339249 - [FIX]Crash with iExploder test 281619 [@ nsSubDocumentFrame::Reflow]

Status: VERIFIED FIXED

(Core :: Layout, defect, P1)

Description

[Joonas]

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060524 Minefield/3.0a1

If you visit the url in the URL field (iExploder test 281619), the browser
crashes.

Found using http://toadstool.se/software/iexploder/

TB19114840H

Comment 1

[Joonas]

Attachment: Reduced test case (iExploder test 281619)

The source is:
<table>
<a>
<link>
<iframe src=javascript:

Comment 2

[Joonas]

TB19114869G, TB19115744Q for attachment 223354 [details]

Comment 3

[Jesse Ruderman]

Confirmed with Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060521 Minefield/3.0a1.

The Mac OS X crash reporter says the top line of the stack is nsSubDocumentFrame::Reflow.

Comment 4

[Joonas]

Attachment: Another example

<iframe src=javascript:

This doesn't crash, but opens the JavaScript Console with this error message:

Security Error: Content at moz-nullprincipal:{ae009a68-a130-4952-baa7-39486984bf14} may not load or link to http://fxfeeds.mozilla.com/rss20.xml.

Comment 5

[Jesse Ruderman]

The fact that <iframe src="javascript:"> opens the JavaScript console is a bug, but the error message involving the feed is bug 338657.

Comment 6

[Jesse Ruderman]

That might be bug 243170, "Page can open JavaScript console even when are popup disabled".

Comment 7

[Jesse Ruderman]

This also crashes if I replace "javascript:" with "javascript:void 0" or "javascript:5".  So the crash here does not depend on "javascript:" opening the JavaScript console.

The crash does go away if I use "data:text/plain,5" or "http://www.google.com/" for the iframe src.

Comment 8

[Martijn Wargers (dead)]

Sorry, I should have added the top of the stack in the summary. This is probably related to bug 336718.

Comment 9

[Mats Palmgren (inactive)]

FWIW, the proposed patch for bug 336718 (dated 2006-05-05) did not help here...

Comment 10

[Mats Palmgren (inactive)]

Attachment: Frame dump (from Reflow), with call stacks of frame creation

Comment 11

[Mats Palmgren (inactive)]

The problem is that we insert two frames for the same <iframe> content,
the second call have a 'presShell' on line 706 so we return without
doing CreateViewAndWidget on line 746, which is the method that sets up
'mInnerView' so it's null when we Reflow this frame...
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/generic/nsFrameFrame.cpp&rev=3.304&root=/cvsroot&mark=706-709,746#696

The source of the two calls to nsSubDocumentFrame::Init is in
SinkContext::CloseContainer, the first through mSink->NotifyAppend()
and the second through DidAddContent():
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/content/html/document/src/nsHTMLContentSink.cpp&rev=3.755&root=/cvsroot&mark=1369,1380#1321

See the call stacks in the attached frame dump.

It isn't too hard to avoid crashing in nsFrameFrame.cpp but it
leads to two frames being displayed which is probably not right.

It seems this is a parser/sink problem?

Comment 12

[Boris Zbarsky [:bzbarsky]]

This is a regression from bug 332644.  Looking into it now.

Comment 13

[Boris Zbarsky [:bzbarsky]]

Attachment: Non-crashing testcase that demonstrates content doubling

Comment 14

[Boris Zbarsky [:bzbarsky]]

Attachment: Proposed patch

So what happens in those testcase is that when we handle the <link> we open a head context for it, which makes us flush tags on the <body> context.  As a result, we notify on the <a>.  Then when we close the <a> we notify on its kids (which makes sense) and call DidAddContent on the <a>.  But <body> has an insertion point, and DidAddContent doesn't check what's already been flushed and just goes ahead and notifies on the <a> a second time, which notifies on all its kids a second time.

So the part of this patch that fixes this bug is adding the 

>+      mStack[mStackPos - 1].mNumFlushed <
>+      mStack[mStackPos - 1].mContent->GetChildCount()) {

part in the patch.  The change to remove the unused second arg to DidAddContent is just window dressing.  The change to SinkContext::CloseContainer just makes sure we maintain our mNumFlushed for the container we're closing, though it probably doesn't matter since we'll never notify under it again...

Comment 15

[Blake Kaplan (:mrbkap) (inactive)]

Comment on attachment 224153 [details] [diff] [review]
Proposed patch

>Index: content/html/document/src/nsHTMLContentSink.cpp
>+  if (0 < mStackPos &&
>+      mStack[mStackPos - 1].mInsertionPoint != -1 &&
>+      mStack[mStackPos - 1].mNumFlushed <
>+      mStack[mStackPos - 1].mContent->GetChildCount()) {

Want to indent the last line to be explictly clear that it's the continuation of the previous line?

Comment 16

[Boris Zbarsky [:bzbarsky]]

Fixed.

Comment 17

[Stephen Donner [:stephend] Not actively reading bugmail]

Verified FIXED; all testcases no longer crash for me, and the testcase https://bugzilla.mozilla.org/attachment.cgi?id=224152 which uses to demonstrate the content doubling is now working fine for me.

Build 2006-06-19-10 of SeaMonkey trunk under Windows XP.