Closed Bug 317547 Opened 19 years ago Closed 19 years ago

Crash [@ 035db954()] called from nsHTMLReflowState::ComputePadding() line 2444

Categories

(Core :: Layout, defect)

x86
Windows XP
defect
Not set
major

RESOLVED WORKSFORME

People

(Reporter: bc, Assigned: sicking)

(Keywords: crash, Whiteboard: [sg:dupe?] mentions stirdom)

Automated StirDOM testing on WinXP with today's FF trunk:

stirdom: http://golem.ph.utexas.edu/~distler/blog/archives/000635.html 
parameters: 187,217,44,181

This is a duplicate stack from nsHTMLReflowState::ComputePadding and up to Bug 305386. Filing separately and marking confidential since it is stirdom-related.

035db954()
nsHTMLReflowState::ComputePadding(int 0x00002913, const nsHTMLReflowState * 0x001298e8) line 2444 + 20 bytes
nsHTMLReflowState::InitConstraints(nsPresContext * 0x033d7b70, int 0x00002913, int 0x40000000, nsMargin * 0x00000000, nsMargin * 0x00000000) line 1763
nsHTMLReflowState::Init(nsPresContext * 0x033d7b70, int 0xffffffff, int 0xffffffff, nsMargin * 0x00000000, nsMargin * 0x00000000) line 343
nsHTMLReflowState::nsHTMLReflowState(nsPresContext * 0x033d7b70, const nsHTMLReflowState & {...}, nsIFrame * 0x035d0fac, const nsSize & {...}, nsReflowReason eReflowReason_Incremental, int 0x00000001) line 217
nsLineLayout::ReflowFrame(nsIFrame * 0x035d0fac, unsigned int & 0x00000000, nsHTMLReflowMetrics * 0x00000000, int & 0x00000000) line 912
nsBlockFrame::ReflowInlineFrame(nsBlockReflowState & {...}, nsLineLayout & {...}, nsLineList_iterator {...}, nsIFrame * 0x035d0fac, unsigned char * 0x00128d37) line 4028 + 22 bytes
nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState & {...}, nsLineLayout & {...}, nsLineList_iterator {...}, int * 0x001290f0, unsigned char * 0x00128e3b, int 0x00000000, int 0x00000001) line 3867 + 32 bytes
nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x001290f0, int 0x00000001, int 0x00000000) line 3740 + 46 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x001290f0, int 0x00000001) line 2735 + 33 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}, int 0x00000001) line 2269 + 31 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x03640018, nsPresContext * 0x033d7b70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 902 + 17 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0x00000001, nsCollapsingMargin & {...}, int 0x00000000, int 0x00000000, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 605 + 42 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x00129d3c) line 3455 + 66 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x00129d3c, int 0x00000001) line 2617 + 27 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}, int 0x00000001) line 2269 + 31 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x034d6210, nsPresContext * 0x033d7b70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 902 + 17 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0x00000001, nsCollapsingMargin & {...}, int 0x00000000, int 0x00000001, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 605 + 42 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012a988) line 3455 + 66 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012a988, int 0x00000001) line 2617 + 27 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}, int 0x00000001) line 2269 + 31 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0354f5a0, nsPresContext * 0x033d7b70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 902 + 17 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0x00000000, nsCollapsingMargin & {...}, int 0x00000000, int 0x00000001, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 605 + 42 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012b5d4) line 3455 + 66 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012b5d4, int 0x00000001) line 2617 + 27 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}, int 0x00000001) line 2269 + 31 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0354f410, nsPresContext * 0x033d7b70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 902 + 17 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0x00000000, nsCollapsingMargin & {...}, int 0x00000000, int 0x00000001, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 605 + 42 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012c220) line 3455 + 66 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012c220, int 0x00000001) line 2617 + 27 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}, int 0x00000001) line 2269 + 31 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0354f280, nsPresContext * 0x033d7b70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 902 + 17 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0x00000000, nsCollapsingMargin & {...}, int 0x00000000, int 0x00000001, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 605 + 42 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012ce6c) line 3455 + 66 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012ce6c, int 0x00000001) line 2617 + 27 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}, int 0x00000001) line 2269 + 31 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0354f010, nsPresContext * 0x033d7b70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 902 + 17 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0x00000000, nsCollapsingMargin & {...}, int 0x00000000, int 0x00000001, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 605 + 42 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012dab8) line 3455 + 66 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012dab8, int 0x00000001) line 2617 + 27 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}, int 0x00000001) line 2269 + 31 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0354eee0, nsPresContext * 0x033d7b70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 902 + 17 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0x00000001, nsCollapsingMargin & {...}, int 0x00000000, int 0x00000001, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 605 + 42 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012e704) line 3455 + 66 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012e704, int 0x00000001) line 2617 + 27 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}, int 0x00000001) line 2269 + 31 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0354ec8c, nsPresContext * 0x033d7b70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 902 + 17 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x0354ec8c, nsPresContext * 0x033d7b70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0x00000000, int 0x00000000, unsigned int 0x00000000, unsigned int & 0x00000000) line 891 + 31 bytes
CanvasFrame::Reflow(CanvasFrame * const 0x034d2dc8, nsPresContext * 0x033d7b70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 525
nsContainerFrame::ReflowChild(nsIFrame * 0x034d2dc8, nsPresContext * 0x033d7b70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0x00000000, int 0x00000000, unsigned int 0x00000003, unsigned int & 0x00000000) line 891 + 31 bytes
nsHTMLScrollFrame::ReflowScrolledFrame(const ScrollReflowState & {...}, int 0x00000000, int 0x00000001, nsHTMLReflowMetrics * 0x0012efe4, int 0x00000001) line 513 + 54 bytes
nsHTMLScrollFrame::ReflowContents(ScrollReflowState * 0x0012f18c, const nsHTMLReflowMetrics & {...}) line 583 + 27 bytes
nsHTMLScrollFrame::Reflow(nsHTMLScrollFrame * const 0x034d2f14, nsPresContext * 0x033d7b70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 780 + 16 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x034d2f14, nsPresContext * 0x033d7b70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0x00000000, int 0x00000000, unsigned int 0x00000000, unsigned int & 0x00000000) line 891 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x034d2d34, nsPresContext * 0x033d7b70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 229 + 43 bytes
IncrementalReflow::Dispatch(nsPresContext * 0x033d7b70, nsHTMLReflowMetrics & {...}, const nsSize & {...}, nsIRenderingContext & {...}) line 857
PresShell::ProcessReflowCommands(int 0x00000001) line 6484
ReflowEvent::HandleEvent() line 6308
HandlePLEvent(PLEvent * 0x03750e50) line 6326
PL_HandleEvent(PLEvent * 0x03750e50) line 688 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00f512d8) line 623 + 9 bytes
nsEventQueueImpl::ProcessPendingEvents(nsEventQueueImpl * const 0x00f293f0) line 417 + 12 bytes
nsWindow::DispatchPendingEvents() line 4114
nsWindow::ProcessMessage(unsigned int 0x00000200, unsigned int 0x00000000, long 0x021f025a, long * 0x0012fb88) line 4495
nsWindow::WindowProc(HWND__ * 0x000c03d4, unsigned int 0x00000200, unsigned int 0x00000000, long 0x021f025a) line 1330 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x00f72a08) line 135
nsAppStartup::Run(nsAppStartup * const 0x00f72968) line 161 + 26 bytes
XRE_main(int 0x00000004, char * * 0x003f6d28, const nsXREAppData * 0x0042101c kAppData) line 2289 + 35 bytes
main(int 0x00000004, char * * 0x003f6d28) line 61 + 18 bytes
mainCRTStartup() line 338 + 17 bytes

On the 1.5 branch I got a completely different stack: VerifyContextParent() in nsFrameManager.cpp is passed a deleted aFrame object.
Whiteboard: [sg:fix]
Flags: blocking1.8.0.1?
Assignee: nobody → bugmail

I'm seeing the top of the stack be:

#5  <signal handler called>
#6  0x013d8a2d in nsMathMLContainerFrame::GetType (this=0xa033d54)
    at /builds/trunk/mozilla/layout/mathml/base/src/nsMathMLContainerFrame.cpp:1167
#7  0x01010618 in nsHTMLReflowState::ComputePadding (this=0xbf864870,
    aContainingBlockWidth=10515, aContainingBlockRS=0xbf8655e8)
    at /builds/trunk/mozilla/layout/generic/nsHTMLReflowState.cpp:2444
#8  0x010129d3 in nsHTMLReflowState::InitConstraints (this=0xbf864870,
    aPresContext=0x9dd62d8, aContainingBlockWidth=10515,
    aContainingBlockHeight=1073741824, aBorder=0x0, aPadding=0x0)
    at /builds/trunk/mozilla/layout/generic/nsHTMLReflowState.cpp:1761
#9  0x01012c71 in nsHTMLReflowState::Init (this=0xbf864870,
    aPresContext=0x9dd62d8, aContainingBlockWidth=-1,
    aContainingBlockHeight=-1, aBorder=0x0, aPadding=0x0)
    at /builds/trunk/mozilla/layout/generic/nsHTMLReflowState.cpp:342
#10 0x01013428 in nsHTMLReflowState (this=0xbf864870, aPresContext=0x9dd62d8,
    aParentReflowState=@0xbf8655e8, aFrame=0xa033d54,
    aAvailableSpace=@0xbf864978, aReason=eReflowReason_Incremental, aInit=1)
    at /builds/trunk/mozilla/layout/generic/nsHTMLReflowState.cpp:212
#11 0x01024a93 in nsLineLayout::ReflowFrame (this=0xbf864b30,
    aFrame=0xa033d54, aReflowStatus=@0xbf864a34, aMetrics=0x0,
    aPushedFrame=@0xbf864a30)
    at /builds/trunk/mozilla/layout/generic/nsLineLayout.cpp:911

(gdb) frame 6
#6  0x013d8a2d in nsMathMLContainerFrame::GetType (this=0xa033d54)
    at /builds/trunk/mozilla/layout/mathml/base/src/nsMathMLContainerFrame.cpp:1167
1167        return mPresentationData.baseFrame->GetType();
(gdb) p mPresentatioinData
No symbol "mPresentatioinData" in current context.
(gdb) p mPresentationData
$1 = {flags = 0, baseFrame = 0xa077d48, mstyle = 0x0, scriptLevel = 0}
(gdb) p mPresentationData.baseFrame
$2 = (class nsIFrame *) 0xa077d48
(gdb) x/wa *(void**) mPresentationData.baseFrame
0xa07747c:      0xa042f3c

which makes it look a bit MathML-related.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:fix] → [sg:critical?]
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1-

WFM on WinXP with today's Firefox trunk build (on the QA machine closest to where Marcia sits). The status bar counter gets past 5000 without a crash. Several MathML StirDOM bugs have been fixed recently, so I'm guessing it got fixed through one of them.

dbaron or bc, please reopen if you can still reproduce.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Flags: blocking1.8.0.2? → blocking1.8.0.2-
Whiteboard: [sg:critical?] → [sg:dupe?] mentions stirdom
Crash Signature: [@ 035db954()]
Group: core-security → core-security-release
Group: core-security-release