User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.6b) Gecko/20031208 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.6b) Gecko/20031208 crashes at hixie.ch by switching stylesheet Reproducible: Always Steps to Reproduce: 1.go to http://hixie.ch/. 2.Use the style "Orange". Actual Results: Application Error. Expected Results: Works.

OS -> All, I'm seeing this on 1.6b Linux Seeing if I can get a testcase now

Okay, it's these three style declarations working together html { display: table; } body { display: table-cell; } h1 { position: absolute; top: 0; right: 0; } I haven't done anything with the html yet. I can get logs of anything if people tell me how... RH Linux 9

All right, the html doesn't seem to affect it, it crashes with just <html> <head> <link rel='alternate stylesheet' href='hixie.ch_files/a.css' type='text/css' title='crashtest' /> <title>blah</title> </head> <body> <h1>blah</h1> </body> </html> Moving this over to style and confirming.

TB27847119Y, TB27846837W tested with Mozilla 1.5 I recommend using TB27847119Y as it was done after reboot, and first pageload besides loading this bug. I´m seeing this crash with 1.4.1, 1.5 and current nightly: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7a) Gecko/20031222 I didn´t test 1.6, 1.6b I can test with latest Netscape Release if the talkback from there would be of any use.

From the source: <link rel="stylesheet" href="/resources/style/spaced.css" type="text/css" media="all" title="Spaced"> <link rel="alternate stylesheet" href="/resources/style/orange/" type="text/css" title="Orange" media="all"> <link rel="alternate stylesheet" href="/resources/style/debug.css" type="text/css" title="Debugging" media="all"> compare: http://hixie.ch/resources/style/spaced.css http://hixie.ch/resources/style/orange/

The weird filename isn't the crasher, and in fact when I was testcasing the filename was a.css as you can see in comment 3 cc'ing myself since I forgot to before...

Stacktrace for this crash: GKLAYOUT! nsLineBox::GetAscent(void) + 10 bytes GKLAYOUT! nsIFrame::GetView(void) + 17 bytes GKLAYOUT! nsHTMLContainerFrame::CreateViewForFrame(class nsIFrame *,class nsIFrame *,int) + 73 bytes GKLAYOUT! nsCSSFrameConstructor::ConstructFrameByDisplayType(class nsIPresShell *,class nsIPresContext *,class nsFrameConstructorState &,struct nsStyleDisplay const *,class nsIContent *,int,class nsIAtom *,class nsIFrame *,class nsStyleContext *,struct nsFrameItems &) + 1162 bytes GKLAYOUT! nsCSSFrameConstructor::ConstructFrameInternal(class nsIPresShell *,class nsIPresContext *,class nsFrameConstructorState &,class nsIContent *,class nsIFrame *,class nsIAtom *,int,class nsStyleContext *,struct nsFrameItems &,int) + 1031 bytes GKLAYOUT! nsCSSFrameConstructor::ConstructFrame(class nsIPresShell *,class nsIPresContext *,class nsFrameConstructorState &,class nsIContent *,class nsIFrame *,struct nsFrameItems &) + 272 bytes GKLAYOUT! nsCSSFrameConstructor::ProcessChildren(class nsIPresShell *,class nsIPresContext *,class nsFrameConstructorState &,class nsIContent *,class nsIFrame *,int,struct nsFrameItems &,int,struct nsTableCreator *) + 318 bytes GKLAYOUT! nsCSSFrameConstructor::ConstructTableCellFrame(class nsIPresShell *,class nsIPresContext *,class nsFrameConstructorState &,class nsIContent *,class nsIFrame *,class nsStyleContext *,struct nsTableCreator &,int,struct nsFrameItems &,class nsIFrame * &,class nsIFrame * &,int &) + 584 bytes GKLAYOUT! nsCSSFrameConstructor::TableProcessChild(class nsIPresShell *,class nsIPresContext *,class nsFrameConstructorState &,class nsIContent *,class nsIContent *,class nsIFrame *,class nsIAtom *,class nsStyleContext *,struct nsTableCreator &,struct nsFrameItems &,class nsIFrame * &) + 738 bytes GKLAYOUT! nsCSSFrameConstructor::TableProcessChildren(class nsIPresShell *,class nsIPresContext *,class nsFrameConstructorState &,class nsIContent *,class nsIFrame *,struct nsTableCreator &,struct nsFrameItems &,class nsIFrame * &) + 442 bytes GKLAYOUT! nsCSSFrameConstructor::ConstructTableFrame(class nsIPresShell *,class nsIPresContext *,class nsFrameConstructorState &,class nsIContent *,class nsIFrame *,class nsIFrame *,class nsStyleContext *,struct nsTableCreator &,int,struct nsFrameItems &,class nsIFrame * &,class nsIFrame * &,int &) + 442 bytes GKLAYOUT! nsCSSFrameConstructor::ConstructFrameByDisplayType(class nsIPresShell *,class nsIPresContext *,class nsFrameConstructorState &,struct nsStyleDisplay const *,class nsIContent *,int,class nsIAtom *,class nsIFrame *,class nsStyleContext *,struct nsFrameItems &) + 2837 bytes GKLAYOUT! nsCSSFrameConstructor::ConstructFrameInternal(class nsIPresShell *,class nsIPresContext *,class nsFrameConstructorState &,class nsIContent *,class nsIFrame *,class nsIAtom *,int,class nsStyleContext *,struct nsFrameItems &,int) + 1031 bytes GKLAYOUT! nsCSSFrameConstructor::ConstructFrame(class nsIPresShell *,class nsIPresContext *,class nsFrameConstructorState &,class nsIContent *,class nsIFrame *,struct nsFrameItems &) + 272 bytes GKLAYOUT! nsCSSFrameConstructor::ConstructDocElementTableFrame(class nsIPresShell *,class nsIPresContext *,class nsIContent *,class nsIFrame *,class nsIFrame * &,class nsILayoutHistoryState *) + 94 bytes GKLAYOUT! nsCSSFrameConstructor::ConstructDocElementFrame(class nsIPresShell *,class nsIPresContext *,class nsFrameConstructorState &,class nsIContent *,class nsIFrame *,class nsStyleContext *,class nsIFrame * &) + 982 bytes GKLAYOUT! nsCSSFrameConstructor::ReconstructDocElementHierarchy(class nsIPresContext *) + 635 bytes GKLAYOUT! nsCSSFrameConstructor::RecreateFramesForContent(class nsIPresContext *,class nsIContent *) + 538 bytes GKLAYOUT! nsCSSFrameConstructor::ProcessRestyledFrames(class nsStyleChangeList &,class nsIPresContext *) + 313 bytes GKLAYOUT! PresShell::ReconstructStyleData(void) + 498 bytes GKLAYOUT! PresShell::EndUpdate(class nsIDocument *,unsigned int) + 48 bytes GKLAYOUT! nsDocument::EndUpdate(unsigned int) + 89 bytes GKLAYOUT! CSSStyleSheetImpl::SetDisabled(int) + 159 bytes XPCOM! XPTC_InvokeByIndex + 39 bytes XPC3250! XPCWrappedNative::CallMethod(class XPCCallContext &,enum XPCWrappedNative::CallMode) + 3875 bytes XPC3250! XPCWrappedNative::SetAttribute(class XPCCallContext &) + 14 bytes XPC3250! XPC_WN_GetterSetter(struct JSContext *,struct JSObject *,unsigned int,long *,long *) + 329 bytes JS3250! js_Invoke + 2557 bytes JS3250! js_InternalInvoke + 225 bytes JS3250! js_InternalGetOrSet + 296 bytes JS3250! js_SetProperty + 743 bytes JS3250! js_Interpret + 38551 bytes JS3250! js_Invoke + 2653 bytes JS3250! js_InternalInvoke + 225 bytes JS3250! JS_CallFunctionValue + 34 bytes JSDOM! nsJSContext::CallEventHandler(void *,void *,unsigned int,void *,int *) + 367 bytes JSDOM! nsJSEventListener::HandleEvent(class nsIDOMEvent *) + 1859 bytes GKLAYOUT! nsEventListenerManager::HandleEventSubType(struct nsListenerStruct *,class nsIDOMEvent *,class nsIDOMEventTarget *,unsigned int,unsigned int) + 690 bytes GKLAYOUT! nsEventListenerManager::HandleEvent(class nsIPresContext *,struct nsEvent *,class nsIDOMEvent * *,class nsIDOMEventTarget *,unsigned int,enum nsEventStatus *) + 749 bytes GKLAYOUT! nsXULElement::HandleDOMEvent(class nsIPresContext *,struct nsEvent *,class nsIDOMEvent * *,unsigned int,enum nsEventStatus *) + 3429 bytes GKLAYOUT! nsXULElement::HandleDOMEvent(class nsIPresContext *,struct nsEvent *,class nsIDOMEvent * *,unsigned int,enum nsEventStatus *) + 3719 bytes GKLAYOUT! nsXULElement::HandleDOMEvent(class nsIPresContext *,struct nsEvent *,class nsIDOMEvent * *,unsigned int,enum nsEventStatus *) + 3719 bytes GKLAYOUT! nsXULElement::HandleDOMEvent(class nsIPresContext *,struct nsEvent *,class nsIDOMEvent * *,unsigned int,enum nsEventStatus *) + 3719 bytes GKLAYOUT! nsXULElement::HandleDOMEvent(class nsIPresContext *,struct nsEvent *,class nsIDOMEvent * *,unsigned int,enum nsEventStatus *) + 3719 bytes GKLAYOUT! PresShell::HandleDOMEventWithTarget(class nsIContent *,struct nsEvent *,enum nsEventStatus *) + 145 bytes GKLAYOUT! nsMenuFrame::Execute(struct nsGUIEvent *) + 767 bytes GKLAYOUT! nsMenuFrame::HandleEvent(class nsIPresContext *,struct nsGUIEvent *,enum nsEventStatus *) + 697 bytes GKLAYOUT! PresShell::HandleEventInternal(struct nsEvent *,class nsIView *,unsigned int,enum nsEventStatus *) + 949 bytes GKLAYOUT! PresShell::HandleEvent(class nsIView *,struct nsGUIEvent *,enum nsEventStatus *,int,int &) + 1386 bytes

In my Linux trunk build from this morning: (gdb) bt 5 #0 0x40ec26a4 in nsIFrame::GetStateBits() const (this=0x0) at nsIFrame.h:791 #1 0x40eea042 in nsIFrame::GetView() const (this=0x0) at nsFrame.cpp:2303 #2 0x40f043a2 in nsHTMLContainerFrame::CreateViewForFrame(nsIFrame*, nsIFrame*, int) (aFrame=0x89191dc, aContentParentF rame=0x890a358, aForce=0) at nsHTMLContainerFrame.cpp:544 #3 0x40fc11db in nsCSSFrameConstructor::ConstructFrameByDisplayType(nsIPresShell*, nsIPresContext*, nsFrameConstructorS tate&, nsStyleDisplay const*, nsIContent*, int, nsIAtom*, nsIFrame*, nsStyleContext*, nsFrameItems&) ( this=0x8829b20, aPresShell=0x883c3a8, aPresContext=0x8760408, aState=@0xbfffc0dc, aDisplay=0x885f23c, aContent=0x890ee50, aNameSpaceID=3, aTag=0x0, aParentFrame=0x890a358, aStyleContext=0x8918d68, aFrameItems=@0xbfffbaa4) at nsCSSFrameConstructor.cpp:6207 #4 0x40fc26a7 in nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell*, nsIPresContext*, nsFrameConstructorState& , nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int) (this=0x8829b20, aPresShell=0x883c3a8, aPresContext=0x8760408, aState=@0xbfffc0dc, aContent=0x890ee50, aParentFrame=0x890a358, aTag=0x80cf2c0, aNameSpaceID=3, aStyleContext=0xbfffb6a4, aFrameItems=@0xbfffbaa4, aXBLBaseTag=0) at nsCSSFrameConstructor.cpp:7182 (gdb) f 2 #2 0x40f043a2 in nsHTMLContainerFrame::CreateViewForFrame(nsIFrame*, nsIFrame*, int) (aFrame=0x89191dc, aContentParentF rame=0x890a358, aForce=0) at nsHTMLContainerFrame.cpp:544 544 nsIView* parentView = parent->GetView(); (gdb) p parent $1 = (class nsIFrame *) 0x0

The stack is similar to 131008 (see bug 131008 comment 8)

I noticed the same bug on Mac OS X, but I attached the report (attachment 137898 [details]) to bug 131008, before I found this bug. It seems Matt is right, we came both to the same conclusion.

Add a virtual *** Bug xxxxxx has been marked as a duplicate of this bug. *** here. I just discovered this bug and went through the process of isolating the offending code (dummy - before doing a Bugzilla search). The testcase is nearly exactly what I found, but it isn't a true testcase in that more code can still be removed: the "top: 0; right: 0;" CSS code is unnecessary, and Mozilla (Firebird) crashes just as "well" when those two rules are removed. I can upload my testcase if desired, but for such a small change it probably isn't necessary.

The testcase Mats attached is showing bug 231776, methinks.

The culprit is nsHTMLContainerFrame::CreateViewForFrame (see comment 7 and comment 8) so bug 231776 is a duplicate of this one, methinks ;-)

Sure thing, but that bug has only three comments, all to the point, which include an explanation of which code is causing the problem and what we should do to solve it... ;)

*** This bug has been marked as a duplicate of 231776 ***

*** Bug 236576 has been marked as a duplicate of this bug. ***