Closed Bug 330486 Opened 18 years ago Closed 17 years ago

Crash [@ firefox.exe!nsIView::GetPosition() Line 166] on deleted view

Categories

(Core :: Layout, defect)

x86
Windows XP
defect
Not set
major


RESOLVED WORKSFORME

People

(Reporter: bc, Assigned: roc)


Details

(Keywords: crash, Whiteboard: [sg:critical?] uses freed memory)

Crash Data

With a WinXP trunk debug build from 20060310, using random styles (20,227,251,196):

+		this	0x051f2a28 {mViewManager=0xdddddddd mParent=0xdddddddd mWindow=0xdddddddd ...}	const nsIView * const

>	firefox.exe!nsIView::GetPosition()  Line 166 + 0x8 bytes	C++
 	firefox.exe!ApplyClipRect(const nsView * aView=0x051f2a28, nsRect * aRect=0x0012f6f8, int aFollowPlaceholders=0x00000000, nsIView * aStopAtView=0x00000000)  Line 896	C++
 	firefox.exe!nsView::GetClippedRect(nsIView * aStopAtView=0x00000000)  Line 970 + 0x13 bytes	C++
 	firefox.exe!nsViewManager::UpdateView(nsIView * aView=0x051f2a28, const nsRect & aRect={...}, unsigned int aUpdateFlags=0x00000000)  Line 1262	C++
 	firefox.exe!nsViewManager::UpdateView(nsIView * aView=0x051f2a28, unsigned int aUpdateFlags=0x00000000)  Line 1058 + 0x1a bytes	C++
 	firefox.exe!UpdateViewsForTree(nsIFrame * aFrame=0x03f4f6fc, nsIViewManager * aViewManager=0x03cb6990, nsFrameManager * aFrameManager=0x03ae4444, nsRect & aBoundsRect={...}, nsChangeHint aChange=0x00000005)  Line 10194	C++
 	firefox.exe!DoApplyRenderingChangeToTree(nsIFrame * aFrame=0x03f4f6fc, nsIViewManager * aViewManager=0x03cb6990, nsFrameManager * aFrameManager=0x03ae4444, nsChangeHint aChange=0x00000005)  Line 10251 + 0x19 bytes	C++
 	firefox.exe!ApplyRenderingChangeToTree(nsPresContext * aPresContext=0x03b6dd60, nsIFrame * aFrame=0x03f4f6fc, nsChangeHint aChange=0x00000005)  Line 10302 + 0x1a bytes	C++
 	firefox.exe!nsCSSFrameConstructor::ProcessRestyledFrames(nsStyleChangeList & aChangeList={...})  Line 10553 + 0x19 bytes	C++
 	firefox.exe!nsCSSFrameConstructor::RestyleElement(nsIContent * aContent=0x03cb62b0, nsIFrame * aPrimaryFrame=0x04c83060, nsChangeHint aMinHint=0x00000000)  Line 10617	C++
 	firefox.exe!nsCSSFrameConstructor::ProcessOneRestyle(nsIContent * aContent=0x03cb62b0, nsReStyleHint aRestyleHint=eReStyle_Self, nsChangeHint aChangeHint=0x00000000)  Line 13436	C++
 	firefox.exe!nsCSSFrameConstructor::ProcessPendingRestyles()  Line 13489	C++
 	firefox.exe!nsCSSFrameConstructor::RestyleEvent::HandleEvent()  Line 13555	C++
 	firefox.exe!HandleRestyleEvent(PLEvent * aEvent=0x04ec5348)  Line 13564	C++
 	xpcom_core.dll!PL_HandleEvent(PLEvent * self=0x04ec5348)  Line 688 + 0xc bytes	C
 	xpcom_core.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x02742b80)  Line 623 + 0x9 bytes	C
 	xpcom_core.dll!_md_TimerProc(HWND__ * hwnd=0x00110612, unsigned int uMsg=0x00000113, unsigned int idEvent=0x00000000, unsigned long dwTime=0x009e0fcf)  Line 1013 + 0x9 bytes	C
 	user32.dll!77d48734() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]	
 	user32.dll!77d49857() 	
 	user32.dll!77d49791() 	
 	user32.dll!77d48a10() 	
 	firefox.exe!nsAppShell::Run()  Line 135	C++
 	firefox.exe!nsAppStartup::Run()  Line 161 + 0x1c bytes	C++
 	firefox.exe!XRE_main(int argc=0x00000004, char * * argv=0x021480e0, const nsXREAppData * aAppData=0x0139cf20)  Line 2364 + 0x25 bytes	C++
 	firefox.exe!main(int argc=0x00000004, char * * argv=0x021480e0)  Line 61 + 0x13 bytes	C++
 	firefox.exe!__tmainCRTStartup()  Line 586 + 0x19 bytes	C
 	firefox.exe!mainCRTStartup()  Line 403	C
 	kernel32.dll!_BaseProcessStart@4()  + 0x23 bytes	


The deleted view first appeared in 

>	firefox.exe!UpdateViewsForTree(nsIFrame * aFrame=0x03f4f6fc, nsIViewManager * aViewManager=0x03cb6990, nsFrameManager * aFrameManager=0x03ae4444, nsRect & aBoundsRect={...}, nsChangeHint aChange=0x00000005)  Line 10194	C++

where

+		aFrame	0x03f4f6fc	nsIFrame *
+		aViewManager	0x03cb6990 {mRefCnt={...} _mOwningThread={...} mContext=0x03aed468 ...}	nsIViewManager *
+		aFrameManager	0x03ae4444	nsFrameManager *
+		aBoundsRect	{x=0x00000000 y=0x00000000 width=0x00000000 ...}	nsRect &
		aChange	0x00000005	nsChangeHint
		listIndex	0x002f7eeb	int
+		childList	0x00000001	nsIAtom *
+		view	0x051f2a28 {mViewManager=0xdddddddd mParent=0xdddddddd mWindow=0xdddddddd ...}	nsIView *
+		bounds	{x=0x03f6dd68 y=0x02fe0730 width=0x0012f870 ...}	nsRect
+		parentOffset	{x=0x8f39e606 y=0x0012f868 }	nsPoint

Linux also crashes, but with a different stack; see TB16124816.

Another crash on shutdown with a dead widget

+		this	0x054c2b90 {mRawPtr=0x04e32af4 }	nsCOMPtr<nsIWidget> * const
+		newPtr	0x04e32af4	nsIWidget *
+		oldPtr	0xdddddddd {mFirstChild={...} mLastChild=??? mNextSibling={...} ...}	nsIWidget *

>	firefox.exe!nsCOMPtr<nsIWidget>::assign_assuming_AddRef(nsIWidget * newPtr=0x04e32af4)  Line 568 + 0x3 bytes	C++
 	firefox.exe!nsCOMPtr<nsIWidget>::assign_with_AddRef(nsISupports * rawPtr=0x04e32af4)  Line 1225	C++
 	firefox.exe!nsCOMPtr<nsIWidget>::operator=(nsIWidget * rhs=0x04e32af4)  Line 714	C++
 	firefox.exe!nsIWidget::SetNextSibling(nsIWidget * aSibling=0x04e32af4)  Line 402	C++
 	firefox.exe!nsBaseWidget::RemoveChild(nsIWidget * aChild=0x0559bc94)  Line 327	C++
 	firefox.exe!nsBaseWidget::Destroy()  Line 247	C++
 	firefox.exe!nsWindow::Destroy()  Line 1526	C++
 	firefox.exe!nsView::~nsView()  Line 267	C++
 	firefox.exe!nsScrollPortView::~nsScrollPortView()  Line 109 + 0x8 bytes	C++
 	firefox.exe!nsScrollPortView::`scalar deleting destructor'()  + 0xf bytes	C++
 	firefox.exe!nsIView::Destroy()  Line 304 + 0x21 bytes	C++
 	firefox.exe!nsView::~nsView()  Line 214	C++
 	firefox.exe!nsView::`scalar deleting destructor'()  + 0xf bytes	C++
 	firefox.exe!nsIView::Destroy()  Line 304 + 0x21 bytes	C++
 	firefox.exe!nsFrame::Destroy(nsPresContext * aPresContext=0x03d9d870)  Line 655	C++
 	firefox.exe!nsSplittableFrame::Destroy(nsPresContext * aPresContext=0x03d9d870)  Line 71	C++
 	firefox.exe!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x03d9d870)  Line 167 + 0xd bytes	C++
 	firefox.exe!nsHTMLScrollFrame::Destroy(nsPresContext * aPresContext=0x03d9d870)  Line 168	C++
 	firefox.exe!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x03d9d870)  Line 58	C++
 	firefox.exe!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x03d9d870)  Line 163	C++
 	firefox.exe!nsTableFrame::Destroy(nsPresContext * aPresContext=0x03d9d870)  Line 310	C++
 	firefox.exe!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x03d9d870)  Line 58	C++
 	firefox.exe!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x03d9d870)  Line 163	C++
 	firefox.exe!nsTableOuterFrame::Destroy(nsPresContext * aPresContext=0x03d9d870)  Line 79	C++
 	firefox.exe!nsLineBox::DeleteLineList(nsPresContext * aPresContext=0x03d9d870, nsLineList & aLines={...})  Line 346	C++
 	firefox.exe!nsBlockFrame::Destroy(nsPresContext * aPresContext=0x03d9d870)  Line 298 + 0x10 bytes	C++
 	firefox.exe!nsAreaFrame::Destroy(nsPresContext * aPresContext=0x03d9d870)  Line 146	C++
 	firefox.exe!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x03d9d870)  Line 58	C++
 	firefox.exe!nsAbsoluteContainingBlock::DestroyFrames(nsIFrame * aDelegatingFrame=0x03dae9f0, nsPresContext * aPresContext=0x03d9d870)  Line 418	C++
 	firefox.exe!ViewportFrame::Destroy(nsPresContext * aPresContext=0x03d9d870)  Line 58	C++
 	firefox.exe!nsFrameManager::Destroy()  Line 297	C++
 	firefox.exe!PresShell::Destroy()  Line 1904	C++
 	firefox.exe!DocumentViewerImpl::Hide()  Line 2020	C++
 	firefox.exe!nsDocShell::SetVisibility(int aVisibility=0x00000000)  Line 3733	C++
 	firefox.exe!nsSubDocumentFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 617	C++
 	firefox.exe!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x0356a058)  Line 58	C++
 	firefox.exe!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 163	C++
 	firefox.exe!nsBoxFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 1082	C++
 	firefox.exe!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x0356a058)  Line 58	C++
 	firefox.exe!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 163	C++
 	firefox.exe!nsBoxFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 1082	C++
 	firefox.exe!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x0356a058)  Line 58	C++
 	firefox.exe!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 163	C++
 	firefox.exe!nsBoxFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 1082	C++
 	firefox.exe!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x0356a058)  Line 58	C++
 	firefox.exe!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 163	C++
 	firefox.exe!nsBoxFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 1082	C++
 	firefox.exe!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x0356a058)  Line 58	C++
 	firefox.exe!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 163	C++
 	firefox.exe!nsBoxFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 1082	C++
 	firefox.exe!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x0356a058)  Line 58	C++
 	firefox.exe!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 163	C++
 	firefox.exe!nsBoxFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 1082	C++
 	firefox.exe!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x0356a058)  Line 58	C++
 	firefox.exe!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 163	C++
 	firefox.exe!nsBoxFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 1082	C++
 	firefox.exe!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x0356a058)  Line 58	C++
 	firefox.exe!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 163	C++
 	firefox.exe!nsBoxFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 1082	C++
 	firefox.exe!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x0356a058)  Line 58	C++
 	firefox.exe!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 163	C++
 	firefox.exe!ViewportFrame::Destroy(nsPresContext * aPresContext=0x0356a058)  Line 59	C++
 	firefox.exe!nsFrameManager::Destroy()  Line 297	C++
 	firefox.exe!PresShell::Destroy()  Line 1904	C++
 	firefox.exe!DocumentViewerImpl::Destroy()  Line 1560	C++
 	firefox.exe!nsDocShell::Destroy()  Line 3479	C++
 	firefox.exe!nsXULWindow::Destroy()  Line 513	C++
 	firefox.exe!nsWebShellWindow::Destroy()  Line 836 + 0x9 bytes	C++
 	firefox.exe!nsWebShellWindow::HandleEvent(nsGUIEvent * aEvent=0x0012ef70)  Line 395	C++
 	firefox.exe!nsWindow::DispatchEvent(nsGUIEvent * event=0x0012ef70, nsEventStatus & aStatus=nsEventStatus_eIgnore)  Line 1053 + 0xc bytes	C++
 	firefox.exe!nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012ef70)  Line 1074	C++
 	firefox.exe!nsWindow::DispatchStandardEvent(unsigned int aMsg=0x00000065)  Line 1093 + 0x11 bytes	C++
 	firefox.exe!nsWindow::ProcessMessage(unsigned int msg=0x00000010, unsigned int wParam=0x00000000, long lParam=0x00000000, long * aRetValue=0x0012f448)  Line 4167	C++
 	firefox.exe!nsWindow::WindowProc(HWND__ * hWnd=0x004f0644, unsigned int msg=0x00000010, unsigned int wParam=0x00000000, long lParam=0x00000000)  Line 1242 + 0x1d bytes	C++
 	user32.dll!77d48734() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]	
 	user32.dll!77d48816() 	
 	user32.dll!77d4b4c0() 	
 	user32.dll!77d4b50c() 	
 	ntdll.dll!_KiUserCallbackDispatcher@12()  + 0x13 bytes	
 	user32.dll!77d494be() 	
 	user32.dll!77d4b42d() 	
 	xpcom_core.dll!nsEventQueueImpl::Release()  Line 202 + 0x5c bytes	C++
 	xpcom_core.dll!nsEventQueueImpl::ProcessPendingEvents()  Line 428 + 0xb bytes	C++
 	0000f060()	
 	user32.dll!77d4b393() 	
 	firefox.exe!nsWindow::DefaultWindowProc(HWND__ * hWnd=0x004f0644, unsigned int msg=0x00000112, unsigned int wParam=0x0000f060, long lParam=0x002903fa)  Line 1268	C++
 	user32.dll!77d48734() 	
 	user32.dll!77d48816() 	
 	user32.dll!77d4c63f() 	
 	user32.dll!77d4c665() 	
 	firefox.exe!nsWindow::WindowProc(HWND__ * hWnd=0x004f0644, unsigned int msg=0x00000112, unsigned int wParam=0x0000f060, long lParam=0x002903fa)  Line 1249 + 0x1f bytes	C++
 	user32.dll!77d48734() 	
 	user32.dll!77d48816() 	
 	user32.dll!77d4b4c0() 	
 	user32.dll!77d4b50c() 	
 	ntdll.dll!_KiUserCallbackDispatcher@12()  + 0x13 bytes	
 	user32.dll!77d494be() 	
 	user32.dll!77d4b42d() 	
 	user32.dll!77d48734() 	
 	user32.dll!77d484fc() 	
 	user32.dll!77d485a4() 	
 	user32.dll!77d4b3f9() 	
 	user32.dll!77d4b393() 	
 	firefox.exe!nsWindow::DefaultWindowProc(HWND__ * hWnd=0x004f0644, unsigned int msg=0x000000a1, unsigned int wParam=0x00000014, long lParam=0x002903fa)  Line 1268	C++
 	user32.dll!77d48734() 	
 	user32.dll!77d48816() 	
 	user32.dll!77d4c63f() 	
 	user32.dll!77d4c665() 	
 	firefox.exe!nsWindow::WindowProc(HWND__ * hWnd=0x004f0644, unsigned int msg=0x000000a1, unsigned int wParam=0x00000014, long lParam=0x002903fa)  Line 1249 + 0x1f bytes	C++
 	user32.dll!77d48734() 	
 	user32.dll!77d48816() 	
 	user32.dll!77d489cd() 	
 	user32.dll!77d49402() 	
 	user32.dll!77d48a10() 	
 	firefox.exe!nsAppShell::Run()  Line 135	C++
 	firefox.exe!nsAppStartup::Run()  Line 161 + 0x1c bytes	C++
 	firefox.exe!XRE_main(int argc=0x00000004, char * * argv=0x021480e0, const nsXREAppData * aAppData=0x0139cf20)  Line 2364 + 0x25 bytes	C++
 	firefox.exe!main(int argc=0x00000004, char * * argv=0x021480e0)  Line 61 + 0x13 bytes	C++
 	firefox.exe!__tmainCRTStartup()  Line 586 + 0x19 bytes	C
 	firefox.exe!mainCRTStartup()  Line 403	C
 	kernel32.dll!_BaseProcessStart@4()  + 0x23 bytes	

Note that farther up the stack from the crash point in frame

>	firefox.exe!nsIWidget::SetNextSibling(nsIWidget * aSibling=0x04e32af4)  Line 402	C++

SetNextSibling is called on a dead widget (its members hold the 0xdddddddd debug-heap fill pattern, i.e. the memory has already been freed):

-		this	0x054c2b84 {mFirstChild={...} mLastChild=0xdddddddd mNextSibling={...} ...}	nsIWidget * const
+		nsISupports	{...}	nsISupports
+		mFirstChild	{mRawPtr=0xdddddddd }	nsCOMPtr<nsIWidget>
+		mLastChild	0xdddddddd {mFirstChild={...} mLastChild=??? mNextSibling={...} ...}	nsIWidget *
+		mNextSibling	{mRawPtr=0x04e32af4 }	nsCOMPtr<nsIWidget>
+		mPrevSibling	0xdddddddd {mFirstChild={...} mLastChild=??? mNextSibling={...} ...}	nsIWidget *
-		aSibling	0x04e32af4	nsIWidget *
+		[ChildWindow]	{...}	ChildWindow
+		nsISupports	{...}	nsISupports
+		mFirstChild	{mRawPtr=0x00000000 }	nsCOMPtr<nsIWidget>
+		mLastChild	0x00000000 {mFirstChild={...} mLastChild=??? mNextSibling={...} ...}	nsIWidget *
-		mNextSibling	{mRawPtr=0x051f3f54 }	nsCOMPtr<nsIWidget>
+		mRawPtr	0x051f3f54	nsIWidget *
-		mPrevSibling	0x0559bc94	nsIWidget *
+		[ChildWindow]	{...}	ChildWindow
+		nsISupports	{...}	nsISupports
+		mFirstChild	{mRawPtr=0x00000000 }	nsCOMPtr<nsIWidget>
+		mLastChild	0x00000000 {mFirstChild={...} mLastChild=??? mNextSibling={...} ...}	nsIWidget *
+		mNextSibling	{mRawPtr=0x04e32af4 }	nsCOMPtr<nsIWidget>
+		mPrevSibling	0x054c2b84 {mFirstChild={...} mLastChild=0xdddddddd mNextSibling={...} ...}	nsIWidget *
Whiteboard: [sg:critical?] uses freed memory
Critical security bugs must have owners. If you can't work on this bug, please help us find another active owner for it.
Assignee: nobody → roc
roc/dbaron, any ideas on a fix?
This particular crash is no longer reproducible, although plenty of assertions are still being fired. -> WFM.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ firefox.exe!nsIView::GetPosition() Line 166]
Group: core-security → core-security-release
Group: core-security-release