Closed Bug 291531 Opened 19 years ago Closed 19 years ago

Crash [@ nsTreeBodyFrame::PrefillPropertyArray] treecols:hover {display:none} with evil xul testcase

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: janv)

References

Details

(4 keywords, Whiteboard: [sg:fix])

Crash Data

Attachments

(5 files)

Testcase
620 bytes, application/vnd.mozilla.xul+xml
Details
another testcase
436 bytes, application/vnd.mozilla.xul+xml
Details
Le Patch
3.53 KB, patch
roc
: review+
roc
: superreview+
Details | Diff | Splinter Review
Stack
1.79 KB, text/plain
Details
patch
1.94 KB, patch
neil
: review+
bzbarsky
: superreview+
mtschrep
: approval1.8rc1+
Details | Diff | Splinter Review 
Could be related to bug 284252, perhaps.

The upcoming testcase crashes my most recent trunk build when hovering over the
text.

Talkback ID: TB5286683X

nsTreeBodyFrame::PrefillPropertyArray 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp,
line 1592]
nsTreeBodyFrame::PaintColumn 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp,
line 2161]
nsTreeBodyFrame::Paint 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp,
line 2109]
PresShell::Paint 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp,
line 5768]
nsView::Paint 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp, line
316]
nsViewManager::RenderDisplayListElement 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 1464]
nsViewManager::RenderViews 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 1379]
nsViewManager::Refresh 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 938]
nsViewManager::DispatchEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 2037]
HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp, line
174]
nsWindow::DispatchEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1180]
nsWindow::ProcessMessage 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 4384]
nsWindow::WindowProc 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1472]
USER32.dll + 0x27b17 (0x77d37b17)
USER32.dll + 0x2cdce (0x77d3cdce)
USER32.dll + 0x459d (0x77d1459d)
USER32.dll + 0x47b4 (0x77d147b4)
ntdll.dll + 0x2589f (0x77f6589f)
USER32.dll + 0x9611 (0x77d19611)
nsAppStartup::Run 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp,
line 145]
main 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/browser/app/nsBrowserApp.cpp,
line 60]
kernel32.dll + 0x1eb69 (0x77e5eb69)
Attached file Testcase 

    
    

    
  

      
      
      
      

        Attached file
          
        another testcase
      

    


  
I hit the same crash while playing with bug 306663.  Here's my testcase.  It's
pretty similar to the other testcase, but it uses removeChild instead of
display:none.

    
  
Blocks: stirdom

    
    

    
  
This might be exploitable.  I've seen crashes that I think are related with 0
and 8 at the top of the stack.

    
    

    
  
Comment on attachment 197166 [details]
another testcase

I couldn't get this one to crash.

    
    

    
  
Comment on attachment 181579 [details]
Testcase

Well, this crash happens because of a stale scrollable view pointer.

    
    

    
  
I've seen crashes that seem related with 0xf7fff7fc and ShowProfileManager at
the top of the stack, so I'm marking this bug as [sg:fix].
Flags: blocking1.8b5?
Whiteboard: [sg:fix]

    
  
Flags: blocking1.8b5? → blocking1.8b5+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Le PatchSplinter Review
      

    


  
This should fix the problem.

        Attachment #197725 -
        Flags: review?(neil.parkwaycc.co.uk)

    
    

    
  
Nate - since you are taking care of it assigning to you.
Assignee: nobody → nielsen

    
    

    
  
Comment on attachment 197725 [details] [diff] [review]
Le Patch

Passing the buck to someone more familiar with scrolling views ;-)

        Attachment #197725 -
        Flags: review?(neil.parkwaycc.co.uk) → review?(roc)

    
    

    
  
Niel, if you have a moment could you commit this? I don't have commit access. 

    
  
Status: NEW → ASSIGNED

    
    

    
  
landed on trunk, roc, is this pretty safe for branch?

    
    

    
  
No, this was a trunk-only regression.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Component: Layout → XP Toolkit/Widgets: Trees
Keywords: regression
Resolution: --- → FIXED

    
    

    
  
The first testcase crashes for me using yesterday's Gecko 1.8 branch build of
Firefox on WinXP.

    
    

    
  
I think this could be taken on branch if it helps there.

    
    

    
  
Yes, it helps the 1.8 branch. See also the date when I filed this, which was way
before the 1.9a branch opened.

    
  
Flags: blocking1.8b5+ → blocking1.8b5-

    
    

    
  
Comment on attachment 197725 [details] [diff] [review]
Le Patch

too scary for a not-topcrasher.

        Attachment #197725 -
        Flags: approval1.8b5? → approval1.8b5-

    
    

    
  
The problem is that like a lot of our other crashes this is likely to be
exploitable...

    
    

    
  
How is this exploitable? It's a crash caused by a dangling pointer. 

    
    

    
  
Dangling pointer situations are often exploitable if the code calls a virtual
function on the object, because calling a virtual function involves looking up a
function address using memory that is part of the deleted object object.

    
    

    
  
Makes sense. And since nsIScrollableView is an interface obviously all calls on
the dangling pointer are virtual. So, it's theoretically (extremely
theoretically) exploitable. 



    
    

    
  
Jesse, if you think security concerns warrant landing this on the branch, please
rerequest approval, ok?

    
  

        Attachment #197725 -
        Flags: approval1.8b5- → approval1.8b5?

    
  

        Attachment #197725 -
        Flags: approval1.8b5? → approval1.8b5+

    
    

    
  
Still crashing in today's SeaMonkey and Firefox Windows XP builds.  I'll attach
the "new" stack; I say "new" because this has always crashed, it's just in a
slightly different area now (same method, though).
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
I see the same crash as Stephen on the first testcase using Mozilla/5.0
(Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051003 Firefox/1.6a1.

    
    

    
  
Hmmm, interesting. I may be missing something but....

- Although similar, this isn't the bug (or stack trace) which I 
  reproduced and fixed. 
- It looks like it is caused by dangling pointers in the nsTreeColumn 
  code which Jan Varga wrote. Reassigning. The fact that it happens now 
  and didn't happen earlier, is probably just due to pure luck (earlier) 
  and internal memory heap changes etc...
- This doesn't crash for me which is a bummer.

Assignee: nielsen → Jan.Varga
Status: REOPENED → NEW

    
    

    
  
Nice, let's assign all crashers to original authors of the code.
Anyway, I'll take a look on linux.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  

        Attachment #198432 -
        Flags: review?(neil.parkwaycc.co.uk)

    
    

    
  
Over the years I've gotten frustrated with the progress on the horizontal
scrolling bug, and I guess Mozilla development in general. I just want to get
this over and done with so I can move on. At this point I'd really rather never
see another nsCOMPtr or nsAutoString again.

But that's no excuse for being belligerent. Sorry bout that. 

    
    

    
  
I'm sorry too, what's so bad on smart pointers?

    
    

    
  
(In reply to comment #30)
>I'm sorry too, what's so bad on smart pointers?
Dunno, I was wondering whether mFirstColumn should be an nsCOMPtr...

    
    

    
  
I was referring to two classes one commonly interacts with when programming
Mozilla. ie: Would rather be hacking something else at this point. 

    
    

    
  
(In reply to comment #31)
>(In reply to comment #30)
>>I'm sorry too, what's so bad on smart pointers?
>Dunno, I was wondering whether mFirstColumn should be an nsCOMPtr...
Sorry, I mean an nsRefPtr of course.

    
    

    
  
Comment on attachment 198432 [details] [diff] [review]
patch

Well, it doesn't crash for me either way, but the patch generally improves the
code - although perhaps not as well as an nsRefPtr ;-)

        Attachment #198432 -
        Flags: review?(neil.parkwaycc.co.uk) → review+

    
  

        Attachment #198432 -
        Flags: superreview?(bzbarsky)

        Attachment #198432 -
        Flags: superreview?(bzbarsky) → superreview+

    
    

    
  
did "Le Patch" land on the 1.8 branch? 

    
    

    
  
Comment on attachment 198432 [details] [diff] [review]
patch

checked in

    
    

    
  
I'd resolve this as VERIFIED FIXED, but since I can't jump from NEW to VERIFIED
in one step, Jan, can you please mark this FIXED?

    
    

    
  
sure
Status: NEW → RESOLVED
Closed: 19 years ago19 years ago
Resolution: --- → FIXED

    
    

    
  
Thanks, Jan.  Verified FIXED using SeaMonkey 1.1a;Mozilla/5.0 (Windows; U;
Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051007 Mozilla/1.0
Status: RESOLVED → VERIFIED

    
    

    
  
I think the second patch is still needed on the Gecko 1.8 branch.  See bug 313539.
Blocks: 313539

    
    

    
  
(In reply to comment #40)
>I think the second patch is still needed on the Gecko 1.8 branch. See bug 313539.
That's quite possible; the first crash patch was against 1.9-only code.

    
  
Flags: blocking1.8rc1?

    
    

    
  
neil and bz, can you comment on the risk of taking this patch on the branch?
Flags: blocking1.8rc1? → blocking1.8rc1+

    
  

        Attachment #198432 -
        Flags: approval1.8rc1?

    
    

    
  
I don't really know this code well enough to evaluate risk.  :(

    
    

    
  
Neil and I talked about this briefly over IM. If everyone thinks this is a serious, exploitable bug then we should take this fix today on the branch. 

    
    

    
  
Now I'm starting to get confused about the two patches, the more I look at this. I think we need Jan to comment here.

The first patch (le Patch) is needed on the trunk only? 

The second patch will still fix the original test case on the branch (which I can reproduce on the branch)?

    
  

        Attachment #197725 -
        Flags: approval1.8b5+

    
    

    
  
Applying the patch to the branch works, with these warnings for nsTreeColumns.cpp:

Hunk #5 succeeded at 513 with fuzz 2 (offset -1 lines).
Hunk #6 succeeded at 536 with fuzz 2 (offset -1 lines).

Before applying the patch to my branch tree, I was able to reproduce this crash with an opt build, but not with a debug build.  After applying the patch, I can no longer reproduce the crash with an opt build.  I tested using both the first testcase here and the testcase in bug 313539.

    
    

    
  
*** Bug 313539 has been marked as a duplicate of this bug. ***

    
    

    
  
(In reply to comment #45)
> The first patch (le Patch) is needed on the trunk only? 

yes, there were quite big changes on the trunk (support for horizontal scrolling)

> 
> The second patch will still fix the original test case on the branch (which I
> can reproduce on the branch)?
> 

yes, I think this patch fixes the real problem with hidden cols



    
  

        Attachment #198432 -
        Flags: approval1.8rc1? → approval1.8rc1+

    
    

    
  
Jan - if the last patch fixes the problem on the branch can you land it there?  

    
    

    
  
Checked in on MOZILLA_1_8_BRANCH.
Keywords: fixed1.8

    
    

    
  
no crash firefox 1.5 rc2 winxp/linux
Keywords: fixed1.8verified1.8

    
  
Component: XP Toolkit/Widgets: Trees → XUL
QA Contact: layout → xptoolkit.widgets
Depends on: 506871
Crash Signature: [@ nsTreeBodyFrame::PrefillPropertyArray]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: