Closed
Bug 185357
Opened 22 years ago
Closed 21 years ago
crash printing / print previewing ign.com due to view tree mangling
Categories
(Core :: Printing: Output, defect, P1)
Core
Printing: Output
Tracking
()
VERIFIED
FIXED
Future
People
(Reporter: mozilla, Assigned: roc)
References
Details
(Keywords: regression, testcase, topcrash+, Whiteboard: [patch] partly fixed, but still some crashes -dbaron one last look)
Attachments
(11 files, 3 obsolete files)
|
(deleted),
text/html
|
Details | |
|
(deleted),
text/html
|
Details | |
|
(deleted),
text/html
|
Details | |
|
(deleted),
patch
|
roc
:
review+
roc
:
superreview+
|
Details | Diff | Splinter Review |
|
(deleted),
patch
|
Details | Diff | Splinter Review | |
|
(deleted),
text/html
|
Details | |
|
(deleted),
image/png
|
Details | |
|
(deleted),
text/html
|
Details | |
|
(deleted),
text/plain
|
Details | |
|
(deleted),
text/html
|
Details | |
|
(deleted),
patch
|
dbaron
:
review+
dbaron
:
superreview+
|
Details | Diff | Splinter Review |
screenshot of James' print preview of minimized IGN.com testcase
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) Opera 6.02 [en]
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.2.1) Gecko/20021130
When print previewing an iframe that will not fit on one page after scaling, moz crashes.
See test case (based on http://www.pcmag.com/article2/0,4149,715464,00.asp).
Reproducible: Always
Steps to Reproduce:
1. Print preview the test case.
Actual Results:
Crash.
See TB15027476Z
May be linked to other iframe print layout bugs e.g. 113217, tho they do not crash.
|
Reporter | |
Comment 1•22 years ago
|
||
Does need the first table row and iframe align="right".
|
||
Comment 2•22 years ago
|
||
confirming using build 2002121404 on Win2k.
Loaded testcase, Print Preview, Close Print Preview, crash.
Whiteboard: TB15027476Z
Really confirming as per comment #2
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
||
Comment 4•22 years ago
|
||
Works fine when not in a table
Null pointer in table reflow:
nsIFrame::GetNextSibling(nsIFrame * * 0x0012a0f4) line 697 + 6 bytes
nsLineBox::LastChild() line 255
nsBlockFrame::PushLines(nsBlockReflowState & {...}, nsLineList_iterator {...})
line 4690 + 17 bytes
nsBlockFrame::PushTruncatedPlaceholderLine(nsBlockReflowState & {...},
nsLineList_iterator {...}, nsIFrame * 0x00000000, int & 1) line 3694
nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState & {...}, nsLineLayout &
{...}, nsLineList_iterator {...}, int * 0x0012a8f0, unsigned char * 0x0012a6b0,
int 0, int 0) line 3797
nsBlockFrame::DoReflowInlineFramesAuto(nsBlockReflowState & {...},
nsLineList_iterator {...}, int * 0x0012a8f0, unsigned char * 0x0012a6b0, int 0,
int 0) line 3675 + 46 bytes
nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x0012a8f0, int 0, int 0) line 3619 + 36 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x0012a8f0, int 0) line 2711 + 33 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2355 + 31 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x045b5838, nsIPresContext *
0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 944 + 15 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x045b5838, nsIPresContext *
0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int
15, int 15, unsigned int 0, unsigned int & 0) line 928 + 31 bytes
nsTableCellFrame::Reflow(nsTableCellFrame * const 0x045b57d8, nsIPresContext *
0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 950
nsContainerFrame::ReflowChild(nsIFrame * 0x045b57d8, nsIPresContext *
0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int
30, int 0, unsigned int 0, unsigned int & 0) line 928 + 31 bytes
nsTableRowFrame::ReflowChildren(nsTableRowFrame * const 0x045b5788,
nsIPresContext * 0x045866d8, nsHTMLReflowMetrics & {...}, const
nsHTMLReflowState & {...}, nsTableFrame & {...}, unsigned int & 0, int 0) line
1054 + 45 bytes
nsTableRowFrame::Reflow(nsTableRowFrame * const 0x045b5788, nsIPresContext *
0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 1468 + 37 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x045b5788, nsIPresContext *
0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0,
int 0, unsigned int 3, unsigned int & 0) line 928 + 31 bytes
nsTableRowGroupFrame::SplitRowGroup(nsIPresContext * 0x045866d8,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, nsTableFrame *
0x045d6d1c, unsigned int & 0) line 1130 + 43 bytes
nsTableRowGroupFrame::Reflow(nsTableRowGroupFrame * const 0x045b5154,
nsIPresContext * 0x045866d8, nsHTMLReflowMetrics & {...}, const
nsHTMLReflowState & {...}, unsigned int & 0) line 1368
nsContainerFrame::ReflowChild(nsIFrame * 0x045b5154, nsIPresContext *
0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0,
int 30, unsigned int 0, unsigned int & 0) line 928 + 31 bytes
nsTableFrame::ReflowChildren(nsTableFrame * const 0x045d6d1c, nsIPresContext *
0x045866d8, nsTableReflowState & {...}, int 1, int 0, unsigned int & 0, nsIFrame
* & 0x00000000, int * 0x00000000) line 3310 + 50 bytes
nsTableFrame::ReflowTable(nsIPresContext * 0x045866d8, nsHTMLReflowMetrics &
{...}, const nsHTMLReflowState & {...}, int 13770, nsReflowReason
eReflowReason_Resize, nsIFrame * & 0x00000000, int & 0, int & 1, unsigned int &
0) line 2214
nsTableFrame::Reflow(nsTableFrame * const 0x045d6d1c, nsIPresContext *
0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 2072
nsContainerFrame::ReflowChild(nsIFrame * 0x045d6d1c, nsIPresContext *
0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0,
int 0, unsigned int 3, unsigned int & 0) line 928 + 31 bytes
nsTableOuterFrame::OuterReflowChild(nsTableOuterFrame * const 0x045d6ba8,
nsIPresContext * 0x045866d8, nsIFrame * 0x045d6d1c, const nsHTMLReflowState &
{...}, nsHTMLReflowMetrics & {...}, int 10099, nsSize & {width=73231580
height=1228880}, nsMargin & {top=0 right=0 bottom=0 left=0}, nsMargin &
{top=1228772 right=30175530 bottom=6 left=73227976}, nsMargin & ...) line 1344 +
47 byte
nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x045d6ba8, nsIPresContext *
0x045866d8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0) line 1989 + 74 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {x=0 y=0 width=10099
height=13781}, int 0, nsCollapsingMargin & {...}, int 1, nsMargin & {top=0
right=0 bottom=0 left=0}, nsHTMLReflowState & {...}, unsigned int & 0) line 548
+ 42 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator
{...}, int * 0x0012c69c) line 3377 + 56 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...},
int * 0x0012c69c, int 0) line 2573 + 27 bytes
Assignee: rods → karnaze
Summary: iframe can crash printing if will not fit on one page → iframe (in a table) can crash printing if will not fit on one page
|
|
||
Comment 5•22 years ago
|
||
asserts and stack on Linux debug build 20021203:
Trying to position a sizeless window; caller should have called sizeToContent()
or sizeTo(). See bug 75649.
###!!! ASSERTION: bad push: 'overBegin != begin_lines()', file nsBlockFrame.cpp,
line 4664
Break: at file nsBlockFrame.cpp, line 4664
###!!! ASSERTION: running past end: 'mCurrent != mListLink', file nsLineBox.h,
line 539
Break: at file nsLineBox.h, line 539
###!!! ASSERTION: translation failed: 'ok', file nsContainerFrame.cpp, line 480
Break: at file nsContainerFrame.cpp, line 480
###!!! ASSERTION: translation failed: 'ok', file nsContainerFrame.cpp, line 480
Break: at file nsContainerFrame.cpp, line 480
###!!! ASSERTION: translation failed: 'ok', file nsContainerFrame.cpp, line 480
Break: at file nsContainerFrame.cpp, line 480
###!!! ASSERTION: translation failed: 'ok', file nsContainerFrame.cpp, line 480
Break: at file nsContainerFrame.cpp, line 480
WARNING: data loss - complete row needed more height than available, on top of
page, file nsTableRowGroupFrame.cpp, line 1174
WEBSHELL- = 4
[New Thread 11276 (LWP 2539)]
GTK theme failed for widget type 1, error was 3, state was
[active=1,focused=2,inHover=4,disabled=0]
WARNING: GTK theme failed; disabling unsafe widget, file nsNativeThemeGTK.cpp,
line 368
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 2525)]
0x00000061 in ?? ()
Current language: auto; currently c
(gdb) bt
#0 0x00000061 in ?? ()
#1 0x41be2a59 in nsFrameList::DestroyFrames (this=0x8777f28,
aPresContext=0x875e768) at nsFrameList.cpp:130
#2 0x41a84e26 in nsBlockFrame::Destroy (this=0x8777ee4,
aPresContext=0x875e768) at nsBlockFrame.cpp:421
#3 0x41be2a59 in nsFrameList::DestroyFrames (this=0x8777eb8,
aPresContext=0x875e768) at nsFrameList.cpp:130
#4 0x41a9a04d in nsContainerFrame::Destroy (this=0x8777e84,
aPresContext=0x875e768) at nsContainerFrame.cpp:142
#5 0x41be2a59 in nsFrameList::DestroyFrames (this=0x8777e68,
aPresContext=0x875e768) at nsFrameList.cpp:130
dupe of bug 178781 ?
No longer blocks: 185584
Keywords: stackwanted → clean-report
OS: Windows 98 → All
Hardware: PC → All
Summary: iframe (in a table) can crash printing if will not fit on one page → iframe (in a table) can crash printing if will not fit on one page [@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames ]
Whiteboard: TB15027476Z
|
||
Comment 6•22 years ago
|
||
*** Bug 185705 has been marked as a duplicate of this bug. ***
|
|
||
Comment 7•22 years ago
|
||
*** Bug 186839 has been marked as a duplicate of this bug. ***
*** Bug 186027 has been marked as a duplicate of this bug. ***
|
||
Comment 9•22 years ago
|
||
-> jkeiser
Assignee: karnaze → jkeiser
Priority: -- → P1
Target Milestone: --- → Future
|
||
Updated•22 years ago
|
Keywords: mozilla1.3
|
||
Comment 10•22 years ago
|
||
*** Bug 191379 has been marked as a duplicate of this bug. ***
|
|
||
Comment 11•22 years ago
|
||
the testcase regressed between linux trunk builds 2002052808 and 2002052908,
indicating the culprit is bug 145305
Keywords: regression
|
|
||
Comment 12•22 years ago
|
||
*** Bug 194365 has been marked as a duplicate of this bug. ***
|
|
||
Comment 13•22 years ago
|
||
*** Bug 194871 has been marked as a duplicate of this bug. ***
|
||
Comment 14•22 years ago
|
||
gisburn noted that this smells like a topcrash; it sure looks like it from the
reports on climate (a whole lot of ::LastChild, with all comments related to
printing, maybe 4 a day average).
|
|
||
Updated•22 years ago
|
|
|
||
Comment 15•22 years ago
|
||
As shown in duplicate bug 185705, this crash is occurring in phpBB forums, among
other places.
|
||
Comment 16•22 years ago
|
||
Making this topcrash+ since we have a testcase that make this easily
reproducible. Here is my incident:
Incident ID 17700244
Stack Signature nsLineBox::LastChild e5906a94
Email Address jpatel@netscape.com
Product ID MozillaTrunk
Build ID 2003022610
Trigger Time 2003-03-03 15:33:55
Platform Win32
Operating System Windows NT 5.1 build 2600
Module gklayout.dll
URL visited http://bugzilla.mozilla.org/attachment.cgi?id=109295&action=view
User Comments Just opend up testcase for bug 185357 and did a print preview.
Trigger Reason Access violation
Source File Name c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineBox.cpp
Trigger Line No. 249
Stack Trace
nsLineBox::LastChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsLineBox.cpp, line 249]
nsBlockFrame::PushLines
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 4538]
nsBlockFrame::PushTruncatedPlaceholderLine
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3644]
nsBlockFrame::DoReflowInlineFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3752]
nsBlockFrame::DoReflowInlineFramesAuto
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3626]
nsBlockFrame::ReflowInlineFrames
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3571]
nsBlockFrame::ReflowLine
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2669]
nsBlockFrame::ReflowDirtyLines
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2315]
nsBlockFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 952]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944]
nsTableCellFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableCellFrame.cpp, line 947]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944]
nsTableRowFrame::ReflowChildren
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowFrame.cpp, line 1054]
nsTableRowFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowFrame.cpp, line 1478]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944]
nsTableRowGroupFrame::SplitRowGroup
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp,
line 1132]
nsTableRowGroupFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp,
line 1370]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944]
nsTableFrame::ReflowChildren
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 3310]
nsTableFrame::ReflowTable
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 2212]
nsTableFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableFrame.cpp, line 2073]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944]
nsTableOuterFrame::OuterReflowChild
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1342]
nsTableOuterFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1987]
nsBlockReflowContext::ReflowBlock
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line
547]
nsBlockFrame::ReflowBlockFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3336]
nsBlockFrame::ReflowLine
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2537]
nsBlockFrame::ReflowDirtyLines
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2315]
nsBlockFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 952]
nsBlockReflowContext::ReflowBlock
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockReflowContext.cpp, line
547]
nsBlockFrame::ReflowBlockFrame
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3336]
nsBlockFrame::ReflowLine
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2537]
nsBlockFrame::ReflowDirtyLines
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2315]
nsBlockFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 952]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944]
nsPageContentFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPageContentFrame.cpp, line 108]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944]
nsPageFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPageFrame.cpp, line 223]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944]
nsSimplePageSequenceFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsSimplePageSequence.cpp, line
447]
nsBoxToBlockAdaptor::Reflow
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 905]
nsBoxToBlockAdaptor::DoLayout
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 647]
nsBox::Layout [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp, line 1073]
nsScrollBoxFrame::DoLayout
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsScrollBoxFrame.cpp, line 360]
nsBox::Layout [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp, line 1073]
nsContainerBox::LayoutChildAt
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsContainerBox.cpp, line 647]
nsGfxScrollFrameInner::LayoutBox
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp, line 1154]
nsGfxScrollFrameInner::Layout
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp, line 1313]
nsGfxScrollFrame::DoLayout
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp, line 1162]
nsBox::Layout [c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBox.cpp, line 1073]
nsBoxFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 902]
nsGfxScrollFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsGfxScrollFrame.cpp, line 848]
nsContainerFrame::ReflowChild
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 944]
ViewportFrame::Reflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsViewportFrame.cpp, line 263]
PresShell::InitialReflow
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 2806]
nsPrintEngine::ReflowPrintObject
[c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 2823]
nsPrintEngine::ReflowDocList
[c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 2575]
nsPrintEngine::SetupToPrintContent
[c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 2397]
nsPrintEngine::DocumentReadyForPrinting
[c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 2223]
nsPrintEngine::FinishPrintPreview
[c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 4533]
nsPrintEngine::PrintPreview
[c:/builds/seamonkey/mozilla/content/base/src/nsPrintEngine.cpp, line 1274]
DocumentViewerImpl::PrintPreview
[c:/builds/seamonkey/mozilla/content/base/src/nsDocumentViewer.cpp, line 3091]
XPTC_InvokeByIndex
[c:/builds/seamonkey/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2025]
Adding [@ nsLineBox::LastChild] to summary since that is the stack signature
Talkback is reporting back for this crash.
Summary: iframe (in a table) can crash printing if will not fit on one page [@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames ] → iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames ]
|
|
||
Comment 17•22 years ago
|
||
*** Bug 194771 has been marked as a duplicate of this bug. ***
|
|
||
Comment 18•22 years ago
|
||
*** Bug 188688 has been marked as a duplicate of this bug. ***
|
||
Comment 19•22 years ago
|
||
No incident reports for nsIFrame::GetNextSibling in the talkback database.
None of these stack signatures are in the topcrash reports. Marking topcrash-
Summary: iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames ] → iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames]
|
||
Comment 20•22 years ago
|
||
I'm getting crash-on-print as well on this page with 2003041609 on Win2k:
http://www.thecounter.com/stats/2003/March/browser.php
Talkback IDs: TB19242224M and TB19242190X. Would that be a dupe of this bug?
|
||
Comment 21•22 years ago
|
||
janc, by we are still getting the crashers at nsLineBox::LastChild (not terribly
frequently but still in the top 100) It looks like one of the most reported
print crashers.
http://warp.mcom.com/u/talkback/reports/M140A/keyword/print-keyword.html
|
|
||
Updated•22 years ago
|
|
|
||
Updated•22 years ago
|
Flags: blocking1.4b? → blocking1.4b-
|
|
||
Comment 22•22 years ago
|
||
not as high as many other crashers, we'd certainly consider a fix if one happens
in the next few weeks.
Flags: blocking1.4? → blocking1.4-
|
||
Comment 23•22 years ago
|
||
is Bug 206099 a possible dupe?
|
||
Comment 24•22 years ago
|
||
*** Bug 206099 has been marked as a duplicate of this bug. ***
|
|
||
Comment 25•22 years ago
|
||
*** Bug 206232 has been marked as a duplicate of this bug. ***
|
||
Comment 26•22 years ago
|
||
adt: nsbeta1+/adt2
|
|
||
Comment 27•22 years ago
|
||
*** Bug 211069 has been marked as a duplicate of this bug. ***
|
|
||
Comment 28•22 years ago
|
||
*** Bug 208590 has been marked as a duplicate of this bug. ***
|
||
Comment 29•22 years ago
|
||
*** Bug 212548 has been marked as a duplicate of this bug. ***
|
||
Comment 30•21 years ago
|
||
*** Bug 216484 has been marked as a duplicate of this bug. ***
|
||
Comment 31•21 years ago
|
||
I did some research into this one and what I found was that in
nsLineBox::LastChild, GetChildCount is returning an outrageously large value
(seemingly random)
It appears that for some reason in this case, mFlags.mChildCount in nsLineBox is
uninitialized.
The strange part is that SetChildCount is called in the constructor for
nsLineBox, so it should never be uninitailized.
I'll do some logging and post it.
|
|
||
Updated•21 years ago
|
Flags: blocking1.5+
|
|
||
Comment 32•21 years ago
|
||
OK, here's the relevant log. Notice the last entry. That this ptr (38d5888) was
never actually constructed, but somehow it's getting a "GetChildCount" called on
it. So it returns junk. Help.
[38d5768] Setting child count to 1 in constructor for nsLineBox
[38d5768] SetChildCount is being set with 1
[38d5768] SetChildCount is set with 1
[38d5768] Child count after SetChild count is 1 in constructor for nsLineBox
[38d5b78] Setting child count to 1 in constructor for nsLineBox
[38d5b78] SetChildCount is being set with 1
[38d5b78] SetChildCount is set with 1
[38d5b78] Child count after SetChild count is 1 in constructor for nsLineBox
[38cc4d8] Setting child count to 1 in constructor for nsLineBox
[38cc4d8] SetChildCount is being set with 1
[38cc4d8] SetChildCount is set with 1
[38cc4d8] Child count after SetChild count is 1 in constructor for nsLineBox
[38cc508] Setting child count to 1 in constructor for nsLineBox
[38cc508] SetChildCount is being set with 1
[38cc508] SetChildCount is set with 1
[38cc508] Child count after SetChild count is 1 in constructor for nsLineBox
[38cc538] Setting child count to 1 in constructor for nsLineBox
[38cc538] SetChildCount is being set with 1
[38cc538] SetChildCount is set with 1
[38cc538] Child count after SetChild count is 1 in constructor for nsLineBox
[38cc568] Setting child count to 1 in constructor for nsLineBox
[38cc568] SetChildCount is being set with 1
[38cc568] SetChildCount is set with 1
[38cc568] Child count after SetChild count is 1 in constructor for nsLineBox
[38cc568] GetChildCount is 1
[38cc4d8] GetChildCount is 1
[38cc4d8] GetChildCount is 1
[38cc4d8] GetChildCount is 1
[38cc4d8] GetChildCount is 1
[38cc4d8] GetChildCount is 1
[38cc508] GetChildCount is 1
[38cc4d8] GetChildCount is 1
[38cc4d8] GetChildCount is 1
[38cc508] GetChildCount is 1
[38cc4d8] GetChildCount is 1
[38d5768] GetChildCount is 1
[38d5768] GetChildCount is 1
[38d5768] GetChildCount is 1
[38d5768] GetChildCount is 1
[38d5b78] GetChildCount is 1
[38d5b78] GetChildCount is 1
[38d5b78] GetChildCount is 1
[38d5b78] GetChildCount is 1
[38d5768] GetChildCount is 1
[38d5768] GetChildCount is 1
[38d5b78] GetChildCount is 1
[38d5b78] GetChildCount is 1
[38d5b78] GetChildCount is 1
[38d5b78] GetChildCount is 1
[38d5b78] GetChildCount is 1
[38d5b78] GetChildCount is 1
[38d5888] GetChildCount is 14549
|
|
||
Comment 33•21 years ago
|
||
Another thing to note.
We hit this assertion:
###!!! ASSERTION: bad push: 'overBegin != begin_lines()', file c:/builds/current
/mozilla/layout/html/base/src/nsBlockFrame.cpp
in nsBlockFrame::PushLines
|
|
||
Comment 34•21 years ago
|
||
Who can help here?
|
|
||
Updated•21 years ago
|
Flags: blocking1.5+ → blocking1.5-
|
||
Comment 35•21 years ago
|
||
*** Bug 220638 has been marked as a duplicate of this bug. ***
|
||
Comment 36•21 years ago
|
||
*** Bug 216734 has been marked as a duplicate of this bug. ***
|
|
||
Updated•21 years ago
|
Summary: iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames] → nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames]
|
||
Comment 37•21 years ago
|
||
*** Bug 225625 has been marked as a duplicate of this bug. ***
|
||
Comment 38•21 years ago
|
||
|
|
||
Comment 39•21 years ago
|
||
|
|
||
Updated•21 years ago
|
Flags: blocking1.6b?
|
|
||
Comment 41•21 years ago
|
||
We'd consider a reviewed patch for 1.6 bug we're not going to block for this.
Flags: blocking1.6b? → blocking1.6b-
|
|
||
Comment 42•21 years ago
|
||
*** Bug 228272 has been marked as a duplicate of this bug. ***
|
||
Comment 43•21 years ago
|
||
*** Bug 228821 has been marked as a duplicate of this bug. ***
|
||
Comment 44•21 years ago
|
||
My memory from debugging this a few weeks ago was that it is a regression from
bug 145305 -- and that the whole idea of PushTruncatedPlaceholderLine doesn't
make sense to me -- if a float needs to be split, that doesn't change anything
about the block containing it, or, for that matter, anything up to the root of
the block formatting context.
|
||
Comment 45•21 years ago
|
||
*** Bug 229184 has been marked as a duplicate of this bug. ***
|
|
||
Comment 46•21 years ago
|
||
*** Bug 215818 has been marked as a duplicate of this bug. ***
|
|
||
Comment 47•21 years ago
|
||
This fixes the crash described in this bug, although the first testcase still
crashes when the frame tree is destroyed.
|
|
||
Updated•21 years ago
|
Whiteboard: [adt2] → [patch]
|
|
||
Comment 48•21 years ago
|
||
*** Bug 232551 has been marked as a duplicate of this bug. ***
|
|
||
Comment 49•21 years ago
|
||
Here's what I see in the nsFrame::Destroy methods where there's a view:
nsFrame[0xa583d0c, nif=(nil)]::Destroy: view is 0xa580e28 (vptr=0x1ad16e8)
View 0xa580e28 being destroyed frame=(nil).
View 0xa580e28 destroying child 0xa581298
View 0xa581298 being destroyed frame=0xa584e9c.
View 0xa581298 destroying child 0xa581300
View 0xa581300 being destroyed frame=(nil).
nsFrame[0xa583c50, nif=(nil)]::Destroy: view is 0xa580d70 (vptr=0x1ad16e8)
View 0xa580d70 being destroyed frame=(nil).
nsFrame[0xa584e9c, nif=(nil)]::Destroy: view is 0xa581298 (vptr=0xa57c948)
View 0xa581298 being destroyed frame=(nil).
I suspect view pointers aren't being fixed up when something is pushed to the
next page.
|
|
||
Comment 50•21 years ago
|
||
Comment on attachment 140102 [details] [diff] [review]
patch for this crash
I think this patch will probably fix some crashes that are ending up on this
bug.
I'm working on the view parenting problem (the view of a floating IFRAME that's
being pushed isn't being reparented). There were a few obvious problems, some
of which had easy fixes (which didn't fix the problem), and some of which I
haven't tried yet.
Attachment #140102 -
Flags: superreview?(roc)
Attachment #140102 -
Flags: review?(roc)
|
|
||
Comment 51•21 years ago
|
||
|
Assignee | |
Updated•21 years ago
|
Attachment #140102 -
Flags: superreview?(roc)
Attachment #140102 -
Flags: superreview+
Attachment #140102 -
Flags: review?(roc)
Attachment #140102 -
Flags: review+
|
|
||
Comment 52•21 years ago
|
||
Comment on attachment 140102 [details] [diff] [review]
patch for this crash
Checked in to trunk 2004-02-03 10:19 -0800.
|
||
Comment 53•21 years ago
|
||
*** Bug 233277 has been marked as a duplicate of this bug. ***
|
|
||
Comment 54•21 years ago
|
||
Print preview on attached Testcase #2 or Testcase #3 hangs 1.7a/W2K.
|
||
Comment 55•21 years ago
|
||
Still crashing on first testcase (after closing the preview): Mozilla/5.0 (X11;
U; Linux i686; en-US; rv:1.7b) Gecko/20040316
Talkback ID is TB10888W
Captured at 04/02/04 at 05:13 PM
Hang on 2nd testcase.
Hang on 3rd testcase. Both hang while still preparing the preview.
I see most of this data (like dbaron noting that it still crashes on testcase
#1) already mentioned, but I figured it couldn't hurt to show it still happens,
and give some Talkback on it too.
|
|
||
Comment 56•21 years ago
|
||
The problems I mention in comment 50 are documented in some of the XXX comments
in attachment 144685 [details] [diff] [review].
|
|
||
Comment 57•21 years ago
|
||
Looks like the stack trace has changed a little since this bug was filed. Here
is my crash from testcase1:
Incident ID: 47784
Stack Signature 0x00000000 ed8b9339
Email Address jay@mozilla.org
Product ID Mozilla17
Build ID 2004042109
Trigger Time 2004-05-14 15:26:36.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module
URL visited http://bugzilla.mozilla.org/show_bug.cgi?id=185357
User Comments again...trying to close tab of print preview of testcase #1
Since Last Crash sec
Total Uptime sec
Trigger Reason Access violation
Source File Name
Trigger Line No.
Stack Trace
0x00000000
nsIView::Destroy
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp,
line 253]
nsFrame::Destroy
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsFrame.cpp,
line 646]
Which I'm pretty sure is the same as bug 230417 (which was fixed on 5/4/2004).
Marking this a dup since the most recent work was done in bug 230417.
*** This bug has been marked as a duplicate of 230417 ***
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
Summary: nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames] → M17rc1 [@ nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames]
|
|
||
Comment 58•21 years ago
|
||
Just adding nsLineBox::LastChild to summary for tracking and reopening. I'll
let dbaron decide whether this should remain open or if it's a dup/related to
bug 230417.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Summary: M17rc1 [@ nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames] → M17rc1 nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild] [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames]
|
|
||
Comment 59•21 years ago
|
||
I meant I added [@ nsIView::Destroy] since that's what my recent crash showed as
the stack signature for testcase 1.
Summary: M17rc1 nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsLineBox::LastChild] [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames] → M17rc1 nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsIView::Destroy] [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames]
|
|
Assignee | |
Comment 60•21 years ago
|
||
So you're saying that this bug is NOT fixed?
|
|
||
Comment 61•21 years ago
|
||
Well, the first testcase still crashes for me, so this should probably still
stay open.
|
|
||
Comment 62•21 years ago
|
||
Updating summary: M17rc1 -> M17rc2. Testcase 1 still crashing for me with the
same stack.
Summary: M17rc1 nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsIView::Destroy] [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames] → M17rc2 nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsIView::Destroy] [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames]
|
|
||
Comment 63•21 years ago
|
||
*** Bug 243674 has been marked as a duplicate of this bug. ***
|
|
||
Comment 64•21 years ago
|
||
It looks like bug 230417 fixed the crash in print preview with testcase 1 from
this bug and http://www.linuxworld.com/story/32629.htm from that bug. But both
of those cases now crash when closing print preview with Mozilla 1.7 rc2.
I also get the same stack when loading print preview for www.ign.com with rc2.
|
|
Assignee | |
Comment 65•21 years ago
|
||
These tests all work for me on the trunk. Is this branch only?
Nope.
Windows XP, trunk Seamonkey build 2004-05-21.
Steps:
1. Load www.ign.com (go past the ad page)
2. Print Preview, switch from Landscape to Portrait orientation (or vice-versa)
Crash...
|
|
Assignee | |
Comment 68•21 years ago
|
||
OK, I see the ign crash. Almost certainly a bad view hierarchy.
The testcases 2 and 3 throw me into an infinite loop, hanging the browser, but
no crash, it's just stuck.
|
|
Assignee | |
Comment 69•21 years ago
|
||
I think these are two completely different bugs. The latter is presumably
something to do with the line containing the IFRAME being pushed infinitely
often because it doesn't fit on any page. We need to avoid the creation of an
empty page, and force at least *some* content to fit on it even if it overflows.
The bad view hierarchy (www.ign.com) is probably easier to fix, but for that we
really need a minimized testcase.
|
|
||
Updated•21 years ago
|
Flags: blocking1.6b-
Flags: blocking1.5-
Flags: blocking1.4b-
Flags: blocking1.4-
|
|
||
Updated•21 years ago
|
Flags: blocking1.7? → blocking1.7+
If someone else has more HTML/CSS knowledge than I do, and can reduce this even
further, that would rock. As it stands, this is a lot smaller than the
original HTML, but still contains probably too many DIVs. However, removing
even one link or div causes the testcase to NOT crash in most cases.
|
||
Updated•21 years ago
|
Whiteboard: [patch] → [patch] partly fixed, but still some crashes
|
||
Comment 71•21 years ago
|
||
I managed to reduce Stephen's testcase even further (and it could probably
still be reduced a little more). It looks like the culprit involves some
combination of nested DIV's with position:relatives's, float's, and images, all
over a page break. You can see my stacktrace for Stephen's testcase at
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=63676,
and my stacktrace for this testcase at
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=63929.
Both are basically the same, but neither involve nsIView::Destroy.
|
|
||
Comment 72•21 years ago
|
||
I managed to reduce my testcase for IGN further, to only a few lines.
<div style="height:1228px; border: none;"></div><!-- this is just a spacer-->
<div style="position: relative; float: left; width:120px; height:90px;"></div>
<br>
<div style="position: relative; width: 987px; height: 45px;"></div>
<br>
<div style="position: relative; float: right; width:57px; height: 18px"></div>
Just load it up in print preview and keep hitting Portrait and/or Landscape
(although for me I only needed to hit Portrait once). (BTW, I am using Moz
1.7rc2 on win98se.)
|
|
||
Updated•21 years ago
|
Attachment #149366 -
Attachment is obsolete: true
Attachment #149468 -
Attachment is obsolete: true
|
|
||
Updated•21 years ago
|
|
|
||
Comment 73•21 years ago
|
||
dbaron, think there is a shot a fixing this in the next couple of days?
|
|
Assignee | |
Comment 74•21 years ago
|
||
James, that testcase rocks!
I can't reproduce my crashing on any of the testcases, with build 2004-06-01 on
Windows XP.
|
|
Assignee | |
Comment 76•21 years ago
|
||
Hmm, neither can I, on Linux.
|
|
Assignee | |
Comment 77•21 years ago
|
||
I'm spinning off bug 245300 to handle the hanging print preview problem
(infinite loop in reflow) based on Mats' testcase #3. This bug here needs to
continue to focus on the crasher at ign.com and related testcases. Please keep
discussion here focused on the cases that actually crash hard! We desperately
need a small, reliable, reproducible testcase that crashes on Linux...
Odd, now, with the same exact build, I'm crashing again on attachment 149366 [details]
(testcase for IGN.com's print preview crash), however on neither of James'
attachments do I crash.
|
|
||
Comment 79•21 years ago
|
||
(In reply to comment #78)
If you can't get my last testcase to crash, try varying the height of the spacer
div (the 1228px); the key to the testcase is that the other divs are positioned
over the page break. (That's why you found that removing even one element from
your testcase made the page no longer crash). However, since my stacktrace
seems to be different from the one described in comment 64, it is possible that
I made a testcase for a different crash, perhaps something win98-specific. Can
anyone reproduce a crash with my "minized IGN.com testcase"?
|
|
Assignee | |
Comment 80•21 years ago
|
||
Yeah, I assumed the height of the spacer might need tweaking, and I tried
several different values, but I couldn't get it to crash.
Can you get it to preview one time? Can you describe exactly the configuration
of the DIVs? Or even post a screenshot of around the pagebreak?
*** Bug 245312 has been marked as a duplicate of this bug. ***
|
|
||
Comment 82•21 years ago
|
||
I'm not able to reproduce the crash with the minimized ign.com testcase either
with Mozilla 1.7 rc2.
|
||
Comment 83•21 years ago
|
||
for comment81. i use latest trunk build with "Minimzed IGN.com testcase", it's
ok. however, with "http://it.sohu.com/2004/03/23/27/article219552770.shtml",
print still causes crash. stack is
(gdb) bt
#0 0x71ce4cd6 in ?? ()
#1 0x40e9041f in nsFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#2 0x40ed9d16 in nsSubDocumentFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#3 0x40eaac2e in nsLineBox::DeleteLineList(nsIPresContext*, nsLineList&) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#4 0x40e8104d in nsBlockFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#5 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#6 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#7 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#8 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#9 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#10 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#11 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
---Type <return> to continue, or q <return> to quit---
#12 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#13 0x40f28e0d in nsTableFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#14 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#15 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#16 0x40f38547 in nsTableOuterFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#17 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#18 0x40e8103e in nsBlockFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#19 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#20 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#21 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#22 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#23 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
---Type <return> to continue, or q <return> to quit---
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#24 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#25 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#26 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#27 0x40f28e0d in nsTableFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#28 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#29 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#30 0x40f38547 in nsTableOuterFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#31 0x40eaac2e in nsLineBox::DeleteLineList(nsIPresContext*, nsLineList&) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#32 0x40e8104d in nsBlockFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#33 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#34 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
---Type <return> to continue, or q <return> to quit---
#35 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#36 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#37 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#38 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#39 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#40 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#41 0x40f28e0d in nsTableFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#42 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#43 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#44 0x40f38547 in nsTableOuterFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#45 0x40eaac2e in nsLineBox::DeleteLineList(nsIPresContext*, nsLineList&) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#46 0x40e8104d in nsBlockFrame::Destroy(nsIPresContext*) ()
---Type <return> to continue, or q <return> to quit---
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#47 0x40eaac2e in nsLineBox::DeleteLineList(nsIPresContext*, nsLineList&) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#48 0x40e8104d in nsBlockFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#49 0x40eaac2e in nsLineBox::DeleteLineList(nsIPresContext*, nsLineList&) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#50 0x40e8104d in nsBlockFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#51 0x40e80080 in nsAreaFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#52 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#53 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#54 0x40ed85ac in ViewportFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#55 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#56 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#57 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
---Type <return> to continue, or q <return> to quit---
#58 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#59 0x40f85101 in nsFrameList::DestroyFrames(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#60 0x40e8da3d in nsContainerFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#61 0x40ed85ac in ViewportFrame::Destroy(nsIPresContext*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#62 0x40e96663 in nsFrameManager::Destroy() ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#63 0x40ebe034 in PresShell::Destroy() ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#64 0x40fa2d45 in nsPrintObject::DestroyPresentation() ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#65 0x40f9d310 in nsPrintEngine::SetupToPrintContent(nsIDeviceContext*,
nsIDOMWindow*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#66 0x40f9c153 in nsPrintEngine::DocumentReadyForPrinting() ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#67 0x40fa179d in nsPrintEngine::Observe(nsISupports*, char const*, unsigned
short const*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#68 0x40b1459a in nsPrintProgress::DoneIniting() ()
---Type <return> to continue, or q <return> to quit---
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libembedcomponents.so
#69 0x40ab3171 in ?? ()
from /home/neoliu/work/trunk/mozilla/dist/bin/libxpcom.so
#70 0x41297087 in XPCWrappedNative::CallMethod(XPCCallContext&,
XPCWrappedNative::CallMode) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libxpconnect.so
#71 0x4129ce99 in XPC_WN_CallMethod(JSContext*, JSObject*, unsigned, long*,
long*) () from /home/neoliu/work/trunk/mozilla/dist/bin/components/libxpconnect.so
#72 0x40047bfe in js_Invoke () from ./dist/bin/libmozjs.so
#73 0x4004f529 in js_Interpret () from ./dist/bin/libmozjs.so
#74 0x40047c53 in js_Invoke () from ./dist/bin/libmozjs.so
#75 0x40047e60 in js_InternalInvoke () from ./dist/bin/libmozjs.so
#76 0x40028479 in JS_CallFunctionValue () from ./dist/bin/libmozjs.so
#77 0x41155cd4 in nsJSContext::CallEventHandler(JSObject*, JSObject*, unsigned,
long*, long*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#78 0x41164dd2 in GlobalWindowImpl::RunTimeout(nsTimeoutImpl*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#79 0x411654f2 in GlobalWindowImpl::TimerCallback(nsITimer*, void*) ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libgklayout.so
#80 0x40a9e1cc in ?? ()
from /home/neoliu/work/trunk/mozilla/dist/bin/libxpcom.so
---Type <return> to continue, or q <return> to quit---
#81 0x40a9e2a2 in ?? ()
from /home/neoliu/work/trunk/mozilla/dist/bin/libxpcom.so
#82 0x40a9a236 in ?? ()
from /home/neoliu/work/trunk/mozilla/dist/bin/libxpcom.so
#83 0x40a9a162 in ?? ()
from /home/neoliu/work/trunk/mozilla/dist/bin/libxpcom.so
#84 0x40a9bb20 in ?? ()
from /home/neoliu/work/trunk/mozilla/dist/bin/libxpcom.so
#85 0x4160b812 in event_processor_callback(_GIOChannel*, GIOCondition, void*)
()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libwidget_gtk2.so
#86 0x404d91f9 in g_io_unix_dispatch () from /usr/lib/libglib-2.0.so.0
#87 0x404b7656 in g_main_dispatch () from /usr/lib/libglib-2.0.so.0
#88 0x404b8789 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#89 0x404b8ac3 in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0
#90 0x404b90c8 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#91 0x401e747b in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#92 0x4160bc1a in nsAppShell::Run() ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libwidget_gtk2.so
#93 0x4155fef6 in nsAppShellService::Run() ()
from /home/neoliu/work/trunk/mozilla/dist/bin/components/libnsappshell.so
#94 0x08054c05 in main1(int, char**, nsISupports*) ()
#95 0x0805551c in main ()
---Type <return> to continue, or q <return> to quit---
#96 0x406ff4c2 in __libc_start_main () from /lib/i686/libc.so.6
|
|
||
Comment 84•21 years ago
|
||
roc: Here is the screenshot you requested. The bottom half shows the page
break, and top half shows the top of page 1. The weird part is the bottom half
of the wide div, which be positioned over the top of page 2, is actually on the
top of page 1!
I am able to view the print preview, but after I hit 'Portrait' once, Moz
crashes reliably. (just recently, right after hitting Print Preview, I hit
Close without hitting Potrait, and then when I hit View Source, Moz crashed
also).
|
|
Assignee | |
Comment 85•21 years ago
|
||
> The weird part is the bottom half of the wide div, which be positioned over the
> top of page 2, is actually on the top of page 1!
heheh. It's a laugh a minute over here in Gecko land.
You see this right away when you first do print preview, right? (Linux doesn't
let you change portrait<->landscape in print preview, so I can't reproduce that
part of your test.)
|
|
||
Comment 86•21 years ago
|
||
(In reply to comment #85)
> You see this right away when you first do print preview, right?
Correct.
|
|
||
Updated•21 years ago
|
Whiteboard: [patch] partly fixed, but still some crashes → [patch] partly fixed, but still some crashes -dbaron one last look
|
|
||
Comment 87•21 years ago
|
||
Hmmm. I'm not seeing crashes on any of the testcases anymore (branch or trunk),
but on the branch (I haven't tried the trunk yet) testcases 2 and 3 hang.
|
|
||
Comment 88•21 years ago
|
||
Alright, I tested my IGN.com testcase on Windows 2000 with the 20040605 nightly
Firefox build (rv. 1.8a2) and got the same basic behavior as I did with Moz
1.7rc2 on Win98: could view print preview, but crash when hit Portrait.
|
|
||
Comment 89•21 years ago
|
||
The infinite loop on testcase #2 is:
page 0x91905b8 r=0 a=13008,16608 c=13008,UC pif=0x91901d0 cnt=687
PageContent(-1) 0x9190624 r=0 a=10800,14400 c=10800,UC cnt=688
area 0x9190678 r=0 a=10800,14400 c=10800,UC pif=0x9190290 cnt=689
block 0x9190534 r=0 a=10800,14400 c=10608,UC pif=0x919014c cnt=690
tblO 0x9190430 r=0 a=10608,14400 c=0,UC pif=0x9190048 cnt=691
tbl 0x919047c r=0 a=10608,14400 c=UC,UC pif=0x9190094 cnt=692
rowG 0x91903f0 r=0 a=192,14352 c=192,UC pif=0x9190008 cnt=693
row 0x91902e4 r=0 a=192,UC c=192,UC pif=0x918fefc cnt=694
cell 0x919033c r=0 a=192,UC c=168,UC pif=0x918ff54 cnt=695
block 0x919039c r=0 a=168,UC c=168,UC pif=0x918ffb4 cnt=696
###!!! ASSERTION: SetParent failed!: 'NS_SUCCEEDED(rv)', file
/builds/1.7/mozilla/view/src/nsViewManager.cpp, line 2375
Break: at file /builds/1.7/mozilla/view/src/nsViewManager.cpp, line 2375
text 0x917e4a0 r=2 a=168,UC c=UC,UC cnt=697
text 0x917e4a0 d=102,188
place 0x917e780 r=2 a=66,UC c=UC,UC cnt=698
place 0x917e780 d=0,0
subdoc 0x917e6f4 r=2 a=168,UC c=120,24000 cnt=699
subdoc 0x917e6f4 d=168,24048
block 0x919039c d=168,24252
cell 0x919033c d=192,24276
row 0x91902e4 d=192,24276
row 0x91902e4 r=2 a=192,14352 c=192,UC pif=0x918fefc cnt=700
cell 0x919033c r=2 a=192,14352 c=168,UC pif=0x918ff54 cnt=701
block 0x919039c r=2 a=168,14328 c=168,UC pif=0x918ffb4 cnt=702
text 0x917e4a0 r=2 a=168,14328 c=UC,UC cnt=703
text 0x917e4a0 d=102,188
place 0x917e780 r=2 a=66,14328 c=UC,UC cnt=704
place 0x917e780 d=0,0
subdoc 0x917e6f4 r=2 a=168,14124 c=120,24000 cnt=705
subdoc 0x917e6f4 d=168,24048
block 0x919039c d=168,24252 status=0x1
cell 0x919033c d=192,24276 status=0x1
row 0x91902e4 d=192,24276 status=0x1
###!!! ASSERTION: data loss - incomplete row needed more height than available,
on top of page: 'rowMetrics.height <= rowReflowState.availableHeight', file
/builds/1.7/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp, line 1101
Break: at file
/builds/1.7/mozilla/layout/html/table/src/nsTableRowGroupFrame.cpp, line 1101
rowG 0x91903f0 d=192,24276 status=0x1
tbl 0x919047c d=240,24324 status=0x1
tblO 0x9190430 d=240,24324 status=0x1
block 0x9190534 d=10608,24324 status=0x1
area 0x9190678 d=10800,24324 status=0x1
PageContent(-1) 0x9190624 d=10800,14400 status=0x1
page 0x91905b8 d=13008,16608 status=0x1
###!!! ASSERTION: aContent1 must not be null: 'aContent1', file
/builds/1.7/mozilla/layout/base/src/nsLayoutUtils.cpp, line 222
Break: at file /builds/1.7/mozilla/layout/base/src/nsLayoutUtils.cpp, line 222
[repeated many times]
This bug should probably be marked fixed and the two remaining issues split off
into other bugs...
|
|
||
Comment 90•21 years ago
|
||
(In reply to comment #89)
> This bug should probably be marked fixed and the two remaining issues split off
> into other bugs...
OK, I just noticed comment 77. This bug is probably too long for keeping open
for one of the issues, since I don't see that key point buried in comment 77,
but I'll morph it anyway since there are a significant number of comments on the
view mangling problem (starting either at comment 47 or at comment 66 depending
on whether those two issues are related).
However, I can't reproduce, so reassigning to default owner.
Assignee: dbaron → core.printing
Status: REOPENED → NEW
Flags: blocking1.7+ → blocking1.7-
QA Contact: sujay
Summary: M17rc2 nested tables with inner table align=right or iframe (in a table) can crash printing if will not fit on one page [@ nsIView::Destroy] [@ nsLineBox::LastChild][@ nsIFrame::GetNextSibling ][@ nsFrameList::DestroyFrames] → crash printing / print previewing ign.com due to view tree mangling
David, can you not reproduce on Windows, or just Linux?
|
|
||
Comment 92•21 years ago
|
||
Just Linux.
|
||
Comment 93•21 years ago
|
||
This testcase will crash browser print/print preview and the stack is same
comment 83
|
|
||
Comment 94•21 years ago
|
||
I looked into this problem for quite a while... Seems it's because nsView
::Destroy() of same nsView has been called twice from difference place. So, the
second call cause the crash. Attachment is the stack of two calls. Did you guys
have any idea?
|
|
||
Comment 95•21 years ago
|
||
dbaron,
please try attachment 150416 [details]. It will crash mozilla on windows and unix.
|
|
Assignee | |
Comment 96•21 years ago
|
||
Aha!! Pete, that testcase works for me. That's very helpful.
|
|
Assignee | |
Comment 97•21 years ago
|
||
I wonder if it can be minimized further...
|
|
||
Comment 98•21 years ago
|
||
attachment 150416 [details] does not crash for me on Linux. In print preview, I see one
box near the bottom of page 1 and a second (thicker-bordered) box near the
bottom of page 2.
|
|
Assignee | |
Comment 99•21 years ago
|
||
Here's a reduced version of Pete's testcase. This crashes for me on Linux as
soon as I hit "print preview". You may need to tweak constants, especially the
px height, to get it to crash on another system.
|
|
||
Updated•21 years ago
|
Flags: blocking1.8a2?
Flags: blocking1.7.1?
|
|
Assignee | |
Comment 100•21 years ago
|
||
The problem is simple: we need to search the descendant inlines of overflowing
lines for placeholders. This code does that.
|
|
Assignee | |
Updated•21 years ago
|
Assignee: core.printing → roc
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•21 years ago
|
Attachment #151662 -
Flags: superreview?(dbaron)
Attachment #151662 -
Flags: review?(dbaron)
|
|
||
Comment 101•21 years ago
|
||
Comment on attachment 151662 [details] [diff] [review]
fix
Rather than adding the |aBlockParent| check, why not just check whether the
line |IsBlock()|? I'm also not crazy about "overflow placeholders" in the
comment you added -- that term might be used for something else (cases where
the float itself is split, rather than just pushed to the next page). Also --
in the same first comment -- you're not considering all in-flow children --
only those within inlines.
With those comments, r+sr=dbaron.
Attachment #151662 -
Flags: superreview?(dbaron)
Attachment #151662 -
Flags: superreview+
Attachment #151662 -
Flags: review?(dbaron)
Attachment #151662 -
Flags: review+
|
|
Assignee | |
Comment 102•21 years ago
|
||
updated to comments.
Attachment #151662 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 103•21 years ago
|
||
Comment on attachment 151756 [details] [diff] [review]
revised patch
David, I'd appreciate it if you could take another look at this before I check
it in. In particular whether I'm doing the right thing to check for inlines
(!aFrame->GetStyleDisplay()->IsBlockLevel())
Attachment #151756 -
Flags: superreview?(dbaron)
Attachment #151756 -
Flags: review?(dbaron)
|
|
||
Comment 104•21 years ago
|
||
Comment on attachment 151756 [details] [diff] [review]
revised patch
Oh, I was thinking more of iterating overflowLines at the caller and checking
line->IsBlock(), and then walking the descendants of each line that isn't.
Although that in theory could have problems with inline-blocks (it's ok for
block-within-inline, though), so maybe this is better.
Also s/it's/its/.
Attachment #151756 -
Flags: superreview?(dbaron)
Attachment #151756 -
Flags: superreview+
Attachment #151756 -
Flags: review?(dbaron)
Attachment #151756 -
Flags: review+
|
|
Assignee | |
Comment 105•21 years ago
|
||
checked in
Status: ASSIGNED → RESOLVED
Closed: 21 years ago → 21 years ago
Resolution: --- → FIXED
ign.com still crashed in Print Preview, but the stack is different now, and I've
verified that the reduced testcase for this bug,
http://bugzilla.mozilla.org/attachment.cgi?id=151258&action=view no longer crashes.
See bug 248825 for the new frame crasher.
|
||
Comment 107•21 years ago
|
||
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a2) Gecko/20040628 Firefox/0.8.0+
Testcase #3; http://bugzilla.mozilla.org/attachment.cgi?id=135617&action=view
still hangs firefox-2004-06-28-trunk on Win98SE (-> bug 245300 ).
|
|
||
Updated•21 years ago
|
Flags: blocking1.8a2?
|
||
Comment 108•21 years ago
|
||
attachment 135617 [details] still freezes my Firefox when I print-preview
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a2) Gecko/20040630 Firefox/0.8.0+
|
|
||
Comment 109•20 years ago
|
||
*** Bug 232450 has been marked as a duplicate of this bug. ***
Original testcase at
https://bugzilla.mozilla.org/attachment.cgi?id=109295&action=view works fine now
using build 2004-11-12-04 under Windows XP. We've got plenty of other
outstanding Print Preview crash/hang bugs...this one is gone.
Status: RESOLVED → VERIFIED
|
|
||
Updated•20 years ago
|
Flags: blocking1.7.5? → blocking1.7.5-
|
||
Comment 111•20 years ago
|
||
*** Bug 269623 has been marked as a duplicate of this bug. ***
You need to log in
before you can comment on or make changes to this bug.
Description
•