Closed Bug 350754 Opened 18 years ago Closed 18 years ago

Crash [@ ntdll.dll][@ nsFrameManager::GetPrimaryFrameFor] with xbl testcase

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(4 files, 2 obsolete files)

testcase 18 years ago Martijn Wargers (dead) (deleted), application/xhtml+xml		Details
Testcase #2 - mutual recursive binding 18 years ago Mats Palmgren (inactive) (deleted), application/xhtml+xml		Details
Patch rev. 1 18 years ago Mats Palmgren (inactive) (deleted), patch		Details \| Diff \| Splinter Review
Screenshot of the warning message 18 years ago Mats Palmgren (inactive) (deleted), image/png		Details
Patch rev. 2 18 years ago Mats Palmgren (inactive) (deleted), patch	bzbarsky : review- bzbarsky : superreview-	Details \| Diff \| Splinter Review
Patch rev. 3 18 years ago Mats Palmgren (inactive) (deleted), patch	bzbarsky : review+ bzbarsky : superreview+	Details \| Diff \| Splinter Review

Martijn Wargers (dead)

Reporter

Description

•

18 years ago

See upcoming testcase, which crashes current trunk Mozilla builds when loading. It also crashes Mozilla1.7, so no (recent) regression. It seems like some kind of infinite recursion crash or something. Talkback ID: TB22701395E ntdll.dll + 0x10701 (0x7c910701) MSVCR80.dll + 0x4ce9 (0x78134ce9) 0x06f06800 Talkback ID: TB22699388Z PL_DHashTableOperate [mozilla\xpcom\build\pldhash.c, line 537] nsFrameManager::GetPrimaryFrameFor [mozilla\layout\base\nsframemanager.cpp, line 350] nsCSSFrameConstructor::FindPrimaryFrameFor [mozilla\layout\base\nscssframeconstructor.cpp, line 11434] nsFrameManager::GetPrimaryFrameFor [mozilla\layout\base\nsframemanager.cpp, line 404] nsCSSFrameConstructor::FindPrimaryFrameFor [mozilla\layout\base\nscssframeconstructor.cpp, line 11434] nsFrameManager::GetPrimaryFrameFor [mozilla\layout\base\nsframemanager.cpp, line 404] nsCSSFrameConstructor::FindPrimaryFrameFor [mozilla\layout\base\nscssframeconstructor.cpp, line 11434] nsFrameManager::GetPrimaryFrameFor [mozilla\layout\base\nsframemanager.cpp, line 404] nsCSSFrameConstructor::FindPrimaryFrameFor [mozilla\layout\base\nscssframeconstructor.cpp, line 11434] nsFrameManager::GetPrimaryFrameFor [mozilla\layout\base\nsframemanager.cpp, line 404] nsCSSFrameConstructor::FindPrimaryFrameFor [mozilla\layout\base\nscssframeconstructor.cpp, line 11434] nsFrameManager::GetPrimaryFrameFor [mozilla\layout\base\nsframemanager.cpp, line 404] nsCSSFrameConstructor::FindPrimaryFrameFor [mozilla\layout\base\nscssframeconstructor.cpp, line 11434] nsFrameManager::GetPrimaryFrameFor [mozilla\layout\base\nsframemanager.cpp, line 404] nsCSSFrameConstructor::FindPrimaryFrameFor [mozilla\layout\base\nscssframeconstructor.cpp, line 11434] nsFrameManager::GetPrimaryFrameFor [mozilla\layout\base\nsframemanager.cpp, line 404] nsCSSFrameConstructor::FindPrimaryFrameFor [mozilla\layout\base\nscssframeconstructor.cpp, line 11434] nsFrameManager::GetPrimaryFrameFor [mozilla\layout\base\nsframemanager.cpp, line 404] nsCSSFrameConstructor::FindPrimaryFrameFor [mozilla\layout\base\nscssframeconstructor.cpp, line 11434] etc That last Talkback ID, I got with an external xbl document.

Martijn Wargers (dead)

Reporter

Comment 1

•

18 years ago

Attached file testcase (deleted) — Details

Mats Palmgren (inactive)

Assignee

Updated

•

18 years ago

Assignee: general → mats.palmgren

OS: Windows XP → All

Hardware: PC → All

Mats Palmgren (inactive)

Assignee

Comment 2

•

18 years ago

Attached file Testcase #2 - mutual recursive binding (deleted) — Details

Mats Palmgren (inactive)

Assignee

Comment 3

•

18 years ago

Attached patch Patch rev. 1 (obsolete) (deleted) — Details — Splinter Review

This fixes both testcases.

Attachment #236383 - Flags: superreview?(bzbarsky)

Attachment #236383 - Flags: review?(bzbarsky)

Mats Palmgren (inactive)

Assignee

Comment 4

•

18 years ago

Attached image Screenshot of the warning message (deleted) — Details

Boris Zbarsky [:bzbarsky]

Comment 5

•

18 years ago

Hmm... It would make more sense to me to have the check in LoadBindings() instead of in the callers. Also, why is the walk along the GetParent() chain starting at GetBindingParent() and not along the GetBindingParent() chain? On a separate note, Martijn, what happens if two XBL bindings inherit from each other? I suspect we don't deal well with that either; if so, separate bug?

Mats Palmgren (inactive)

Assignee

Comment 6

•

18 years ago

Attached patch Patch rev. 2 (obsolete) (deleted) — Details — Splinter Review

Moved to nsXBLService::LoadBindings() and walking GetBindingParent() chain. The first test: if (!bindingParent || aChild == bindingParent) { is just an optimisation - we could just fall through and not enter the loop. About 40% of the calls take the early return. Let me know if you don't think it's worth it.

Attachment #236383 - Attachment is obsolete: true

Attachment #236603 - Flags: superreview?(bzbarsky)

Attachment #236603 - Flags: review?(bzbarsky)

Attachment #236383 - Flags: superreview?(bzbarsky)

Attachment #236383 - Flags: review?(bzbarsky)

Boris Zbarsky [:bzbarsky]

Comment 7

•

18 years ago

Comment on attachment 236603 [details] [diff] [review] Patch rev. 2 >Index: content/xbl/src/nsXBLService.cpp >+IsAncestorBinding(nsIDocument* aDocument, >+ if (!bindingParent || aChild == bindingParent) { I think we can nix this optimization. More below. >+ nsCString spec1; >+ nsresult rv = aChildBindingURI->GetSpec(spec1); We shouldn't need the spec, imo. >+ if (NS_SUCCEEDED(rv) && spec1.Equals(spec2)) { I think we should use nsIURI::Equals here. And if that fails, treat it as being equal, to be safe. Then we wouldn't need spec1 or the optimization above. With those nits this looks pretty good.

Attachment #236603 - Flags: superreview?(bzbarsky)

Attachment #236603 - Flags: superreview-

Attachment #236603 - Flags: review?(bzbarsky)

Attachment #236603 - Flags: review-

Mats Palmgren (inactive)

Assignee

Comment 8

•

18 years ago

Attached patch Patch rev. 3 (deleted) — Details — Splinter Review

Nits fixed.

Attachment #236603 - Attachment is obsolete: true

Attachment #237213 - Flags: superreview?(bzbarsky)

Attachment #237213 - Flags: review?(bzbarsky)

Boris Zbarsky [:bzbarsky]

Comment 9

•

18 years ago

Comment on attachment 237213 [details] [diff] [review] Patch rev. 3 Looks great!

Attachment #237213 - Flags: superreview?(bzbarsky)

Attachment #237213 - Flags: superreview+

Attachment #237213 - Flags: review?(bzbarsky)

Attachment #237213 - Flags: review+

Martijn Wargers (dead)

Reporter

Comment 10

•

18 years ago

I'm an idiot, I didn't even notice I filed an infinite recursion bug. This is basically a duplicate of bug 55070. (In reply to comment #5) > On a separate note, Martijn, what happens if two XBL bindings inherit from each > other? I suspect we don't deal well with that either; if so, separate bug? xbl:inherits="style" is working fine with the patch. Using extends is still crashing with the patch, I attached a testcase for that to bug 55070.

Boris Zbarsky [:bzbarsky]

Updated

•

18 years ago

Flags: blocking1.9+

Boris Zbarsky [:bzbarsky]

Updated

•

18 years ago

Blocks: 55070

Martijn Wargers (dead)

Reporter

Comment 11

•

18 years ago

Mats, the patch has r+ and sr+, so it can be checked in. Are you waiting for something?

Mats Palmgren (inactive)

Assignee

Comment 12

•

18 years ago

Checked in to trunk at 2006-10-08 03:18 PDT. -> FIXED

Status: NEW → RESOLVED

Closed: 18 years ago

Resolution: --- → FIXED

Olli Pettay [:smaug][bugs@pettay.fi]

Updated

•

18 years ago

Depends on: 374547

Mats Palmgren (inactive)

Assignee

Updated

•

18 years ago

Flags: in-testsuite?

Nobody; OK to take it and work on it

Updated

•

14 years ago

Crash Signature: [@ ntdll.dll] [@ nsFrameManager::GetPrimaryFrameFor]

You need to log in before you can comment on or make changes to this bug.