552697 - Crash [@ nsLineBreaker::AppendText] with mathml, margin and popup

Status: RESOLVED WORKSFORME

(Core :: Layout, defect)

Description

[Martijn Wargers (dead)]

Attachment: testcase

See testcase, which crashes in current trunk build.

http://crash-stats.mozilla.com/report/index/02082b1e-9ddf-43c7-8f12-fa9e22100316
0  	xul.dll  	_chkstk  	 chkstk.asm:99
1 	xul.dll 	nsLineBreaker::AppendText 	content/base/src/nsLineBreaker.cpp:268
2 	xul.dll 	gfxFont::RunMetrics::CombineWith 	gfx/thebes/src/gfxFont.cpp:805
3 		@0x1 	
4 		@0x80000009

Comment 1

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

On Linux, I'm seeing a hang rather than a crash.

Comment 2

[Bob Clary [:bc] (inactive)]

1.9.3 10.5 ppc analyzing minidump gives:

Operating system: Mac OS X 10.5.8 9L34 CPU: ppc 2 CPUs

Crash reason:  EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash address: 0xffffffffbf7ffff0

Thread 0 (crashed)
 0  XUL!nsTArray_base::IsAutoArray() [nsTArray.h : 147 + 0x4]
   srr0 = 0x03af1114    r1 = 0xbf800020

1.9.3 10.5 x86 gdb gives:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0xbf7fffdc
0x03892a87 in nsTArray_base::GetAutoArrayBuffer (this=0xbf8001a0) at nsTArray.h:159
159	    Header* GetAutoArrayBuffer() {

with a huge number of

#28086 0x03bf1f9a in PresShell::DidDoReflow (this=0x1b4d2f10, aInterruptible=1) at /work/mozilla/builds/1.9.3/mozilla/layout/base/nsPresShell.cpp:7080
#28087 0x03c057d1 in PresShell::ProcessReflowCommands (this=0x1b4d2f10, aInterruptible=1) at /work/mozilla/builds/1.9.3/mozilla/layout/base/nsPresShell.cpp:7343

looks like it recursed to death and ate the stack.

Comment 3

[Bob Clary [:bc] (inactive)]

Martijn, I can't reproduce on Beta/11, Aurora/12, Nightly/13. wfm ?

Comment 4

[Martijn Wargers (dead)]

Let's mark it wfm then.