Closed Bug 316608 Opened 19 years ago Closed 9 years ago

Crash [@ nsIFrame::GetStyleData() line 607] (called by CalculateHypotheticalBox) involving XUL menus

Categories

(Core :: Layout: Positioned, defect)

x86
Windows XP
defect
Not set
critical

Tracking

RESOLVED INCOMPLETE

People

(Reporter: bc, Assigned: dbaron)

Details

(Keywords: crash, Whiteboard: [sg:dos] null dereference)

Automated RandomStyles testing on WiNXP with today's FF trunk:

http://php5.akbkhome.com:81/svn.php
seed=140;skip=255;changesPerInterval=144;interval=246;

nsIFrame::GetStyleData(nsStyleStructID eStyleStruct_Visibility) line 607 + 3 bytes
nsIFrame::GetStyleVisibility() line 98 + 17 bytes
nsHTMLReflowState::CalculateHypotheticalBox(nsPresContext * 0x030da0b8, nsIFrame * 0x0446ebd4, nsIFrame * 0x00000000, nsMargin & {...}, const nsHTMLReflowState * 0x0012e4a0, nsHypotheticalBox & {...}) line 893 + 8 bytes
nsHTMLReflowState::InitAbsoluteConstraints(nsPresContext * 0x030da0b8, const nsHTMLReflowState * 0x0012e4a0, int 0x00004b00, int 0x00003237) line 1066
nsHTMLReflowState::InitConstraints(nsPresContext * 0x030da0b8, int 0x00004b00, int 0x00003237, nsMargin * 0x00000000, nsMargin * 0x00000000) line 1965
nsHTMLReflowState::Init(nsPresContext * 0x030da0b8, int 0xffffffff, int 0xffffffff, nsMargin * 0x00000000, nsMargin * 0x00000000) line 343
nsHTMLReflowState::nsHTMLReflowState(nsPresContext * 0x030da0b8, const nsHTMLReflowState & {...}, nsIFrame * 0x04670550, const nsSize & {...}, nsReflowReason eReflowReason_Resize, int 0x00000001) line 217
nsFrame::BoxReflow(nsBoxLayoutState & {...}, nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000, int 0x00000000, int 0x00000000, int 0x00000000, int 0x00000000, int 0x00000001) line 5233
nsFrame::RefreshSizeCache(nsFrame * const 0x04670550, nsBoxLayoutState & {...}) line 4812 + 70 bytes
nsFrame::GetAscent(nsFrame * const 0x04670550, nsBoxLayoutState & {...}, int & 0x00000000) line 5019
nsSprocketLayout::GetAscent(nsSprocketLayout * const 0x029d90c0, nsIFrame * 0x040a79fc, nsBoxLayoutState & {...}, int & 0x000000e1) line 1563
nsBoxFrame::GetAscent(nsBoxFrame * const 0x040a79fc, nsBoxLayoutState & {...}, int & 0x000000e1) line 971 + 38 bytes
nsSprocketLayout::Layout(nsSprocketLayout * const 0x029d90c0, nsIFrame * 0x040a79fc, nsBoxLayoutState & {...}) line 257
nsBoxFrame::DoLayout(nsBoxFrame * const 0x040a79fc, nsBoxLayoutState & {...}) line 1089 + 34 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 802
nsStackLayout::Layout(nsStackLayout * const 0x028d14c0, nsIFrame * 0x040a7680, nsBoxLayoutState & {...}) line 321
nsBoxFrame::DoLayout(nsBoxFrame * const 0x040a7680, nsBoxLayoutState & {...}) line 1089 + 34 bytes
nsIFrame::Layout(nsBoxLayoutState & {...}) line 802
nsBoxFrame::Reflow(nsBoxFrame * const 0x040a7680, nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 840
nsRootBoxFrame::Reflow(nsRootBoxFrame * const 0x040a7680, nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 215
nsContainerFrame::ReflowChild(nsIFrame * 0x040a7680, nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0x00000000, int 0x00000000, unsigned int 0x00000000, unsigned int & 0x00000000) line 891 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x040a75ec, nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 229 + 43 bytes
IncrementalReflow::Dispatch(nsPresContext * 0x030da0b8, nsHTMLReflowMetrics & {...}, const nsSize & {...}, nsIRenderingContext & {...}) line 857
PresShell::ProcessReflowCommands(int 0x00000001) line 6484
PresShell::WillPaint(PresShell * const 0x030dfd80) line 6143
nsViewManager::DispatchEvent(nsViewManager * const 0x030da5c0, nsGUIEvent * 0x0012f040, nsEventStatus * 0x0012ef24) line 2036
HandleEvent(nsGUIEvent * 0x0012f040) line 176
nsWindow::DispatchEvent(nsWindow * const 0x030da6b4, nsGUIEvent * 0x0012f040, nsEventStatus & nsEventStatus_eIgnore) line 1140 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f040, nsEventStatus & nsEventStatus_eIgnore) line 1166
nsWindow::OnPaint(HDC__ * 0x00000000) line 5717 + 28 bytes
nsWindow::ProcessMessage(unsigned int 0x0000000f, unsigned int 0x00000000, long 0x00000000, long * 0x0012f554) line 4257 + 19 bytes
nsWindow::WindowProc(HWND__ * 0x002e0126, unsigned int 0x0000000f, unsigned int 0x00000000, long 0x00000000) line 1329 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d4b4c0()
USER32! 77d4b50c()
NTDLL! 7c90eae3()
nsWindow::DispatchStarvedPaints(HWND__ * 0x002e0126, long 0x00000000) line 4075 + 10 bytes
USER32! 77d4ccd1()
USER32! 77d4da57()
nsWindow::DispatchPendingEvents() line 4116
nsWindow::ProcessMessage(unsigned int 0x00000200, unsigned int 0x00000000, long 0x00c30156, long * 0x0012fb88) line 4488
nsWindow::WindowProc(HWND__ * 0x002b00f2, unsigned int 0x00000200, unsigned int 0x00000000, long 0x00c30156) line 1329 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x00baa870) line 135
nsAppStartup::Run(nsAppStartup * const 0x00baa7d0) line 161 + 26 bytes
XRE_main(int 0x00000001, char * * 0x003f6ed0, const nsXREAppData * 0x0042101c kAppData) line 2289 + 35 bytes
main(int 0x00000001, char * * 0x003f6ed0) line 61 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()

Similar stack:
http://www.faser.net/mab/chrome/content/mab.xul
seed=140;skip=255;changesPerInterval=144;interval=246

Similar stack:
http://www.croczilla.com/svg/samples/xulsvg1/xulsvg1.xul
seed=140;skip=255;changesPerInterval=144;interval=246

Probably bug 253479
Depends on: 253479
Whiteboard: [sg:nse] null dereference
Flags: blocking1.8.0.1?
Whiteboard: [sg:nse] null dereference → [sg:dos] null dereference
Component: Layout → Layout: R & A Pos
QA Contact: layout → layout.r-and-a-pos
Assignee: nobody → dbaron
The testcase in comment 0 currently (with the other fixes in my tree) gives me a crash related to XUL menus doing attribute changes during frame construction.
... and I see the same problem for the testcase in comment 1.
...and the testcase in comment 2 now crashes in something that's probably related to XUL menus setting attributes when they shouldn't.
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1-
Summary: Crash [@ nsIFrame::GetStyleData() line 607] → Crash [@ nsIFrame::GetStyleData() line 607] involving XUL menus
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060205 Firefox/1.6a1

Comment 0, opt:   After 20703 or 20847, it crashes [@ nsTreeBodyFrame::InvalidateScrollbars] with PresShell::Thaw on the stack

Comment 0, debug: Around 3000, it crashes [@ nsCSSFrameConstructor::FindFrameWithContent]

Comment 1, opt:   After 6015 or 8751, it stops drawing.

Comment 1, debug: Around 3000, it crashes [@ nsCSSFrameConstructor::FindFrameWithContent].

Comment 2, opt:   Passes 25000 without problems.

Comment 2, debug: Passes 25000 without problems.

dbaron, do any of the problems I see correspond to the XUL menu problems you saw?  If not, do you still see the XUL menu problems?  Do you have a good enough understanding of those problems that you don't need simplified testcases?
Not blocking 1.8.0.2: it's not exploitable and we're having trouble getting the resources to get the more important exploitable flaws fixed in this timeframe. If this is blocking further testing we can reconsider.
Flags: blocking1.8.0.2? → blocking1.8.0.2-
Summary: Crash [@ nsIFrame::GetStyleData() line 607] involving XUL menus → Crash [@ nsIFrame::GetStyleData() line 607] (called by CalculateHypotheticalBox) involving XUL menus
Update crash bugs to critical per guidelines.
Severity: major → critical
Crash Signature: [@ nsIFrame::GetStyleData() line 607]
Opening based on comment 8.
Group: core-security
Crash Signature: [@ nsIFrame::GetStyleData() line 607] → [@ nsIFrame::GetStyleData() line 607] [@ nsIFrame::GetStyleData line 607]
Site no longer loads and no testcases attached.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE