Closed Bug 1137723 Opened 9 years ago Closed 9 years ago

crash in nsIFrame::SetParent(nsContainerFrame*)

Categories

(Core :: Layout, defect)

defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla39
Tracking Status
firefox39 --- fixed

People

(Reporter: aryx, Assigned: MatsPalmgren_bugz)

References

Details

(4 keywords, Whiteboard: [adv-main39-])

Crash Data

Attachments

(3 files)

This bug was filed from the Socorro interface and is report bp-6cfa7f95-68ac-493b-a109-855bb2150227.
=============================================================

Firefox 36.0 and Firefox Nightly 39.0a1 20150227 on Windows 8.1 64 bit.

Steps to reproduce:
1. Open http://www.stuttgarter-zeitung.de/inhalt.griechenland-hilfe-bundestag-stimmt-verlaengerung-zu.daa3baae-e17d-47e8-ad28-62eece0b4cfa.html
2. Go to menu File > Print Preview.
Actual result: Crash

about:support info from a new 36.0 profile:

Application Basics
------------------

Name: Firefox
Version: 36.0
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Multiprocess Windows: 0/1

Extensions
----------

Graphics
--------

Adapter Description: Intel(R) HD Graphics 4600
Adapter Description (GPU #2): NVIDIA GeForce GTX 765M
Adapter Drivers: igdumdim64 igd10iumd64 igd10iumd64 igdumdim32 igd10iumd32 igd10iumd32
Adapter Drivers (GPU #2): nvd3dumx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um
Adapter RAM: Unknown
Adapter RAM (GPU #2): 2048
Device ID: 0x0416
Device ID (GPU #2): 0x11e2
Direct2D Enabled: true
DirectWrite Enabled: true (6.3.9600.17415)
Driver Date: 9-29-2014
Driver Date (GPU #2): 2-5-2015
Driver Version: 10.18.10.3960
Driver Version (GPU #2): 9.18.13.4752
GPU #2 Active: false
GPU Accelerated Windows: 1/1 Direct3D 11 (OMTC)
Subsys ID: 35371558
Subsys ID (GPU #2): 35371558
Vendor ID: 0x8086
Vendor ID (GPU #2): 0x10de
WebGL Renderer: Google Inc. -- ANGLE (Intel(R) HD Graphics 4600 Direct3D9Ex vs_3_0 ps_3_0)
windowLayerManagerRemote: true
AzureCanvasBackend: direct2d
AzureContentBackend: direct2d
AzureFallbackCanvasBackend: cairo
AzureSkiaAccelerated: 0

Important Modified Preferences
------------------------------

browser.cache.disk.capacity: 296960
browser.cache.disk.smart_size.first_run: false
browser.cache.frecency_experiment: 4
browser.places.smartBookmarksVersion: 7
browser.startup.homepage_override.buildID: 20150222232811
browser.startup.homepage_override.mstone: 36.0
extensions.lastAppVersion: 36.0
gfx.direct3d.last_used_feature_level_idx: 0
media.gmp-gmpopenh264.lastUpdate: 1425050242
media.gmp-gmpopenh264.version: 1.3
media.gmp-manager.lastCheck: 1425050242
network.cookie.prefsMigrated: true
places.history.expiration.transient_current_max_pages: 30683
plugin.disable_full_page_plugin_for_types: application/pdf
plugin.importedState: true
privacy.sanitize.migrateFx3Prefs: true

Important Locked Preferences
----------------------------

JavaScript
----------

Incremental GC: true

Accessibility
-------------

Activated: false
Prevent Accessibility: 0

Library Versions
----------------

NSPR
Expected minimum version: 4.10.7
Version in use: 4.10.7

NSS
Expected minimum version: 3.17.4 Basic ECC
Version in use: 3.17.4 Basic ECC

NSSSMIME
Expected minimum version: 3.17.4 Basic ECC
Version in use: 3.17.4 Basic ECC

NSSSSL
Expected minimum version: 3.17.4 Basic ECC
Version in use: 3.17.4 Basic ECC

NSSUTIL
Expected minimum version: 3.17.4
Version in use: 3.17.4

Experimental Features
---------------------

Is this reproducible with Fx 35?
Flags: needinfo?(archaeopteryx)
Yes, also crashes with 35.0.1.
Flags: needinfo?(archaeopteryx)
Keywords: testcase-wanted
OS: Windows NT → All
Hardware: x86 → All
Attached file testcase.html, v1
This 3 kB testcase can still reproduce the issue. Removing nodes or style rules often stops the crash. Also, shortening the URL at the bottom (the Facebook one) will end the crashes.
Attached file Testcase #2
The first testcase didn't crash for me (on Linux) but this does.
Using "US Letter" and Portrait mode in Print Preview.
Assignee: nobody → mats
(gdb) bt
#0  0x00007ffff0a7c428 in nsIFrame::IsBoxFrame
#1  0x00007ffff0b678d7 in IsBoxWrapped
#2  0x00007ffff0b81c90 in nsIFrame::SetParent
#3  0x00007ffff0bc10b6 in nsInlineFrame::DrainSelfOverflowListInternal
#4  0x00007ffff0bc0f04 in nsInlineFrame::DestroyFrom
...
(gdb) up
#1  0x00007ffff0b678d7 in IsBoxWrapped (aFrame=0x7fffb6ee3f10) at layout/generic/nsFrame.cpp:177
177              aFrame->GetParent()->IsBoxFrame() &&
(gdb) list
173     static bool
174     IsBoxWrapped(const nsIFrame* aFrame)
175     {
176       return aFrame->GetParent() &&
177              aFrame->GetParent()->IsBoxFrame() &&
178              !aFrame->IsBoxFrame();
179     }
(gdb) up
#2  0x00007ffff0b81c90 in nsIFrame::SetParent (this=0x7fffb6ee3f10, aParent=0x7fffb837f008) at layout/generic/nsFrame.cpp:8714
8714      bool wasBoxWrapped = ::IsBoxWrapped(this);
(gdb) list
8711    void
8712    nsIFrame::SetParent(nsContainerFrame* aParent)
8713    {
8714      bool wasBoxWrapped = ::IsBoxWrapped(this);
8715      mParent = aParent;
8716      if (!wasBoxWrapped && ::IsBoxWrapped(this)) {
8717        ::InitBoxMetrics(this, true);
8718      } else if (wasBoxWrapped && !::IsBoxWrapped(this)) {

nsIFrame::SetParent is trying to figure out if we were IsBoxWrapped with the old parent, and if we will be with the new one, and then init or delete the BoxMetricsProperty accordingly. The problem is that, due to our inline lazy re-parenting optimization, the current mParent (on line 8714) might be stale at this point, so IsBoxWrapped() crashed trying to use it.
Attached patch fix+test
(see the reason for the crash explained in the comment above)

I don't think this code needs to be this smart.  We can call InitBoxMetrics
with the *new* parent if we're IsBoxWrapped, otherwise just ignore that we
may have an existing BoxMetricsProperty, because that should be very rare
(unless we're going to or from mParent=null, it might not happen at all).

https://treeherder.mozilla.org/#/jobs?repo=try&revision=e6011fb5bada
https://treeherder.mozilla.org/#/jobs?repo=try&revision=27be84b59c09

The testcases still generate some known Style System assertions; bugs are filed.
Attachment #8571104 - Flags: review?(roc)
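The two comments above describe the defect (SetParent consults the old, possibly stale mParent before overwriting it) and the chosen fix strategy (decide only from the new parent, and tolerate a leftover BoxMetricsProperty). The following toy model is an added illustration of both points; it is not Mozilla's code and not the attached patch. The Frame class, its Destroy flag, the stale-read counter, SetParentBuggy/SetParentFixed and the Reparent driver are all stand-ins for Gecko's real types, chosen so the stale access is observable instead of being undefined behaviour.

```cpp
// Toy model (not Mozilla's code) of the nsIFrame::SetParent crash in this bug
// and of the fix strategy from the patch comment.  Everything here is a
// stand-in for Gecko's real nsIFrame/nsContainerFrame types.

int sStaleReads = 0;  // counts reads through a destroyed (stale) parent

class Frame {
 public:
  // A frame is created under a parent and, if it is box-wrapped there, gets
  // its box metrics initialised (the state the child is in before the
  // lazy re-parenting kicks in).
  Frame(bool aIsBox, Frame* aParent = nullptr)
      : mIsBox(aIsBox), mParent(aParent) {
    if (IsBoxWrapped(this)) { InitBoxMetrics(); }
  }

  // Real Gecko frees the memory; here the object stays alive but is flagged,
  // so touching it through a stale pointer is counted rather than crashing.
  void Destroy() { mDestroyed = true; }

  bool IsBoxFrame() const {
    if (mDestroyed) { ++sStaleReads; }  // stand-in for the use-after-free
    return mIsBox;
  }
  Frame* GetParent() const { return mParent; }
  bool HasBoxMetrics() const { return mHasBoxMetrics; }
  int InitCount() const { return mInitCount; }

  // Same shape as the IsBoxWrapped helper quoted from nsFrame.cpp above.
  static bool IsBoxWrapped(const Frame* aFrame) {
    return aFrame->GetParent() &&
           aFrame->GetParent()->IsBoxFrame() &&
           !aFrame->IsBoxFrame();
  }

  // Pre-fix logic (shape of the SetParent listing quoted above): it asks
  // "was I box-wrapped?" through the *old* mParent, which may be stale.
  void SetParentBuggy(Frame* aParent) {
    bool wasBoxWrapped = IsBoxWrapped(this);  // dereferences stale mParent
    mParent = aParent;
    if (!wasBoxWrapped && IsBoxWrapped(this)) {
      InitBoxMetrics();
    } else if (wasBoxWrapped && !IsBoxWrapped(this)) {
      mHasBoxMetrics = false;  // "delete the BoxMetricsProperty"
    }
  }

  // Fix strategy from the patch comment: only the new parent is consulted;
  // a leftover box-metrics property is simply kept when no longer wrapped.
  void SetParentFixed(Frame* aParent) {
    mParent = aParent;
    if (IsBoxWrapped(this)) { InitBoxMetrics(); }
  }

 private:
  void InitBoxMetrics() { mHasBoxMetrics = true; ++mInitCount; }

  bool mIsBox;
  bool mDestroyed = false;
  bool mHasBoxMetrics = false;
  int mInitCount = 0;
  Frame* mParent;
};

struct Outcome {
  int staleReads;      // >0 means the old code touched a destroyed parent
  bool hasBoxMetrics;  // whether the child still carries box metrics
  int initCount;       // how many times the metrics were (re)initialised
};

// Constructed scenario: a non-box (inline) child is created under a box
// parent, that parent is destroyed while the child still points at it, and
// the child is then re-parented with either the buggy or the fixed routine.
Outcome Reparent(bool aUseFix, bool aNewParentIsBox) {
  sStaleReads = 0;
  Frame oldParent(/*aIsBox=*/true);
  Frame newParent(aNewParentIsBox);
  Frame child(/*aIsBox=*/false, &oldParent);
  oldParent.Destroy();  // child's mParent is now stale
  if (aUseFix) {
    child.SetParentFixed(&newParent);
  } else {
    child.SetParentBuggy(&newParent);
  }
  return {sStaleReads, child.HasBoxMetrics(), child.InitCount()};
}
```

Reparent(false, ...) always records one stale read, which is the crash in the bug's stack; Reparent(true, ...) records none. With a box new parent the fixed routine re-initialises the metrics against that parent, and with a non-box new parent it leaves the old metrics in place, which is exactly the "just ignore that we may have an existing BoxMetricsProperty" trade-off described in the patch comment.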
Blocks: 1095788
https://hg.mozilla.org/mozilla-central/rev/acc733decf7a
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Verified fixed with Firefox Nightly 39.0a1 20150306030229 on Windows 8.1
Status: RESOLVED → VERIFIED
Blocks: 5588
Whiteboard: [adv-main39-]