Closed Bug 329044 Opened 18 years ago Closed 18 years ago

Crash [@ nsCSSFrameConstructor::WipeContainingBlock]

Categories

(Core :: Layout, defect)

1.8 Branch
x86
Windows XP
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 291902

People

(Reporter: jay, Assigned: sicking)

References

Details

(Keywords: crash, testcase)

Crash Data

Despite the crash fixes in Bug 309120 and Bug 317549, I am still seeing a crash with the latest 1.8.0 builds: v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060301 Firefox/1.5.0.1

I am seeing what appears to be a new crash when loading the testcases in both of the bugs mentioned above:

Incident ID: 15807551
Stack Signature	nsCSSFrameConstructor::WipeContainingBlock ea37d85e
Email Address	jay@mozilla.org
Product ID	Firefox15
Build ID	2006030105
Trigger Time	2006-03-01 17:23:39.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (001862f0)
URL visited	bug 309120
User Comments	testcase 1: 1 nsCSSFrameConstructor ContentAppended
Since Last Crash	845 sec
Total Uptime	2750 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13462
Stack Trace 	
nsCSSFrameConstructor::WipeContainingBlock  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13462]
nsCSSFrameConstructor::ContentInserted  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9471]
PresShell::ContentInserted  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5487]
doInsertChildAt  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2780]
nsGenericElement::InsertChildAt  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2719]
nsGenericElement::InsertBefore  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 3019]
XPCWrappedNative::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2152]
XPC_WN_CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1444]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1177]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3562]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
js_InternalInvoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1274]
JS_CallFunctionValue  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4171]
nsJSContext::CallEventHandler  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1411]
nsGlobalWindow::RunTimeout  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6360]
nsGlobalWindow::TimerCallback  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6723]
nsAppStartup::Run  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)

---------------------

Incident ID: 15807086
Stack Signature	nsCSSFrameConstructor::WipeContainingBlock ea37d85e
Email Address	jay@mozilla.org
Product ID	Firefox15
Build ID	2006030105
Trigger Time	2006-03-01 17:05:58.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (001862f0)
URL visited	https://bugzilla.mozilla.org/show_bug.cgi?id=317549
User Comments	
Since Last Crash	1859 sec
Total Uptime	1859 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13462
Stack Trace 	
nsCSSFrameConstructor::WipeContainingBlock  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13462]
nsCSSFrameConstructor::ContentInserted  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9471]
PresShell::ContentInserted  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5487]
doInsertChildAt  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2780]
nsGenericElement::InsertChildAt  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2719]
nsGenericElement::InsertBefore  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 3019]
XPCWrappedNative::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2152]
XPC_WN_CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1444]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1177]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3562]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
js_InternalInvoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1274]
JS_CallFunctionValue  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4171]
nsJSContext::CallEventHandler  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1411]
nsGlobalWindow::RunTimeout  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6360]
nsGlobalWindow::TimerCallback  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6723]
nsAppStartup::Run  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)

I think Jonas knows about this from the comments from DaveL in those bugs, but the bug that he refers to showed a different stack, so just wanted to make sure we knew about this.

I have not had a chance to reproduce on the Trunk or 1.0.x branches, but we need to look into this.

The bug for the other resulting crash is bug 317544, but the stack is different from the notably identical stack traces below (from 2 different testcases?).
Nominating blocking1.8.0.2 so we can get to the bottom of this crash trail.
Flags: blocking1.8.0.2?

That looks to me like bug 291902 (fixed trunk only).  It's a null-deref crash; not exploitable.

I suppose we could land that patch on the branches; the fix is pretty safe, imo.  Nominate as needed, please?
Depends on: 291902

If this crash is not exploitable, I'm tempted to recommend we push this to 1.5.0.3.  Jay, can you please check this on the trunk?

v.fixed on Trunk with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060302 Firefox/1.6a1.  No crashes with any of the testcases from the bugs I mentioned before (unpacked testcases locally):

bug 309120 (https://bugzilla.mozilla.org/attachment.cgi?id=197691) - opened all 3 test pages,  they did their thing and no crash by the time they were done.
bug 317549 (https://bugzilla.mozilla.org/attachment.cgi?id=205811) - no crash with the test page

Since this is a safe patch (according to bz), I think it would be good to get it checked in to get rid of this crasher on the 1.8.0 branch as well.

Null deref, too late in 1.8.0.2 for a non-critical fix.
Flags: blocking1.8.0.3?
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.2-

*** This bug has been marked as a duplicate of 291902 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Flags: blocking1.8.0.3?
Crash Signature: [@ nsCSSFrameConstructor::WipeContainingBlock]