Closed Bug 1274125 Opened 8 years ago Closed 7 years ago

Stack exhaustion crash in nsPresShell.cpp

Categories

(Core :: Layout, defect)

Type: defect
Priority: Not set
Severity: critical

RESOLVED WORKSFORME

People

(Reporter: truber, Unassigned)

Details

(Keywords: crash, csectype-dos, testcase)

Attachments

(2 files)

Attached file testcase.html

SEGV caused by attached testcase with various signatures. Looks like stack exhaustion.

Build from https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64/1463493096/
Latest debug build crashes in the same way.

#0  0x00007f2db3def2c6 in mozilla::WritingMode::WritingMode(nsStyleContext*) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#1  0x00007f2db44a4f87 in nsLayoutUtils::GetFontMetricsForStyleContext(nsStyleContext*, float, unsigned char) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#2  0x00007f2db4533523 in nsHTMLReflowState::CalcLineHeight(nsIContent*, nsStyleContext*, int, float) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#3  0x00007f2db44db683 in nsBlockReflowState::nsBlockReflowState(nsHTMLReflowState const&, nsPresContext*, nsBlockFrame*, bool, bool, bool, int) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#4  0x00007f2db44e48be in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#5  0x00007f2db44f7571 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, unsigned int&, nsOverflowContinuationTracker*) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#6  0x00007f2db4510748 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#7  0x00007f2db44f7571 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, unsigned int&, nsOverflowContinuationTracker*) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#8  0x00007f2db45070e9 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#9  0x00007f2db4507738 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#10 0x00007f2db451b3a9 in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#11 0x00007f2db44f765e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#12 0x00007f2db4554f6b in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#13 0x00007f2db44bd25c in PresShell::DoReflow(nsIFrame*, bool) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#14 0x00007f2db44ccca5 in PresShell::ProcessReflowCommands(bool) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#15 0x00007f2db44cd08e in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#16 0x00007f2db44cd18a in PresShell::FlushPendingNotifications(mozFlushType) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#17 0x00007f2db44cc847 in PresShell::DidDoReflow(bool) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#18 0x00007f2db44ccdc5 in PresShell::ProcessReflowCommands(bool) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#19 0x00007f2db44cd08e in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#20 0x00007f2db44cd18a in PresShell::FlushPendingNotifications(mozFlushType) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#21 0x00007f2db44cc847 in PresShell::DidDoReflow(bool) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
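
The backtrace above shows the same four PresShell frames twice (#14-#17 and again #18-#21), which is the repeating pattern to look for when triaging a SEGV as stack exhaustion. The following is an added example, not part of the original report or of any Mozilla tooling, that finds such a cycle in gdb output. The names `parse_frames` and `find_cycle` are hypothetical, and the sample is frames #12-#21 copied from the comment above.

```python
import re

# Frames #12-#21 copied from the backtrace above (gdb's no-debug-info format).
SAMPLE = """\
#12 0x00007f2db4554f6b in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#13 0x00007f2db44bd25c in PresShell::DoReflow(nsIFrame*, bool) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#14 0x00007f2db44ccca5 in PresShell::ProcessReflowCommands(bool) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#15 0x00007f2db44cd08e in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#16 0x00007f2db44cd18a in PresShell::FlushPendingNotifications(mozFlushType) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#17 0x00007f2db44cc847 in PresShell::DidDoReflow(bool) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#18 0x00007f2db44ccdc5 in PresShell::ProcessReflowCommands(bool) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#19 0x00007f2db44cd08e in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#20 0x00007f2db44cd18a in PresShell::FlushPendingNotifications(mozFlushType) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
#21 0x00007f2db44cc847 in PresShell::DidDoReflow(bool) () from /home/truber/builds/m-c-1463493096-opt/dist/bin/libxul.so
"""

# "#N 0xADDR in symbol(signature) () from library": keep N and the symbol.
FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(.+?) \(\) from ", re.M)

def parse_frames(text):
    """Return [(frame_number, symbol)] in gdb order (innermost first)."""
    return [(int(n), sym) for n, sym in FRAME.findall(text)]

def find_cycle(frames, min_repeats=2):
    """Find the longest back-to-back repetition of a fixed group of frames.

    Returns None when no group of frames repeats min_repeats times in a row.
    """
    syms = [s for _, s in frames]
    best = None  # (frames covered, -period, start index); shorter period wins ties
    for period in range(1, len(syms) // 2 + 1):
        run = 0  # consecutive positions where frame i equals frame i + period
        for i in range(len(syms) - period):
            run = run + 1 if syms[i] == syms[i + period] else 0
            if run and (run + period) // period >= min_repeats:
                best = max(best or (0, 0, 0), (run + period, -period, i - run + 1))
    if best is None:
        return None
    covered, neg_period, start = best
    period = -neg_period
    return {"first_frame": frames[start][0], "period": period,
            "repeats": covered // period, "cycle": syms[start:start + period]}

if __name__ == "__main__":
    hit = find_cycle(parse_frames(SAMPLE))
    print(hit)
```

On a full-depth trace the `repeats` count grows with the depth of the recursion; the 22 frames quoted in the report only capture two rounds of the cycle.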

Attached file gdb output

Severity: normal → critical
Keywords: csectype-dos

Something in the range below fixed this, but I don't know what. Release builds stopped crashing from Fx51 onwards.

INFO: First good revision: 45682df2d2d45e5a8385fd842579e661a4b60bc5 (2016-07-08)
INFO: Last bad revision: 63cc31d6cc1c8089590461016ce0b4a2fb77ecbc (2016-07-07)
INFO: Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=63cc31d6cc1c8089590461016ce0b4a2fb77ecbc&tochange=45682df2d2d45e5a8385fd842579e661a4b60bc5

NI myself to land the crashtest.

Status: NEW → RESOLVED
Closed: 7 years ago
Flags: in-testsuite?
Resolution: --- → WORKSFORME