Closed Bug 1293521 Opened 8 years ago Closed 8 years ago

An Read Access Violation in xul!nsTextBoxFrame::CalculateTitleForWidth

Categories

(Core :: Layout: Text and Fonts, defect)

48 Branch
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1293523

People

(Reporter: wangmei.S102, Unassigned)

Details

Attachments

(1 file)

Attached file A7.html
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 Steps to reproduce: Run the attached file(A7.html). Actual results: This dump file has an exception of interest stored in it. The stored exception information can be accessed via .ecxr. (588.a40): Access violation - code c0000005 (first/second chance not available) eax=00000000 ebx=00000000 ecx=76e77eeb edx=00000000 esi=0000012c edi=00000000 eip=76e470b4 esp=0013a978 ebp=0013a9e4 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246 ntdll!KiFastSystemCallRet: 76e470b4 c3 ret 0:000> .ecxr eax=00000000 ebx=00000000 ecx=163acad0 edx=0013b238 esi=163acad0 edi=0013e87c eip=5d8fabb6 esp=0013b060 ebp=0013b2f0 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246 xul!nsTextBoxFrame::CalculateTitleForWidth+0x2d: 5d8fabb6 8b4054 mov eax,dword ptr [eax+54h] ds:0023:00000054=???????? 0:000> kb *** Stack trace for last set context - .thread/.cxr resets it ChildEBP RetAddr Args to Child 0013b200 5d6985ab 0013e87c 000028c8 0013e648 xul!nsTextBoxFrame::CalculateTitleForWidth+0x2d [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nstextboxframe.cpp @ 628] 0013b264 5d698137 0013e87c 0013e648 163acad0 xul!nsTextBoxFrame::CalcDrawRect+0x9a [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nstextboxframe.cpp @ 1078] 0013b2f0 5d8c32ac 163acad0 0013e648 00000000 xul!nsTextBoxFrame::DoXULLayout+0x38 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nstextboxframe.cpp @ 966] 0013b5cc 5d8c1613 15f40960 157b2068 0013e648 xul!nsSprocketLayout::XULLayout+0xcec [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nssprocketlayout.cpp @ 484] 0013b738 5d68f8f9 157b2068 0013e648 00000000 xul!nsBoxFrame::DoXULLayout+0x46 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsboxframe.cpp @ 913] 0013b824 5d8c1613 15f40f78 1575de70 0013e648 xul!nsStackLayout::XULLayout+0x1d1 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsstacklayout.cpp @ 342] 0013b990 5d8c32ac 1575de70 0013e648 00000000 xul!nsBoxFrame::DoXULLayout+0x46 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsboxframe.cpp @ 913] 0013bc6c 5d8c1613 15f40960 1575da20 0013e648 xul!nsSprocketLayout::XULLayout+0xcec [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nssprocketlayout.cpp @ 484] 0013bdd8 5d8c32ac 1575da20 0013e648 00000000 xul!nsBoxFrame::DoXULLayout+0x46 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsboxframe.cpp @ 913] 0013c0b4 5d8c1613 15f40960 157508a8 0013e648 xul!nsSprocketLayout::XULLayout+0xcec [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nssprocketlayout.cpp @ 484] 0013c220 5d8c32ac 157508a8 0013e648 00000001 xul!nsBoxFrame::DoXULLayout+0x46 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsboxframe.cpp @ 913] 0013c4fc 5d8c1613 15f40960 157503e8 0013e648 xul!nsSprocketLayout::XULLayout+0xcec [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nssprocketlayout.cpp @ 484] 0013c668 5d66ddc8 157503e8 0013e648 00000744 xul!nsBoxFrame::DoXULLayout+0x46 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsboxframe.cpp @ 913] 0013c67c 5d66dd5b 0013e648 157504e8 0013e648 xul!nsIFrame::XULLayout+0x17 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsbox.cpp @ 511] 0013c6b0 5d8f83a3 00000000 0013c6dc 0013e648 xul!nsXULScrollFrame::LayoutScrollArea+0x9d [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\generic\nsgfxscrollframe.cpp @ 4721] 0013c778 5dbd2ee7 0013e648 0013e648 15750460 xul!nsXULScrollFrame::XULLayout+0xe1 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\generic\nsgfxscrollframe.cpp @ 4912] 0013c788 5d8c32ac 15750460 0013e648 00000000 xul!nsXULScrollFrame::DoXULLayout+0x13 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\generic\nsgfxscrollframe.cpp @ 1494] 0013ca64 5d8c1613 15f40960 1570e588 0013e648 xul!nsSprocketLayout::XULLayout+0xcec [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nssprocketlayout.cpp @ 484] 0013cbd0 5d8c32ac 1570e588 0013e648 00000000 xul!nsBoxFrame::DoXULLayout+0x46 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsboxframe.cpp @ 913] 0013ceac 5d8c1613 15f40960 1570da10 0013e648 xul!nsSprocketLayout::XULLayout+0xcec [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nssprocketlayout.cpp @ 484] 0013d018 5d8c32ac 1570da10 0013e648 00000000 xul!nsBoxFrame::DoXULLayout+0x46 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsboxframe.cpp @ 913] 0013d2f4 5d8c1613 15f40960 156b5708 0013e648 xul!nsSprocketLayout::XULLayout+0xcec [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nssprocketlayout.cpp @ 484] 0013d460 5d8c32ac 156b5708 0013e648 00000000 xul!nsBoxFrame::DoXULLayout+0x46 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsboxframe.cpp @ 913] 0013d73c 5d8c1613 15f40960 15674418 0013e648 xul!nsSprocketLayout::XULLayout+0xcec [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nssprocketlayout.cpp @ 484] 0013d8a8 5d8c32ac 15674418 0013e648 00000000 xul!nsBoxFrame::DoXULLayout+0x46 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsboxframe.cpp @ 913] 0013db84 5d8c1613 15f40960 1566cea0 0013e648 xul!nsSprocketLayout::XULLayout+0xcec [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nssprocketlayout.cpp @ 484] 0013dcf0 5d68f8f9 1566cea0 0013e648 0000000c xul!nsBoxFrame::DoXULLayout+0x46 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsboxframe.cpp @ 913] 0013dddc 5d8c1613 15f40f78 1566cdb8 0013e648 xul!nsStackLayout::XULLayout+0x1d1 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsstacklayout.cpp @ 342] 0013df4c 5db6efe0 1566cdb8 0013e648 0013e648 xul!nsBoxFrame::DoXULLayout+0x46 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsboxframe.cpp @ 913] 0013df68 5d8c32ac 1566cdb8 00000000 00000000 xul!nsDeckFrame::DoXULLayout+0x21 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsdeckframe.cpp @ 214] 0013e244 5d8c1613 15f40960 14c02fb8 0013e648 xul!nsSprocketLayout::XULLayout+0xcec [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nssprocketlayout.cpp @ 484] 0013e3b0 5d68f8f9 14c02fb8 0013e648 00000000 xul!nsBoxFrame::DoXULLayout+0x46 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsboxframe.cpp @ 913] 0013e49c 5d8c1613 15f40f78 14c02de0 0013e648 xul!nsStackLayout::XULLayout+0x1d1 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsstacklayout.cpp @ 342] 0013e608 5d68f02e 14c02de0 0013e648 14c02de0 xul!nsBoxFrame::DoXULLayout+0x46 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsboxframe.cpp @ 913] 0013e6bc 5d68bf90 1519b000 0013e7f8 0013e748 xul!nsBoxFrame::Reflow+0x163 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\xul\nsboxframe.cpp @ 709] 0013e6e4 5d68c4ad 14c02de0 1519b000 0013e7f8 xul!nsContainerFrame::ReflowChild+0x47 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\generic\nscontainerframe.cpp @ 1070] 0013e850 5d8baff9 1519b000 0013ea08 0013e900 xul!ViewportFrame::Reflow+0x129 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\generic\nsviewportframe.cpp @ 315] 0013eae8 5d8db122 14c029d0 00000001 00000004 xul!PresShell::DoReflow+0x34b [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\base\nspresshell.cpp @ 9269] 0013eb44 5d80609e 00000001 00000001 12db9850 xul!PresShell::ProcessReflowCommands+0x9c [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\base\nspresshell.cpp @ 9436] 0013ec00 5d7541df 00000004 13660000 0013ee40 xul!PresShell::FlushPendingNotifications+0x20a [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\base\nspresshell.cpp @ 4098] 0013ee18 5ebaa2a0 a46a544f 01a8a808 16c27300 xul!nsRefreshDriver::Tick+0x27a [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\base\nsrefreshdriver.cpp @ 1786] 0013ee70 5de9bc82 00000000 00000000 5db9cf7c xul!nsRefreshDriver::DoTick+0x59 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\base\nsrefreshdriver.cpp @ 1388] 0013eea4 5db9ceb1 00000005 00000000 0013ef10 xul!nsRefreshDriver::FinishedWaitingForTransaction+0x2fec74 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\base\nsrefreshdriver.cpp @ 1990] 0013eec0 5d76eb5a 0013ef00 0013eef8 0013ef10 xul!mozilla::layers::CompositorBridgeChild::RecvDidComposite+0x2a [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\gfx\layers\ipc\compositorbridgechild.cpp @ 405] 0013ef50 5d9e801e 0013f210 ffffffff 0013f210 xul!mozilla::layers::PCompositorBridgeChild::OnMessageReceived+0x182 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\ipc\ipdl\pcompositorbridgechild.cpp @ 1015] 0013f174 5d9e9692 0013f210 5f423f78 15f49800 xul!mozilla::ipc::MessageChannel::DispatchAsyncMessage+0x97 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\ipc\glue\messagechannel.cpp @ 1654] 0013f1f4 5d9e8b11 0013f210 0013f260 18593be0 xul!mozilla::ipc::MessageChannel::DispatchMessageW+0xe4 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\ipc\glue\messagechannel.cpp @ 1595] 0013f228 5d6c6915 00a04464 00a7c0c0 0013f294 xul!mozilla::ipc::MessageChannel::OnMaybeDequeueOne+0xc7 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\ipc\glue\messagechannel.cpp @ 1561] 0013f294 5d76f09b 00a03820 5fc19501 0013f3ac xul!MessageLoop::DoWork+0x18d [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 444] 0013f2a4 5d9eb4b2 00a03820 00a45140 00a45130 xul!mozilla::ipc::DoWorkRunnable::Run+0x2a [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\ipc\glue\messagepump.cpp @ 228] 0013f3ac 5d9ead31 00a082b0 00000000 0013f3d3 xul!nsThread::ProcessNextEvent+0x276 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1000] 0013f3dc 5da56012 00a7c0c0 7afed3dd 00a04460 xul!mozilla::ipc::MessagePump::Run+0x72 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\ipc\glue\messagepump.cpp @ 98] 0013f414 5da55fe1 00a082b0 00000001 5d8b8900 xul!MessageLoop::RunHandler+0x20 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 224] 0013f434 5da631dc 0b7622c0 00000000 5da62f55 xul!MessageLoop::Run+0x19 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 204] 0013f440 5da62f55 00a04460 0b7622c0 5da62f0c xul!nsBaseAppShell::Run+0x32 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\widget\nsbaseappshell.cpp @ 158] 0013f44c 5da62f0c 00a04460 665b2da5 11e29f20 xul!nsAppShell::Run+0x24 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\widget\windows\nsappshell.cpp @ 262] 0013f45c 5da4a363 0b7622c0 80000000 0013f6c0 xul!nsAppStartup::Run+0x20 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\toolkit\components\startup\nsappstartup.cpp @ 285] 0013f640 5da4eb0c 00a04220 0013f808 0013f7c0 xul!XREMain::XRE_mainRun+0x4d4 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4347] 0013f664 5da4caa3 00000000 00247fe8 0013f800 xul!XREMain::XRE_main+0x1a0 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4451] *** ERROR: Module load completed but symbols could not be loaded for firefox.exe 0013f7c0 00ea16ab 00000004 00247fe8 0013f808 xul!XRE_main+0x3e [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4560] WARNING: Stack unwind information not available. Following frames may be wrong. 0013f848 5d7fe77a 00000000 3ff00000 0013f8d4 firefox+0x16ab 0013f88c 5d7fefeb 00000001 00000002 00000003 xul!base::StatisticsRecorder::RegisterOrDeleteDuplicate+0x97 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\ipc\chromium\src\base\histogram.cc @ 1237] 0013f934 5d8ba589 0000d63a 755de9cc 7559cdcf xul!`anonymous namespace'::HistogramGet+0x175 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\toolkit\components\telemetry\telemetry.cpp @ 1052] 0013f970 00ea7a72 00247fe8 00000001 00510f70 xul!mozilla::Telemetry::Accumulate+0xc8 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\toolkit\components\telemetry\telemetry.cpp @ 3905] 0013fa0c 00ea10e6 00eb5190 00000000 00000000 firefox+0x7a72 0013fa24 00ea24c8 00247fe8 001eff50 001f1f70 firefox+0x10e6 00000000 00000000 00000000 00000000 00000000 firefox+0x24c8
Like in bug 1293523, could you give a link to a crash report? It might be similar.
Group: firefox-core-security → layout-core-security
Component: Untriaged → Layout: Text
Product: Firefox → Core
From the stack and registers, I think this is almost certainly the same as bug 1293523 -- we crash due to calling GetDrawTarget() on an nsRenderingContext that was constructed with a null thebes context.
The bug numbers differ by 2 and the text is the same -- I'm sure this was just a double-submit
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Group: layout-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: