Bug 1252 (Closed): [CRASH]Crash in initial layout of empty framesets
Opened 26 years ago, closed 26 years ago
Categories: Core :: Layout: Images, Video, and HTML Frames, defect, P1
Tracking: VERIFIED FIXED, M7
People: Reporter: morse, Assigned: karnaze
Details: Whiteboard: fixed long ago but has since regressed - 06/01/99
Bringing up the browser on a page containing the following html results in a gp-trap:

<HTML>
<HEAD>
<TITLE>Cookies</TITLE>
<SCRIPT>
function loadButtons(){
top.frames[0].document.open();
top.frames[0].document.close();
}
</SCRIPT>
</HEAD>
<FRAMESET onLoad=loadButtons()>
<FRAME>
<FRAME>
</FRAMESET>
</HTML>

If the document.open and document.close are commented out, the trap doesn't occur. This is blocking a lot of other implementation work from happening. The stack trace at the time of the trap is as follows:

GlobalWindowImpl::GetDocument(GlobalWindowImpl * const 0x01340128, nsIDOMDocument * * 0x00129e40) line 269 + 13 bytes
GetWindowProperty(JSContext * 0x01310670, JSObject * 0x018a5a60, long 0xfffffffb, long * 0x0012a2c4) line 149 + 16 bytes
js_GetProperty(JSContext * 0x01310670, JSObject * 0x018a5a60, long 0x01318a10, long * 0x0012a2c4) line 1623 + 25 bytes
js_Interpret(JSContext * 0x01310670, long * 0x0012a41c) line 2153 + 801 bytes
js_Invoke(JSContext * 0x01310670, unsigned int 0x00000000, int 0x00000000) line 657 + 13 bytes
js_Interpret(JSContext * 0x01310670, long * 0x0012a974) line 2187 + 15 bytes
js_Invoke(JSContext * 0x01310670, unsigned int 0x00000001, int 0x00000000) line 657 + 13 bytes
js_CallFunctionValue(JSContext * 0x01310670, JSObject * 0x018a4210, long 0x018a5608, unsigned int 0x00000001, long * 0x0012aabc, long * 0x0012aac4) line 726 + 15 bytes
JS_CallFunctionValue(JSContext * 0x01310670, JSObject * 0x018a4210, long 0x018a5608, unsigned int 0x00000001, long * 0x0012aabc, long * 0x0012aac4) line 2336 + 29 bytes
nsJSEventListener::ProcessEvent(nsIDOMEvent * 0x01336c60) line 97 + 34 bytes
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent * 0x0012ac18, nsIDOMEvent * * 0x0012ab8c, nsEventStatus & nsEventStatus_eIgnore) line 491 + 17 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x013154e4, nsIPresContext & {...}, nsEvent * 0x0012ac18, nsIDOMEvent * * 0x0012ab8c, unsigned int 0x00000001, nsEventStatus & nsEventStatus_eIgnore) line 1724
nsWebShell::OnConnectionsComplete(nsWebShell * const 0x012856f0) line 1655 + 34 bytes
nsDocLoaderImpl::LoadURLComplete(nsIURL * 0x013032c0, nsISupports * 0x013031b0, int 0x00000000) line 966
nsDocumentBindInfo::OnStopBinding(nsDocumentBindInfo * const 0x013031b0, nsIURL * 0x013032c0, int 0x00000000, const nsString & {...}) line 1416
OnStopBindingProxyEvent::HandleEvent(OnStopBindingProxyEvent * const 0x0130b280) line 538 + 45 bytes
StreamListenerProxyEvent::HandlePLEvent(PLEvent * 0x0130b284) line 421 + 12 bytes
PL_HandleEvent(PLEvent * 0x0130b284) line 395 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x01235f60) line 357 + 9 bytes
_md_EventReceiverProc(void * 0x01270110, unsigned int 0x0000c084, unsigned int 0x00000000, long 0x01235f60) line 675 + 9 bytes
USER32! 77e71250()
01235f60()
Updated•26 years ago
Status: NEW → ASSIGNED
Summary: javascript and frames: document.open causes gp-trap → js doc object needs to be reflected before doc load
Comment 2•26 years ago
Updating summary
Comment 4•26 years ago
per leger, assigning QA contacts to all open bugs without QA contacts according to list at http://bugzilla.mozilla.org/describecomponents.cgi?product=Browser
Updated•26 years ago
Assignee: joki → troy
Summary: js doc object needs to be reflected before doc load → Crash in initial layout of empty framesets
Comment 5•26 years ago
Changing subject from "js doc object needs to be reflected before doc load". I think that bug may still exist but there's a different one now that hits first. Document dies in a reflow stack during initial document layout. Troy, can you look at this, and if the reflow gets fixed and load event crash recurs, send it back.
Chris, we're hitting an assert in the nsHTMLOuterFrame code. Here's the stack trace:

NTDLL! 77f76148()
nsDebug::Assertion(const char * 0x007bd5a0, const char * 0x007bd580, const char * 0x007bd548, int 348) line 140 + 13 bytes
nsHTMLFrameOuterFrame::Reflow(nsHTMLFrameOuterFrame * const 0x01133604, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 4294967295) line 348 + 38 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x01133600, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 4294967295) line 388 + 28 bytes
nsHTMLFramesetFrame::ReflowPlaceChild(nsIFrame * 0x01133600, nsIPresContext & {...}, const nsHTMLReflowState & {...}, nsPoint & {x=0 y=0}, nsSize & {width=9180 height=4470}, nsPoint * 0x0012e954 {x=0 y=0}) line 751
nsHTMLFramesetFrame::Reflow(nsHTMLFramesetFrame * const 0x01132054, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 6483869) line 1140
nsLineLayout::ReflowFrame(nsIFrame * 0x01132050, nsIFrame * * 0x0012f564, unsigned int & 6483869) line 842
nsBlockFrame::ReflowInlineFrame(nsBlockReflowState & {...}, nsLineBox * 0x01133f60, nsIFrame * 0x01132050, unsigned char * 0x0012ebe0) line 2729 + 26 bytes
nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineBox * 0x01133f60, int * 0x0012ec70) line 2610 + 24 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x01133f60, int * 0x0012ec70) line 1717 + 20 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 1522 + 20 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x011324b4, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 892 + 18 bytes
nsAreaFrame::Reflow(nsAreaFrame * const 0x011324b4, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 509 + 28 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x011324b0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 388 + 28 bytes
RootFrame::Reflow(RootFrame * const 0x011328a4, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 253
nsContainerFrame::ReflowChild(nsIFrame * 0x011328a0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 388 + 28 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x0112ae14, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 434
PresShell::InitialReflow(PresShell * const 0x01109f90, int 9180, int 4470) line 878
HTMLContentSink::StartLayout() line 1980
HTMLContentSink::CloseFrameset(HTMLContentSink * const 0x010e7850, const nsIParserNode & {...}) line 1822
CNavDTD::CloseFrameset(const nsIParserNode & {...}) line 2232 + 31 bytes
CNavDTD::CloseContainer(const nsIParserNode & {...}, nsHTMLTag eHTMLTag_frameset, int 1) line 2366 + 12 bytes
CNavDTD::CloseContainersTo(int 1, nsHTMLTag eHTMLTag_frameset, int 1) line 2402 + 26 bytes
CNavDTD::CloseContainersTo(nsHTMLTag eHTMLTag_frameset, int 1) line 2423 + 20 bytes
CNavDTD::HandleEndToken(CToken * 0x01128460) line 1231 + 14 bytes
NavDispatchTokenHandler(CToken * 0x01128460, nsIDTD * 0x010a4050) line 245 + 12 bytes
CTokenHandler::operator()(CToken * 0x01128460, nsIDTD * 0x010a4050) line 80 + 14 bytes
CNavDTD::HandleToken(CNavDTD * const 0x010a4050, CToken * 0x01128460, nsIParser * 0x010e7fa0) line 604 + 18 bytes
CNavDTD::BuildModel(CNavDTD * const 0x010a4050, nsIParser * 0x010e7fa0, nsITokenizer * 0x010a3840, nsITokenObserver * 0x00000000, nsIContentSink * 0x010e7850) line 502 + 20 bytes
nsParser::BuildModel() line 804 + 34 bytes
nsParser::ResumeParse(nsIDTD * 0x00000000) line 756 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x010e7fa4, nsIURL * 0x010ae6f0, nsIInputStream * 0x010a3b70, unsigned int 306) line 968 + 17 bytes
nsDocumentBindInfo::OnDataAvailable(nsDocumentBindInfo * const 0x010ae7f0, nsIURL * 0x010ae6f0, nsIInputStream * 0x010a3b70, unsigned int 306) line 1783 + 24 bytes
OnDataAvailableProxyEvent::HandleEvent(OnDataAvailableProxyEvent * const 0x010a0c70) line 632
StreamListenerProxyEvent::HandlePLEvent(PLEvent * 0x010a0c74) line 471 + 12 bytes
PL_HandleEvent(PLEvent * 0x010a0c74) line 476 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x0104e950) line 437 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x0011052a, unsigned int 49403, unsigned int 0, long 17099088) line 799 + 9 bytes
USER32! 77e71250()
0104e950()
Updated (Assignee)•26 years ago
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Comment 7 (Assignee)•26 years ago
This works on my 3/29 pm WinNT debug build. I fixed another frameset bug yesterday which fixes the crash here. In the test case, the <frameset> has no rows or cols, so it will never display anything. If the intent is to eventually use the dom to add rows and/or cols, Eric Pollman is currently working on that.
Comment 8 (Reporter)•26 years ago
The crash is back except now the stack trace is completely different. So rather than reopening this report, I've created a new report. See bug 5643.
Updated•26 years ago
Status: RESOLVED → REOPENED
QA Contact: glynn → claudius
Hardware: PC → All
Summary: Crash in initial layout of empty framesets → [CRASH]Crash in initial layout of empty framesets
Whiteboard: awaiting stable win32 3/30 build to verify → fixed long ago but has since regressed - 06/01/99
Comment 9•26 years ago
This bug is now crashing again. All platforms, with the 1999060108 builds (5/25 on Mac). It is reopened and I'll post a stack trace to compare.

*Interesting note: changing <FRAME> to <FRAME SRC=about:blank> prevents this from crashing, although that was a related issue - see bug 5643.
Updated•26 years ago
Resolution: FIXED → ---
Comment 10•26 years ago
OK Talkback is acting up but my Linux box says we're crashing in nsHTMLFrameInnerFrame whereas before it was nsHTMLFrameOuterFrame.

Program received signal SIGSEGV, Segmentation fault.
0x40a48c7b in nsHTMLFrameInnerFrame::DidReflow ()
#0 0x40a48c7b in nsHTMLFrameInnerFrame::DidReflow ()
#1 0x409b57e9 in nsContainerFrame::DidReflow ()
#2 0x40a4aebc in nsHTMLFramesetFrame::ReflowPlaceChild ()
#3 0x40a4be38 in nsHTMLFramesetFrame::Reflow ()
#4 0x409c86a0 in nsLineLayout::ReflowFrame ()
#5 0x409b06c3 in nsBlockFrame::ReflowInlineFrame ()
#6 0x409b0551 in nsBlockFrame::ReflowInlineFrames ()
#7 0x409af5ff in nsBlockFrame::ReflowLine ()
#8 0x409af332 in nsBlockFrame::ReflowDirtyLines ()
#9 0x409aebb7 in nsBlockFrame::Reflow ()
#10 0x409ace94 in nsAreaFrame::Reflow ()
#11 0x409b5ddf in nsContainerFrame::ReflowChild ()
#12 0x409bd6a7 in RootFrame::Reflow ()
#13 0x409b5ddf in nsContainerFrame::ReflowChild ()
#14 0x409daeb8 in ViewportFrame::Reflow ()
#15 0x409cf2d3 in PresShell::InitialReflow ()
#16 0x40a409fc in HTMLContentSink::StartLayout ()
#17 0x40a4068b in HTMLContentSink::CloseFrameset ()
#18 0x40284c31 in CNavDTD::CloseFrameset ()
#19 0x4028518a in CNavDTD::CloseContainer ()
#20 0x4028528e in CNavDTD::CloseContainersTo ()
#21 0x40285388 in CNavDTD::CloseContainersTo ()
#22 0x40283bfd in CNavDTD::HandleEndToken ()
#23 0x40281acb in CNavDTD::Release ()
#24 0x4028e97b in CTokenHandler::operator() ()
#25 0x402825ba in CNavDTD::HandleToken ()
#26 0x402821be in CNavDTD::BuildModel ()
#27 0x4028c981 in nsParser::BuildModel ()
#28 0x4028c8bb in nsParser::ResumeParse ()
#29 0x4028cc25 in nsParser::OnDataAvailable ()
#30 0x4025b766 in nsDocumentBindInfo::OnDataAvailable ()
#31 0x40247ec4 in XP_FindContextOfType ()
#32 0x402029c6 in NET_GetMaxMemoryCacheSize ()
#33 0x40179da1 in net_ResumeHTTP ()
#34 0x40179762 in NET_getInternetKeyword ()
#35 0x4017a65e in net_ResumeHTTP ()
#36 0x40224f3f in NET_ProcessNet ()
#37 0x4022a5d7 in NET_PollSockets ()
#38 0x4024329d in nsNetlibService::NetPollSocketsCallback ()
#39 0x400f727a in TimerImpl::FireTimeout ()
#40 0x400f75dc in nsTimerExpired ()
#41 0x80e6b53 in g_main_iteration ()
#42 0x80e60d8 in g_list_length ()
#43 0x80e6553 in g_list_length ()
#44 0x80e666d in g_main_iteration ()
#45 0x8084593 in gtk_main ()
#46 0x400b12c3 in nsAppShell::Run ()
#47 0x40018fb6 in nsAppShellService::Run ()
#48 0x8051327 in main ()
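Comments 8 and 10 compare stack traces by eye to decide whether a regression is the same crash. The sketch below is an added example, not part of the bug report or of Mozilla's tooling: it derives a crash signature from the top frames of the two trace formats quoted in this thread. The function names, the noise-frame list and the abridged frame arguments are assumptions of the example.

```python
import re

# Top frames of two traces quoted in this thread (arguments abridged to "...").
ASSERT_TRACE = """\
NTDLL! 77f76148()
nsDebug::Assertion(...) line 140 + 13 bytes
nsHTMLFrameOuterFrame::Reflow(...) line 348 + 38 bytes
nsContainerFrame::ReflowChild(...) line 388 + 28 bytes
nsHTMLFramesetFrame::ReflowPlaceChild(...) line 751
"""
SEGV_TRACE = """\
#0 0x40a48c7b in nsHTMLFrameInnerFrame::DidReflow ()
#1 0x409b57e9 in nsContainerFrame::DidReflow ()
#2 0x40a4aebc in nsHTMLFramesetFrame::ReflowPlaceChild ()
#3 0x40a4be38 in nsHTMLFramesetFrame::Reflow ()
"""

GDB_FRAME = re.compile(r"^#\d+\s+0x[0-9a-fA-F]+ in (.+?) \(")
MODULE_ONLY = re.compile(r"^\w+! [0-9a-fA-F]+$")  # e.g. "NTDLL! 77f76148": no symbol
NOISE = {"nsDebug::Assertion"}  # assumption: reporting helper, not the faulting code


def frames(trace):
    """Return symbol names, innermost first, from a gdb or MSVC-style trace."""
    out = []
    for line in map(str.strip, trace.splitlines()):
        m = GDB_FRAME.match(line)
        sym = m.group(1) if m else line.split("(", 1)[0].strip()
        if sym:
            out.append(sym)
    return out


def signature(trace, depth=2):
    """Join the first `depth` frames that carry a symbol and are not noise."""
    kept = [f for f in frames(trace) if f not in NOISE and not MODULE_ONLY.match(f)]
    return " | ".join(kept[:depth])


def first_common_frame(a, b):
    """First frame of `a` that also appears in `b`: where two crashes converge."""
    seen = set(frames(b))
    return next((f for f in frames(a) if f in seen and not MODULE_ONLY.match(f)), None)


if __name__ == "__main__":
    print(signature(ASSERT_TRACE))
    print(signature(SEGV_TRACE))
    print(first_common_frame(ASSERT_TRACE, SEGV_TRACE))
```

The two traces get different signatures but share nsHTMLFramesetFrame::ReflowPlaceChild as their first common caller.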
Updated (Assignee)•26 years ago
Status: REOPENED → RESOLVED
Closed: 26 years ago → 26 years ago
Resolution: --- → FIXED
Target Milestone: M5 → M7
Comment 11 (Assignee)•26 years ago
Fixed with latest checkin.
Updated•26 years ago
Status: RESOLVED → VERIFIED
Comment 12•26 years ago
VERIFIED fixed for WinNT, MacOS, and RHLinux with 1999060708 builds
Comment 13•22 years ago
As far as I can tell, this bug has been back again for a while. Over the past few months I have successfully repeatedly crashed mozilla 0.9.9, 1.1.0 and now mozilla-1.2b-0_rh7 (all on redhat). The following HTML is all you need to re-create this crash:

<html>
<frameset rows="0" cols="0">
<frame src="">
</frameset>
</body>
</html>

-jonny
Comment 14 (Assignee)•22 years ago
wfm on 11/26/2 win2k debug.
Comment 15•22 years ago
it's nice to hear it works okay on w2k. on linux - it doesn't. just tested it again on a fresh rh 8.0 install with moz 1.2 stable (xft). crashed like a crashing thing. cheers, -jonny
Comment 16•22 years ago
crashes on Redhat 7.3 1.2b works on win2k
Comment 17•20 years ago
Revised delivery date - 07/21
Updated•6 years ago
Product: Core → Core Graveyard
Updated•6 years ago
Component: Layout: HTML Frames → Layout: Images
Product: Core Graveyard → Core