Closed Bug 265585 Opened 20 years ago Closed 20 years ago

Crash running Zalewski cgi [@ nsCSSFrameConstructor::FindFrameWithContent]

Categories

(Core :: Layout, defect)

x86
All
defect
Not set
normal

Tracking

VERIFIED DUPLICATE of bug 265181

People

(Reporter: mozilla, Unassigned)

Details

(Keywords: crash)

Attachments

(1 file)

Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.8a5) Gecko/20041021

When running the Zalewski cgi test program I discovered a reproducible crash
with a garbage HTML file that I will attach shortly. The OS/2 debugger tells me
that it is in nsCSSFrameConstructor::FindFrameWithContent in the line
   kidFrame = aParentFrame->GetFirstChild(listName);
This I cannot reproduce with 1.7.3, only happens on the trunk. Don't have a
Linux trunk build handy to confirm.

Perhaps there is security involved...
Attached file testcase
The garbled HTML as created by the Zalewski test program.
Summary: Crash → Crash in nsCSSFrameConstructor::FindFrameWithContent running Zalewski cgi
Group: security
It's not a regression in the sense that the testcase from bug 203041 would crash
the browser (it doesn't). The backtrace shows that the stack is different from
the one in that bug, too. Just running a non-stripped build (don't have
resources for a debug build currently) on Linux under gdb I get this:

(gdb) bt
#0  0x40d20917 in nsCSSFrameConstructor::FindFrameWithContent () from
/home/mozcompile/obj-trunk/dist/bin/components/libgklayout.so
#1  0x40d20ab6 in nsCSSFrameConstructor::FindPrimaryFrameFor () from
/home/mozcompile/obj-trunk/dist/bin/components/libgklayout.so
#2  0x40ca2dff in nsFrameManager::GetPrimaryFrameFor () from
/home/mozcompile/obj-trunk/dist/bin/components/libgklayout.so
#3  0x40cd3c9a in PresShell::GetPrimaryFrameFor () from
/home/mozcompile/obj-trunk/dist/bin/components/libgklayout.so
#4  0x40e5055e in nsGenericHTMLElement::GetPrimaryFrameFor () from
/home/mozcompile/obj-trunk/dist/bin/components/libgklayout.so
#5  0x40e50595 in nsGenericHTMLElement::GetFormControlFrameFor () from
/home/mozcompile/obj-trunk/dist/bin/components/libgklayout.so
#6  0x40ea1722 in nsHTMLSelectElement::GetSelectFrame () from
/home/mozcompile/obj-trunk/dist/bin/components/libgklayout.so
#7  0x40ea3034 in nsHTMLSelectElement::DoneAddingChildren () from
/home/mozcompile/obj-trunk/dist/bin/components/libgklayout.so
#8  0x40ec25df in SinkContext::CloseContainer () from
/home/mozcompile/obj-trunk/dist/bin/components/libgklayout.so
#9  0x40ec50c0 in HTMLContentSink::CloseContainer () from
/home/mozcompile/obj-trunk/dist/bin/components/libgklayout.so
#10 0x4096ea6a in NSGetModule () from
/home/mozcompile/obj-trunk/dist/bin/components/libhtmlpars.so
#11 0x4096eb09 in NSGetModule () from
/home/mozcompile/obj-trunk/dist/bin/components/libhtmlpars.so
#12 0x4096ee50 in NSGetModule () from
/home/mozcompile/obj-trunk/dist/bin/components/libhtmlpars.so
#13 0x40969e70 in NSGetModule () from
/home/mozcompile/obj-trunk/dist/bin/components/libhtmlpars.so
#14 0x4097d2d0 in NSGetModule () from
/home/mozcompile/obj-trunk/dist/bin/components/libhtmlpars.so
#15 0x4097e311 in NSGetModule () from
/home/mozcompile/obj-trunk/dist/bin/components/libhtmlpars.so
#16 0x4097f4d9 in NSGetModule () from
/home/mozcompile/obj-trunk/dist/bin/components/libhtmlpars.so
#17 0x410e4fc2 in NSGetModule () from
/home/mozcompile/obj-trunk/dist/bin/components/libdocshell.so
#18 0x4084b77d in NSGetModule () from
/home/mozcompile/obj-trunk/dist/bin/components/libnecko.so
#19 0x408b0b29 in NSGetModule () from
/home/mozcompile/obj-trunk/dist/bin/components/libnecko.so
#20 0x408345a2 in NSGetModule () from
/home/mozcompile/obj-trunk/dist/bin/components/libnecko.so
#21 0x408341b9 in NSGetModule () from
/home/mozcompile/obj-trunk/dist/bin/components/libnecko.so
#22 0x4061b49a in nsInputStreamReadyEvent::EventHandler () from
/home/mozcompile/obj-trunk/dist/bin/libxpcom.so
#23 0x406344c2 in PL_HandleEvent () from
/home/mozcompile/obj-trunk/dist/bin/libxpcom.so
#24 0x406343b9 in PL_ProcessPendingEvents () from
/home/mozcompile/obj-trunk/dist/bin/libxpcom.so
#25 0x40635f1d in nsEventQueueImpl::NotifyObservers () from
/home/mozcompile/obj-trunk/dist/bin/libxpcom.so
#26 0x40bd6f16 in _IcePaAuthDataEntries () from
/home/mozcompile/obj-trunk/dist/bin/components/libwidget_gtk.so
#27 0x40bd6be5 in _IcePaAuthDataEntries () from
/home/mozcompile/obj-trunk/dist/bin/components/libwidget_gtk.so
#28 0x40273f9e in g_io_unix_dispatch () from /usr/lib/libglib-1.2.so.0
#29 0x40275773 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#30 0x40275d39 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#31 0x40275eec in g_main_run () from /usr/lib/libglib-1.2.so.0
#32 0x401912e3 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#33 0x40bd71c9 in _IcePaAuthDataEntries () from
/home/mozcompile/obj-trunk/dist/bin/components/libwidget_gtk.so
#34 0x41274f32 in NSGetModule () from
/home/mozcompile/obj-trunk/dist/bin/components/libnsappshell.so
#35 0x08055109 in main1 ()
#36 0x08055b4e in main ()
#37 0x403ee1c4 in __libc_start_main () from /lib/libc.so.6

Will try to get a talkback from the 1.8a4 release.
OS: OS/2 → All
Summary: Crash in nsCSSFrameConstructor::FindFrameWithContent running Zalewski cgi → Crash running Zalewski cgi [@ nsCSSFrameConstructor::FindFrameWithContent]
nsCSSFrameConstructor::FindFrameWithContent(nsPresContext * 0x0250b228,
nsFrameManager * 0x02542004, nsIFrame * 0x035dc81c, nsIContent * 0x024059b8,
nsIContent * 0x024e7f58, nsFindFrameHint * 0x00000000) line 11194 + 11 bytes
nsCSSFrameConstructor::FindPrimaryFrameFor(nsPresContext * 0x0250b228,
nsFrameManager * 0x02542004, nsIContent * 0x024e7f58, nsIFrame * * 0x0012fb10,
nsFindFrameHint * 0x00000000) line 11309 + 26 bytes
nsFrameManager::GetPrimaryFrameFor(nsIContent * 0x024e7f58) line 443
PresShell::GetPrimaryFrameFor(const PresShell * const 0x02541fe8, nsIContent *
0x024e7f58, nsIFrame * * 0x0012fb38) line 5268 + 14 bytes
nsGenericHTMLElement::GetPrimaryFrameFor(nsIContent * 0x024e7f58, nsIDocument *
0x024d4790, int 0x00000000) line 2236
nsGenericHTMLElement::GetFormControlFrameFor(nsIContent * 0x024e7f58,
nsIDocument * 0x024d4790, int 0x00000000) line 2245 + 14 bytes
nsHTMLSelectElement::GetSelectFrame() line 943 + 39 bytes
nsHTMLSelectElement::DoneAddingChildren() line 1676 + 8 bytes
SinkContext::CloseContainer(nsHTMLTag eHTMLTag_select) line 1434
HTMLContentSink::CloseContainer(HTMLContentSink * const 0x02540598, nsHTMLTag
eHTMLTag_select) line 3045 + 17 bytes
CNavDTD::CloseContainer(nsHTMLTag eHTMLTag_select, nsHTMLTag eHTMLTag_select,
int 0x00000000) line 3518 + 30 bytes
CNavDTD::CloseContainersTo(int 0x00000009, nsHTMLTag eHTMLTag_select, int
0x00000000) line 3550 + 17 bytes
CNavDTD::CloseContainersTo(nsHTMLTag eHTMLTag_select, int 0x00000000) line 3708
+ 17 bytes
CNavDTD::DidBuildModel(CNavDTD * const 0x02544010, unsigned int 0x00000000, int
0x00000001, nsIParser * 0x024d4ac8, nsIContentSink * 0x02540598) line 603 + 22 bytes
nsParser::DidBuildModel(unsigned int 0x00000000) line 1248 + 44 bytes
nsParser::ResumeParse(int 0x00000001, int 0x00000001, int 0x00000001) line 1843
nsParser::ContinueParsing(nsParser * const 0x024d4ac8) line 1362 + 18 bytes
nsParser::HandleParserContinueEvent() line 1426
nsParserContinueEvent::HandleEvent(PLEvent * 0x024a9658) line 237
PL_HandleEvent(PLEvent * 0x024a9658) line 692 + 9 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x01136f60) line 627 + 8 bytes
_md_EventReceiverProc(HWND__ * 0x001b07e0, unsigned int 0x0000c1cf, unsigned int
0x00000000, long 0x01136f60) line 1433 + 8 bytes
USER32! 77d18709()
USER32! 77d187eb()
USER32! 77d189a5()
USER32! 77d1bccc()
nsNativeViewerApp::Run() line 90
main(int 0x00000001, char * * 0x00377cd0) line 155 + 11 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()

It crashes as this function is called on a previously deleted parent frame (it's
full of 0xddddd).
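As an added illustration of the comment above (not code from this bug or from Mozilla), a small C model of what the backtrace shows: a frame walk like FindFrameWithContent is started from a parent frame that was already destroyed and whose memory the debug heap filled with 0xDD, and a check that rejects such a parent before it is dereferenced. Frame, destroy_frame_poisoned, looks_freed, find_frame_with_content and replay_deleted_parent_lookup are assumed names.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not Mozilla code: a frame-tree walk like FindFrameWithContent
 * started from a parent frame that was already destroyed. destroy_frame_poisoned
 * fills the object with 0xDD, the byte the MSVC debug heap writes into freed
 * blocks (the "full of 0xdd" in the report), so the walk can reject the frame
 * instead of crashing. All names here are hypothetical. */

#define POISON_BYTE 0xDD
typedef struct Frame {
    int content_id;               /* stands in for the nsIContent pointer */
    struct Frame *first_child;
    struct Frame *next_sibling;
} Frame;

/* Models the debug heap: overwrite with the fill pattern instead of releasing,
 * so a stale dereference stays observable and well-defined in this demo. */
static void destroy_frame_poisoned(Frame *f) { memset(f, POISON_BYTE, sizeof *f); }

/* Check a debug build can make before touching aParentFrame. */
static int looks_freed(const Frame *f) {
    const unsigned char *p = (const unsigned char *)f;
    for (size_t i = 0; i < sizeof *f; i++)
        if (p[i] != POISON_BYTE) return 0;
    return 1;
}

/* Returns the child whose content matches, NULL if none; sets *err = 1 when
 * the parent carries the freed-memory pattern (the situation in this bug). */
static Frame *find_frame_with_content(Frame *parent, int content_id, int *err) {
    *err = 0;
    if (parent == NULL || looks_freed(parent)) { *err = 1; return NULL; }
    for (Frame *kid = parent->first_child; kid; kid = kid->next_sibling)
        if (kid->content_id == content_id) return kid;
    return NULL;
}

/* Replays the backtrace's sequence: lookup succeeds, the parent is destroyed,
 * the same lookup runs again. Returns 1 iff the second lookup was rejected. */
int replay_deleted_parent_lookup(void) {
    Frame *parent = calloc(1, sizeof *parent), *kid = calloc(1, sizeof *kid);
    int err, ok;
    parent->content_id = 1; kid->content_id = 2; parent->first_child = kid;
    ok = find_frame_with_content(parent, 2, &err) == kid && err == 0;
    destroy_frame_poisoned(parent);
    ok = ok && find_frame_with_content(parent, 2, &err) == NULL && err == 1;
    free(parent); free(kid);
    return ok;
}
```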
Blocks: Zalewski
Status: UNCONFIRMED → NEW
Ever confirmed: true
the patch in bug 265181 fixes this one too
Depends on: 265181
Can someone please confirm that the patch to bug 265404 fixed this? Cannot
reproduce any more, so from my point of view this can be resolved.
WFM, no crash here

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041024 Firefox/1.0

*** This bug has been marked as a duplicate of 265181 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
No longer depends on: 265181
Crash Signature: [@ nsCSSFrameConstructor::FindFrameWithContent]