Crash when ISINDEX is used with position: fixed [@ nsBlockBandData::Init]

VERIFIED FIXED in mozilla1.8alpha5

Status

defect
P3
critical
VERIFIED FIXED
15 years ago
8 years ago

People

(Reporter: thomas+mozilla, Assigned: bzbarsky)

Tracking

({crash, fixed-aviary1.0, fixed1.7.5})

Trunk
mozilla1.8alpha5

Attachments

(2 attachments)

(Reporter)

Description

15 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5 (KHTML, like Gecko) Safari/125.9
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a5) Gecko/20041020

I was using iExploder - http://toadstool.se/software/iexploder/ - to do some QA work on Firefox, and this was the first crash it found. The test case is simple:

<isindex style="position: fixed; ">

This happens in Firefox and Mozilla nightly trunk builds from 2004-10-20, both Linux and Mac OS X.




Reproducible: Always
Steps to Reproduce:
1. Visit http://toadstool.se/software/iexploder/iexploder.cgi?test=18149&lookup=1
2. Wait

Actual Results:  
It Crashed


Expected Results:  
Probably nothing

Stacktrace:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000004

Thread 0 Crashed:
0   libgklayout.dylib   0x0200edb4 nsBlockBandData::Init(nsSpaceManager*, nsSize const&) + 0x8
1   libgklayout.dylib   0x02018bd0 nsBlockReflowState::nsBlockReflowState[unified](nsHTMLReflowState const&, nsPresContext*, nsBlockFrame*, nsHTMLReflowMetrics const&, int) + 0x240
2   libgklayout.dylib   0x0200fb18 nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned&) + 0x1e8
3   libgklayout.dylib   0x02088700 nsIsIndexFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned&) + 0x20
4   libgklayout.dylib   0x0200e388 nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, nsHTMLReflowState const&, int, int, nsIFrame*, nsReflowReason, unsigned&) + 0x190
5   libgklayout.dylib   0x0200e0d0 nsAbsoluteContainingBlock::IncrementalReflow(nsIFrame*, nsPresContext*, nsHTMLReflowState const&, int, int, int&) + 0xec
6   libgklayout.dylib   0x02068da4 ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned&) + 0x250
7   libgklayout.dylib   0x0204f2cc IncrementalReflow::Dispatch(nsPresContext*, nsHTMLReflowMetrics&, nsSize const&, nsIRenderingContext&) + 0x11c
8   libgklayout.dylib   0x020593ac PresShell::ProcessReflowCommands(int) + 0x208
9   libgklayout.dylib   0x023572f0 0x2008000 + 0x34f2f0
10  libxpcom.dylib      0x0032def8 PL_HandleEvent + 0x24
11  libxpcom.dylib      0x0032de1c PL_ProcessPendingEvents + 0x80
12  libxpcom.dylib      0x0032e300 _md_EventReceiverProc + 0x74
13  com.apple.HIToolbox 	0x927d1fc8 DispatchEventToHandlers + 0x150
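
Triage of the crash report above, as an added example that is not part of the original bug report or Mozilla's code: it rejoins frames wrapped across lines, derives the crash signature from the top symbolicated frame, and flags the faulting address as a near-null access. SAMPLE is a constructed excerpt of the trace above; the one-page near-null limit and the function names are assumptions.

```python
import re

# Constructed sample: excerpt of the crash report quoted in this bug (frames 3-8 omitted).
SAMPLE = """\
Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000004

Thread 0 Crashed:
0   libgklayout.dylib   0x0200edb4 nsBlockBandData::Init(nsSpaceManager*, nsSize const&) + 0x8
1   libgklayout.dylib   0x02018bd0 nsBlockReflowState::
nsBlockReflowState[unified](nsHTMLReflowState const&, nsPresContext*, nsBlockFrame*,
nsHTMLReflowMetrics const&, int) + 0x240
2   libgklayout.dylib   0x0200fb18 nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&,
nsHTMLReflowState const&, unsigned&) + 0x1e8
9   libgklayout.dylib   0x023572f0 0x2008000 + 0x34f2f0
"""

FRAME_START = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.*)$")
OFFSET = re.compile(r"\s*\+\s*0x[0-9a-fA-F]+\s*$")
NEAR_NULL_LIMIT = 0x1000  # assumption: faults within the first page count as near-null

def parse_frames(report):
    """Return (index, module, symbol) per frame, rejoining frames wrapped over lines."""
    raw, in_thread = [], False
    for line in report.splitlines():
        if re.match(r"^Thread \d+ Crashed:", line):
            in_thread = True
        elif in_thread and line.strip():
            m = FRAME_START.match(line)
            if m:
                raw.append([int(m.group(1)), m.group(2), m.group(4)])
            elif raw:
                raw[-1][2] += line  # continuation of a wrapped frame
    frames = []
    for index, module, text in raw:
        symbol = OFFSET.sub("", text).split("(", 1)[0]  # drop "+ 0xNN" and arguments
        frames.append((index, module, symbol.strip()))
    return frames

def triage(report):
    """Summarise fault address, near-null status and crash signature."""
    fault = int(re.search(r"\bat (0x[0-9a-fA-F]+)", report).group(1), 16)
    frames = parse_frames(report)
    # The signature is the first frame that has a symbol rather than a raw address.
    top = next(sym for _, _, sym in frames if not sym.startswith("0x"))
    return {"fault_address": fault, "near_null": fault < NEAR_NULL_LIMIT,
            "signature": f"[@ {top}]", "frames": frames}
```
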
(Reporter)

Comment 1

15 years ago
Warning: clicking on this attachment will crash Mozilla and Firefox
confirming with win2k build 20041018
Assignee: general → nobody
Status: UNCONFIRMED → NEW
Component: Browser-General → Layout
Ever confirmed: true
Keywords: crash
QA Contact: general → core.layout
could be related to bug 200347 (fixed a long time ago)
Posted patch Fix
Comment on attachment 163024
Fix

isindex should just always have a space manager...
Attachment #163024 - Flags: superreview?(roc)
Attachment #163024 - Flags: review?(roc)

Updated

15 years ago
Summary: Crash when ISINDEX is used with position: fixed → Crash when ISINDEX is used with position: fixed [@ nsBlockBandData::Init]
Attachment #163024 - Flags: superreview?(roc) → superreview+
Attachment #163024 - Flags: review?(roc) → review+
(Assignee)

Updated

15 years ago
Assignee: nobody → bzbarsky
Priority: -- → P3
Target Milestone: --- → mozilla1.8alpha5
Comment on attachment 163024
Fix

This crash fix is pretty straightforward; probably worth taking on the
branches.
Attachment #163024 - Flags: approval1.7.x?
Attachment #163024 - Flags: approval-aviary?
Fixed on trunk.
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED
Comment on attachment 163024
Fix

a=mkaply for 1.7.

Sent a note to aviary for aviary approval.

I think we need this for aviary. For some reason, this crash completely
corrupted my Mozilla when it happened.
Attachment #163024 - Flags: approval1.7.x? → approval1.7.x+

Comment 9

15 years ago
Comment on attachment 163024
Fix

a=asa for aviary checkin.
Attachment #163024 - Flags: approval-aviary? → approval-aviary+
Fixed on branches.
vrfy'd fixed on linux and mac using 200411030x-0.11 bits. don't crash when
visiting either the URL in comment 0 or the testcase.
Status: RESOLVED → VERIFIED

Updated

14 years ago
Blocks: iexploder
Crash Signature: [@ nsBlockBandData::Init]