Closed
Bug 263846
Opened 20 years ago
Closed 20 years ago
[FIX]crash if i click on "actueel" above the website. [@ nsImageFrame::FrameChanged][@ nsImageFrame::SourceRectToDest]
Categories
(Core :: Layout: Images, Video, and HTML Frames, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla1.8alpha5
People
(Reporter: peter.van.der.sanden, Assigned: bzbarsky)
References
()
Details
(4 keywords)
Crash Data
Attachments
(4 files)
(deleted),
text/plain
|
Details | |
(deleted),
text/plain
|
Details | |
(deleted),
text/plain
|
Details | |
(deleted),
patch
|
roc
:
review+
roc
:
superreview+
asa
:
approval-aviary+
asa
:
approval1.7.5+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
Click on "actueel" above the website http://www.hema.nl
Firefox crashes and Netscape error message pop up.
No idea why.
Reproducible: Always
Steps to Reproduce:
1. visit www.hema.nl
2. click on "actueel" above
3. crash.
After restart FF: All icons in Bookmarks toolbar Folders are removed --> blanc
icon (default)
Comment 1•20 years ago
|
||
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20041011
Firefox/0.10
WFM
Update to FF1.0PR please
Comment 2•20 years ago
|
||
WFM
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041008
Firefox/0.10
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Component: Web Site → General
Resolution: --- → WORKSFORME
Comment 3•20 years ago
|
||
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041011 Firefox/0.10
firefox aviary cvs 2004-10-11
crashes with these STR:
1) http://www.hema.nl - wait for full load
2) actueel - wait for full load
3) back button
X) may need to repeat steps 2, 3 once or thrice
talkback reports from fx0.9:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1241269Y
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1241424Z
Status: RESOLVED → UNCONFIRMED
OS: Windows 2000 → All
Resolution: WORKSFORME → ---
Comment 4•20 years ago
|
||
stack between nsImageFrame::FrameChanged and
nsEventQueueImpl::ProcessPendingEvents looks same as bug 191336, but...
Assignee: bugs → jdunn
Status: UNCONFIRMED → NEW
Component: General → Layout: Images
Ever confirmed: true
Product: Firefox → Browser
QA Contact: core.layout.images
Summary: crash if i click on "actueel" above the website. → crash if i click on "actueel" above the website. [@ nsImageFrame::FrameChanged]
Version: unspecified → Other Branch
Comment 5•20 years ago
|
||
Comment 6•20 years ago
|
||
Also crashes linux seamonkey 1.8a4 gtk2+xft;
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1243611Z
Version: Other Branch → Trunk
Comment 7•20 years ago
|
||
There is an
###!!! ASSERTION: Registering a placeholder for a frame that already has a
placeholder!: '!entry->placeholderFrame', file
/home/tt/src/mozilla/AVIARY/mozilla/layout/html/base/src/nsFrameManager.cpp,
line 556
Break: at file
/home/tt/src/mozilla/AVIARY/mozilla/layout/html/base/src/nsFrameManager.cpp,
line 556
on one of the page loads leading to the crash, but not immediately before
the crash.
Reporter | ||
Comment 8•20 years ago
|
||
Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
With new Firefox 0.10.1: No crash found!
Comment 9•20 years ago
|
||
*** Bug 264347 has been marked as a duplicate of this bug. ***
Comment 10•20 years ago
|
||
Looks like a pretty common website to crash on according to talkback.
nsImageFrame::SourceRectToDest is also prevelant.
Summary: crash if i click on "actueel" above the website. [@ nsImageFrame::FrameChanged] → crash if i click on "actueel" above the website. [@ nsImageFrame::FrameChanged][@ nsImageFrame::SourceRectToDest][@ nsImageFrame::SourceRectToDest]
Comment 11•20 years ago
|
||
Yeah, I put in nsImageFrame::FrameChanged since that's where the stacks converge.
14 nsImageFrame::SourceRectToDest
10 nsStyleContext::GetStyleData
7 nsImageFrame::ConvertPxRectToTwips
5 nsImageFrame::FrameChanged
3 nsRuleNode::GetStyleData
1 nsFrameManager::GetPropertyListFor
Summary: crash if i click on "actueel" above the website. [@ nsImageFrame::FrameChanged][@ nsImageFrame::SourceRectToDest][@ nsImageFrame::SourceRectToDest] → crash if i click on "actueel" above the website. [@ nsImageFrame::FrameChanged][@ nsImageFrame::SourceRectToDest]
Comment 12•20 years ago
|
||
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a5) Gecko/20041017
Firefox/0.9.1+
I am seeing this; debug build from my tree; backtrace suggests using memory
after free'ing it
Comment 13•20 years ago
|
||
load, then keep reloading this until it crashes. Might take 5 reloads.
(tested with linux trunk 2004101606)
Comment 14•20 years ago
|
||
this started crashing with checkin for bug 233094 although that patch did fix
the layout for the testcase, so it probably just exposed this bug.
Keywords: testcase
Assignee | ||
Comment 15•20 years ago
|
||
The key here is:
(gdb) frame 2
#2 0x412456ce in nsIFrame::GetStyleData(nsStyleStructID) const (this=0x8ac0318,
aSID=eStyleStruct_Visibility) at nsIFrame.h:612
612 return mStyleContext->GetStyleData(aSID);
(gdb) p *this
$4 = {<nsISupports> = {_vptr.nsISupports = 0xdadadada}, mRect = {x = -623191334,
y = -623191334, width = -623191334, height = -623191334}, mContent =
0xdadadada,
mStyleContext = 0xdadadada, mParent = 0xdadadada, mNextSibling = 0xdadadada,
mState = 3671775962}
According to botbot, "0xdadadada" is "the MSVC debug-alloc boundary-marker or
PL_FREE_PATTERN"
I'll take a look at the testcase. Thanks for making one, Andrew!
Assignee | ||
Comment 16•20 years ago
|
||
This is all mine. The patch to bug 233094 wasn't quite right (and now I find
myself wondering how it actually worked).
Assignee: jdunn → bzbarsky
Priority: -- → P1
Summary: crash if i click on "actueel" above the website. [@ nsImageFrame::FrameChanged][@ nsImageFrame::SourceRectToDest] → [FIX]crash if i click on "actueel" above the website. [@ nsImageFrame::FrameChanged][@ nsImageFrame::SourceRectToDest]
Target Milestone: --- → mozilla1.8alpha5
Assignee | ||
Comment 17•20 years ago
|
||
Assignee | ||
Comment 18•20 years ago
|
||
Comment on attachment 162438 [details] [diff] [review]
Patch
The short story is that we weren't adding the floats to the float list of the
pseudo block right after constructing them. I don't know how this worked given
that we then pop the float containing block and hence reset the float list in
the state....
In any case, what happened here is that the <table> inside a <span> triggered
WipeContainingBlock(), which destroyed all the newly created frames. Or rather
tried to. Since the float wasn't in the anonymous block's child list yet, the
float and all its descendants did NOT get destroyed.
So you end up with an image frame floating about that's not in the frame tree.
When we tear down the frame tree we don't Destroy() it, but then we reclaim the
PLArena it's allocated from, possibly stomping on its memory (always stomping
with 0xdadadada in debug builds).
The image is animated, which means it makes callbacks to the image frame when
it switches animation frames. If it does this after the image frame has been
stomped on, we crash.
All this patch does is move InsertOutOfFlow() up near the top of the file so I
can use it in ProcessTableForeignObject(), then makes us use it to insert any
floating descendants of anonymous block.
Attachment #162438 -
Flags: superreview?(roc)
Attachment #162438 -
Flags: review?(roc)
Attachment #162438 -
Flags: superreview?(roc)
Attachment #162438 -
Flags: superreview+
Attachment #162438 -
Flags: review?(roc)
Attachment #162438 -
Flags: review+
Assignee | ||
Comment 19•20 years ago
|
||
Comment on attachment 162438 [details] [diff] [review]
Patch
Given that bug 233094 landed on branch, I think it's worth taking this as
well... This is a very safe crash fix.
Attachment #162438 -
Flags: approval1.7.x?
Attachment #162438 -
Flags: approval-aviary?
Comment 20•20 years ago
|
||
Comment on attachment 162438 [details] [diff] [review]
Patch
a=asa for branches checkins.
Attachment #162438 -
Flags: approval1.7.x?
Attachment #162438 -
Flags: approval1.7.x+
Attachment #162438 -
Flags: approval-aviary?
Attachment #162438 -
Flags: approval-aviary+
Assignee | ||
Comment 21•20 years ago
|
||
Fixed on trunk, 1.7 branch, aviary branch.
Status: NEW → RESOLVED
Closed: 20 years ago → 20 years ago
Keywords: fixed-aviary1.0,
fixed1.7.x
Resolution: --- → FIXED
Verified FIXED on the trunk using build 2004-11-12-04, Windows XP.
Status: RESOLVED → VERIFIED
Comment 23•20 years ago
|
||
*** Bug 271076 has been marked as a duplicate of this bug. ***
Updated•14 years ago
|
Crash Signature: [@ nsImageFrame::FrameChanged]
[@ nsImageFrame::SourceRectToDest]
Updated•6 years ago
|
Product: Core → Core Graveyard
Updated•6 years ago
|
Product: Core Graveyard → Core
You need to log in
before you can comment on or make changes to this bug.
Description
•