firefox 30 crashes when open the print preview or the print dialog on a page with a relatively positioned table header/footer that has absolutely positioned descendants if the table crosses page boundaries

VERIFIED FIXED in Firefox 31

Status

()

defect
--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: rwinkelm, Assigned: seth)

Tracking

(4 keywords)

30 Branch
mozilla33
x86_64
All
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox30- wontfix, firefox31+ verified, firefox32+ verified, firefox33+ verified)

Details

(crash signature)

Attachments

(3 attachments, 1 obsolete attachment)

Posted file ff_bugreport.txt (obsolete) —
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0 (Beta/Release)
Build ID: 20140619004025

Steps to reproduce:

1. View a webapp page with stylesheet-media='all'

2. Click menu print-preview


(does not occur on ff 29 and before,
also occurs on ff 31b2 and 32a2)


Actual results:

firefox crashes


Expected results:

show print-preview
OS: Linux → All
Please go to about:crashes and post the crash report ids here.

Also, can you make a minimized testcase, or post a link to a webapp like that?
Hi, thanks for feedback!

Crash-IDs:

bp-bfce4568-ffff-4962-9465-bca3e2140623

30930ee5-d59c-41b5-b8e3-a041f1aed907

2870190d-e176-4f2b-854d-7465f5725141


The web app is unfortunately not publicly available.
Only about 5% of cases the ff crashes at this page.
I'll try to extract a testcase from the "defective" constellation...
(In reply to rwinkelm from comment #2)

Thanks.

> 30930ee5-d59c-41b5-b8e3-a041f1aed907
> 
> 2870190d-e176-4f2b-854d-7465f5725141

These two don’t work; maybe it’s because you haven’t followed the links to generate them.
Status: UNCONFIRMED → NEW
Crash Signature: [@ mozalloc_abort(char const* const) | NS_DebugBreak | nsTableFrame::GetTableFrame(nsIFrame*) ]
QA Whiteboard: [bugday-20140623]
Component: Untriaged → Layout
Ever confirmed: true
Product: Firefox → Core
OK, they are all same.
So it happens with both Windows XP and Linux x86_64?
Severity: normal → critical
Attachment #8442788 - Attachment is obsolete: true
(In reply to [:Aleksej] from comment #5)
> OK, they are all same.
> So it happens with both Windows XP and Linux x86_64?

Yes. Tested (and crashes) with Win-XP, Win-7 and x86_64 GNU/Linux
I have saved the defective page to disk. The crash is reproducible.
Because the page contains sensitive data, I'll still anonymize ...
Same on Win 8.1 -> bp-8f7b0711-1b14-4e50-9661-1b2692140623
Yes, the "View ALL products and versions for this signature." link on the bug pages shows all Windows versions since Windows XP, but no GNU/Linux.
Anonymous test case.

Extract took a bit - if a "div" or "tr" was deleted too much, the page-preview worked fine.
Thanks for the testcase!  On GNU/Linux: bp-5299b46b-bce1-459d-8699-38dfd2140623
[@ mozalloc_abort(char const*) | NS_DebugBreak | nsTableFrame::GetTableFrame(nsIFrame*) ]
This signature is just a little bit different (one const* less), and there are less than 100 reports with it in the past 28 days, mostly from FennecAndroid.
Crash Signature: [@ mozalloc_abort(char const* const) | NS_DebugBreak | nsTableFrame::GetTableFrame(nsIFrame*) ] → [@ mozalloc_abort(char const* const) | NS_DebugBreak | nsTableFrame::GetTableFrame(nsIFrame*) ] [@ mozalloc_abort(char const*) | NS_DebugBreak | nsTableFrame::GetTableFrame(nsIFrame*) ]
(-g and -b are "good" and "bad", mozregression options)
-g 2014-03-02-03-02-03-mozilla-central-firefox-30.0a1.en-US.linux-x86_64
-g 2014-03-11-03-02-01-mozilla-central-firefox-30.0a1.ru.linux-x86_64 41d962d23e81
-b 2014-03-12-03-02-01-mozilla-central-firefox-30.0a1.en-US.linux-x86_64 44ae8462d6ab
-b 2014-03-14-03-02-02-mozilla-central-firefox-30.0a1.en-US.linux-x86_64
-b 2014-06-22-03-02-03-mozilla-central-firefox-33.0a1.ru.linux-x86_64

https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=41d962d23e81&tochange=44ae8462d6ab
Keywords: regression
My money in that range is on bug 63895.

We're landing in nsTableFrame::GetTableFrame and hitting this line:

  NS_RUNTIMEABORT("unable to find table parent");

with the caller being nsTableFrame::RegisterPositionedTablePart (which is where bug 63895 comes in).  aFrame is a rowgroup with a null GetParent().  We're getting here via nsCSSFrameConstructor::CreateContinuingTableFrame, which indeed calls MakeTablePartAbsoluteContainingBlockIfNeeded before doing headerFooterFrame->Init().

Seth, should those two calls just be in the opposite order?

And yes, thank you _very_ much for the testcase.  Made this way easier to sort out.  ;)
Blocks: 63895
Flags: needinfo?(seth)
Attachment #8444332 - Attachment mime type: application/octet-stream → application/zip
Summary: firefox 30 crashes when open the print preview or the print dialog → firefox 30 crashes when open the print preview or the print dialog on a page with a relatively positioned table header/footer that has absolutely positioned descendants if the table crosses page boundaries
(In reply to Boris Zbarsky [:bz] from comment #13)
> Seth, should those two calls just be in the opposite order?

Sounds very likely. I'm going to try to reproduce this locally now. It seems like it shouldn't be too hard to put a patch together.
Flags: needinfo?(seth)
Duplicate of this bug: 1033025
Component: Layout → Layout: Tables
So an update on this: yesterday I determined that the fix Boris recommended does work. However, the page then spews a huge number of these assertions:

> 0:09.05 [6393] ###!!! ASSERTION: Cannot bind twice, need to unbind first: '!mBoundFrame', file /Users/mfowler/Code/mozdev/content/html/content/src/nsTextEditorState.cpp, line 1074
> 0:09.07 nsTextEditorState::BindToFrame(nsTextControlFrame*)+0x000000F8 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x028F9DF8]
> 0:09.08 mozilla::dom::HTMLInputElement::BindToFrame(nsTextControlFrame*)+0x00000038 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02852988]
> 0:09.08 non-virtual thunk to mozilla::dom::HTMLInputElement::BindToFrame(nsTextControlFrame*)+0x0000002F [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x028529CF]
> 0:09.08 nsTextControlFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo>&)+0x00000119 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x0316E099]
> 0:09.08 non-virtual thunk to nsTextControlFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo>&)+0x0000002F [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x0316EE7F]
> 0:09.09 nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&)+0x00000070 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F8D010]
> 0:09.09 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*)+0x000002CA [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F8467A]
> 0:09.09 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&)+0x00000F48 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F8C298]
> 0:09.10 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsIFrame*, nsFrameItems&)+0x00000228 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F90518]
> 0:09.10 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsIFrame*, nsFrameItems&)+0x000000F6 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02FFAE16]
> 0:09.10 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*)+0x000007CE [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F84B7E]
> 0:09.11 nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsStyleDisplay const*, nsIContent*, nsIFrame*, nsIFrame*, nsStyleContext*, nsIFrame**, nsFrameItems&, nsIFrame*, PendingBinding*)+0x0000040A [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F880FA]
> 0:09.11 nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsIFrame*, nsStyleDisplay const*, nsFrameItems&)+0x0000021B [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F8C87B]
> 0:09.11 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&)+0x000006C3 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F8BA13]
> 0:09.12 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsIFrame*, nsFrameItems&)+0x00000228 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F90518]
> 0:09.12 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsIFrame*, nsFrameItems&)+0x000000F6 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02FFAE16]
> 0:09.12 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*)+0x000007CE [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F84B7E]
> 0:09.13 nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsStyleDisplay const*, nsIContent*, nsIFrame*, nsIFrame*, nsStyleContext*, nsIFrame**, nsFrameItems&, nsIFrame*, PendingBinding*)+0x0000040A [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F880FA]
> 0:09.13 nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsIFrame*, nsStyleDisplay const*, nsFrameItems&)+0x0000021B [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F8C87B]
> 0:09.13 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&)+0x000006C3 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F8BA13]
> 0:09.13 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsIFrame*, nsFrameItems&)+0x00000228 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F90518]
> 0:09.14 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsIFrame*, nsFrameItems&)+0x000000F6 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02FFAE16]
> 0:09.14 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*)+0x000007CE [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F84B7E]
> 0:09.14 nsCSSFrameConstructor::ConstructTableCell(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsIFrame*, nsStyleDisplay const*, nsFrameItems&)+0x000003BC [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F85C1C]
> 0:09.15 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&)+0x000006C3 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F8BA13]
> 0:09.15 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsIFrame*, nsFrameItems&)+0x00000228 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F90518]
> 0:09.15 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsIFrame*, nsFrameItems&)+0x000000F6 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02FFAE16]
> 0:09.16 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*)+0x000007CE [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F84B7E]
> 0:09.16 nsCSSFrameConstructor::ConstructTableRowOrRowGroup(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsIFrame*, nsStyleDisplay const*, nsFrameItems&)+0x00000322 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F85552]
> 0:09.16 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&)+0x000006C3 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F8BA13]
> 0:09.17 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsIFrame*, nsFrameItems&)+0x00000228 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F90518]
> 0:09.17 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsIFrame*, nsFrameItems&)+0x000000F6 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02FFAE16]
> 0:09.17 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*)+0x000007CE [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F84B7E]
> 0:09.18 nsCSSFrameConstructor::CreateContinuingTableFrame(nsIPresShell*, nsPresContext*, nsIFrame*, nsIFrame*, nsIContent*, nsStyleContext*)+0x000002EB [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F9B95B]
> 0:09.18 nsCSSFrameConstructor::CreateContinuingFrame(nsPresContext*, nsIFrame*, nsIFrame*, bool)+0x000003A7 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F9AC67]
> 0:09.18 nsCSSFrameConstructor::CreateContinuingOuterTableFrame(nsIPresShell*, nsPresContext*, nsIFrame*, nsIFrame*, nsIContent*, nsStyleContext*)+0x000000B5 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F9A825]
> 0:09.19 nsCSSFrameConstructor::CreateContinuingFrame(nsPresContext*, nsIFrame*, nsIFrame*, bool)+0x00000362 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x02F9AC22]
> 0:09.19 nsBlockFrame::CreateContinuationFor(nsBlockReflowState&, nsLineBox*, nsIFrame*)+0x00000078 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x03047C98]
> 0:09.19 nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*)+0x00000FD7 [/Users/mfowler/Code/mozdev/obj/dist/NightlyDebug.app/Contents/MacOS/XUL +0x030448A7]

I currently suspect that these assertions are unrelated to bug 63895. I'm about to build an old revision to test that hypothesis.
OK, it's confirmed, those assertions are present in revisions before bug 63895.

I'm now preparing a patch along with a crashtest.
Here's the patch, as bz recommended in comment 13. It does indeed eliminate the crash.
Attachment #8449796 - Flags: review?(bzbarsky)
Assignee: nobody → seth
Status: NEW → ASSIGNED
Comment on attachment 8449796 [details] [diff] [review]
(Part 1) - Don't use a frame before initializing it in CreateContinuingTableFrame

r=me.  Add a test?
Attachment #8449796 - Flags: review?(bzbarsky) → review+
Here's a crashtest for this issue. This test fails without part 1 applied and passes with it applied.
Attachment #8449895 - Flags: review?(bzbarsky)
Thanks for the quick review, Boris.

Try job here for both parts:

https://tbpl.mozilla.org/?tree=Try&rev=5dc9e596f8a6
Given the time constraints here, I went ahead and pushed part 1:

https://hg.mozilla.org/integration/mozilla-inbound/rev/d402b14b4ad8
Attachment #8449796 - Flags: checkin+
Keywords: leave-open
Comment on attachment 8449895 [details] [diff] [review]
(Part 2) - Crashtest

r=me
Attachment #8449895 - Flags: review?(bzbarsky) → review+
Seth, could you fill the uplift requests to have them in today beta ? Thanks
Flags: needinfo?(seth)
Pushed the crashtest:

https://hg.mozilla.org/integration/mozilla-inbound/rev/90c7fc5b9034
Flags: needinfo?(seth)
Attachment #8449895 - Flags: checkin+
Keywords: leave-open
Comment on attachment 8449796 [details] [diff] [review]
(Part 1) - Don't use a frame before initializing it in CreateContinuingTableFrame

Approval Request Comment
[Feature/regressing bug #]: 63895
[User impact if declined]: Crashes when table headers or footers are relatively positioned.
[Describe test coverage new/current, TBPL]: A crashtest has been added.
[Risks and why]: This is very low risk. The original bug occurred because a frame object was used before it got fully initialized. This patch simply rearranges a couple of statements to ensure that the frame object is full initialized before it gets used. Other than avoiding crashes, this should have no effect on functionality.
[String/UUID change made/needed]: None.
Attachment #8449796 - Flags: approval-mozilla-beta?
Attachment #8449796 - Flags: approval-mozilla-aurora?
Comment on attachment 8449895 [details] [diff] [review]
(Part 2) - Crashtest

Approval Request Comment

(This is the crashtest for the bug above. Just marking it for approval so anyone doing the uplift also takes the test.)
Attachment #8449895 - Flags: approval-mozilla-beta?
Attachment #8449895 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/90c7fc5b9034
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Comment on attachment 8449796 [details] [diff] [review]
(Part 1) - Don't use a frame before initializing it in CreateContinuingTableFrame

Print preview is an important feature. It should not crash Firefox...
Attachment #8449796 - Flags: approval-mozilla-beta?
Attachment #8449796 - Flags: approval-mozilla-beta+
Attachment #8449796 - Flags: approval-mozilla-aurora?
Attachment #8449796 - Flags: approval-mozilla-aurora+
Comment on attachment 8449895 [details] [diff] [review]
(Part 2) - Crashtest

+ tests are good.
Attachment #8449895 - Flags: approval-mozilla-beta?
Attachment #8449895 - Flags: approval-mozilla-beta+
Attachment #8449895 - Flags: approval-mozilla-aurora?
Attachment #8449895 - Flags: approval-mozilla-aurora+
Verified on central.linux_x86-64 with 2014-07-05-03-02-03-mozilla-central-firefox-33.0a1.ru.linux-x86_64 compared to 2014-07-02-03-02-01.
Reproduced the initial crash on Firefox 31 beta 2, verified that the issue is fixed on Windows 7 64bit, Ubuntu 13.04 64bit using Firefox 31 beta 8, latest Nightly and latest Aurora
Many thanks to all of you for the quick and successful trouble shooting!
You need to log in before you can comment on or make changes to this bug.