286491 - Crash [@ nsLineLayout::ReflowFrame] with evil testcase with iframe and flash inside it

Status: VERIFIED FIXED

(Core :: Layout: Block and Inline, defect)

Description

[Martijn Wargers (dead)]

The title sucks, but I couldn't think of a better one, I'm afraid.

The testcase is still a bit complicated.
You should have flash installed to get the crash.
I think I've reduced the testcase as far as it goes.

Talkback ID: TB4396728E

0x00000000
nsLineLayout::ReflowFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsLineLayout.cpp,
line 1144]
nsInlineFrame::ReflowInlineFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsInlineFrame.cpp,
line 712]
nsInlineFrame::ReflowFrames 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsInlineFrame.cpp,
line 530]
nsInlineFrame::Reflow 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsInlineFrame.cpp,
line 444]
nsLineLayout::ReflowFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsLineLayout.cpp,
line 999]
nsBlockFrame::ReflowInlineFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 4109]
nsBlockFrame::DoReflowInlineFrames 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 3799]
nsBlockFrame::ReflowInlineFrames 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 3688]
nsBlockFrame::ReflowLine 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 2723]
nsBlockFrame::ReflowDirtyLines 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 2234]
nsBlockFrame::Reflow 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 827]
nsBlockReflowContext::ReflowBlock 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsBlockReflowContext.cpp,
line 547]
nsBlockFrame::ReflowBlockFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 3417]
nsBlockFrame::ReflowLine 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 2604]
nsBlockFrame::ReflowDirtyLines 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 2234]
nsBlockFrame::Reflow 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsBlockFrame.cpp,
line 827]
nsContainerFrame::ReflowChild 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsContainerFrame.cpp,
line 954]
CanvasFrame::Reflow 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsHTMLFrame.cpp,
line 522]
nsFrame::BoxReflow 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsFrame.cpp,
line 5361]
nsFrame::DoLayout 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsFrame.cpp,
line 5103]
nsIFrame::Layout 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 802]
nsIFrame::Layout 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 802]
nsGfxScrollFrameInner::LayoutBox 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsGfxScrollFrame.cpp,
line 1624]
nsHTMLScrollFrame::DoLayout 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsGfxScrollFrame.cpp,
line 560]
nsIFrame::Layout 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 802]
nsHTMLScrollFrame::Reflow 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsGfxScrollFrame.cpp,
line 488]
nsContainerFrame::ReflowChild 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsContainerFrame.cpp,
line 954]
ViewportFrame::Reflow 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsViewportFrame.cpp,
line 240]
IncrementalReflow::Dispatch 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp,
line 907]
PresShell::ProcessReflowCommands 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6435]
ReflowEvent::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6261]
PL_HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/xpcom/threads/plevent.c,
line 699]
SHELL32.dll + 0x520c24 (0x778b0c24)

Comment 1

[Martijn Wargers (dead)]

Attachment: Testcase

To trigger the crash:
- Hover first over link2, then hover over link1.

The button 'doe()' shows maybe something interesting. After clicking button
doe(), both links should be on the same line, since after they've gone through
display:block, the get back to their default style, which is display:inline.
That's not what they are doing.
If you repeat function doe() every 20ms, you soon hit some frame corruption and
Mozilla becomes unusable.

Comment 2

[Martijn Wargers (dead)]

It seems like a regression.
The crashing/freezing doesn't happen with 2005-02-22 07:26am build.
But the crashing/freezing happens with 2005-02-23 07:24am build.
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-02-22+07%3A00%3A00&maxdate=2005-02-23+08%3A00%3A00&cvsroot=%2Fcvsroot

Comment 3

[Boris Zbarsky [:bzbarsky]]

Hmm... What does that last frame look like?  I get this to assert on Linux, but
not crash....

Comment 4

[Martijn Wargers (dead)]

In my debug build, I also don't crash.
I get this assertion, though:
http://wargers.org/test/mozilla/bt.txt

Comment 5

[Xanthor Sccas]

I crash also on Linux with Moz1.8b1 ¹, and I haven't got Flash plugin
TB4407577Y

¹ : Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b) Gecko/20050217

Comment 6

[Boris Zbarsky [:bzbarsky]]

Yeah, that's the assert I was seeing too...

Comment 7

[Martijn Wargers (dead)]

I get a crash with the same stack here:
http://houseofstrauss.co.uk/index.php
when I click at the "<>" image at the right just above the "Site Assistant" box.
It causes the whole right section to collapse/uncollapse. When I do it very
quickly after one another, I crash.
While minimising the testcase, I got basically the same as what is already attached.

Comment 8

[Robert O'Callahan (:roc) (email my personal email if necessary)]

I crash sometimes on Linux debug, but it takes a while to trigger. I crashed in
nsLineLayout::Reflowframe trying to reflow a deleted frame.

Comment 9

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Attachment: fix

The root problem seems to be the layout bug Martijn mentioned in comment #1.
The problem seems to be that recreating frames for the <A> does not recreate
the containing block, because the <A>'s frame itself is not special. We need to
check to see whether the block's parent frame is special, because that's the
frame that will be the IB special frame in this case. I think in general if a
block frame causes IB-splitting then its parent frame will be special.

Fixing that problem seems to fix this bug. No more assertions, no more crashes.

Comment 10

[Robert O'Callahan (:roc) (email my personal email if necessary)]

checked in. I'll apply for branch approval in a couple of days.

Comment 11

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Comment on attachment 191551 [details] [diff] [review]
fix

no regressions seen yet. Fixes a crasher.

Comment 12

[Robert O'Callahan (:roc) (email my personal email if necessary)]

checked in on branch.

Comment 13

[Jay Patel [:jay]]

v.fixed with 9/27 trunk and branch builds, testcase in comment #1 does not crash
Win32.

Comment 14

[Mats Palmgren (inactive)]

Added crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6051da676c88

Comment 15

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/6051da676c88