Closed
Bug 291531
Opened 19 years ago
Closed 19 years ago
Crash [@ nsTreeBodyFrame::PrefillPropertyArray] treecols:hover {display:none} with evil xul testcase
Categories
(Core :: XUL, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: martijn.martijn, Assigned: janv)
References
Details
(4 keywords, Whiteboard: [sg:fix])
Crash Data
Attachments
(5 files)
620 bytes,
application/vnd.mozilla.xul+xml
|
Details | |
436 bytes,
application/vnd.mozilla.xul+xml
|
Details | |
3.53 KB,
patch
|
roc
:
review+
roc
:
superreview+
|
Details | Diff | Splinter Review |
1.79 KB,
text/plain
|
Details | |
1.94 KB,
patch
|
neil
:
review+
bzbarsky
:
superreview+
mtschrep
:
approval1.8rc1+
|
Details | Diff | Splinter Review |
Could be related to bug 284252, perhaps. The upcoming testcase crashes my most recent trunk build when hovering over the text. Talkback ID: TB5286683X nsTreeBodyFrame::PrefillPropertyArray [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp, line 1592] nsTreeBodyFrame::PaintColumn [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp, line 2161] nsTreeBodyFrame::Paint [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp, line 2109] PresShell::Paint [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp, line 5768] nsView::Paint [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp, line 316] nsViewManager::RenderDisplayListElement [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp, line 1464] nsViewManager::RenderViews [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp, line 1379] nsViewManager::Refresh [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp, line 938] nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp, line 2037] HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp, line 174] nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1180] nsWindow::ProcessMessage [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4384] nsWindow::WindowProc [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1472] USER32.dll + 0x27b17 (0x77d37b17) USER32.dll + 0x2cdce (0x77d3cdce) USER32.dll + 0x459d (0x77d1459d) USER32.dll + 0x47b4 (0x77d147b4) ntdll.dll + 0x2589f (0x77f6589f) USER32.dll + 0x9611 (0x77d19611) nsAppStartup::Run [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 145] main [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 60] kernel32.dll + 0x1eb69 (0x77e5eb69)
Reporter | ||
Comment 1•19 years ago
|
||
Comment 2•19 years ago
|
||
I hit the same crash while playing with bug 306663. Here's my testcase. It's pretty similar to the other testcase, but it uses removeChild instead of display:none.
Comment 3•19 years ago
|
||
This might be exploitable. I've seen crashes that I think are related with 0 and 8 at the top of the stack.
Comment 4•19 years ago
|
||
Comment on attachment 197166 [details]
another testcase
I couldn't get this one to crash.
Comment 5•19 years ago
|
||
Comment on attachment 181579 [details]
Testcase
Well, this crash happens because of a stale scrollable view pointer.
Comment 6•19 years ago
|
||
I've seen crashes that seem related with 0xf7fff7fc and ShowProfileManager at the top of the stack, so I'm marking this bug as [sg:fix].
Flags: blocking1.8b5?
Whiteboard: [sg:fix]
Updated•19 years ago
|
Flags: blocking1.8b5? → blocking1.8b5+
Comment 7•19 years ago
|
||
This should fix the problem.
Attachment #197725 -
Flags: review?(neil.parkwaycc.co.uk)
Comment 8•19 years ago
|
||
Nate - since you are taking care of it assigning to you.
Assignee: nobody → nielsen
Comment 9•19 years ago
|
||
Comment on attachment 197725 [details] [diff] [review] Le Patch Passing the buck to someone more familiar with scrolling views ;-)
Attachment #197725 -
Flags: review?(neil.parkwaycc.co.uk) → review?(roc)
Attachment #197725 -
Flags: superreview+
Attachment #197725 -
Flags: review?(roc)
Attachment #197725 -
Flags: review+
Comment 10•19 years ago
|
||
Niel, if you have a moment could you commit this? I don't have commit access.
Updated•19 years ago
|
Status: NEW → ASSIGNED
Comment 11•19 years ago
|
||
landed on trunk, roc, is this pretty safe for branch?
Comment 12•19 years ago
|
||
No, this was a trunk-only regression.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Component: Layout → XP Toolkit/Widgets: Trees
Keywords: regression
Resolution: --- → FIXED
Comment 13•19 years ago
|
||
The first testcase crashes for me using yesterday's Gecko 1.8 branch build of Firefox on WinXP.
I think this could be taken on branch if it helps there.
Reporter | ||
Comment 15•19 years ago
|
||
Yes, it helps the 1.8 branch. See also the date when I filed this, which was way before the 1.9a branch opened.
Comment on attachment 197725 [details] [diff] [review] Le Patch see comments.
Attachment #197725 -
Flags: approval1.8b5?
Updated•19 years ago
|
Flags: blocking1.8b5+ → blocking1.8b5-
Comment 17•19 years ago
|
||
Comment on attachment 197725 [details] [diff] [review] Le Patch too scary for a not-topcrasher.
Attachment #197725 -
Flags: approval1.8b5? → approval1.8b5-
Comment 18•19 years ago
|
||
The problem is that like a lot of our other crashes this is likely to be exploitable...
Comment 19•19 years ago
|
||
How is this exploitable? It's a crash caused by a dangling pointer.
Comment 20•19 years ago
|
||
Dangling pointer situations are often exploitable if the code calls a virtual function on the object, because calling a virtual function involves looking up a function address using memory that is part of the deleted object object.
Comment 21•19 years ago
|
||
Makes sense. And since nsIScrollableView is an interface obviously all calls on the dangling pointer are virtual. So, it's theoretically (extremely theoretically) exploitable.
Comment 22•19 years ago
|
||
Jesse, if you think security concerns warrant landing this on the branch, please rerequest approval, ok?
Updated•19 years ago
|
Attachment #197725 -
Flags: approval1.8b5- → approval1.8b5?
Updated•19 years ago
|
Attachment #197725 -
Flags: approval1.8b5? → approval1.8b5+
Still crashing in today's SeaMonkey and Firefox Windows XP builds. I'll attach the "new" stack; I say "new" because this has always crashed, it's just in a slightly different area now (same method, though).
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 25•19 years ago
|
||
I see the same crash as Stephen on the first testcase using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051003 Firefox/1.6a1.
Comment 26•19 years ago
|
||
Hmmm, interesting. I may be missing something but.... - Although similar, this isn't the bug (or stack trace) which I reproduced and fixed. - It looks like it is caused by dangling pointers in the nsTreeColumn code which Jan Varga wrote. Reassigning. The fact that it happens now and didn't happen earlier, is probably just due to pure luck (earlier) and internal memory heap changes etc... - This doesn't crash for me which is a bummer.
Assignee: nielsen → Jan.Varga
Status: REOPENED → NEW
Assignee | ||
Comment 27•19 years ago
|
||
Nice, let's assign all crashers to original authors of the code. Anyway, I'll take a look on linux.
Assignee | ||
Comment 28•19 years ago
|
||
Attachment #198432 -
Flags: review?(neil.parkwaycc.co.uk)
Comment 29•19 years ago
|
||
Over the years I've gotten frustrated with the progress on the horizontal scrolling bug, and I guess Mozilla development in general. I just want to get this over and done with so I can move on. At this point I'd really rather never see another nsCOMPtr or nsAutoString again. But that's no excuse for being belligerent. Sorry bout that.
Assignee | ||
Comment 30•19 years ago
|
||
I'm sorry too, what's so bad on smart pointers?
Comment 31•19 years ago
|
||
(In reply to comment #30) >I'm sorry too, what's so bad on smart pointers? Dunno, I was wondering whether mFirstColumn should be an nsCOMPtr...
Comment 32•19 years ago
|
||
I was referring to two classes one commonly interacts with when programming Mozilla. ie: Would rather be hacking something else at this point.
Comment 33•19 years ago
|
||
(In reply to comment #31) >(In reply to comment #30) >>I'm sorry too, what's so bad on smart pointers? >Dunno, I was wondering whether mFirstColumn should be an nsCOMPtr... Sorry, I mean an nsRefPtr of course.
Comment 34•19 years ago
|
||
Comment on attachment 198432 [details] [diff] [review] patch Well, it doesn't crash for me either way, but the patch generally improves the code - although perhaps not as well as an nsRefPtr ;-)
Attachment #198432 -
Flags: review?(neil.parkwaycc.co.uk) → review+
Assignee | ||
Updated•19 years ago
|
Attachment #198432 -
Flags: superreview?(bzbarsky)
Updated•19 years ago
|
Attachment #198432 -
Flags: superreview?(bzbarsky) → superreview+
Comment 35•19 years ago
|
||
did "Le Patch" land on the 1.8 branch?
Assignee | ||
Comment 36•19 years ago
|
||
Comment on attachment 198432 [details] [diff] [review] patch checked in
I'd resolve this as VERIFIED FIXED, but since I can't jump from NEW to VERIFIED in one step, Jan, can you please mark this FIXED?
Assignee | ||
Comment 38•19 years ago
|
||
sure
Status: NEW → RESOLVED
Closed: 19 years ago → 19 years ago
Resolution: --- → FIXED
Thanks, Jan. Verified FIXED using SeaMonkey 1.1a;Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051007 Mozilla/1.0
Status: RESOLVED → VERIFIED
Comment 40•19 years ago
|
||
I think the second patch is still needed on the Gecko 1.8 branch. See bug 313539.
Blocks: 313539
Comment 41•19 years ago
|
||
(In reply to comment #40) >I think the second patch is still needed on the Gecko 1.8 branch. See bug 313539. That's quite possible; the first crash patch was against 1.9-only code.
Updated•19 years ago
|
Flags: blocking1.8rc1?
Comment 42•19 years ago
|
||
neil and bz, can you comment on the risk of taking this patch on the branch?
Flags: blocking1.8rc1? → blocking1.8rc1+
Updated•19 years ago
|
Attachment #198432 -
Flags: approval1.8rc1?
Comment 43•19 years ago
|
||
I don't really know this code well enough to evaluate risk. :(
Comment 44•19 years ago
|
||
Neil and I talked about this briefly over IM. If everyone thinks this is a serious, exploitable bug then we should take this fix today on the branch.
Comment 45•19 years ago
|
||
Now I'm starting to get confused about the two patches, the more I look at this. I think we need Jan to comment here. The first patch (le Patch) is needed on the trunk only? The second patch will still fix the original test case on the branch (which I can reproduce on the branch)?
Updated•19 years ago
|
Attachment #197725 -
Flags: approval1.8b5+
Comment 46•19 years ago
|
||
Applying the patch to the branch works, with these warnings for nsTreeColumns.cpp: Hunk #5 succeeded at 513 with fuzz 2 (offset -1 lines). Hunk #6 succeeded at 536 with fuzz 2 (offset -1 lines). Before applying the patch to my branch tree, I was able to reproduce this crash with an opt build, but not with a debug build. After applying the patch, I can no longer reproduce the crash with an opt build. I tested using both the first testcase here and the testcase in bug 313539.
Comment 47•19 years ago
|
||
*** Bug 313539 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 48•19 years ago
|
||
(In reply to comment #45) > The first patch (le Patch) is needed on the trunk only? yes, there were quite big changes on the trunk (support for horizontal scrolling) > > The second patch will still fix the original test case on the branch (which I > can reproduce on the branch)? > yes, I think this patch fixes the real problem with hidden cols
Updated•19 years ago
|
Attachment #198432 -
Flags: approval1.8rc1? → approval1.8rc1+
Comment 49•19 years ago
|
||
Jan - if the last patch fixes the problem on the branch can you land it there?
Component: XP Toolkit/Widgets: Trees → XUL
QA Contact: layout → xptoolkit.widgets
Depends on: 506871
No longer depends on: 506871
No longer depends on: 506871
Updated•13 years ago
|
Crash Signature: [@ nsTreeBodyFrame::PrefillPropertyArray]
You need to log in
before you can comment on or make changes to this bug.
Description
•