Closed Bug 1252 Opened 26 years ago Closed 26 years ago

[CRASH]Crash in initial layout of empty framesets

Categories

(Core :: Layout: Images, Video, and HTML Frames, defect, P1)

All
Windows NT
defect

Tracking


VERIFIED FIXED

People

(Reporter: morse, Assigned: karnaze)

References


Details

(Whiteboard: fixed long ago but has since regressed - 06/01/99)

Bringing up the browser on a page containing the following HTML results in a
gp-trap:

 <HTML>
   <HEAD>
     <TITLE>Cookies</TITLE>
     <SCRIPT>
       function loadButtons(){
         top.frames[0].document.open();
         top.frames[0].document.close();
       }
     </SCRIPT>
   </HEAD>
   <FRAMESET onLoad=loadButtons()>
     <FRAME>
     <FRAME>
   </FRAMESET>
 </HTML>

If the document.open and document.close are commented out, the trap doesn't
occur.

This is blocking a lot of other implementation work from happening.

The stack trace at the time of the trap is as follows:

GlobalWindowImpl::GetDocument(GlobalWindowImpl * const 0x01340128,
nsIDOMDocument * * 0x00129e40) line 269 + 13 bytes
GetWindowProperty(JSContext * 0x01310670, JSObject * 0x018a5a60, long
0xfffffffb, long * 0x0012a2c4) line 149 + 16 bytes
js_GetProperty(JSContext * 0x01310670, JSObject * 0x018a5a60, long
0x01318a10, long * 0x0012a2c4) line 1623 + 25 bytes
js_Interpret(JSContext * 0x01310670, long * 0x0012a41c) line 2153 + 801
bytes
js_Invoke(JSContext * 0x01310670, unsigned int 0x00000000, int
0x00000000) line 657 + 13 bytes
js_Interpret(JSContext * 0x01310670, long * 0x0012a974) line 2187 + 15
bytes
js_Invoke(JSContext * 0x01310670, unsigned int 0x00000001, int
0x00000000) line 657 + 13 bytes
js_CallFunctionValue(JSContext * 0x01310670, JSObject * 0x018a4210, long
0x018a5608, unsigned int 0x00000001, long * 0x0012aabc, long *
0x0012aac4) line 726 + 15 bytes
JS_CallFunctionValue(JSContext * 0x01310670, JSObject * 0x018a4210, long
0x018a5608, unsigned int 0x00000001, long * 0x0012aabc, long *
0x0012aac4) line 2336 + 29 bytes
nsJSEventListener::ProcessEvent(nsIDOMEvent * 0x01336c60) line 97 + 34
bytes
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent *
0x0012ac18, nsIDOMEvent * * 0x0012ab8c, nsEventStatus &
nsEventStatus_eIgnore) line 491 + 17 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x013154e4,
nsIPresContext & {...}, nsEvent * 0x0012ac18, nsIDOMEvent * *
0x0012ab8c, unsigned int 0x00000001, nsEventStatus &
nsEventStatus_eIgnore) line 1724
nsWebShell::OnConnectionsComplete(nsWebShell * const 0x012856f0) line
1655 + 34 bytes
nsDocLoaderImpl::LoadURLComplete(nsIURL * 0x013032c0, nsISupports *
0x013031b0, int 0x00000000) line 966
nsDocumentBindInfo::OnStopBinding(nsDocumentBindInfo * const 0x013031b0,
nsIURL * 0x013032c0, int 0x00000000, const nsString & {...}) line 1416
OnStopBindingProxyEvent::HandleEvent(OnStopBindingProxyEvent * const
0x0130b280) line 538 + 45 bytes
StreamListenerProxyEvent::HandlePLEvent(PLEvent * 0x0130b284) line 421 +
12 bytes
PL_HandleEvent(PLEvent * 0x0130b284) line 395 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x01235f60) line 357 + 9 bytes
_md_EventReceiverProc(void * 0x01270110, unsigned int 0x0000c084,
unsigned int 0x00000000, long 0x01235f60) line 675 + 9 bytes
USER32! 77e71250()
01235f60()
Status: NEW → ASSIGNED
Summary: javascript and frames: document.open causes gp-trap → js doc object needs to be reflected before doc load
*** Bug 1098 has been marked as a duplicate of this bug. ***
Updating summary
Setting all current Open Critical and Major to M3
per leger, assigning QA contacts to all open bugs without QA contacts according
to list at http://bugzilla.mozilla.org/describecomponents.cgi?product=Browser
Status: ASSIGNED → NEW
Target Milestone: M3 → M5
Assignee: joki → troy
Summary: js doc object needs to be reflected before doc load → Crash in initial layout of empty framesets
Changing subject from
  js doc object needs to be reflected before doc load
I think that bug may still exist, but there's a different one now that hits
first. Document dies in a reflow stack during initial document layout. Troy,
can you look at this and, if the reflow gets fixed and the load-event crash
recurs, send it back.
Assignee: troy → karnaze
Chris, we're hitting an assert in the nsHTMLOuterFrame code. Here's the stack
trace:

NTDLL! 77f76148()
nsDebug::Assertion(const char * 0x007bd5a0, const char * 0x007bd580, const char
* 0x007bd548, int 348) line 140 + 13 bytes
nsHTMLFrameOuterFrame::Reflow(nsHTMLFrameOuterFrame * const 0x01133604,
nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState &
{...}, unsigned int & 4294967295) line 348 + 38 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x01133600, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int &
4294967295) line 388 + 28 bytes
nsHTMLFramesetFrame::ReflowPlaceChild(nsIFrame * 0x01133600, nsIPresContext &
{...}, const nsHTMLReflowState & {...}, nsPoint & {x=0 y=0}, nsSize &
{width=9180 height=4470}, nsPoint * 0x0012e954 {x=0 y=0}) line 751
nsHTMLFramesetFrame::Reflow(nsHTMLFramesetFrame * const 0x01132054,
nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState &
{...}, unsigned int & 6483869) line 1140
nsLineLayout::ReflowFrame(nsIFrame * 0x01132050, nsIFrame * * 0x0012f564,
unsigned int & 6483869) line 842
nsBlockFrame::ReflowInlineFrame(nsBlockReflowState & {...}, nsLineBox *
0x01133f60, nsIFrame * 0x01132050, unsigned char * 0x0012ebe0) line 2729 + 26
bytes
nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineBox *
0x01133f60, int * 0x0012ec70) line 2610 + 24 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x01133f60, int
* 0x0012ec70) line 1717 + 20 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 1522 + 20 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x011324b4, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 892 + 18 bytes
nsAreaFrame::Reflow(nsAreaFrame * const 0x011324b4, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 509 + 28 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x011324b0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 388 + 28 bytes
RootFrame::Reflow(RootFrame * const 0x011328a4, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 253
nsContainerFrame::ReflowChild(nsIFrame * 0x011328a0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 388 + 28 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x0112ae14, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 434
PresShell::InitialReflow(PresShell * const 0x01109f90, int 9180, int 4470) line
878
HTMLContentSink::StartLayout() line 1980
HTMLContentSink::CloseFrameset(HTMLContentSink * const 0x010e7850, const
nsIParserNode & {...}) line 1822
CNavDTD::CloseFrameset(const nsIParserNode & {...}) line 2232 + 31 bytes
CNavDTD::CloseContainer(const nsIParserNode & {...}, nsHTMLTag
eHTMLTag_frameset, int 1) line 2366 + 12 bytes
CNavDTD::CloseContainersTo(int 1, nsHTMLTag eHTMLTag_frameset, int 1) line 2402
+ 26 bytes
CNavDTD::CloseContainersTo(nsHTMLTag eHTMLTag_frameset, int 1) line 2423 + 20
bytes
CNavDTD::HandleEndToken(CToken * 0x01128460) line 1231 + 14 bytes
NavDispatchTokenHandler(CToken * 0x01128460, nsIDTD * 0x010a4050) line 245 + 12
bytes
CTokenHandler::operator()(CToken * 0x01128460, nsIDTD * 0x010a4050) line 80 + 14
bytes
CNavDTD::HandleToken(CNavDTD * const 0x010a4050, CToken * 0x01128460, nsIParser
* 0x010e7fa0) line 604 + 18 bytes
CNavDTD::BuildModel(CNavDTD * const 0x010a4050, nsIParser * 0x010e7fa0,
nsITokenizer * 0x010a3840, nsITokenObserver * 0x00000000, nsIContentSink *
0x010e7850) line 502 + 20 bytes
nsParser::BuildModel() line 804 + 34 bytes
nsParser::ResumeParse(nsIDTD * 0x00000000) line 756 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x010e7fa4, nsIURL * 0x010ae6f0,
nsIInputStream * 0x010a3b70, unsigned int 306) line 968 + 17 bytes
nsDocumentBindInfo::OnDataAvailable(nsDocumentBindInfo * const 0x010ae7f0,
nsIURL * 0x010ae6f0, nsIInputStream * 0x010a3b70, unsigned int 306) line 1783 +
24 bytes
OnDataAvailableProxyEvent::HandleEvent(OnDataAvailableProxyEvent * const
0x010a0c70) line 632
StreamListenerProxyEvent::HandlePLEvent(PLEvent * 0x010a0c74) line 471 + 12
bytes
PL_HandleEvent(PLEvent * 0x010a0c74) line 476 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x0104e950) line 437 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x0011052a, unsigned int 49403, unsigned int 0,
long 17099088) line 799 + 9 bytes
USER32! 77e71250()
0104e950()
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
This works on my 3/29 pm WinNT debug build. I fixed another frameset bug
yesterday which fixes the crash here. In the test case, the <frameset> has no
rows or cols, so it will never display anything. If the intent is to eventually
use the dom to add rows and/or cols, Eric Pollman is currently working on that.
Whiteboard: awaiting stable win32 3/30 build to verify
The crash is back except now the stack trace is completely different.  So rather
than reopening this report, I've created a new report.  See bug 5643.
Status: RESOLVED → REOPENED
QA Contact: glynn → claudius
Hardware: PC → All
Summary: Crash in initial layout of empty framesets → [CRASH]Crash in initial layout of empty framesets
Whiteboard: awaiting stable win32 3/30 build to verify → fixed long ago but has since regressed - 06/01/99
This bug is now crashing again. All platforms, with the 1999060108 builds (5/25 on Mac). It is reopened and I'll post a stack trace
to compare.

*Interesting note: changing <FRAME> to <FRAME SRC=about:blank> prevents this from crashing, although that was a related issue
- see bug 5643
Resolution: FIXED → ---
OK Talkback is acting up but my Linux box says we're crashing in nsHTMLFrameInnerFrame whereas before it was
nsHTMLFrameOuterFrame.

Program received signal SIGSEGV, Segmentation fault.
0x40a48c7b in nsHTMLFrameInnerFrame::DidReflow ()

#0  0x40a48c7b in nsHTMLFrameInnerFrame::DidReflow ()
#1  0x409b57e9 in nsContainerFrame::DidReflow ()
#2  0x40a4aebc in nsHTMLFramesetFrame::ReflowPlaceChild ()
#3  0x40a4be38 in nsHTMLFramesetFrame::Reflow ()
#4  0x409c86a0 in nsLineLayout::ReflowFrame ()
#5  0x409b06c3 in nsBlockFrame::ReflowInlineFrame ()
#6  0x409b0551 in nsBlockFrame::ReflowInlineFrames ()
#7  0x409af5ff in nsBlockFrame::ReflowLine ()
#8  0x409af332 in nsBlockFrame::ReflowDirtyLines ()
#9  0x409aebb7 in nsBlockFrame::Reflow ()
#10 0x409ace94 in nsAreaFrame::Reflow ()
#11 0x409b5ddf in nsContainerFrame::ReflowChild ()
#12 0x409bd6a7 in RootFrame::Reflow ()
#13 0x409b5ddf in nsContainerFrame::ReflowChild ()
#14 0x409daeb8 in ViewportFrame::Reflow ()
#15 0x409cf2d3 in PresShell::InitialReflow ()
#16 0x40a409fc in HTMLContentSink::StartLayout ()
#17 0x40a4068b in HTMLContentSink::CloseFrameset ()
#18 0x40284c31 in CNavDTD::CloseFrameset ()
#19 0x4028518a in CNavDTD::CloseContainer ()
#20 0x4028528e in CNavDTD::CloseContainersTo ()
#21 0x40285388 in CNavDTD::CloseContainersTo ()
#22 0x40283bfd in CNavDTD::HandleEndToken ()
#23 0x40281acb in CNavDTD::Release ()
#24 0x4028e97b in CTokenHandler::operator() ()
#25 0x402825ba in CNavDTD::HandleToken ()
#26 0x402821be in CNavDTD::BuildModel ()
#27 0x4028c981 in nsParser::BuildModel ()
#28 0x4028c8bb in nsParser::ResumeParse ()
#29 0x4028cc25 in nsParser::OnDataAvailable ()
#30 0x4025b766 in nsDocumentBindInfo::OnDataAvailable ()
#31 0x40247ec4 in XP_FindContextOfType ()
#32 0x402029c6 in NET_GetMaxMemoryCacheSize ()
#33 0x40179da1 in net_ResumeHTTP ()
#34 0x40179762 in NET_getInternetKeyword ()
#35 0x4017a65e in net_ResumeHTTP ()
#36 0x40224f3f in NET_ProcessNet ()
#37 0x4022a5d7 in NET_PollSockets ()
#38 0x4024329d in nsNetlibService::NetPollSocketsCallback ()
#39 0x400f727a in TimerImpl::FireTimeout ()
#40 0x400f75dc in nsTimerExpired ()
#41 0x80e6b53 in g_main_iteration ()
#42 0x80e60d8 in g_list_length ()
#43 0x80e6553 in g_list_length ()
#44 0x80e666d in g_main_iteration ()
#45 0x8084593 in gtk_main ()
#46 0x400b12c3 in nsAppShell::Run ()
#47 0x40018fb6 in nsAppShellService::Run ()
#48 0x8051327 in main ()
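The comment above posts a second trace "to compare" against the earlier Windows one. The following is an added triage script, not part of this bug or of Mozilla's tree: it parses both the MSVC-debugger-style trace (one frame per `Name(args...) line N` entry, with argument lists wrapped across lines) and the gdb-style trace (`#N 0xaddr in Name ()`), finds the longest run of frames the two share, and reports the innermost shared frame plus the frames each trace has above it. The sample traces are excerpts of the two traces quoted in this bug; the frame-start heuristics (`Name(`, `#N ... in Name (`, `MODULE! addr()`) are assumptions about those two formats, not a general symbolizer.

```python
import re

# Assumed frame-start patterns for the two formats seen in this bug.
MSVC_MODULE = re.compile(r'^(\w+)!\s*([0-9a-fA-F]+)\(\)')          # NTDLL! 77f76148()
MSVC_FRAME = re.compile(r'^([A-Za-z_][\w:~]*)\(')                  # nsDebug::Assertion(...
MSVC_ADDR = re.compile(r'^[0-9a-fA-F]+\(\)\s*$')                   # 01235f60()
GDB_FRAME = re.compile(r'^#\d+\s+(?:0x[0-9a-fA-F]+\s+in\s+)?([\w:~<>]+)\s*\(')


def parse_trace(text):
    """Return function names, innermost first. Wrapped MSVC argument lines
    (starting with '*', '{', a number, a type name followed by a space...)
    never match a frame-start pattern and are skipped as continuations."""
    frames = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GDB_FRAME.match(line) or MSVC_MODULE.match(line)
        if m and m.re is GDB_FRAME:
            frames.append(m.group(1))
        elif m:
            frames.append(f"{m.group(1)}!{m.group(2)}")
        elif MSVC_FRAME.match(line):
            frames.append(MSVC_FRAME.match(line).group(1))
        elif MSVC_ADDR.match(line):
            frames.append("<unknown>")
    return frames


def longest_common_run(a, b):
    """Longest contiguous run of equal frames; returns (start_a, start_b, length)."""
    best, end_a, end_b = 0, 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best, end_a, end_b = cur[j], i, j
        prev = cur
    return end_a - best, end_b - best, best


def compare_traces(trace_a, trace_b):
    """Split both traces at their longest shared run of frames."""
    fa, fb = parse_trace(trace_a), parse_trace(trace_b)
    sa, sb, n = longest_common_run(fa, fb)
    return {
        "shared": fa[sa:sa + n],          # common path, innermost shared frame first
        "only_a_above": fa[:sa],          # frames trace A has above the shared path
        "only_b_above": fb[:sb],          # frames trace B has above the shared path
    }


# Excerpt of the Windows (MSVC debugger) trace from this bug, wrapping preserved.
WIN_TRACE = """
NTDLL! 77f76148()
nsDebug::Assertion(const char * 0x007bd5a0, const char * 0x007bd580, const char
* 0x007bd548, int 348) line 140 + 13 bytes
nsHTMLFrameOuterFrame::Reflow(nsHTMLFrameOuterFrame * const 0x01133604,
nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState &
{...}, unsigned int & 4294967295) line 348 + 38 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x01133600, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int &
4294967295) line 388 + 28 bytes
nsHTMLFramesetFrame::ReflowPlaceChild(nsIFrame * 0x01133600, nsIPresContext &
{...}, const nsHTMLReflowState & {...}, nsPoint & {x=0 y=0}, nsSize &
{width=9180 height=4470}, nsPoint * 0x0012e954 {x=0 y=0}) line 751
nsHTMLFramesetFrame::Reflow(nsHTMLFramesetFrame * const 0x01132054,
nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState &
{...}, unsigned int & 6483869) line 1140
nsLineLayout::ReflowFrame(nsIFrame * 0x01132050, nsIFrame * * 0x0012f564,
unsigned int & 6483869) line 842
nsBlockFrame::ReflowInlineFrame(nsBlockReflowState & {...}, nsLineBox *
0x01133f60, nsIFrame * 0x01132050, unsigned char * 0x0012ebe0) line 2729 + 26
bytes
"""

# Excerpt of the Linux (gdb) trace from the reopened report.
LINUX_TRACE = """
#0  0x40a48c7b in nsHTMLFrameInnerFrame::DidReflow ()
#1  0x409b57e9 in nsContainerFrame::DidReflow ()
#2  0x40a4aebc in nsHTMLFramesetFrame::ReflowPlaceChild ()
#3  0x40a4be38 in nsHTMLFramesetFrame::Reflow ()
#4  0x409c86a0 in nsLineLayout::ReflowFrame ()
#5  0x409b06c3 in nsBlockFrame::ReflowInlineFrame ()
#6  0x409b0551 in nsBlockFrame::ReflowInlineFrames ()
#7  0x409af5ff in nsBlockFrame::ReflowLine ()
"""

if __name__ == "__main__":
    result = compare_traces(WIN_TRACE, LINUX_TRACE)
    print("innermost shared frame:", result["shared"][0])
    print("Windows-only above it: ", result["only_a_above"])
    print("Linux-only above it:   ", result["only_b_above"])
```

Run on the two excerpts, the innermost shared frame is nsHTMLFramesetFrame::ReflowPlaceChild: the original assertion fired inside the child's Reflow (nsHTMLFrameOuterFrame), while the regression faults after reflow in nsHTMLFrameInnerFrame::DidReflow, which is why the comment calls the new trace "completely different" even though the whole frameset reflow path beneath it is the same.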
Status: REOPENED → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Target Milestone: M5 → M7
Fixed with latest checkin.
Status: RESOLVED → VERIFIED
VERIFIED fixed for WinNT, MacOS, and RHLinux with 1999060708 builds
As far as I can tell, this bug has been back again for a while.
Over the past few months I have successfully repeatedly crashed
mozilla 0.9.9, 1.1.0 and now mozilla-1.2b-0_rh7 (all on redhat).

The following HTML is all you need to re-create this crash:
<html>
<frameset rows="0" cols="0">
<frame src="">
</frameset>
</body>
</html>

-jonny
wfm on 11/26/2 win2k debug.
It's nice to hear it works okay on w2k.
On Linux, it doesn't.

Just tested it again on a fresh RH 8.0 install with moz 1.2 stable (xft).

Crashed like a crashing thing.

cheers,
-jonny
crashes on Redhat 7.3 1.2b 

works on win2k
Revised delivery date - 07/21
Product: Core → Core Graveyard
Component: Layout: HTML Frames → Layout: Images
Product: Core Graveyard → Core