Crash [@ nsIFrame::GetStyleData() line 607] (called by CalculateHypotheticalBox) involving XUL menus

RESOLVED INCOMPLETE

Status

()

Core
Layout: R & A Pos
--
critical
RESOLVED INCOMPLETE
12 years ago
2 years ago

People

(Reporter: bc, Assigned: dbaron)

Tracking

(Blocks: 1 bug, {crash})

Trunk
x86
Windows XP
crash
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.8.0.1 -
blocking1.8.0.2 -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos] null dereference, crash signature)

(Reporter)

Description

12 years ago
Automated RandomStyles testing on WiNXP with today's FF trunk:

http://php5.akbkhome.com:81/svn.php
seed=140;skip=255;changesPerInterval=144;interval=246;

nsIFrame::GetStyleData(nsStyleStructID eStyleStruct_Visibility) line 607 + 3 bytes
nsIFrame::GetStyleVisibility() line 98 + 17 bytes
nsHTMLReflowState::CalculateHypotheticalBox(nsPresContext * 0x030da0b8, nsIFrame * 0x0446ebd4, nsIFrame * 0x00000000, nsMargin & {...}, const nsHTMLReflowState * 0x0012e4a0, nsHypotheticalBox & {...}) line 893 + 8 bytes
nsHTMLReflowState::InitAbsoluteConstraints(nsPresContext * 0x030da0b8, const nsHTMLReflowState * 0x0012e4a0, int 0x00004b00, int 0x00003237) line 1066
nsHTMLReflowState::InitConstraints(nsPresContext * 0x030da0b8, int 0x00004b00, int 0x00003237, nsMargin * 0x00000000, nsMargin * 0x00000000) line 1965
nsHTMLReflowState::Init(nsPresContext * 0x030da0b8, int 0xffffffff, int 0xffffffff, nsMargin * 0x00000000, nsMargin * 0x00000000) line 343
nsHTMLReflowState::nsHTMLReflowState(nsPresContext * 0x030da0b8, const nsHTMLReflowState & {...}, nsIFrame * 0x04670550, const nsSize & {...}, nsReflowReason eReflowReason_Resize, int 0x00000001) line 217
nsFrame::BoxReflow(nsBoxLayoutState & {...}, nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000, int 0x00000000, int 0x00000000, int 0x00000000, int 0x00000000, int 0x00000001) line 5233
nsFrame::RefreshSizeCache(nsFrame * const 0x04670550, nsBoxLayoutState & {...}) line 4812 + 70 bytes
nsFrame::GetAscent(nsFrame * const 0x04670550, nsBoxLayoutState & {...}, int & 0x00000000) line 5019
nsSprocketLayout::GetAscent(nsSprocketLayout * const 0x029d90c0, nsIFrame * 0x040a79fc, nsBoxLayoutState & {...}, int & 0x000000e1) line 1563
nsBoxFrame::GetAscent(nsBoxFrame * const 0x040a79fc, nsBoxLayoutState & {...}, int & 0x000000e1) line 971 + 38 bytes
nsSprocketLayout::Layout(nsSprocketLayout * const 0x029d90c0, nsIFrame * 0x040a79fc, nsBoxLayoutState & {...}) line 257
nsBoxFrame::DoLayout(nsBoxFrame * const 0x040a79fc, nsBoxLayoutState & {...}) line 1089 + 34 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 802
nsStackLayout::Layout(nsStackLayout * const 0x028d14c0, nsIFrame * 0x040a7680, nsBoxLayoutState & {...}) line 321
nsBoxFrame::DoLayout(nsBoxFrame * const 0x040a7680, nsBoxLayoutState & {...}) line 1089 + 34 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 802
nsBoxFrame::Reflow(nsBoxFrame * const 0x040a7680, nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 840
nsRootBoxFrame::Reflow(nsRootBoxFrame * const 0x040a7680, nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 215
nsContainerFrame::ReflowChild(nsIFrame * 0x040a7680, nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0x00000000, int 0x00000000, unsigned int 0x00000000, unsigned int & 0x00000000) line 891 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x040a75ec, nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 229 + 43 bytes
IncrementalReflow::Dispatch(nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsSize & {...}, nsIRenderingContext & {...}) line 857
PresShell::ProcessReflowCommands(int 0x00000001) line 6484
PresShell::WillPaint(PresShell * const 0x030dfd80) line 6143
nsViewManager::DispatchEvent(nsViewManager * const 0x030da5c0, nsGUIEvent * 0x0012f040, nsEventStatus * 0x0012ef24) line 2036
HandleEvent(nsGUIEvent * 0x0012f040) line 176
nsWindow::DispatchEvent(nsWindow * const 0x030da6b4, nsGUIEvent * 0x0012f040, nsEventStatus & nsEventStatus_eIgnore) line 1140 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f040, nsEventStatus & nsEventStatus_eIgnore) line 1166
nsWindow::OnPaint(HDC__ * 0x00000000) line 5717 + 28 bytes
nsWindow::ProcessMessage(unsigned int 0x0000000f, unsigned int 0x00000000, long 0x00000000, long * 0x0012f554) line 4257 + 19 bytes
nsWindow::WindowProc(HWND__ * 0x002e0126, unsigned int 0x0000000f, unsigned int 0x00000000, long 0x00000000) line 1329 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d4b4c0()
USER32! 77d4b50c()
NTDLL! 7c90eae3()
nsWindow::DispatchStarvedPaints(HWND__ * 0x002e0126, long 0x00000000) line 4075 + 10 bytes
USER32! 77d4ccd1()
USER32! 77d4da57()
nsWindow::DispatchPendingEvents() line 4116
nsWindow::ProcessMessage(unsigned int 0x00000200, unsigned int 0x00000000, long 0x00c30156, long * 0x0012fb88) line 4488
nsWindow::WindowProc(HWND__ * 0x002b00f2, unsigned int 0x00000200, unsigned int 0x00000000, long 0x00c30156) line 1329 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x00baa870) line 135
nsAppStartup::Run(nsAppStartup * const 0x00baa7d0) line 161 + 26 bytes
XRE_main(int 0x00000001, char * * 0x003f6ed0, const nsXREAppData * 0x0042101c kAppData) line 2289 + 35 bytes
main(int 0x00000001, char * * 0x003f6ed0) line 61 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()
(Reporter)

Comment 1

12 years ago
Similar stack:
http://www.faser.net/mab/chrome/content/mab.xul
seed=140;skip=255;changesPerInterval=144;interval=246
(Reporter)

Comment 2

12 years ago
Similar stack:
http://www.croczilla.com/svg/samples/xulsvg1/xulsvg1.xul
seed=140;skip=255;changesPerInterval=144;interval=246
Probably bug 253479
Depends on: 253479
Whiteboard: [sg:nse] null dereference

Updated

12 years ago
Flags: blocking1.8.0.1?
(Assignee)

Updated

12 years ago
Whiteboard: [sg:nse] null dereference → [sg:dos] null dereference
(Assignee)

Updated

12 years ago
Component: Layout → Layout: R & A Pos
QA Contact: layout → layout.r-and-a-pos
(Assignee)

Updated

12 years ago
Assignee: nobody → dbaron
(Assignee)

Comment 4

12 years ago
The testcase in comment 0 currently (with the other fixes in my tree) gives me a crash related to XUL menus doing attribute changes during frame construction.
(Assignee)

Comment 5

12 years ago
... and I see the same problem for the testcase in comment 1.
(Assignee)

Comment 6

12 years ago
...and the testcase in comment 2 now crashes in something that's probably related to XUL menus setting attributes when they shouldn't.
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1-

Updated

12 years ago
Summary: Crash [@ nsIFrame::GetStyleData() line 607] → Crash [@ nsIFrame::GetStyleData() line 607] involving XUL menus

Comment 7

12 years ago
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060205 Firefox/1.6a1

Comment 0, opt:   After 20703 or 20847, it crashes [@ nsTreeBodyFrame::InvalidateScrollbars] with PresShell::Thaw on the stack

Comment 0, debug: Around 3000, it crashes [@ nsCSSFrameConstructor::FindFrameWithContent]

Comment 1, opt:   After 6015 or 8751, it stops drawing.

Comment 1, debug: Around 3000, it crashes [@ nsCSSFrameConstructor::FindFrameWithContent].

Comment 2, opt:   Passes 25000 without problems.

Comment 2, debug: Passes 25000 without problems.

dbaron, do any of the problems I see correspond to the XUL menu problems you saw?  If not, do you still see the XUL menu problems?  Do you have a good enough understanding of those problems that you don't need simplified testcases?
Not blocking 1.8.0.2: it's not exploitable and we're having trouble getting resources the more important exploitable flaws fixed in this timeframe. If this is blocking further testing we can reconsider.
Flags: blocking1.8.0.2? → blocking1.8.0.2-

Updated

12 years ago
Summary: Crash [@ nsIFrame::GetStyleData() line 607] involving XUL menus → Crash [@ nsIFrame::GetStyleData() line 607] (called by CalculateHypotheticalBox) involving XUL menus
(Reporter)

Comment 9

7 years ago
update crash bugs to critical per guidelines.
Severity: major → critical
Crash Signature: [@ nsIFrame::GetStyleData() line 607]

Comment 10

6 years ago
Opening based on comment 8.
Group: core-security

Updated

2 years ago
Crash Signature: [@ nsIFrame::GetStyleData() line 607] → [@ nsIFrame::GetStyleData() line 607] [@ nsIFrame::GetStyleData line 607]
Site no longer loads and no testcases attached.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.