80, nsIFrame * 0x034b106c, nsIAtom * 0x02361bc0 {"math"}, int 9, nsIStyleContext * 0x034e00a8, nsFrameItems & {...}) line 6696 + 41 bytes nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell * 0x041aec70, nsIPresContext * 0x041a6730, nsFrameConstructorState & {...}, nsIContent * 0x04557b80, nsIFrame * 0x034b106c, nsIAtom * 0x02361bc0 {"math"}, int 9, nsIStyleContext * 0x034e00a8, nsFrameItems & {...}, int 0) line 7039 + 49 bytes nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x041aec70, nsIPresContext * 0x041a6730, nsFrameConstructorState & {...}, nsIContent * 0x04557b80, nsIFrame * 0x034b106c, nsFrameItems & {...}) line 6916 + 56 bytes nsCSSFrameConstructor::ProcessBlockChildren(nsIPresShell * 0x041aec70, nsIPresContext * 0x041a6730, nsFrameConstructorState & {...}, nsIContent * 0x041cf3b0, nsIFrame * 0x034b106c, int 1, nsFrameItems & {...}, int 1) line 13277 + 57 bytes nsCSSFrameConstructor::ConstructBlock(nsIPresShell * 0x041aec70, nsIPresContext * 0x041a6730, nsFrameConstructorState & {...}, const nsStyleDisplay * 0x034b0fd0, nsIContent * 0x041cf3b0, nsIFrame * 0x034b0e04, nsIStyleContext * 0x034b0f9c, nsIFrame * 0x034b106c) line 13225 + 36 bytes nsCSSFrameConstructor::ConstructFrameByDisplayType(nsIPresShell * 0x041aec70, nsIPresContext * 0x041a6730, nsFrameConstructorState & {...}, const nsStyleDisplay * 0x034b0fd0, nsIContent * 0x041cf3b0, nsIFrame * 0x034b0e04, nsIStyleContext * 0x034b0f9c, nsFrameItems & {...}) line 6212 + 43 bytes nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell * 0x041aec70, nsIPresContext * 0x041a6730, nsFrameConstructorState & {...}, nsIContent * 0x041cf3b0, nsIFrame * 0x034b0e04, nsIAtom * 0x022d75c0 {"body"}, int 3, nsIStyleContext * 0x034b0f9c, nsFrameItems & {...}, int 0) line 7060 + 45 bytes nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x041aec70, nsIPresContext * 0x041a6730, nsFrameConstructorState & {...}, nsIContent * 0x041cf3b0, nsIFrame * 0x034b0e04, nsFrameItems & {...}) line 6916 + 56 bytes nsCSSFrameConstructor::ProcessChildren(nsIPresShell * 0x041aec70, nsIPresContext * 0x041a6730, nsFrameConstructorState & {...}, nsIContent * 0x041cf460, nsIFrame * 0x034b0e04, int 1, nsFrameItems & {...}, int 1, nsTableCreator * 0x00000000) line 11997 + 66 bytes nsCSSFrameConstructor::ConstructDocElementFrame(nsIPresShell * 0x041aec70, nsIPresContext * 0x041a6730, nsFrameConstructorState & {...}, nsIContent * 0x041cf460, nsIFrame * 0x0350b134, nsIStyleContext * 0x03397f44, nsIFrame * & 0x034b0e04) line 3243 nsCSSFrameConstructor::ContentInserted(nsCSSFrameConstructor * const 0x041ac0a0, nsIPresContext * 0x041a6730, nsIContent * 0x00000000, nsIContent * 0x041cf460, int 0, nsILayoutHistoryState * 0x00000000, int 0) line 8554 StyleSetImpl::ContentInserted(StyleSetImpl * const 0x041ac170, nsIPresContext * 0x041a6730, nsIContent * 0x00000000, nsIContent * 0x041cf460, int 0) line 1446 PresShell::InitialReflow(PresShell * const 0x041aec70, int 12735, int 7605) line 2631 nsXMLContentSink::StartLayout() line 963 nsXMLContentSink::DidBuildModel(nsXMLContentSink * const 0x0419a170, int 0) line 396 nsExpatDriver::DidBuildModel(nsExpatDriver * const 0x041a9f20, unsigned int 0, int 1, nsIParser * 0x0419a2a0, nsIContentSink * 0x0419a170) line 842 + 23 bytes nsParser::DidBuildModel(unsigned int 0) line 1385 + 41 bytes nsParser::ResumeParse(int 1, int 1, int 1) line 1906 nsParser::ContinueParsing() line 1495 + 19 bytes CSSLoaderImpl::Cleanup(URLKey & {...}, SheetLoadData * 0x041bf600) line 813 CSSLoaderImpl::SheetComplete(nsICSSStyleSheet * 0x00000000, SheetLoadData * 0x041bf600) line 920 CSSLoaderImpl::ParseSheet(nsIUnicharInputStream * 0x041b9d60, SheetLoadData * 0x041bf600, int & 1, nsICSSStyleSheet * & 0x041bbec0) line 955 CSSLoaderImpl::DidLoadStyle(nsIStreamLoader * 0x041bf470, nsString * 0x041be820 {" /* start css.sty */ .cmr-8{font-size:66%;} .cmr-6{font-size:50%;} .cmmi-12{font-style: italic;} .cmmi-8{font-size:66%;font-s"}, SheetLoadData * 0x041bf600, unsigned int 0) line 990 + 27 bytes SheetLoadData::OnStreamComplete(SheetLoadData * const 0x041bf600, nsIStreamLoader * 0x041bf470, nsISupports * 0x00000000, unsigned int 0, unsigned int 2303, const char * 0x03502658) line 747 nsStreamLoader::OnStopRequest(nsStreamLoader * const 0x041bf474, nsIRequest * 0x041bf170, nsISupports * 0x00000000, unsigned int 0) line 163 nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x041ba640, nsIRequest * 0x041bf170, nsISupports * 0x00000000, unsigned int 0) line 25 nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x041bf174, nsIRequest * 0x041be1e4, nsISupports * 0x00000000, unsigned int 0) line 2454 nsOnStopRequestEvent::HandleEvent() line 213 nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x041bc064) line 116 PL_HandleEvent(PLEvent * 0x041bc064) line 590 + 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x004a0aa0) line 520 + 9 bytes _md_EventReceiverProc(HWND__ * 0x00380916, unsigned int 49496, unsigned int 0, long 4852384) line 1071 + 9 bytes USER32! 77e148dc() USER32! 77e14aa7() USER32! 77e266fd() nsAppShellService::Run(nsAppShellService * const 0x004b5d40) line 308 main1(int 1, char * * 0x00444ea0, nsISupports * 0x00000000) line 1285 + 32 bytes main(int 1, char * * 0x00444ea0) line 1625 + 37 bytes mainCRTStartup() line 338 + 17 bytes KERNEL32! 77e992a6()
Works for me locally when I replace <?xml-stylesheet type="text/css" href="../mathml.css"> with a more recent mathml.css. (The document is using the old way before the DOCTYPE standardization.)
...also fixed an incorrect calling sequence of SetInitialChildList() on the frames that wrap the table code to emulate the inline mtable. (The calling sequence has to be made in a bottom-up manner to honor the nsIFrame API.)
r=karnaze? sr=attinasi?
Severity: normal → critical
Status: NEW → ASSIGNED
Keywords: crash
OS: Linux → All
Hardware: PC → All
Target Milestone: --- → mozilla0.9.9
Comment on attachment 69487 [details] [diff] [review] patch to bullet-proof the code against this type of crash r=karnaze. rbs, Viewer's regression testing capability had been broken for about 2 months and was fixed this morning after realizing that (bug 125426).
Attachment #69487 - Flags: review+
Comment on attachment 69487 [details] [diff] [review] patch to bullet-proof the code against this type of crash sr=attinasi
Attachment #69487 - Flags: superreview+
Patch checked in. Now if mathml.css isn't being applied, <mtable> and its related tags will just be treated as inline frames, and the table code won't kick off.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: