Closed Bug 317285 Opened 19 years ago Closed 15 years ago

mangle.php crashes in various ntdll.dll locations, multiple stack traces including [@ nsTextFrame::PaintUnicodeText] and [@ nsAutoIndexBuffer::~nsAutoIndexBuffer]

Categories

(Core :: Layout, defect)

1.8 Branch
x86
Windows 2000
defect
Not set
critical

Tracking

RESOLVED WORKSFORME

People

(Reporter: nstrom, Unassigned)

Details

(Keywords: crash)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

While playing with this page - http://bcheck.scanit.be/bcheck/mangle.php - I managed to get a page that can reliably crash my Firefox on this PC. (See bug URL above.) Crash traces are not all identical, but seem to be MSVCRT.DLL -> ntdll.dll.

I tried reproducing this on:
Firefox 1.0.7 / Windows 2000 Server
Firefox 1.5 RC3 / Windows Vista build 5112
Firefox 1.5 RC3 / Windows XP Professional SP2
and could not reproduce the crash, so this could be something specific to the machine I'm using.

Reproducible: Always

Steps to Reproduce:
1. Load target URL
2. Firefox doesn't seem to crash until I click on the page, use a dropdown menu, browse away... doesn't seem to crash if I just leave the page open.

Actual Results: Crash, see various talkback IDs.

Expected Results: No crash

Talkback IDs: TB12006175Z TB12006323Q TB12006449Y TB12006475K TB12006489M TB12007189Z TB12095375X

Url, doesn't crash for me, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051115 Firefox/1.6a1
Component: General → Layout
Keywords: crash
Product: Firefox → Core
QA Contact: general → layout
Version: unspecified → Trunk
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051120 Firefox/1.6a1 ID:2005112006
Did the crash test a few days ago and Firefox froze on one test after a loong time.
TB12006175Z has three windows offsets only, TB12095375X is a typo, number too big.

TB12006323Q
identical: TB12006449Y, TB12006475K, TB12007189Z
similar: TB12006489M

ntdll.dll + 0x4d989 (0x77fcd989)
ntdll.dll + 0x4b80c (0x77fcb80c)
MSVCRT.DLL + 0x1e00 (0x78001e00)
nsAutoIndexBuffer::~nsAutoIndexBuffer [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsTextFrame.cpp, line 175]
nsTextFrame::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsTextFrame.cpp, line 1614]
nsContainerFrame::PaintChild [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 283]
nsBlockFrame::PaintChild [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/tables/../generic\nsBlockFrame.h, line 287]
nsBlockFrame::PaintChildren [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsBlockFrame.cpp, line 6441]
nsHTMLContainerFrame::PaintDecorationsAndChildren [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLContainerFrame.cpp, line 138]
nsBlockFrame::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsBlockFrame.cpp, line 6268]
nsContainerFrame::PaintChild [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 283]
nsBlockFrame::PaintChild [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/tables/../generic\nsBlockFrame.h, line 287]
nsBlockFrame::PaintChildren [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsBlockFrame.cpp, line 6441]
nsHTMLContainerFrame::PaintDecorationsAndChildren [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLContainerFrame.cpp, line 138]
nsBlockFrame::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsBlockFrame.cpp, line 6268]
nsContainerFrame::PaintChild [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 283]
nsContainerFrame::PaintChildren [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 228]
nsHTMLContainerFrame::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLContainerFrame.cpp, line 84]
CanvasFrame::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLFrame.cpp, line 385]
PresShell::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5810]
nsView::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 316]
nsViewManager::RenderDisplayListElement [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 1460]
nsViewManager::RenderViews [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 1375]
nsViewManager::Refresh [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 930]
nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2047]
HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1252]
nsWindow::ProcessMessage [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4362]
nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1434]
USER32.dll + 0x3158f (0x77e4158f)
USER32.dll + 0x2c19d (0x77e3c19d)
USER32.dll + 0x2c1ca (0x77e3c1ca)
ntdll.dll + 0x11baf (0x77f91baf)
USER32.dll + 0x1142c (0x77e2142c)
nsWindow::ProcessMessage [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4627]
nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1434]
USER32.dll + 0x3158f (0x77e4158f)
USER32.dll + 0x31dc9 (0x77e41dc9)
USER32.dll + 0x31e7e (0x77e41e7e)
nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
KERNEL32.dll + 0x28989 (0x7c598989)

istr purify complaining about these classes:
nsAutoIndexBuffer::~nsAutoIndexBuffer
nsTextFrame::Paint
Blocks: Zalewski
Summary: mangle.php crashes in various ntdll.dll locations, multiple stack traces → mangle.php crashes in various ntdll.dll locations, multiple stack traces including [@ nsTextFrame::PaintUnicodeText] and [@ nsAutoIndexBuffer::~nsAutoIndexBuffer]
Assignee: nobody → dveditz
I can't get this to crash on a debug or purify build (arg!) but it crashes right away on a release 1.5
Status: UNCONFIRMED → NEW
Ever confirmed: true
Severity: normal → critical
Version: Trunk → 1.8 Branch
iirc i've filed purify based bugs about the frames mentioned in this bug...
WFM, latest Firefox 2, 3.0, 3.1 debug builds on Linux. valgrind was silent.
(In reply to comment #7)
> WFM, latest Firefox 2, 3.0, 3.1 debug builds on Linux. valgrind was silent.
Perhaps some resolution on this bug then?
Assignee: dveditz → nobody
Well, ntdll would be a Windows-specific thing, so testing on Linux doesn't mean much. But this WFM on Vista too.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
I'll add this particular mangleme testcase as a crashtest, so if Serge ever gets around to running unit tests on Windows 2000, we'll know if this bug still exists.
Crash Signature: [@ nsTextFrame::PaintUnicodeText] [@ nsAutoIndexBuffer::~nsAutoIndexBuffer]