Bugzilla@Mozilla – Bug 472668
Crash [@ nsFrame::GetBoxAscent] with binding, observes and DOMAttrModified
Last modified: 2009-07-21 21:22:25 PDT
Created attachment 355970 [details]
binding needed for testcase
See upcoming testcase, which crashes current trunk build. It also crashes Firefox 3, so marking security sensitive for now. It doesn't crash Firefox 2, I can look for a regression range, if wanted.
http://crash-stats.mozilla.com/report/index/4d1fdf06-c323-4d3c-baeb-f3cf12090108?p=1
0 xul.dll nsFrame::GetBoxAscent layout/generic/nsFrame.cpp:6352
1 xul.dll nsSprocketLayout::GetAscent layout/xul/base/src/nsSprocketLayout.cpp:1525
2 xul.dll nsStyleContext::GetStyleVisibility layout/style/nsStyleStructList.h:103
Created attachment 355971 [details] testcase
###!!! ASSERTION: element not in the document: 'doc', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsChildIterator.cpp, line 62
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsFrameManager.cpp, line 850
frame: Block(div)(-1) (0xad3c62b0) style: 0xad3b8ca8 {}
Has parent context: style: 0xad3b8834 {}
Should be null
WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10983
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsFrameManager.cpp, line 850
frame: Block(div)(-1) (0xad3c62b0) style: 0xad3b8ca8 {}
Has parent context: style: 0xad3b8834 {}
Should be null
WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10983
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsFrameManager.cpp, line 850
frame: Block(div)(-1) (0xad3c62b0) style: 0xad3b8ca8 {}
Has parent context: style: 0xad3b8834 {}
Should be null
Perhaps this is related to bug 468211?
The output in comment 2 makes it look very related.
This does still crash, although bug 468211 doesn't.
(In reply to comment #5)
> This does still crash, although bug 468211 doesn't
I was wrong, bug 468211 does still crash.
The patch for Bug 468211 fixes this one too.
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090201 Minefield/3.2a1pre (.NET CLR 3.5.30729)
Created attachment 364790 [details]
testcase v2
updated testcase for bugzilla's new attachment names
Created attachment 364791 [details]
testcase v3
Sorry, uploaded the original again
I cannot get the testcase to run correctly from bugzilla due to whatever redirecting magic we're doing. Despite directly referencing the pseudo sub-domain correctly I get a non-same-origin security warning:
Security Error: Content at https://bug472668.bugzilla.mozilla.org/attachment.cgi?id=355970 may not load data from https://bugzilla.mozilla.org/attachment.cgi?id=355970.
The binding can't access itself? (note it's the same attachment number)
As a local file I don't get a crash either. Martijn: can you still repro this problem in 1.9.0.x?
I do get some of the same assertions:
###!!! ASSERTION: killing mutation events: 'nsContentUtils::IsSafeToRunScript()', file ../../../dist/include/content/nsContentUtils.h, line 1446
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file ../../dist/include/layout/nsPresContext.h, line 971
###!!! ASSERTION: element not in the document: 'doc', file /Users/daniel/dev/ff3/mozilla/layout/base/nsChildIterator.cpp, line 62
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/daniel/dev/ff3/mozilla/layout/base/nsFrameManager.cpp, line 834
frame: Block(div)(-1) (0x1ef37e78) style: 0x1ef37abc {}
Has parent context: style: 0x1ef37700 {}
Should be null
WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /Users/daniel/dev/ff3/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11238
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/daniel/dev/ff3/mozilla/layout/base/nsFrameManager.cpp, line 834
frame: Block(div)(-1) (0x1ef37e78) style: 0x1ef37abc {}
Has parent context: style: 0x1ef37700 {}
Should be null
WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /Users/daniel/dev/ff3/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11238
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/daniel/dev/ff3/mozilla/layout/base/nsFrameManager.cpp, line 834
frame: Block(div)(-1) (0x1ef37e78) style: 0x1ef37abc {}
Has parent context: style: 0x1ef37700 {}
Should be null
###!!! ASSERTION: style context has old rule node: 'n == mRuleTree', file /Users/daniel/dev/ff3/mozilla/layout/style/nsStyleSet.cpp, line 159
###!!! ASSERTION: old rule tree still referenced: 'Not Reached', file /Users/daniel/dev/ff3/mozilla/layout/style/nsStyleSet.cpp, line 936
--DOMWINDOW == 17 (0x194609ec) [serial = 84] [outer = 0x174b1da0] [url = file:///Users/Daniel/dev/test/bug472668.xul]
Martijn, can we get a new test case for this?
Created attachment 367035 [details]
zipped up testcase
This one crashes (in builds prior to the fix) when opening the tt.xul file.
Fwiw, because of bugzilla's current brokenness, I've stopped trying to get testcases that crash online, when the crash depends on multiple files. Instead, I'm now just attaching the zipped up testcase.
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090208 Shiretoko/3.1b3pre (.NET CLR 3.5.30729)
I noticed that it crashed in a 1.9.1 build from 2009-01-19. Oddly enough, it didn't seem to crash in a Firefox3.0.7 build.
(In reply to comment #7)
> the patch for Bug 468211 fixes this one too.
fixed in bug 445177
The assertions are fixed now in 1.9.0.12. I can't reliably reproduce the crash on 1.9.0.x
Marking verified1.9.0.12. I can't reproduce the crash either.