Closed Bug 369542 Opened 18 years ago Closed 18 years ago

Crash [@ nsHTMLReflowState::ComputePadding] on branch, with partly minimised testcase from bug 363813

Categories

(Core :: Layout, defect)

1.8 Branch
x86
Windows XP
defect
Not set
critical


RESOLVED FIXED

People

(Reporter: martijn.martijn, Assigned: roc)


Details

(4 keywords, Whiteboard: [sg:critical] should be fixed by bug 306533)

Attachments

(2 files)

This is a follow-up from bug 363813, marking security sensitive since it's crashing branch builds. I crash with the latest branch builds on the partly minimised testcase from bug 363813.

Talkback ID: TB28534877X

0x00000922
nsHTMLReflowState::ComputePadding [mozilla/layout/generic/nsHTMLReflowState.cpp, line 2444]
nsHTMLReflowState::InitConstraints [mozilla/layout/generic/nsHTMLReflowState.cpp, line 1759]
nsHTMLReflowState::Init [mozilla/layout/generic/nsHTMLReflowState.cpp, line 342]
nsHTMLReflowState::nsHTMLReflowState [mozilla/layout/generic/nsHTMLReflowState.cpp, line 217]
nsLineLayout::ReflowFrame [mozilla/layout/generic/nsLineLayout.cpp, line 913]
nsInlineFrame::ReflowInlineFrame [mozilla/layout/generic/nsInlineFrame.cpp, line 689]
nsInlineFrame::ReflowFrames [mozilla/layout/generic/nsInlineFrame.cpp, line 519]
nsFirstLineFrame::Reflow [mozilla/layout/generic/nsInlineFrame.cpp, line 1049]
nsLineLayout::ReflowFrame [mozilla/layout/generic/nsLineLayout.cpp, line 996]
nsBlockFrame::ReflowInlineFrame [mozilla/layout/generic/nsBlockFrame.cpp, line 4245]
nsBlockFrame::DoReflowInlineFrames [mozilla/layout/generic/nsBlockFrame.cpp, line 3898]
nsBlockFrame::ReflowInlineFrames [mozilla/layout/generic/nsBlockFrame.cpp, line 3779]
nsBlockFrame::ReflowLine [mozilla/layout/generic/nsBlockFrame.cpp, line 2772]
nsBlockFrame::ReflowDirtyLines [mozilla/layout/generic/nsBlockFrame.cpp, line 2302]
nsBlockFrame::Reflow [mozilla/layout/generic/nsBlockFrame.cpp, line 905]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 905]
nsHTMLScrollFrame::ReflowScrolledFrame [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 523]
nsHTMLScrollFrame::ReflowContents [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 571]
nsHTMLScrollFrame::Reflow [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 769]
nsBlockReflowContext::ReflowBlock [mozilla/layout/generic/nsBlockReflowContext.cpp, line 606]
nsBlockFrame::ReflowFloat [mozilla/layout/generic/nsBlockFrame.cpp, line 6030]
nsBlockReflowState::FlowAndPlaceFloat [mozilla/layout/generic/nsBlockReflowState.cpp, line 863]
nsBlockReflowState::PlaceBelowCurrentLineFloats [mozilla/layout/generic/nsBlockReflowState.cpp, line 1132]
nsBlockFrame::PlaceLine [mozilla/layout/generic/nsBlockFrame.cpp, line 4609]
nsBlockFrame::DoReflowInlineFrames [mozilla/layout/generic/nsBlockFrame.cpp, line 4010]
nsBlockFrame::ReflowInlineFrames [mozilla/layout/generic/nsBlockFrame.cpp, line 3779]
nsBlockFrame::ReflowLine [mozilla/layout/generic/nsBlockFrame.cpp, line 2772]
nsBlockFrame::ReflowDirtyLines [mozilla/layout/generic/nsBlockFrame.cpp, line 2302]
nsBlockFrame::Reflow [mozilla/layout/generic/nsBlockFrame.cpp, line 905]
nsBlockReflowContext::ReflowBlock [mozilla/layout/generic/nsBlockReflowContext.cpp, line 606]
nsBlockFrame::ReflowBlockFrame [mozilla/layout/generic/nsBlockFrame.cpp, line 3492]
nsBlockFrame::ReflowLine [mozilla/layout/generic/nsBlockFrame.cpp, line 2651]
nsBlockFrame::ReflowDirtyLines [mozilla/layout/generic/nsBlockFrame.cpp, line 2302]
nsBlockFrame::Reflow [mozilla/layout/generic/nsBlockFrame.cpp, line 905]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 905]
CanvasFrame::Reflow [mozilla/layout/generic/nsHTMLFrame.cpp, line 536]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 905]
nsHTMLScrollFrame::ReflowScrolledFrame [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 523]
nsHTMLScrollFrame::ReflowContents [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 571]
nsHTMLScrollFrame::Reflow [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 769]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 905]
ViewportFrame::Reflow [mozilla/layout/generic/nsViewportFrame.cpp, line 240]
IncrementalReflow::Dispatch [mozilla/layout/base/nsPresShell.cpp, line 914]
PresShell::ProcessReflowCommands [mozilla/layout/base/nsPresShell.cpp, line 6928]
PresShell::WillPaint [mozilla/layout/base/nsPresShell.cpp, line 6565]
0x778b0c24
0x00200064
0xe84d8d50
0x4badaf9a
In a debug build I get Access violation reading location 0xddddddfd. A deleted frame is passed to nsHTMLReflowState::Init()

nsCachedStyleData::GetStyleData() Line 210 C++
nsStyleContext::GetStyleData() Line 248 C++
nsIFrame::GetStyleData() Line 612 C++
nsIFrame::GetStylePosition() Line 82 C++
> nsHTMLReflowState::Init() Line 332 C++
nsHTMLReflowState::nsHTMLReflowState() Line 217 C++
nsLineLayout::ReflowFrame() Line 912 C++
nsInlineFrame::ReflowInlineFrame() Line 683 C++
nsInlineFrame::ReflowFrames() Line 518 C++
nsFirstLineFrame::Reflow() Line 1049 C++
nsLineLayout::ReflowFrame() Line 995 C++
nsBlockFrame::ReflowInlineFrame() Line 4058 C++
nsBlockFrame::DoReflowInlineFrames() Line 3897 C++
nsBlockFrame::ReflowInlineFrames() Line 3778 C++
nsBlockFrame::ReflowLine() Line 2771 C++
nsBlockFrame::ReflowDirtyLines() Line 2301 C++
nsBlockFrame::Reflow() Line 903 C++
nsContainerFrame::ReflowChild() Line 905 C++
nsHTMLScrollFrame::ReflowScrolledFrame() Line 515 C++
nsHTMLScrollFrame::ReflowContents() Line 570 C++
nsHTMLScrollFrame::Reflow() Line 768 C++
nsBlockReflowContext::ReflowBlock() Line 605 C++
nsBlockFrame::ReflowFloat() Line 6029 C++
nsBlockReflowState::FlowAndPlaceFloat() Line 853 C++
nsBlockReflowState::PlaceBelowCurrentLineFloats() Line 1128 C++
nsBlockFrame::PlaceLine() Line 4609 C++
nsBlockFrame::DoReflowInlineFrames() Line 4010 C++
nsBlockFrame::ReflowInlineFrames() Line 3778 C++
nsBlockFrame::ReflowLine() Line 2771 C++
nsBlockFrame::ReflowDirtyLines() Line 2301 C++
nsBlockFrame::Reflow() Line 903 C++
nsBlockReflowContext::ReflowBlock() Line 605 C++
nsBlockFrame::ReflowBlockFrame() Line 3492 C++
nsBlockFrame::ReflowLine() Line 2651 C++
nsBlockFrame::ReflowDirtyLines() Line 2301 C++
nsBlockFrame::Reflow() Line 903 C++
nsContainerFrame::ReflowChild() Line 905 C++
CanvasFrame::Reflow() Line 536 C++
nsContainerFrame::ReflowChild() Line 905 C++
nsHTMLScrollFrame::ReflowScrolledFrame() Line 515 C++
nsHTMLScrollFrame::ReflowContents() Line 570 C++
nsHTMLScrollFrame::Reflow() Line 768 C++
nsContainerFrame::ReflowChild() Line 905 C++
ViewportFrame::Reflow() Line 239 C++
IncrementalReflow::Dispatch() Line 906 C++
PresShell::ProcessReflowCommands() Line 6928 C++
PresShell::WillPaint() Line 6565 C++
nsViewManager::FlushPendingInvalidates() Line 4409 C++
nsViewManager::EnableRefresh() Line 3445 C++
nsViewManager::EndUpdateViewBatch() Line 3487 C++
nsCSSFrameConstructor::RestyleEvent::HandleEvent() Line 14215 C++
HandleRestyleEvent() Line 14224 C++
PL_HandleEvent() Line 688 C
PL_ProcessPendingEvents() Line 623 C
_md_EventReceiverProc() Line 1408 C
77d48744
77d48826
77d489dd
77d49412
77d48a20
nsAppShell::Run() Line 133 C++
nsAppStartup::Run() Line 151 C++
XRE_main() Line 2444 C++
main() Line 61 C++
mainCRTStartup() Line 398 C
7c816fd7
Assignee: nobody → roc
Whiteboard: [sg:critical]
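The debug-build fault address 0xddddddfd quoted above is the MSVC debug heap's freed-memory fill word (0xDDDDDDDD) plus a small member offset, which is what makes the crash read as a deleted frame rather than a random bad pointer. The triage helper below is an added example (my code, not Mozilla's or Talkback's) that decodes such addresses and derives the Bugzilla-style crash signature from either trace format; the sample traces are constructed, abbreviated from the ones in comment 0.

```python
import re

# Fill words the MSVC debug CRT heap writes into memory (documented values).
FILL_WORDS = {
    0xDDDDDDDD: "freed heap block: read through a dangling pointer (use-after-free)",
    0xCDCDCDCD: "uninitialised heap block: read of never-written memory",
    0xFDFDFDFD: "no-man's-land guard bytes: heap buffer overrun/underrun",
    0xCCCCCCCC: "uninitialised stack: read of an unset local",
}

def classify_fault_address(addr, max_field_offset=0x1000):
    """Map a faulting address to a debug fill word plus member offset.

    A dangling frame pointer points at a freed object, so the fault lands at
    fill word + offset of the member being read (0xddddddfd = 0xdddddddd + 0x20).
    Returns (fill_word, offset, description), or None when no pattern matches.
    """
    for word, desc in FILL_WORDS.items():
        offset = addr - word
        if 0 <= offset < max_field_offset:
            return word, offset, desc
    return None

# Matches Talkback frames "Name [path, line N]" and Visual Studio frames
# "Name() Line N C++"; bare hex return addresses never match and are skipped.
_FRAME_RE = re.compile(
    r"([A-Za-z_][\w:]*)(?:\(\))?\s+(?:\[[^\]]*,\s*line\s+(\d+)\]|Line\s+(\d+))")

def parse_frames(trace):
    """Return [(function, line)] for every symbolised frame, innermost first."""
    return [(m.group(1), int(m.group(2) or m.group(3)))
            for m in _FRAME_RE.finditer(trace)]

def crash_signature(trace):
    """Bugzilla-style '[@ TopFrame]' signature from the innermost frame."""
    frames = parse_frames(trace)
    return "[@ %s]" % frames[0][0] if frames else None

# Constructed samples, abbreviated from the two traces quoted in comment 0.
TALKBACK = ("0x00000922 nsHTMLReflowState::ComputePadding "
            "[mozilla/layout/generic/nsHTMLReflowState.cpp, line 2444] "
            "nsHTMLReflowState::InitConstraints "
            "[mozilla/layout/generic/nsHTMLReflowState.cpp, line 1759] 0x778b0c24")
DEBUG = ("nsCachedStyleData::GetStyleData() Line 210 C++ "
         "nsStyleContext::GetStyleData() Line 248 C++ "
         "> nsHTMLReflowState::Init() Line 332 C++ 77d48744")

if __name__ == "__main__":
    print(crash_signature(TALKBACK), parse_frames(DEBUG))
    print(classify_fault_address(0xDDDDDDFD))
```

The release-build Talkback address 0x00000922 matches no fill word, which is the usual reason a use-after-free looks like a harmless near-null crash in release builds but is rated sg:critical once the debug build shows the freed-memory pattern.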
Attached file testcase (deleted) —
This minimized testcase produces a scary assertion about floats having the wrong parent. I believe this was fixed on trunk by the fix for bug 306534. However, applying that fix doesn't solve the crash. I'll keep working on it.
Attached file testcase #2 (deleted) —
This testcase is somewhat minimized, and with the fix for 306534, still produces scary assertions about frames not being found when deleting lines.
It seems the assertions in testcase #2 were fixed by bug 306533 on trunk. Indeed, applying just that patch to the branch fixes the crash in attachment #248632. So we need to get that on branch.
Depends on: 306533
Flags: blocking1.8.1.3?
Flags: blocking1.8.0.11?
Should we close this one out now as a dup of, or fixed by, 306533 or other marking; then just get that patch on the branch?
Let's just land that fix on branch and then mark this FIXED.
Whiteboard: [sg:critical] → [sg:critical] should be fixed by bug 306533
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Should be fixed now that I've landed the fix for bug 306533 on branch.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Adding fixed keywords based on bug 306533 landing. Adding 'qawanted' to verify that the bug is in fact fixed by that.
Seems to already have been fixed on branch somehow between 2007-03-09 and 2007-03-23. I can confirm the URL still doesn't crash, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12pre) Gecko/20070419 Firefox/1.5.0.12pre
and:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4pre) Gecko/20070420 BonEcho/2.0.0.4pre
Group: security
Flags: in-testsuite?
Crash Signature: [@ nsHTMLReflowState::ComputePadding]
Flags: in-testsuite? → in-testsuite+