Closed Bug 313173 Opened 19 years ago Closed 19 years ago

Crash with evil xul testcase, using table-caption/-moz-grid [@ nsGridRow::IsCollapsed][@ nsGrid::GetScrollBox]

Categories

(Core :: Layout, defect, P1)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8rc1

People

(Reporter: martijn.martijn, Assigned: bzbarsky)

References

Details

(4 keywords, Whiteboard: [sg:critical?])

Crash Data

Attachments

(2 files)

testcase
776 bytes, application/vnd.mozilla.xul+xml
Details
Proposed patch
3.39 KB, patch
neil
: review+
roc
: superreview+
dveditz
: approval-aviary1.0.8+
dveditz
: approval1.7.13+
asa
: approval1.8rc1+
Details | Diff | Splinter Review 
The upcoming testcase crashes Mozilla when clicking on the button.

Talkback ID: TB10392796Y
(can't see the tb id right now, but iirc, I once got appr. the same stack as the
one from bug 311710, so marking as a security bug for now)

nsGrid::GetScrollBox 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 1493]
nsGridRowLayout::GetParentGridPart 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLayout.cpp,
line 91]
nsGridRowLayout::GetGrid 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLayout.cpp,
line 176]
nsGridRowLayout::GetGrid 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLayout.cpp,
line 179]
nsGridRowLayout::GetGrid 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLayout.cpp,
line 124]
nsGridRowLeafLayout::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 85]
nsBoxFrame::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
Attached file testcase — 

    
    

    
  
Yep.  Calling methods on a deleted box... :(  Gotta love grids.  :(  Is there
any way we can disable them for this release?  Or are they too widely used?
Flags: blocking1.8rc1?
OS: Windows XP → All
Hardware: PC → All

    
  
Summary: Crash with evil xul testcase, using table-caption/-moz-grid → Crash with evil xul testcase, using table-caption/-moz-grid [@ nsGridRow::IsCollapsed]

    
  
Summary: Crash with evil xul testcase, using table-caption/-moz-grid [@ nsGridRow::IsCollapsed] → Crash with evil xul testcase, using table-caption/-moz-grid [@ nsGridRow::IsCollapsed][@ nsGrid::GetScrollBox]

    
    

    
  
So the issue is that a GridRowLayout has a ChildrenRemoved override but a
GridLayout2 does not?

    
    

    
  
Hmm.. Yeah, that seems to be it.  The same issue in bug 312784, in fact.
Blocks: 312784

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Proposed patch
        — 
          — Splinter Review
      

    


  
This fixes this bug and bug 312784.  We still assert in
nsGrid::GetMin/Pref/MaxRowSize because we have no columns and someone passes a
column index of 0, but the code there also bails out safely in addition to
asserting, so we're sorta ok.

        Attachment #200288 -
        Flags: superreview?(roc)

        Attachment #200288 -
        Flags: review?(neil.parkwaycc.co.uk)

        Attachment #200288 -
        Flags: superreview?(roc) → superreview+

    
  
Flags: blocking1.8rc1? → blocking1.8rc1+

    
    

    
  
Comment on attachment 200288 [details] [diff] [review]
Proposed patch

I think we should just get this in on trunk so we can verify and maybe get this
on branch in time for freeze.  I talked to Neil on IRC and he seemed happy with
the patch; I assume he'll mark review once he wakes up...

        Attachment #200288 -
        Flags: review?(roc)

    
    

    
  
Comment on attachment 200288 [details] [diff] [review]
Proposed patch

Are the assertions in nsGrid.cpp "normal"? I also wonder whether the
mMarkingDirty member is relevant to the rebuild.

        Attachment #200288 -
        Flags: review?(neil.parkwaycc.co.uk) → review+

    
    

    
  
> Are the assertions in nsGrid.cpp "normal"?

No; I will file a followup bug on them.



    
  
Assignee: nobody → bzbarsky
Priority: -- → P1
Target Milestone: --- → mozilla1.8rc1

    
  

        Attachment #200288 -
        Flags: review?(roc)

    
    

    
  
Comment on attachment 200288 [details] [diff] [review]
Proposed patch

Please land on the trunk, ASAP. We'll evaluate it for the branch once it's been
landed and verified on the trunk. Thanks.

        Attachment #200288 -
        Flags: approval1.8rc1?

    
    

    
  
Fixed on trunk a few hours ago.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
    

    
  
Filed bug 313303 on the assert.

    
    

    
  
This is potentially exploitable
Whiteboard: [sg:critical?]

    
    

    
  
jesse, care to do an hourly build based verification on the trunk for this bug? 

    
    

    
  
The atlantia tinderbox is on fire, so I can't get an hourly build, but I'll test
with my own debug build in a bit.

    
    

    
  
WFM with the Mac build from
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2005-10-21-15-trunk/.  I
was able to reproduce this crash in a build from yesterday (before the patch
went in).  I'm not sure I should mark this bug as verified, because Martijn
originally reported this bug on Windows.

    
    

    
  
OK. I've verified that the testcase does crash me with yesterday's build and
does not crash me with the latest hourly build on windows. 
Status: RESOLVED → VERIFIED

    
  

        Attachment #200288 -
        Flags: approval1.8rc1? → approval1.8rc1+

    
    

    
  
Fixed on branch.
Keywords: fixed1.8
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+

    
    

    
  
no crash firefox 1.5 rc2 winxp/linux
Keywords: fixed1.8verified1.8
Flags: testcase+

    
    

    
  
Comment on attachment 200288 [details] [diff] [review]
Proposed patch

aviary101/moz17 landing approval: a=dveditz for drivers. Please add the fixed1.7.13 and fixed-aviary1.0.8 keywords when landed.

        Attachment #200288 -
        Flags: approval1.7.13+

        Attachment #200288 -
        Flags: approval-aviary1.0.8+

    
    

    
  
Fixed on 1.7 and aviary 1.0.x branches.
Keywords: fixed-aviary1.0.8, 
          
            fixed1.7.13

    
    

    
  
The testcase is still crashing for me with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20060209 Firefox/1.0.7.  Will post my Talkback stack once it's processed to see if we're crashing somewhere else now.   

Can anyone else confirm this is still a problem on the Aviary branch, even with the checkin from 2/6?

    
    

    
  
Jay, this worksforme with my aviary branch build.... Did that talkback ID ever materialize?

    
    

    
  
Here's my recent Aviary crash (looks similar):
Incident ID: 14972347
Stack Signature	nsGrid::GetScrollBox f0a28047
Email Address	jay@mozilla.org
Product ID	Firefox10
Build ID	2006020905
Trigger Time	2006-02-09 14:50:09.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (002d9c14)
URL visited	https://bugzilla.mozilla.org/show_bug.cgi?id=313173
User Comments	crash with evil xul testcae with 1.0.8 .. might not be the same bug, but still a problem.
Since Last Crash	547 sec
Total Uptime	547 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp, line 1489
Stack Trace 	
nsGrid::GetScrollBox  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp, line 1489]
nsGridRowLeafLayout::ComputeChildSizes  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp, line 321]
nsSprocketLayout::Layout  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 285]
nsContainerBox::DoLayout  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp, line 610]
nsBox::Layout  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp, line 1016]
nsLineLayout::ReflowFrame  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsLineLayout.cpp, line 993]
nsBlockFrame::ReflowInlineFrame  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3748]
nsBlockFrame::DoReflowInlineFrames  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3446]
nsBlockFrame::DoReflowInlineFramesAuto  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3347]
nsBlockFrame::ReflowInlineFrames  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3292]
nsBlockFrame::ReflowLine  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2456]
nsBlockFrame::ReflowDirtyLines  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2098]
nsBlockFrame::Reflow  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 817]
nsTableOuterFrame::Reflow  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1974]
nsBoxToBlockAdaptor::Reflow  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 884]
nsBoxToBlockAdaptor::RefreshSizeCache  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 385]
nsBoxToBlockAdaptor::GetAscent  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 590]
nsStackLayout::GetAscent  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsStackLayout.cpp, line 178]
nsContainerBox::GetAscent  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp, line 595]
nsBoxFrame::GetAscent  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 955]
nsContainerBox::GetAscent  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp, line 595]
nsBoxFrame::GetAscent  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 955]
nsContainerBox::DoLayout  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp, line 610]
nsBox::Layout  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp, line 1016]
nsContainerBox::DoLayout  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp, line 610]
nsBox::Layout  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp, line 1016]
nsRootBoxFrame::Reflow  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsRootBoxFrame.cpp, line 240]
nsContainerFrame::ReflowChild  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 982]
ViewportFrame::Reflow  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsViewportFrame.cpp, line 249]
IncrementalReflow::Dispatch  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp, line 904]
PresShell::ProcessReflowCommands  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp, line 6401]
ReflowEvent::HandleEvent  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp, line 6226]
PL_HandleEvent  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/xpcom/threads/plevent.c, line 674]
0x778b0c24
PreferredFontEnumCallback  [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/mathml/base/src/nsMathMLChar.cpp, line 983]
0xc03302eb

    
    

    
  
Hmm... That crashes in a different place, but _possibly_ related.  Is it reliably reproducible?

    
    

    
  
bz:  I just crashed again with today's 1.0.8 build using the testcase in this bug, so it appears to be easily reproducible.  Let me know if we need to reopen this bug or log a new one.

    
    

    
  
New one, I guess?  And note that "easily" and "reliably" are not the same thing.  "easily" would be "crashes once out of every three loads or so" while "reliably" is crashes every load.  Which one is it?

    
    

    
  
bz:  It is reliably reproducible for me... I have crashed 4 out of 4 times on loading the testcase with 2 recent builds.  Are you able to reproduce?  I will log a bug as soon as my most recent crash is processed and I can confirm the stack is the same as the one I posted.

    
    

    
  
jay, did you file a new bug?
I reliably crash on windows, mac and linux:
Windows:
Moz - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060214
Fx - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060214
Firefox/1.0.8
Macintosh:
Moz - Mozilla/5.0 (Macintosh; U;PPC Mac OS X Mach-O; en-US; rv:1.7.13)
Gecko/20060214 Firefox/1.0.8
Fx - Mozilla/5.0 (Macintosh; U;PPC Mac OS X Mach-O; en-US; rv:1.7.13)
Gecko/20060214 Firefox/1.0.8
Linux
Moz - Mozilla/5.0 (X11; U;Linux i686; en-US; rv:1.7.13) Gecko/20060214
Fx -  Mozilla/5.0 (X11; U;Linux i686; en-US; rv:1.7.13) Gecko/20060214
Firefox/1.0.8

    
    

    
  
So I finally managed to reproduce Jay's crash.  That's bug 275896 (landed on trunk about a year ago, so it's in 1.8, but it never made it to 1.7).

Not sure whether we care for 1.7, since it's a null pointer dereference, not a deleted pointer dereference...

    
    

    
  
Tracy: Nope,  haven't logged a bug yet, but looks like bz found an existing one.  I'll leave it up to the devs to decide what needs to be done about that one.  

I'm just going to mark this verified on 1.0.8 since my crash is different than the one that was fixed here.  I'll nominate bug 275896 for 1.0.9 in case we want to take the null pointer checks for the next release.

Thanks bz for digging that bug up.


Keywords: fixed-aviary1.0.8verified-aviary1.0.8
Group: security
Flags: in-testsuite+ → in-testsuite?

    
    

    
  
crash test landed
http://hg.mozilla.org/mozilla-central/rev/811d3a773dc0
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsGridRow::IsCollapsed]
[@ nsGrid::GetScrollBox]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: