Closed
Bug 398982
Opened 17 years ago
Closed 17 years ago
Crash [@ DoDeletingFrameSubtree] with menuitem, tooltip, treecols and removing position: absolute
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
VERIFIED
FIXED
mozilla1.9beta1
People
(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [dbaron-1.9:Rs])
Crash Data
Attachments
(7 files, 1 obsolete file)
(deleted),
application/vnd.mozilla.xul+xml
|
Details | |
(deleted),
text/html
|
Details | |
(deleted),
application/vnd.mozilla.xul+xml
|
Details | |
(deleted),
text/html
|
Details | |
(deleted),
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
damons
:
approval1.9+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
Details | Diff | Splinter Review | |
(deleted),
patch
|
Details | Diff | Splinter Review |
See testcase, which crashes current trunk build after 200ms.
This regressed between 2007-10-05 and 2007-10-07:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-10-05+04&maxdate=2007-10-07+09&cvsroot=%2Fcvsroot
Somehow a regression from bug 372685?
http://crash-stats.mozilla.com/report/index/4c3f3d97-7591-11dc-94e2-001a4bd43e5c
0 DoDeletingFrameSubtree mozilla/layout/base/nsCSSFrameConstructor.cpp:9285
1 DoDeletingFrameSubtree mozilla/layout/base/nsCSSFrameConstructor.cpp:9291
2 DoDeletingFrameSubtree mozilla/layout/base/nsCSSFrameConstructor.cpp:9291
3 DeletingFrameSubtree mozilla/layout/base/nsCSSFrameConstructor.cpp:9339
4 nsCSSFrameConstructor::RemoveMappingsForFrameSubtree(nsIFrame*) mozilla/layout/base/nsCSSFrameConstructor.cpp:9378
5 nsPopupSetFrame::DestroyPopupFrame(nsCSSFrameConstructor*, nsIFrame*) mozilla/layout/xul/base/src/nsPopupSetFrame.cpp:303
6 nsPopupSetFrame::Destroy() mozilla/layout/xul/base/src/nsPopupSetFrame.cpp:147
7 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameList.cpp:67
8 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:259
9 nsBoxFrame::RemoveFrame(nsIAtom*, nsIFrame*) mozilla/layout/xul/base/src/nsBoxFrame.cpp:1012
10 nsRootBoxFrame::RemoveFrame(nsIAtom*, nsIFrame*) mozilla/layout/xul/base/src/nsRootBoxFrame.cpp:212
11 nsFrameManager::RemoveFrame(nsIFrame*, nsIAtom*, nsIFrame*) mozilla/layout/base/nsFrameManager.cpp:690
12 nsCSSFrameConstructor::ReconstructDocElementHierarchyInternal() mozilla/layout/base/nsCSSFrameConstructor.cpp:7740
13 nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*) mozilla/layout/base/nsCSSFrameConstructor.cpp:11120
14 nsCSSFrameConstructor::RestyleElement(nsIContent*, nsIFrame*, nsChangeHint) mozilla/layout/base/nsCSSFrameConstructor.cpp:9973
15 nsCSSFrameConstructor::ProcessOneRestyle(nsIContent*, nsReStyleHint, nsChangeHint) mozilla/layout/base/nsCSSFrameConstructor.cpp:13001
16 nsCSSFrameConstructor::ProcessPendingRestyles() mozilla/layout/base/nsCSSFrameConstructor.cpp:13054
17 PresShell::DoFlushPendingNotifications(mozFlushType, int) mozilla/layout/base/nsPresShell.cpp:4443
18 PresShell::FlushPendingNotifications(mozFlushType) mozilla/layout/base/nsPresShell.cpp:4407
19 nsCSSFrameConstructor::RestyleEvent::Run() mozilla/layout/base/nsCSSFrameConstructor.cpp:13110
20 nsThread::ProcessNextEvent(int, int*) mozilla/xpcom/threads/nsThread.cpp:490
21 NS_ProcessNextEvent_P(nsIThread*, int) nsThreadUtils.cpp:227
22 nsBaseAppShell::Run() mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:154
23 nsAppStartup::Run() mozilla/toolkit/components/startup/src/nsAppStartup.cpp:170
24 XRE_main mozilla/toolkit/xre/nsAppRunner.cpp:3142
25 main mozilla/browser/app/nsBrowserApp.cpp:153
26 WinMain mozilla/browser/app/nsBrowserApp.cpp:166
27 __tmainCRTStartup crtexe.c:589
28 BaseProcessStart
Assignee | ||
Updated•17 years ago
|
Assignee: nobody → mats.palmgren
Blocks: 372685
Flags: blocking1.9?
OS: Windows XP → All
Hardware: PC → All
Assignee | ||
Comment 1•17 years ago
|
||
ReconstructDocElementHierarchyInternal() clears the frame manager maps
before destroying the frame tree:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1408&root=/cvsroot&mark=7724-7728,7739#7691
ClearPlaceholderFrameMap() removes all the placeholder/out-of-flow mappings
so DoDeletingFrameSubtree() will eventually crash on a null out-of-flow:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1408&root=/cvsroot&mark=9284#9247
RemoveMappingsForFrameSubtree() has a check to prevent this:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1408&root=/cvsroot&mark=9367#9364
but |mIsDestroyingFrameTree| is false in this case...
Assignee | ||
Comment 2•17 years ago
|
||
This patch fixes the crash, but maybe we should call WillDestroyFrameTree()
instead, to clear counters and pending restyles - there's no point in
keeping those if we recreate the entire frame tree is there?
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1408&root=/cvsroot&mark=10190#10183
more later...
Comment 3•17 years ago
|
||
Yes, clearing quotes, counters, and pending restyles here would be a really good idea.
Assignee | ||
Comment 4•17 years ago
|
||
Assignee | ||
Comment 5•17 years ago
|
||
There is actually a problem with the unconditional
RemoveMappingsForFrameSubtree() that we added in bug 372685.
This is the frame dump + trace for Testcase #2. This time
ReconstructDocElementHierarchyInternal() is not involved at all, it's a
restyle causing RecreateFramesForContent(). See the original frame tree
before it begins at the top, and the stack at the bottom.
Note that all popup-list children are out-of-flows (red,blue,pink).
We should not call RemoveMappingsForFrameSubtree() for out-of-flows when
the placeholder is on a reachable frame list since we would traverse the
same frames twice (same as DoDeletingFrameSubtree() avoids those lists).
- aFc->RemoveMappingsForFrameSubtree(aPopup);
+ if (!(aPopup->GetStateBits() & NS_FRAME_OUT_OF_FLOW))
+ aFc->RemoveMappingsForFrameSubtree(aPopup);
would do the right thing, but...
After reading the frame construction code, it looks like a PopupSet's
::popupList can only contain out-of-flows which means we don't need to call
RemoveMappingsForFrameSubtree() at all here since all these frames will be
reachable (directly or indirectly) through a placeholder from outside the
::popupList itself. So, I'm leaning towards removing it again and adding
assertions instead... I'll investigate some more...
Assignee | ||
Comment 6•17 years ago
|
||
AFAICT, a popupset frame's ::popupList will only contain out-of-flow
MenuPopupFrames.
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1410&root=/cvsroot&mark=6028-6031,6045,6100,6147#6024
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1410&root=/cvsroot&mark=1366,1370,1371,1399,1404#1348
Assignee | ||
Comment 7•17 years ago
|
||
* call WillDestroyFrameTree() before destroying the frame tree
* revert the patch from bug 372685 and add assertions that the ::popupList
frames must be out-of-flow MenuPopupFrames
* add nsPopupSetFrame::List() that also prints the ::popupList frames
Attachment #284041 -
Attachment is obsolete: true
Attachment #284978 -
Flags: superreview?(bzbarsky)
Attachment #284978 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 8•17 years ago
|
||
The attached testcases in Mochitest form.
Comment 9•17 years ago
|
||
Comment on attachment 284978 [details] [diff] [review]
Patch rev. 1
DEBUG, not NS_DEBUG, please. r+sr=bzbarsky with that.
Attachment #284978 -
Flags: superreview?(bzbarsky)
Attachment #284978 -
Flags: superreview+
Attachment #284978 -
Flags: review?(bzbarsky)
Attachment #284978 -
Flags: review+
Assignee | ||
Comment 10•17 years ago
|
||
Comment on attachment 284978 [details] [diff] [review]
Patch rev. 1
ok, I'll fix that before checkin
Attachment #284978 -
Flags: approval1.9?
Flags: blocking1.9? → blocking1.9+
Updated•17 years ago
|
Whiteboard: [dbaron-1.9:Rs]
Reporter | ||
Comment 11•17 years ago
|
||
Fyi, the patch doesn't need approval, because this bug is blockg1.9+, so you should be ale to check it in.
Comment 12•17 years ago
|
||
That's no longer the case, at least till after beta. It needs approval now to land for beta1.
Reporter | ||
Comment 13•17 years ago
|
||
I think I also get this crash while playing around with the search input in the Places Organizer:
http://crash-stats.mozilla.com/report/index/fd7d6f30-8171-11dc-a531-001a4bd46e84
Assignee | ||
Comment 14•17 years ago
|
||
Looks like it. Maybe we should take this for beta1 then?
Target Milestone: --- → mozilla1.9 M9
Comment 15•17 years ago
|
||
Should this definitely block beta? Criteria to use to judge:
* Most sites should display properly and regression free (from previous
major release)
* No known common data loss bugs
* No common hangs or crashes
* No problems with major features in common use cases
Also, what's the risk of regression w/ this patch?
Thanks for any clarification here.
Comment 16•17 years ago
|
||
Comment on attachment 284978 [details] [diff] [review]
Patch rev. 1
Approved to land for beta. Please check in ASAP.
Attachment #284978 -
Flags: approval1.9? → approval1.9+
Assignee | ||
Comment 17•17 years ago
|
||
Assignee | ||
Comment 18•17 years ago
|
||
mozilla/layout/xul/test/Makefile.in 1.4
mozilla/layout/xul/test/test_bug398982-1.xul 1.1
mozilla/layout/xul/test/test_bug398982-2.xul 1.1
mozilla/layout/base/nsCSSFrameConstructor.cpp 1.1417
mozilla/layout/xul/base/src/nsPopupSetFrame.cpp 1.172
mozilla/layout/xul/base/src/nsPopupSetFrame.h 1.62
-> FIXED
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Comment 19•17 years ago
|
||
verified fixed using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a9pre) Gecko/2007102407 Minefield/3.0a9pre and Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a9pre) Gecko/2007102404 Minefield/3.0a9pre. I ran both testcases in the bug and no crash was observed.
Status: RESOLVED → VERIFIED
Updated•13 years ago
|
Crash Signature: [@ DoDeletingFrameSubtree]
You need to log in
before you can comment on or make changes to this bug.
Description
•