Closed Bug 310668 Opened 19 years ago Closed 19 years ago

Evil xul tree testcase and overflow:scroll crashes Mozilla [@ nsTreeBodyFrame::GetRowAt]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: roc)

References

Details

(5 keywords)

Crash Data

Attachments

(5 files)

testcase
(deleted), application/vnd.mozilla.xul+xml
Details
patch; diff -w for review
(deleted), patch
bzbarsky
: superreview+
Details | Diff | Splinter Review
patch for checkin
(deleted), patch
dbaron
: review+
bzbarsky
: approval-branch-1.8.1+
dveditz
: approval1.8.0.4-
Details | Diff | Splinter Review
1.8 branch patch
(deleted), patch
dveditz
: approval1.8.0.5+
Details | Diff | Splinter Review
1.8 bustage fix
(deleted), patch
dveditz
: approval1.8.0.5+
Details | Diff | Splinter Review 
See testcase.
When clicking on the button, Mozilla crashes.
This regressed between 2005-08-30 and 2005-08-31, indicating bug 212789 as a
likely cause.
Attached file testcase (deleted) — 
When clicking on the button in the testcase, Mozilla crashes.
From talkback ID: TB9946810E

nsTreeBodyFrame::GetRowAt 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp,
line 967]
nsTreeBodyFrame::GetRowHeight 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp,
line 639]
PresShell::ContentInserted 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 5146]
PresShell::Observe 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6726]
PresShell::Thaw 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6274]
SHELL32.dll + 0x520c24 (0x778b0c24)
Summary: Evil xul tree testcase and overflow:scroll crashes Mozilla → Evil xul tree testcase and overflow:scroll crashes Mozilla [@ nsTreeBodyFrame::GetRowAt]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051001
Firefox/1.6a1 ID:2005100108

Small improvement; it does not crash anymore (like this morning) but leaves an
idle process in the task manager that has to be killed.
Flags: blocking1.9a1?
This stack trace is either corrupted or doesn't make sense at all. GetRowHeight
does not call GetRowAt etc...
Blocks: 321106
So... the mScrollbar member is pointing to a dead frame.  I see no provisions for resetting that member if the frame dies; am I just missing it?
Flags: blocking1.8.1?
Flags: blocking1.8.0.3?
crash - nom approved
Flags: blocking1.8.0.3? → blocking1.8.0.3+
Assignee: nobody → roc
Attached patch patch; diff -w for review (deleted) — Splinter Review 
Here's the patch. It simply removes frame and view references from nsTreeBodyFrame and refetches them whenever they're needed. It's pretty simple, but it looks big because I've altered internal function signatures so we can pass the fetched parts around to avoid redundant fetches.
Attachment #218229 - Flags: superreview?(bzbarsky)
Attachment #218229 - Flags: review?(Jan.Varga)
Comment on attachment 218229 [details] [diff] [review]
patch; diff -w for review

>+    // The way we do this, searching through the entire frame subtree, is pretty
>+    // dumb! We should know where these frames are.
Theoretically more advanced themes might want to be able to extend the XBL to adjust the appearance of their trees.
Perhaps, but those more advanced themes would get a nasty surprise if they included an element in their XBL that happened to have overflow:auto, and nsTreeBodyFrame decided to randomly grab those scrollbars and use them to scroll the tree.
Attachment #218229 - Flags: superreview?(bzbarsky) → superreview+
Comment on attachment 218229 [details] [diff] [review]
patch; diff -w for review

I don't want to wait for Jan; this needs to move into the tree now so I'm going with bz's sr.
Attachment #218229 - Flags: review?(Jan.Varga)
Attachment #218230 - Flags: approval1.8.0.4?
Attachment #218230 - Flags: approval-branch-1.8.1?(bzbarsky)
checked in.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Backporting to the 1.8 branch won't be trivial because of the changes to add horizontal scrolling to trees, but it shouldn't be terribly hard either.
Comment on attachment 218230 [details] [diff] [review]
patch for checkin

Looks ok for 1.8.1 branch, but keep an eye out for trunk regressions over the next few days, ok?
Attachment #218230 - Flags: approval-branch-1.8.1?(bzbarsky) → approval-branch-1.8.1+
Comment on attachment 218230 [details] [diff] [review]
patch for checkin

>+    // The way we do this, searching through the entire frame subtree, is pretty
>+    // dumb! We should know where these frames are.
Oh, so you'd prefer remote xbl to cause a crash by rearranging the frames?
I'd prefer to have a foolproof way to find the right frames if they exist, regardless of any anonymous content thrown into the pot by a theme.
Testcase https://bugzilla.mozilla.org/attachment.cgi?id=198120 no longer crashes for me using build 2006-04-26-04 of SeaMonkey trunk on Windows XP.

Verified FIXED.
Status: RESOLVED → VERIFIED
This does not crash in Firefox 1.5.0.2, and it appears the regressing patch was checked in on Aug 31, 2005 and the 1.8 branch was cut on Aug 12, 2005. Doesn't look like you need this on the 1.8
Flags: blocking1.8.0.4+
Comment on attachment 218230 [details] [diff] [review]
patch for checkin

Too big and too late, and doesn't appear necessary.

Renominating for 1.8.1 for a double-check that you really do still want it.
Attachment #218230 - Flags: approval1.8.0.4?
Attachment #218230 - Flags: approval1.8.0.4-
Attachment #218230 - Flags: approval-branch-1.8.1?(bzbarsky)
Attachment #218230 - Flags: approval-branch-1.8.1+
Attachment #218230 - Flags: approval-branch-1.8.1?(bzbarsky) → approval-branch-1.8.1+
We still want it for 1.8.1 (and imo for 1.8.0.x for whatever x).  If you want roc or me or Martijn to spend some time to create testcases that would crash 1.8 and 1.8.0 branches with similar issues, I'm pretty sure we can do so successfully.  But it seems like rather a waste of time.
Flags: blocking1.9a1?
We do need this on the branches, but without a testcase, it's non-urgent and can happily slip to 1.8.0.5.
OK, renominating for 1.8.0.5.  Please land on the 1.8 branch soon for testing, and get it in early in 1.8.0.5 when the tree opens for that.
Flags: blocking1.8.0.5?
Attachment #218230 - Flags: approval1.8.0.5?
Comment on attachment 218230 [details] [diff] [review]
patch for checkin

Given the size of the patch could we get a second pair of review eyes on this? Thanks
Attachment #218230 - Flags: review?(dbaron)
Could we at least get this landed on the 1.8 branch? You've already got 1.8.1 approval.
Comment on attachment 218230 [details] [diff] [review]
patch for checkin

I didn't look all that closely and I don't think size alone means it needs another review, but r=dbaron.
Attachment #218230 - Flags: review?(dbaron) → review+
roc:  Can you get you patch checked in on the 1.8.1 branch asap so we can let it bake for a few days and approve this for 1.8.0 (code freeze is next Wed. for 1.5.0.5).  Thanks!
Flags: blocking1.8.0.5? → blocking1.8.0.5+
Whiteboard: need 1.8 patch? (comment 13)
Attached patch 1.8 branch patch (deleted) — Splinter Review 
It's smaller than the trunk patch. The horizontal scrolling code that landed on trunk made almost everything conflict, but it's still a relatively simple change (I hope).
Checked in on 1.8 branch.
Keywords: fixed1.8.1
There was bustage on the 1.8 branch, around the call to GetWindow() in #ifdef MAC code, which I have fixed, but will need to be merged for 1.8.0.5.
Attached patch 1.8 bustage fix (deleted) — Splinter Review 

        Attachment #225928 -
        Flags: approval1.8.0.5+

    
    

    
  
Comment on attachment 225825 [details] [diff] [review]
1.8 branch patch

approved for 1.8.0 branch, a=dveditz for drivers

        Attachment #225825 -
        Flags: approval1.8.0.5+

        Attachment #218230 -
        Flags: approval1.8.0.5?
Whiteboard: need 1.8 patch? (comment 13)

    
    

    
  
Someone could check this into 1.8 for me. Otherwise I'll do it on (my) Monday.

    
    

    
  
Checking in nsTreeBodyFrame.cpp;
/cvsroot/mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp,v  <--  nsTree
BodyFrame.cpp
new revision: 1.240.10.1.2.4; previous revision: 1.240.10.1.2.3
done
Checking in nsTreeBodyFrame.h;
/cvsroot/mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.h,v  <--  nsTreeBo
dyFrame.h
new revision: 1.81.16.2; previous revision: 1.81.16.1
done

Checked into 1.8.0 branch.
Keywords: fixed1.8.0.5

    
    

    
  
verified with:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060620 Firefox/1.5.0.5
Keywords: fixed1.8.0.5verified1.8.0.5
Flags: blocking1.8.1?
Crash Signature: [@ nsTreeBodyFrame::GetRowAt]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: