Closed
Bug 315127: Crash [@ ntdll.dll + 0x2ae22]
Opened 19 years ago, closed 19 years ago
Status: VERIFIED FIXED
Categories: Core :: Layout, defect
People: Reporter: bugs.caleb, Assigned: roc
Keywords: crash, regression, testcase
Attachments (2 files):
(deleted), text/html
(deleted), patch; dbaron: review+, dbaron: superreview+
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051103 Firefox/1.6a1 ID:2005110320

I've been crashing for unknown reasons in the recent trunk builds. You can reproduce this crash by going to http://www.ynet.co.il. I believe that it _might_ be bug 313817, but I'm not quite sure.

Talkback IDs: TB11431671M TB11432335Q
Comment 1•19 years ago
Incident ID: 11431671
Stack Signature ntdll.dll + 0x2ae22 (0x7c92ae22) c093a993
Product ID FirefoxTrunk
Build ID 2005110305
Trigger Time 2005-11-03 21:26:21.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module ntdll.dll + (0002ae22)
Since Last Crash 24 sec
Total Uptime 778 sec
Trigger Reason Access violation
Stack Trace:
ntdll.dll + 0x2ae22 (0x7c92ae22)
msvcrt.dll + 0x1c2de (0x77c2c2de)
txStripSpaceItem::addStripSpaceTest [mozilla/content/xslt/src/xslt/txToplevelItems.cpp, line 62]
nsBlockFrame::QueryInterface [mozilla/layout/generic/nsBlockFrame.cpp, line 329]
nsBlockReflowState::FlowAndPlaceFloat [mozilla/layout/generic/nsBlockReflowState.cpp, line 968]
nsBlockFrame::ReflowBlockFrame [mozilla/layout/generic/nsBlockFrame.cpp, line 3259]
nsBlockFrame::ReflowDirtyLines [mozilla/layout/generic/nsBlockFrame.cpp, line 2432]
nsLineList::begin [mozilla/layout/generic/nsLineBox.h, line 1110]
nsBlockFrame::GetFirstChild [mozilla/layout/generic/nsBlockFrame.cpp, line 508]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 881]
nsTableCellFrame::GetColSpan [mozilla/layout/tables/nsTableCellFrame.cpp, line 649]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 881]
nsTableRowFrame::ReflowChildren [mozilla/layout/tables/nsTableRowFrame.cpp, line 911]
nsTableRowFrame::IR_TargetIsChild [mozilla/layout/tables/nsTableRowFrame.cpp, line 1317]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 881]
nsTableRowGroupFrame::InitChildReflowState [mozilla/layout/tables/nsTableRowGroupFrame.cpp, line 292]
nsTableRowGroupFrame::SplitRowGroup [mozilla/layout/tables/nsTableRowGroupFrame.cpp, line 1129]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 881]
nsTableFrame::ReflowChildren [mozilla/layout/tables/nsTableFrame.cpp, line 3116]
IsFixedStyleHeight [mozilla/layout/tables/nsTableFrame.cpp, line 1675]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 881]
nsTableOuterFrame::IsAutoWidth [mozilla/layout/tables/nsTableOuterFrame.cpp, line 1201]
nsTableOuterFrame::IR_CaptionInserted [mozilla/layout/tables/nsTableOuterFrame.cpp, line 1833]
nsBlockReflowState::FlowAndPlaceFloat [mozilla/layout/generic/nsBlockReflowState.cpp, line 968]
nsBlockFrame::ReflowBlockFrame [mozilla/layout/generic/nsBlockFrame.cpp, line 3259]
nsBlockFrame::ReflowDirtyLines [mozilla/layout/generic/nsBlockFrame.cpp, line 2432]
nsLineList::begin [mozilla/layout/generic/nsLineBox.h, line 1110]
nsBlockFrame::GetFirstChild [mozilla/layout/generic/nsBlockFrame.cpp, line 508]
nsBlockReflowState::FlowAndPlaceFloat [mozilla/layout/generic/nsBlockReflowState.cpp, line 968]
nsBlockFrame::ReflowBlockFrame [mozilla/layout/generic/nsBlockFrame.cpp, line 3259]
nsBlockFrame::ReflowDirtyLines [mozilla/layout/generic/nsBlockFrame.cpp, line 2432]
nsLineList::begin [mozilla/layout/generic/nsLineBox.h, line 1110]
nsBlockFrame::GetFirstChild [mozilla/layout/generic/nsBlockFrame.cpp, line 508]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 881]
nsTableCellFrame::GetColSpan [mozilla/layout/tables/nsTableCellFrame.cpp, line 649]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 881]
nsTableRowFrame::ReflowChildren [mozilla/layout/tables/nsTableRowFrame.cpp, line 911]
nsTableRowFrame::IR_TargetIsChild [mozilla/layout/tables/nsTableRowFrame.cpp, line 1317]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 881]
nsTableRowGroupFrame::InitChildReflowState [mozilla/layout/tables/nsTableRowGroupFrame.cpp, line 292]
nsTableRowGroupFrame::SplitRowGroup [mozilla/layout/tables/nsTableRowGroupFrame.cpp, line 1129]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 881]
nsTableFrame::ReflowChildren [mozilla/layout/tables/nsTableFrame.cpp, line 3116]
IsFixedStyleHeight [mozilla/layout/tables/nsTableFrame.cpp, line 1675]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 881]
nsTableOuterFrame::IsAutoWidth [mozilla/layout/tables/nsTableOuterFrame.cpp, line 1201]
nsTableOuterFrame::IR_CaptionInserted [mozilla/layout/tables/nsTableOuterFrame.cpp, line 1833]
nsBlockReflowState::FlowAndPlaceFloat [mozilla/layout/generic/nsBlockReflowState.cpp, line 968]
nsBlockFrame::ReflowBlockFrame [mozilla/layout/generic/nsBlockFrame.cpp, line 3259]
nsBlockFrame::ReflowDirtyLines [mozilla/layout/generic/nsBlockFrame.cpp, line 2432]
nsLineList::begin [mozilla/layout/generic/nsLineBox.h, line 1110]
nsBlockFrame::GetFirstChild [mozilla/layout/generic/nsBlockFrame.cpp, line 508]
nsBlockReflowState::FlowAndPlaceFloat [mozilla/layout/generic/nsBlockReflowState.cpp, line 968]
nsBlockFrame::ReflowBlockFrame [mozilla/layout/generic/nsBlockFrame.cpp, line 3259]
nsBlockFrame::ReflowDirtyLines [mozilla/layout/generic/nsBlockFrame.cpp, line 2432]
nsLineList::begin [mozilla/layout/generic/nsLineBox.h, line 1110]
nsBlockFrame::GetFirstChild [mozilla/layout/generic/nsBlockFrame.cpp, line 508]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 881]
CanvasFrame::QueryInterface [mozilla/layout/generic/nsHTMLFrame.cpp, line 191]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 881]
nsAutoRepeatBoxFrame::QueryInterface [mozilla/layout/xul/base/src/nsScrollBoxFrame.cpp, line 97]
NS_NewHTMLScrollFrame [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 97]
nsHTMLScrollFrame::TryLayout [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 391]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 881]
Keywords: crash
Comment 2•19 years ago
I get only crashes in the last few builds. No crash in 1.9a1_2005110313, crash in 1.9a1_2005110322. But maybe it's only "this computer". :)
msvcrt+0x1c2de is msvcrt!free-0xc3
specifically, it's the statement after:
call dword ptr [msvcrt!_imp__HeapFree (77c110ec)]
which is:
call msvcrt!_SEH_epilog (77c3745b)

I'm less sure about:
ntdll+0x2ae22 is ntdll!RtlpWin32NTNameToNtPathName_U+0xb0

basically, this is probably heap corruption, most likely a double free.
Comment 4•19 years ago
This is what I get when minimising the crash at http://www.ynet.co.il/ It can crash when loading the testcase, else try clicking on the button.
I just filed bug 315127, which might be a dupe of this; it also requires RTL text.
Comment 7•19 years ago
(In reply to comment #4)
> Created an attachment (id=201883)
> testcase
>
> This is what I get when minimising the crash at http://www.ynet.co.il/
> It can crash when loading the testcase, else try clicking on the button.
>

Testcase doesn't crash here (although Firefox hangs and doesn't close properly).
Comment 9•19 years ago (Assignee)
This is probably because of the change to the allocation of nsDirectionalFrame. We should revert the allocation back to using the global heap instead of the presshell ... and then file a bug about understanding what is actually going on here.
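The comments above read the crash as heap corruption inside free and tie it to moving nsDirectionalFrame from the global heap to the presshell's allocator, while leaving the actual cause open. As an added illustration (not Mozilla code and not a diagnosis of this bug), the C example below shows one general hazard of such a change, a pool-allocated object reaching the heap's free(), and a debug guard that refuses it. Arena, owner_of and checked_heap_free are hypothetical names, and the pool is assumed to be a simple bump arena.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical bump arena standing in for a per-document object pool. */
typedef struct { unsigned char buf[256]; size_t used; } Arena;
enum Owner { OWNER_HEAP, OWNER_ARENA };

static void *arena_alloc(Arena *a, size_t n) {
    n = (n + 15u) & ~(size_t)15u;          /* round size up to 16 bytes */
    if (n > sizeof a->buf - a->used) return NULL;
    void *p = a->buf + a->used;
    a->used += n;
    return p;
}

/* Which allocator handed out p? Range check against the arena buffer. */
static enum Owner owner_of(const Arena *a, const void *p) {
    uintptr_t lo = (uintptr_t)a->buf, x = (uintptr_t)p;
    return (x >= lo && x < lo + sizeof a->buf) ? OWNER_ARENA : OWNER_HEAP;
}

/* Guarded release: returns 0 if p was passed to free(), -1 if the call
 * was refused because p belongs to the arena and must not reach the heap. */
static int checked_heap_free(const Arena *a, void *p) {
    if (p == NULL) return 0;
    if (owner_of(a, p) == OWNER_ARENA) return -1;
    free(p);
    return 0;
}

/* Returns 1 when the guard refuses the arena pointer and accepts the
 * heap pointer, i.e. the mismatch is caught before free() sees it. */
static int demo(void) {
    Arena arena = { .used = 0 };
    void *from_arena = arena_alloc(&arena, 40);  /* new allocation site */
    void *from_heap  = malloc(40);               /* old allocation site */
    if (!from_arena || !from_heap) { free(from_heap); return 0; }
    int refused  = checked_heap_free(&arena, from_arena) == -1;
    int accepted = checked_heap_free(&arena, from_heap) == 0;
    return refused && accepted;
}

int main(void) {
    printf("mismatch caught: %d\n", demo());
    return 0;
}
```

Without the guard, passing the arena pointer to free() is undefined behaviour and typically corrupts heap metadata, which surfaces later as a crash inside the allocator rather than at the faulty call site.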
Comment 10•19 years ago (Assignee)
This just reverses part of attachment 201686 so we go back to allocating nsDirectionalFrame on the heap. This fixes the crash. It's a trivial patch.
Assignee: nobody → roc
Status: NEW → ASSIGNED
Attachment #202038 - Flags: superreview?(dbaron)
Attachment #202038 - Flags: review?(dbaron)
Comment 11•19 years ago
Comment on attachment 202038
partial backout of attachment 201686

Sure, but it's worth figuring out why this makes us crash.
Attachment #202038 - Flags: superreview?(dbaron)
Attachment #202038 - Flags: superreview+
Attachment #202038 - Flags: review?(dbaron)
Attachment #202038 - Flags: review+
Comment 12•19 years ago (Assignee)
fixed.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Verified FIXED using build 2005-11-07-10 of SeaMonkey trunk on Windows XP; no crash.
Status: RESOLVED → VERIFIED
Comment 15•19 years ago
Might this fix have caused the regression in Bug 312135, which now causes Thunderbird crashes with this stack:
nsCSSFrameConstructor::RestyleEvent::HandleEvent [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13302]
0x778b0c24
nsBidi::doWriteReverse [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/layout/base/nsBidi.cpp, line 2211]
0xe9c03330
Updated•14 years ago
Crash Signature: [@ ntdll.dll + 0x2ae22]