Closed Bug 316639 Opened 19 years ago Closed 19 years ago

Crash [@ nsStyleContext::FindChildWithRules() line 182]

Categories: Core :: Layout, defect
Platform: x86, All
Type: defect
Priority: Not set
Severity: major

RESOLVED WORKSFORME

People

(Reporter: bc, Unassigned)

Details

(Keywords: crash, Whiteboard: [sg:critical] uses freed memory)

Whiteboard: [sg:fix] uses freed memory
Flags: blocking1.8.0.1?
Hrm, with this testcase the first thing I hit was bug 311457. I should retest once that's fixed.
On a ff1.5 debug build I didn't crash (this time, maybe neopets changed slightly) but did eventually go brain-dead (not quite a hang, but useless; corrupted memory?). Lots and lots of assertions, eventually including ones like these:

###!!! ASSERTION: Don't call me!: 'Error', file c:/dev/ff15/mozilla/dom/src/base/nsDOMClassInfo.cpp, line 3100
###!!! ASSERTION: running past end: 'mCurrent != mListLink', file c:\dev\ff15\mozilla\layout\generic\nsLineBox.h, line 589
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:fix] uses freed memory → [sg:critical] uses freed memory
(In reply to comment #1)
> Hrm, with this testcase the first thing I hit was bug 311457. I should retest
> once that's fixed.

Still crashes SeaMonkey 2005-12-27-00 trunk Linux. In a local debug build I get crashes in DeletingFrameSubtree(). With the proposed fix for bug 310638 it seems more stable - it runs for 15-20 minutes but crashes eventually, example crash (view->mParent == 0x5):

(gdb) bt
#0  0xe80cec83 in ?? ()
#1  0x4101f76c in nsIFrame::Invalidate(nsRect const&, int) const (this=0x8925f3c, aDamageRect=@0x8d44ea8, aImmediate=0) at nsFrame.cpp:2654
#2  0x4104288e in nsImageFrame::FrameChanged(imgIContainer*, gfxIImageFrame*, nsRect*) (this=0x8925f3c, aContainer=0x8914878, aNewFrame=0x89132b8, aDirtyRect=0xbfffe590) at nsImageFrame.cpp:670
#3  0x4104604e in nsImageListener::FrameChanged(imgIContainer*, gfxIImageFrame*, nsRect*) (this=0xbfffe3b0, aContainer=0x8914878, newframe=0x89132b8, dirtyRect=0xbfffe590) at nsImageFrame.cpp:2046
#4  0x411e7781 in nsImageLoadingContent::FrameChanged(imgIContainer*, gfxIImageFrame*, nsRect*) (this=0x8918804, aContainer=0x8914878, aFrame=0x89132b8, aDirtyRect=0xbfffe590) at nsImageLoadingContent.cpp:147
#5  0x41b5ee6c in imgRequestProxy::FrameChanged(imgIContainer*, gfxIImageFrame*, nsRect*) (this=0x8919b90, container=0x8914878, newframe=0x89132b8, dirtyRect=0xbfffe590) at imgRequestProxy.cpp:392
#6  0x41b5b29a in imgRequest::FrameChanged(imgIContainer*, gfxIImageFrame*, nsRect*) (this=0x89190b0, container=0x8914878, newframe=0x89132b8, dirtyRect=0xbfffe590) at imgRequest.cpp:401
#7  0x41b641cb in imgContainerGIF::Notify(nsITimer*) (this=0x8914878, timer=0x8918000) at imgContainerGIF.cpp:455
#8  0x4016e2ed in nsTimerImpl::Fire() (this=0x8918000) at nsTimerImpl.cpp:403
#9  0x4016e462 in handleTimerEvent (aEvent=0x88e2498) at nsTimerImpl.cpp:467
#10 0x40167551 in PL_HandleEvent (self=0x88e2498) at plevent.c:688
#11 0x4016742a in PL_ProcessPendingEvents (self=0x80d48a8) at plevent.c:623
#12 0x40169faa in nsEventQueueImpl::ProcessPendingEvents() (this=0x80daa28) at nsEventQueue.cpp:417
#13 0x41d19faa in event_processor_callback (source=0x8348d90, condition=G_IO_IN, data=0xbfffe3b0) at nsAppShell.cpp:67
#14 0x40686def in g_io_unix_dispatch () from /opt/gnome/lib/libglib-2.0.so.0
#15 0x40664148 in g_main_dispatch () from /opt/gnome/lib/libglib-2.0.so.0
#16 0x406651a8 in g_main_context_dispatch () from /opt/gnome/lib/libglib-2.0.so.0
#17 0x406655a8 in g_main_context_iterate () from /opt/gnome/lib/libglib-2.0.so.0
#18 0x40665bf7 in g_main_loop_run () from /opt/gnome/lib/libglib-2.0.so.0
#19 0x403896ff in gtk_main () from /opt/gnome/lib/libgtk-x11-2.0.so.0
#20 0x41d1a554 in nsAppShell::Run() (this=0x8164b18) at nsAppShell.cpp:139
#21 0x41c896ed in nsAppStartup::Run() (this=0x8163728) at nsAppStartup.cpp:207
#22 0x08051663 in main1 (argc=2, argv=0xbfffeae4, nativeApp=0x80b5380) at nsAppRunner.cpp:1248
#23 0x08051fe0 in main (argc=2, argv=0xbfffeae4) at nsAppRunner.cpp:1736
(gdb) fr 2
#2  0x4104288e in nsImageFrame::FrameChanged(imgIContainer*, gfxIImageFrame*, nsRect*) (this=0x8925f3c, aContainer=0x8914878, aNewFrame=0x89132b8, aDirtyRect=0xbfffe590) at nsImageFrame.cpp:670
670       Invalidate(r, PR_FALSE);
(gdb) p *this
$1 = {<nsSplittableFrame> = {<nsFrame> = {<nsBox> = {<nsIFrame> = {<nsISupports> = {_vptr.nsISupports = 0x415a65e8}, mRect = {x = 0, y = 0, width = 0, height = 0}, mContent = 0x89187e8, mStyleContext = 0x8c88050, mParent = 0x89214ec, mNextSibling = 0x0, mState = 9506}, static gGotTheme = 1, static gTheme = 0x8313a08}, <nsIFrameDebug> = {<nsISupports> = {_vptr.nsISupports = 0x415a6810}, <No data fields>}, <No data fields>}, mPrevInFlow = 0x0, mNextInFlow = 0x0}, <nsIImageFrame> = {<nsISupports> = {_vptr.nsISupports = 0x415a6838}, <No data fields>}, mImageMap = 0x0, mListener = {mRawPtr = 0x8bc6cb0}, mComputedSize = {width = 0, height = 0}, mIntrinsicSize = {width = 0, height = 0}, mTransform = {m00 = 1, m11 = 1, m20 = 0, m21 = 0, type = 0}, mBorderPadding = {top = 0, right = 0, bottom = 0, left = 0}, static sIOService = 0x813b828, static gIconLoad = 0x88ef310}
(gdb) fr 1
#1  0x4101f76c in nsIFrame::Invalidate(nsRect const&, int) const (this=0x8925f3c, aDamageRect=@0x8d44ea8, aImmediate=0) at nsFrame.cpp:2654
2654      view->GetViewManager()->UpdateView(view, damageRect, flags);
(gdb) p view
$2 = (class nsIView *) 0x8d44ea8
(gdb) p *view
$3 = {_vptr.nsIView = 0x1, mViewManager = 0x40b98f00, mParent = 0x5, mWindow = 0x4, mNextSibling = 0x8d0cdb8, mFirstChild = 0x1c00, mClientData = 0x0, mZIndex = 0, mVis = nsViewVisibility_kHide, mPosX = 0, mPosY = 142381560, mDimBounds = {x = 0, y = 0, width = 0, height = 0}, mOpacity = 0, mVFlags = 0}
(gdb)
Depends on: 310638
OS: Windows XP → All
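A small triage helper, added here as an example and not part of this bug or of the Mozilla tree: it parses gdb backtrace frames of the form posted in comment 2 (function with its C++ signature, argument values, `at file:line` or `from library`), picks out the first frame that lands in project source rather than `??` or a shared object, and scans a dumped struct for pointer-typed fields whose non-null value lies below the first mappable page. That last check is what makes the `p *view` output above (vtable pointer 0x1, mParent 0x5, mWindow 0x4) read as a dangling pointer into freed memory rather than a logic error. The sample lines are copied from this bug's comment; `MIN_VALID_PTR` is an assumption about the platform's unmapped first page.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the backtrace frames and the nsIView dump
# quoted in comment 2 of this bug.
SAMPLE_BT = """\
#0  0xe80cec83 in ?? ()
#1  0x4101f76c in nsIFrame::Invalidate(nsRect const&, int) const (this=0x8925f3c, aDamageRect=@0x8d44ea8, aImmediate=0) at nsFrame.cpp:2654
#2  0x4104288e in nsImageFrame::FrameChanged(imgIContainer*, gfxIImageFrame*, nsRect*) (this=0x8925f3c, aContainer=0x8914878, aNewFrame=0x89132b8, aDirtyRect=0xbfffe590) at nsImageFrame.cpp:670
#7  0x41b641cb in imgContainerGIF::Notify(nsITimer*) (this=0x8914878, timer=0x8918000) at imgContainerGIF.cpp:455
#14 0x40686def in g_io_unix_dispatch () from /opt/gnome/lib/libglib-2.0.so.0
"""
SAMPLE_VIEW = ("$3 = {_vptr.nsIView = 0x1, mViewManager = 0x40b98f00, mParent = 0x5, "
               "mWindow = 0x4, mNextSibling = 0x8d0cdb8, mFirstChild = 0x1c00, "
               "mClientData = 0x0, mZIndex = 0, mPosY = 142381560}")

# Assumption: the first page of the address space is unmapped, so a non-null
# pointer below this value cannot refer to a live object.
MIN_VALID_PTR = 0x1000


@dataclass
class Frame:
    num: int
    func: str       # function name with its signature, as gdb prints it
    args: dict      # argument name -> raw value text
    location: str   # "file:line", a shared-object path, or "" if unknown


HEAD_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(.*)$")
LOC_RE = re.compile(r"\s+(?:at\s+(\S+:\d+)|from\s+(\S+))\s*$")
ARG_RE = re.compile(r"([\w.]+)\s*=\s*@?(\S+?)(?:,|$)")
PTR_FIELD_RE = re.compile(r"([\w.]+)\s*=\s*(0x[0-9a-fA-F]+)")


def _split_call(text):
    """Split 'Func(sig) const (a=1, b=2)' into (function-with-signature,
    'a=1, b=2') by locating the last balanced parenthesised group, which is
    the actual argument list; earlier groups belong to the C++ signature."""
    if not text.endswith(")"):
        return text.strip(), ""
    depth = 0
    for i in range(len(text) - 1, -1, -1):
        if text[i] == ")":
            depth += 1
        elif text[i] == "(":
            depth -= 1
            if depth == 0:
                return text[:i].strip(), text[i + 1:-1].strip()
    return text.strip(), ""


def parse_frame(line):
    """Parse one '#N 0xADDR in func (args) at file:line' line; None if not a frame."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    num, rest = int(m.group(1)), m.group(2)
    location = ""
    lm = LOC_RE.search(rest)
    if lm:
        location = lm.group(1) or lm.group(2)
        rest = rest[:lm.start()]
    func, argtext = _split_call(rest.strip())
    return Frame(num, func, dict(ARG_RE.findall(argtext)), location)


def parse_backtrace(text):
    return [f for f in (parse_frame(l) for l in text.splitlines()) if f]


def first_project_frame(frames):
    """First frame resolved to a source file:line (skips '??' and library frames)."""
    return next((f for f in frames if ":" in f.location), None)


def implausible_pointers(struct_dump):
    """Pointer-looking fields (gdb prints pointers in hex, integers in decimal)
    whose value is non-null but below MIN_VALID_PTR: a hallmark of reading a
    struct through a pointer into memory that has been freed and reused."""
    out = {}
    for name, hexval in PTR_FIELD_RE.findall(struct_dump):
        val = int(hexval, 16)
        if 0 < val < MIN_VALID_PTR:
            out[name] = val
    return out


if __name__ == "__main__":
    frames = parse_backtrace(SAMPLE_BT)
    top = first_project_frame(frames)
    print("crash site:", top.func, "at", top.location)
    print("suspect fields:", implausible_pointers(SAMPLE_VIEW))
```

Run against the constructed sample the helper reports frame #1 (nsFrame.cpp:2654) as the crash site and flags `_vptr.nsIView`, `mParent` and `mWindow`; a legitimate null (`mClientData = 0x0`) and a decimal integer (`mPosY`) are left alone, which is the distinction a triager needs before upgrading a crash to "uses freed memory".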
No sign of a fix, not realistic for 1.8.0.1
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1-
Neopets isn't a good site for getting reproducible fuzz crashes, and I don't see problems, so marking WFM.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Flags: blocking1.8.0.2? → blocking1.8.0.2-
Group: security
in-testsuite- since it sounds like it's not worth the effort here given reproducibility concerns.
Flags: in-testsuite-
Crash Signature: [@ nsStyleContext::FindChildWithRules() line 182]