From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1a) Gecko/20020611 BuildID: 2002061104 Go to http://potassium.synclogic.net/ubbthreads/showthreaded.php?Cat=&Board=UBB1&Number=58299&page=2&view=collapsed&sb=5&o=0 Browser crashes in GKLAYOUT.DLL at 0167:6072a62f Talkback ID TB 7485489M Reproducible: Always Steps to Reproduce: 1. Goto http://potassium.synclogic.net/ubbthreads/showthreaded.php?Cat=&Board=UBB1&Number=58299&page=2&view=collapsed&sb=5&o=0 2. 3. Actual Results: Browser crash. Expected Results: Not crash. Talkback ID 7485489M. Happens on Win98 and Win 95.

nsLineLayout::ReflowFrame [nsLineLayout.cpp, line 935] nsFirstLetterFrame::Reflow [nsFirstLetterFrame.cpp, line 255] nsLineLayout::ReflowFrame [nsLineLayout.cpp, line 1104] nsInlineFrame::ReflowInlineFrame [nsInlineFrame.cpp, line 717] nsInlineFrame::ReflowFrames [nsInlineFrame.cpp, line 552] nsInlineFrame::Reflow [nsInlineFrame.cpp, line 436] nsLineLayout::ReflowFrame [nsLineLayout.cpp, line 1104] nsInlineFrame::ReflowInlineFrame [nsInlineFrame.cpp, line 717] nsInlineFrame::ReflowFrames [nsInlineFrame.cpp, line 522] nsFirstLineFrame::Reflow [nsInlineFrame.cpp, line 1066] nsLineLayout::ReflowFrame [nsLineLayout.cpp, line 1104] nsBlockFrame::ReflowInlineFrame [nsBlockFrame.cpp, line 3780] nsBlockFrame::DoReflowInlineFrames [nsBlockFrame.cpp, line 3606] nsBlockFrame::DoReflowInlineFramesAuto [nsBlockFrame.cpp, line 3496] nsBlockFrame::ReflowInlineFrames [nsBlockFrame.cpp, line 3441] nsBlockFrame::ReflowLine [nsBlockFrame.cpp, line 2594] nsBlockFrame::ReflowDirtyLines [nsBlockFrame.cpp, line 2238] nsBlockFrame::Reflow [nsBlockFrame.cpp, line 947] nsBlockReflowContext::DoReflowBlock [nsBlockReflowContext.cpp, line 570] nsBlockReflowContext::ReflowBlock [nsBlockReflowContext.cpp, line 348] nsBlockFrame::ReflowBlockFrame [nsBlockFrame.cpp, line 3202] nsBlockFrame::ReflowLine [nsBlockFrame.cpp, line 2460] nsBlockFrame::ReflowDirtyLines [nsBlockFrame.cpp, line 2238] nsBlockFrame::Reflow [nsBlockFrame.cpp, line 947] nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] nsTableCellFrame::Reflow [nsTableCellFrame.cpp, line 946] nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] nsTableRowFrame::ReflowChildren [nsTableRowFrame.cpp, line 1040] nsTableRowFrame::Reflow [nsTableRowFrame.cpp, line 1458] nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] nsTableRowGroupFrame::ReflowChildren [nsTableRowGroupFrame.cpp, line 447] nsTableRowGroupFrame::Reflow [nsTableRowGroupFrame.cpp, line 1211] nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] nsTableFrame::ReflowChildren [nsTableFrame.cpp, line 3313] nsTableFrame::ReflowTable [nsTableFrame.cpp, line 2207] nsTableFrame::Reflow [nsTableFrame.cpp, line 2073] nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] nsTableOuterFrame::OuterReflowChild [nsTableOuterFrame.cpp, line 1027] nsTableOuterFrame::Reflow [nsTableOuterFrame.cpp, line 1612] nsBlockReflowContext::DoReflowBlock [nsBlockReflowContext.cpp, line 570] nsBlockReflowContext::ReflowBlock [nsBlockReflowContext.cpp, line 348] nsBlockFrame::ReflowBlockFrame [nsBlockFrame.cpp, line 3202] nsBlockFrame::ReflowLine [nsBlockFrame.cpp, line 2460] nsBlockFrame::ReflowDirtyLines [nsBlockFrame.cpp, line 2238] nsBlockFrame::Reflow [nsBlockFrame.cpp, line 947] nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] nsTableCellFrame::Reflow [nsTableCellFrame.cpp, line 946] nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] nsTableRowFrame::ReflowChildren [nsTableRowFrame.cpp, line 1040] nsTableRowFrame::Reflow [nsTableRowFrame.cpp, line 1458] nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] nsTableRowGroupFrame::ReflowChildren [nsTableRowGroupFrame.cpp, line 447] nsTableRowGroupFrame::Reflow [nsTableRowGroupFrame.cpp, line 1211] nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] nsTableFrame::ReflowChildren [nsTableFrame.cpp, line 3313] nsTableFrame::ReflowTable [nsTableFrame.cpp, line 2207] nsTableFrame::Reflow [nsTableFrame.cpp, line 2073] nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 799] nsTableOuterFrame::OuterReflowChild [nsTableOuterFrame.cpp, line 1027] nsTableOuterFrame::Reflow [nsTableOuterFrame.cpp, line 1612] nsBlockReflowContext::DoReflowBlock [nsBlockReflowContext.cpp, line 570] nsBlockReflowContext::ReflowBlock [nsBlockReflowContext.cpp, line 348] nsBlockFrame::ReflowBlockFrame [nsBlockFrame.cpp, line 3202] nsBlockFrame::ReflowLine [nsBlockFrame.cpp, line 2460]

The problem is: nsLineLayout::ReflowFrame this = Register variable - data not available aFrame = 0x00000000 (*aFrame) = Data not available That |aFrame = 0| is no good... It looks like nsFirstLetterFrame::Reflow never checks that the mFrames.FirstChild() is non-null...

I was about to configm too. submitted talkback number: TB7488408G

yep, same stack.

I've got the same problem with tabbed surfing. 3 browser windows are okay, opening a 4th will crash in GKLAYOUT.DLL Moz 2002061908 Talkback ID: TB7510448Z

That stack is different; please file a separate bug on Image: layout and cc me....

I have the same problem after I empty the "Junk Mail" folder of my Hotmail account.

I get the same problem when visiting http://www.hostsearch.com/ MOZILLA caused an invalid page fault in module GKLAYOUT.DLL at 017f:6072fdb7. Registers: EAX=00649f34 CS=017f EIP=6072fdb7 EFLGS=00010206 EBX=0201832c SS=0187 ESP=00649c7c EBP=00649c88 ECX=020183d4 DS=0187 ESI=00000000 FS=12a7 EDX=021721d4 ES=0187 EDI=00649cac GS=0000 Bytes at CS:EIP: 83 26 00 51 ff 70 04 e8 02 67 ff ff 83 c4 10 85 Stack dump: 0201832c 00649c9c 020183e8 00649d1c 6075dd52 00649f34 00649e70 0201832c 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 Hope that's what you wanted . . .

Original test case is no longer crashing in build 2002070310 on Win95 and Win 98. Huh.

Jay Patel: Could you look if there are incidents with nsLineLayout::ReflowFrame signature for trunk builds? Original page is no longer crashing, but maybe was HTML code changed.

From looking at Talkback data, a few people have been crashing with Mozilla 1.1 Alpha (MozillaTrunk build 2002061108). Here are some user comments and urls from that data: (8067095) URL: www.songworm.com (8067095) Comments: Click on "Three planets" and crash (8038838) URL: http://jesuschrist.ru/forum/showflat.php?Cat=&Board=main&Number=26497&page=0&view=collapsed&sb=5&part= (8023406) URL: http://jesuschrist.ru/forum/showflat.php?Cat=&Board=main&Number=26497&page=0&view=collapsed&sb=5&part= (8023362) URL: http://jesuschrist.ru/forum/showflat.php?Cat=&Board=main&Number=26497&page=0&view=collapsed&sb=5&part= (8006852) URL: http://jesuschrist.ru/forum/showflat.php?Cat=&Board=main&Number=26497&page=0&view=collapsed&sb=5&part= (7997908) URL: http://potassium.synclogic.net/ubbthreads/showthreaded.php?Cat=&Board=UBB1&Number=58299&page=2&view=collapsed&sb=5&o=0 (7957883) URL: http://66.154.81.226/ubbthreads/showflat.php?Cat=&Board=UBB1&Number=82107&page=0&view=collapsed&sb=5&o=21&fpart= (7957859) Comments: b0rn bages with lots of jpgs banners three tabs (7941042) URL: http://www.velvetrope.com/ (7941042) Comments: looks like mozilla dies when you try to show "all" of a thread. (7940489) URL: http://www.velvetrope.com/ (7940489) Comments: just loading the page for one of the threads. (7940401) URL: http://www.velvetrope.com/ (7940401) Comments: The above URL was reloading and I clicked on the "chatzilla" icon in the status bar. (7931752) URL: http://empeg.comms.net (7926261) URL: http://jesuschrist.ru/forum/showflat.php?Cat=&Board=main&Number=26497&page=0&view=collapsed&sb=5&part= (7905952) URL: http://jesuschrist.ru/forum/showflat.php?Cat=&Board=main&Number=26497&page=0&view=collapsed&sb=5&part= (7905952) Comments: %((( (7905930) URL: http://jesuschrist.ru/forum/showflat.php?Cat=&Board=main&Number=26497&page=0&view=collapsed&sb=5&part= (7905930) Comments: Mozilla crashed %( (7897634) URL: http://potassium.synclogic.net/ubbthreads/showthreaded.php?Cat=&Board=UBB1&Number=58299&page=1&view=collapsed&sb=5&o=0 (7889839) URL: http://potassium.synclogic.net/ubbthreads/showthreaded.php?Cat=&Board=UBB1&Number=58299&page=1&view=collapsed&sb=5&o=0 (7811040) URL: http://potassium.synclogic.net/ubbthreads/showthreaded.php?Cat=&Board=UBB1&Number=58299&page=1&view=collapsed&sb=5&o=0 (7806299) URL: http://potassium.synclogic.net/ubbthreads/showthreaded.php?Cat=&Board=UBB1&Number=58299&page=1&view=collapsed&sb=5&o=0 (7776791) URL: http://potassium.synclogic.net/ubbthreads/showthreaded.php?Cat=&Board=UBB1&Number=58299&page=1&view=collapsed&sb=5&o=0 It looks like only a couple of people are really haveing problems with this crash. There has only been 1 crash submitted on the MozillaTrunk since Mozilla 1.1 Alpha went out: Incident ID 7963625 Stack Signature nsLineLayout::ReflowFrame ed4e58a9 Email Address craigbel@apex.net Product ID MozillaTrunk Build ID 2002070204 Trigger Time 2002-07-03 03:55:43 Platform Win32 Operating System Windows 98 4.90 build 73010104 Module GKLAYOUT.DLL URL visited User Comments Trigger Reason Access violation Source File Name c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineLayout.cpp Trigger Line No. 973 Stack Trace nsLineLayout::ReflowFrame [c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineLayout.cpp, line 973] nsInlineFrame::ReflowInlineFrame [c:/builds/seamonkey/mozilla/layout/html/base/src/nsInlineFrame.cpp, line 719] nsInlineFrame::ReflowFrames [c:/builds/seamonkey/mozilla/layout/html/base/src/nsInlineFrame.cpp, line 524] nsInlineFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsInlineFrame.cpp, line 438] nsLineLayout::ReflowFrame [c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineLayout.cpp, line 1082] nsBlockFrame::ReflowInlineFrame [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3806] nsBlockFrame::DoReflowInlineFrames [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3632] nsBlockFrame::DoReflowInlineFramesAuto [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3522] nsBlockFrame::ReflowInlineFrames [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3467] nsBlockFrame::ReflowLine [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2616] nsBlockFrame::ReflowDirtyLines [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2260] nsBlockFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 951] nsBlockReflowContext::DoReflowBlock [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line 570] nsBlockReflowContext::ReflowBlock [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line 348] nsBlockFrame::ReflowBlockFrame [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3228] nsBlockFrame::ReflowLine [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2482] nsBlockFrame::ReflowDirtyLines [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2260] nsBlockFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 951] nsBlockReflowContext::DoReflowBlock [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line 570] nsBlockReflowContext::ReflowBlock [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line 348] nsBlockFrame::ReflowBlockFrame [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3228] nsBlockFrame::ReflowLine [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2482] nsBlockFrame::ReflowDirtyLines [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2260] nsBlockFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 951] nsBlockReflowContext::DoReflowBlock [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line 570] nsBlockReflowContext::ReflowBlock [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line 348] nsBlockFrame::ReflowBlockFrame [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3228] nsBlockFrame::ReflowLine [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2482] nsBlockFrame::ReflowDirtyLines [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2260] nsBlockFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 951] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 825] CanvasFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsHTMLFrame.cpp, line 566] nsBoxToBlockAdaptor::Reflow [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 886] nsBoxToBlockAdaptor::DoLayout [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 627] nsBox::Layout [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp, line 1062] nsScrollBoxFrame::DoLayout [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsScrollBoxFrame.cpp, line 394] nsBox::Layout [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp, line 1062] nsContainerBox::LayoutChildAt [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsContainerBox.cpp, line 649] nsGfxScrollFrameInner::LayoutBox [c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp, line 1082] nsGfxScrollFrameInner::Layout [c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp, line 1241] nsGfxScrollFrame::DoLayout [c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp, line 1090] nsBox::Layout [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp, line 1062] nsBoxFrame::Reflow [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1002] nsGfxScrollFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp, line 779] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 825] ViewportFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsViewportFrame.cpp, line 577] PresShell::ResizeReflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 3001] PresShell::ResizeReflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6268] nsViewManager::SetWindowDimensions [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 589] nsViewManager::DispatchEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 1697] HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 83] nsWindow::DispatchEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1037] nsWindow::DispatchWindowEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1054] nsWindow::OnResize [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 4818] nsWindow::ProcessMessage [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 4034] nsWindow::WindowProc [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1299] KERNEL32.DLL + 0x3613 (0xbff63613) KERNEL32.DLL + 0x248f7 (0xbff848f7) This is a crash still, but definitely not a topcrasher. Adding topcrash- to keep it on our radar, and qawanted to see if anyone can reproduce this. If not, this one might be worth marking worksforme.

I've been getting a couple crashes in gklayout.dll a day minimum both at work and at home with win98se. Most recent one on 2002070904, GKLAYOUT.DLL at 0167:60797d76 See TB8140527W, TB8138888W Sure would be nice if we could cut/paste TB ids out of talkback.exe ;-)

Those are both already known (other) crash bugs -- the crash in nsImageListener::FrameChanged and the one in nsImageBoxListener::OnStopDecode

I assume comment 13 is refering to the TBs in comment 12.... Unfortunately, for those of us who havn't done any programming, it's hard to find some of these crash bugs. This bug is the ONLY one that shows up on a search for gklayout, which is why I posted my comments here. Should gklayout be added to the summary of the two other crash bugs mentioned in comment 13?

There are tons of crashes that are in gklayout.dll.

This bug has gone stale. It needs a new owner and a milestone. The crash is still happening on the branch is large numbers. (not on Trunk) Reassigning to Kevin for help.

There are almost 300 unique N7.0 users who have reported crashes with this stack. Most of them point to crashes on the nfl.com site. That would be the place to start to look for a testcase.

-> Alex

from talkback i can see that this is both trunk and branch. is this correct?

Alex: Yes, there are incidents in M1.20a and M1.1 (MozillaTrunk) as well as incidents on branch releases. However, there are no incidents with this signature in the last ten days of data on the Trunk.

zipped test case! got lucky with this one. it doesn't happen always. the first time i tested couple of weeks ago, everything worked fine. now it crashed and i captured this with IE :-( (yes, that one does not crash). i see the crash on the trunk so is real.

i get a slightly diferent stack than in comment 1. i paste here the difference only. underneath nsFirstLineFrame::Reflow everything is the same (afaict). VerifyStyleTree(nsIPresContext * 0x0398dc20, nsIFrame * 0x03a78470, nsIStyleContext * 0x00000000) line 1459 VerifyStyleTree(nsIPresContext * 0x0398dc20, nsIFrame * 0x03a784e8, nsIStyleContext * 0x03afba68) line 1473 + 15 bytes FrameManager::DebugVerifyStyleTree(FrameManager * const 0x03a4b830, nsIPresContext * 0x0398dc20, nsIFrame * 0x03a784e8) line 1508 + 22 bytes FrameManager::ReParentStyleContext(FrameManager * const 0x03a4b830, nsIPresContext * 0x0398dc20, nsIFrame * 0x03a784e8, nsIStyleContext * 0x03a7bd50) line 1527 nsPresContext::ReParentStyleContext(nsPresContext * const 0x0398dc20, nsIFrame * 0x03a784e8, nsIStyleContext * 0x03a7bd50) line 1028 + 35 bytes ReParentChildListStyle(nsIPresContext * 0x0398dc20, nsIStyleContext * 0x03a7bd50, nsFrameList & {...}) line 930 nsFirstLineFrame::Reflow(nsFirstLineFrame * const 0x03a7c0e0, nsIPresContext * 0x0398dc20, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 270) line 1011 + 20 bytes nsLineLayout::ReflowFrame(nsIFrame * 0x03a7c0e0, unsigned int & 270, nsHTMLReflowMetrics * 0x00000000, int & 0) line 1047 + 43 bytes . . . there is a style context resolution problem, i get this warning in the debug window a lot of times: frame: Text(**) (03AFB488) style: 03A782D8 :-moz-non-element {} Wrong parent style context: style: 03A7BD50 :-moz-line-frame {} should be using: style: 03AFBA68 :first-line {} and this one is there too: ###!!! ASSERTION: bad geometric parent: 'mFrames.ContainsFrame(aNextInFlow)', file s:/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 1063 ###!!! ASSERTION: failed to remove frame: 'result', file s:/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 1095 in my stack i can see ReParentChildListStyle(.... this might have causes the troubles i guess.

Don't assume that the frame is the parent of its child's nextInFlow.

Comment on attachment 103895 [details] [diff] [review] Patch yep, that's it. good catch. r= alexsavulov

anyone sr= this please. thanks a lot guys!

Comment on attachment 103895 [details] [diff] [review] Patch sr=dbaron. However, this is fixing a regression from bug 163614, so is obviously not the original reason that this bug was filed.

yeah, dbaron is right. i fetched the source code of 2002-10-07 and it does not crash with this testcase. hmm, opening a new bug would be the right thing to do since it looks like we have 2 different issues here. however MOntagu's patch will be checked in no matter where the old issue will be placed.

I hate to do this after getting r/sr without even asking, but after reading comment 26 I thought a more solid approach would be to fix DeleteNextInFlowChild rather than the caller. alex and dbaron: please transfer your reviews if you agree. If not, let me know and I'll request a= for the original patch. Does anyone have a reproducable crash on a branch build for further investigation?

Comment on attachment 103986 [details] [diff] [review] Alternative patch r= alexsavulov yeah, it looks more secure to me to go with this one. i'm wondering if we should have an assertion there in the debug version just to point to the fact that the wrong frame was assumed to be the parent of the aNextInFlow. BTW: i think that we should move the the testcase and patch to another bug (i can do that) and let this bug point to the previous issue since Greer tracks it. let's wait for dbaron first.

Comment on attachment 103986 [details] [diff] [review] Alternative patch This approach seems fine, but there are some callsites that are doing unnecessary work given this patch, and that should be cleaned up. See the patch that I mentioned above caused this (second) bug.

attachment 103895 [details] [diff] [review] fixes a place that I forgot to change in the patch in bug 163614 (there aren't too many places where DeleteNextInFlowChild is called). Maybe attachment 103986 [details] [diff] [review] should be put inside #ifdef DEBUG and and assertion added.

I have no problems with the alternative patch as long as DeleteNextInFlowChild() is called consistently ... along the lines of what dbaron mentions. Also, if you go the alternative route, nsBlockFrame has it's own version of DeleteNextInFlowChild() so it might need the same check that was added to the nsContainerFrame version. Note that also "correcting" the problem inside DeleteNextInFlowChild() means that any class that wants to override the current versions needs to have the same correction code.

Is it really necessary to put non debug code in that makes sure that callers are calling methods correctly. If we are going to start doing this, then where does it stop.

So, I favor the patch over the alternative patch.

What karnaze said, plus another assertion to investigate comment 2

Maybe it would be better to not correct the problem in debug mode (but just assert), because then we get different behavior than from an optimized build.

In that case, do we even need the assertion? We already have NS_PRECONDITION(mFrames.ContainsFrame(aNextInFlow), "bad geometric parent");

I guess not, if when you originally found the problem, the assertion failed.

Yes, that assertion failed for me and Alex (see comment 22). It looks like we have a consensus forming round attachment 103895 [details] [diff] [review], so I am going to request a= for it and move on.

Simon, if attachment 103895 [details] [diff] [review] is the one we have chosen, then let's move it to another bug (including the testcase) and let it open for the initial issue. do you agree with that?

I assume you mean "leave this one open for the initial issue", in which case I agree :-)

yes, that is what i meant (it was the phone that bothered me :-) ok, i will move that.

ok, i opened bug 176595 for the second issue, moved the patch and the testcase there so that issue can be handled separately. i will copy the cc's too.

WFM in 12/16/02 and 1/03/03 Trunk builds, but did crash with 6/11 Trunk.

David, can you still reproduce the bug on a recent build? If not, I propose we mark this as WFM.

Making topcrash+ since we have a testcase. Adding M130A and N701 to summary for future reference. This has been a topcrasher for Mozilla 1.3 Alpha and Netscape 7.01. I'm digging through Talkback data to see if this is still a problem with the latest MozillaTrunk builds.

Well, although there are quite a few crashes with Mozilla 1.3 Alpha...I only see a few incidents with recent MozillaTrunk builds. Here is a recent crash on the Trunk: Incident ID 16485223 Stack Signature nsLineLayout::ReflowFrame 8581dc79 Email Address mscott@netscape.com Product ID MozillaTrunk Build ID 2003011308 Trigger Time 2003-01-22 11:59:16 Platform Win32 Operating System Windows NT 5.1 build 2600 Module gklayout.dll URL visited User Comments Trigger Reason Access violation Source File Name c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineLayout.cpp Trigger Line No. 1097 Stack Trace nsLineLayout::ReflowFrame [c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineLayout.cpp, line 1097] nsBlockFrame::ReflowInlineFrame [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3899] nsBlockFrame::DoReflowInlineFrames [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3727] nsBlockFrame::DoReflowInlineFramesAuto [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3629] nsBlockFrame::ReflowInlineFrames [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3574] nsBlockFrame::ReflowLine [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2665] nsBlockFrame::ReflowDirtyLines [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2311] nsBlockFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 954] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941] nsTableCellFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableCellFrame.cpp, line 947] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941] nsTableRowFrame::ReflowChildren [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowFrame.cpp, line 1054] nsTableRowFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowFrame.cpp, line 1478] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941] nsTableRowGroupFrame::ReflowChildren [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp, line 447] nsTableRowGroupFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp, line 1336] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941] nsTableFrame::ReflowChildren [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 3311] nsTableFrame::ReflowTable [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 2213] nsTableFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 2074] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941] nsTableOuterFrame::OuterReflowChild [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1343] nsTableOuterFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1989] nsBlockReflowContext::ReflowBlock [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line 547] nsBlockFrame::ReflowBlockFrame [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3332] nsBlockFrame::ReflowLine [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2533] nsBlockFrame::ReflowDirtyLines [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2311] nsBlockFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 954] nsBlockReflowContext::ReflowBlock [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line 547] nsBlockFrame::ReflowBlockFrame [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3332] nsBlockFrame::ReflowLine [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2533] nsBlockFrame::ReflowDirtyLines [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2311] nsBlockFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 954] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941] nsPageContentFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPageContentFrame.cpp, line 109] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941] nsPageFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPageFrame.cpp, line 222] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941] nsSimplePageSequenceFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsSimplePageSequence.cpp, line 447] nsContainerFrame::ReflowChild [c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 941] ViewportFrame::Reflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsViewportFrame.cpp, line 581] PresShell::InitialReflow [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 2795] nsPrintEngine::ReflowPrintObject [c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 2825] nsPrintEngine::ReflowDocList [c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 2574] nsPrintEngine::SetupToPrintContent [c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 2396] nsPrintEngine::DocumentReadyForPrinting [c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 2222] nsPrintEngine::Observe [c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 4631] nsPrintProgress::DoneIniting [c:/builds/seamonkey/mozilla/embedding/components/printingui/src/win/nsPrintProgress.cpp, line 228] XPTC_InvokeByIndex [c:/builds/seamonkey/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102] XPCWrappedNative::CallMethod [c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2025] XPC_WN_CallMethod [c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1293] js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 841] js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2804] js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 857] js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 932] JS_CallFunctionValue [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3433] nsJSContext::CallEventHandler [c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1043] GlobalWindowImpl::RunTimeout [c:/builds/seamonkey/mozilla/dom/src/base/nsGlobalWindow.cpp, line 4749] GlobalWindowImpl::TimerCallback [c:/builds/seamonkey/mozilla/dom/src/base/nsGlobalWindow.cpp, line 5105] nsTimerImpl::Fire [c:/builds/seamonkey/mozilla/xpcom/threads/nsTimerImpl.cpp, line 383] nsAppShell::Run [c:/builds/seamonkey/mozilla/widget/src/windows/nsAppShell.cpp, line 176] nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 471] main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1559] main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1907 If noone is able to reproduce this, we should probably mark this worksforme.

The testcase in question worksforme. That said, there might be other bugs with this stack.

Alrighty...it looks like enough people are seeing a worksforme here using the attached testcase...so marking it so. If we see any new crashes with this stack signature/trace...we should just log a new bug.