Last Comment Bug 345071 - Crash [@ nsTextFrame::PrepareUnicodeText]
: Crash [@ nsTextFrame::PrepareUnicodeText]
Status: VERIFIED FIXED
[sg:critical]
: crash, verified1.8.0.7, verified1.8.1
Product: Core
Classification: Components
Component: Layout (show other bugs)
: Trunk
: x86 Windows XP
: -- critical (vote)
: ---
Assigned To: Robert O'Callahan (:roc) (Exited; email my personal email if necessary)
:
Mentors:
http://bonsai.mozilla.org/cvsblame.cg...
: 347304 (view as bug list)
Depends on: 354451
Blocks: CVE-2006-4253
  Show dependency treegraph
 
Reported: 2006-07-18 10:23 PDT by Jonathan Watt [:jwatt]
Modified: 2011-06-13 10:01 PDT (History)
11 users (show)
mtschrep: blocking1.8.1+
jaymoz: blocking1.8.0.7+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
reduced build log that causes crash (7-zipped) (228.34 KB, application/octet-stream)
2006-07-27 16:10 PDT, Jonathan Watt [:jwatt]
no flags Details
automatic testcase (256.19 KB, application/zip)
2006-08-07 07:17 PDT, Martijn Wargers [:mwargers] (not working for Mozilla)
no flags Details
fix (2.98 KB, patch)
2006-08-07 18:27 PDT, Robert O'Callahan (:roc) (Exited; email my personal email if necessary)
smontagu: review+
rbs: superreview+
dveditz: approval1.8.0.7+
mtschrep: approval1.8.1+
Details | Diff | Splinter Review

Description Jonathan Watt [:jwatt] 2006-07-18 10:23:29 PDT
I've encountered an html page that will crash ff1.5 (downloaded from mozilla.org way back when) and current trunk (a debug build I've built myself using vc8). The page is very large, and only crashes if you keep hitting the End key on your keyboard while the page is loading. Testing on the debug trunk build, most of the time the firefox process just disappears. There's no warning, no prompt to open the debugger. Nothing. Sometimes I get the exception:

###!!! ASSERTION: yikes - we just overwrote memory: 'indexp <= aIndexBuffer->mBuffer + aIndexBuffer->mBufferLen', file c:/mozilla/trees/trunk/mozilla/layout/generic/nsTextFrame.cpp, line 2375

occuring at:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/generic/nsTextFrame.cpp&rev=1.582&mark=2366,2367,2374,2375#2361

and on entering the debugger from there the stack is:

>	nsTextFrame::PrepareUnicodeText(nsTextTransformer & aTX={...}, nsAutoIndexBuffer * aIndexBuffer=0x0012d58c, nsAutoTextBuffer * aTextBuffer=0x0012d72c, int * aTextLen=0x0012d964, int aForceArabicShaping=0, int * aJustifiableCharCount=0x00000000, int aRemoveMultipleTrimmedWS=0) Line 2375 + 0x2f bytes	C++
 	nsTextFrame::PaintUnicodeText(nsPresContext * aPresContext=0x03d16820, nsIRenderingContext & aRenderingContext={...}, nsStyleContext * aStyleContext=0x045e5b78, nsTextPaintStyle & aTextStyle={...}, int dx=120, int dy=4245) Line 2932	C++
 	nsTextFrame::PaintText(nsIRenderingContext & aRenderingContext={...}, nsPoint aPt={...}) Line 2080	C++
 	nsDisplayText::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x03d0d89c, const nsRect & aDirtyRect={...}) Line 2011	C++
 	nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x03d0d89c, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes	C++
 	nsDisplayWrapList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x03d0d89c, const nsRect & aDirtyRect={...}) Line 671	C++
 	nsDisplayClip::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x03d0d89c, const nsRect & aDirtyRect={...}) Line 903	C++
 	nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x03d0d89c, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes	C++
 	nsLayoutUtils::PaintFrame(nsIRenderingContext * aRenderingContext=0x03d0d89c, nsIFrame * aFrame=0x045c9e0c, const nsRegion & aDirtyRegion={...}, unsigned int aBackground=4294967295) Line 720	C++
 	PresShell::Paint(nsIView * aView=0x045b7c88, nsIRenderingContext * aRenderingContext=0x03d0d89c, const nsRegion & aDirtyRegion={...}) Line 5718 + 0x15 bytes	C++
 	nsViewManager::RenderViews(nsView * aView=0x04611cf0, nsIRenderingContext & aRC={...}, const nsRegion & aRegion={...}, nsIDrawingSurface * aRCSurface=0x00000000) Line 816	C++
 	nsViewManager::Refresh(nsView * aView=0x04611cf0, nsIRenderingContext * aContext=0x03d0d89c, nsIRegion * aRegion=0x03cf0888, unsigned int aUpdateFlags=1) Line 580	C++
 	nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012e020, nsEventStatus * aStatus=0x0012decc) Line 1422	C++
 	HandleEvent(nsGUIEvent * aEvent=0x0012e020) Line 174	C++
 	nsWindow::DispatchEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes	C++
 	nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1128	C++
 	nsWindow::OnPaint(HDC__ * aDC=0x00000000) Line 5683 + 0x1e bytes	C++
 	nsWindow::ProcessMessage(unsigned int msg=15, unsigned int wParam=0, long lParam=0, long * aRetValue=0x0012e4fc) Line 4246 + 0x15 bytes	C++
 	nsWindow::WindowProc(HWND__ * hWnd=0x00440668, unsigned int msg=15, unsigned int wParam=0, long lParam=0) Line 1291 + 0x1d bytes	C++
 	77d48734	
 	77d48816	
 	77d4b4c0	
 	77d4b50c	
 	7c90eae3	
 	77d4d83f	
 	77d4d82a	
 	nsWindow::Scroll(int aDx=0, int aDy=-3808, nsRect * aClipRect=0x00000000) Line 3121	C++
 	nsScrollPortView::Scroll(nsView * aScrolledView=0x0460e6d0, nsPoint aTwipsDelta={...}, nsPoint aPixDelta={...}, float aT2P=0.066666670) Line 577	C++
 	nsScrollPortView::ScrollToImpl(int aX=0, int aY=2294610, unsigned int aUpdateFlags=0) Line 653	C++
 	nsScrollPortView::ScrollTo(int aDestinationX=0, int aDestinationY=2299290, unsigned int aUpdateFlags=0) Line 271 + 0x1e bytes	C++
 	nsScrollPortView::ScrollByWhole(int aTop=0) Line 468	C++
 	PresShell::CompleteScroll(int aForward=1) Line 3406	C++
 	nsSelectMoveScrollCommand::DoCommandBrowseWithCaretOff(const char * aCommandName=0x0012eb94, nsISelectionController * aSelectionController=0x045c907c) Line 354 + 0x10 bytes	C++
 	nsSelectMoveScrollCommand::DoSelectCommand(const char * aCommandName=0x0012eb94, nsIDOMWindow * aWindow=0x02de1398) Line 271 + 0x15 bytes	C++
 	nsSelectionCommandsBase::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandContext=0x02de13c4) Line 188 + 0x1a bytes	C++
 	nsControllerCommandTable::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandRefCon=0x02de13c4) Line 191 + 0x21 bytes	C++
 	nsBaseCommandController::DoCommand(const char * aCommand=0x0012eb94) Line 169 + 0x24 bytes	C++
 	nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * aReceiver=0x02ff06a8, nsIDOMEvent * aEvent=0x03eb7f40) Line 361	C++
 	nsXBLWindowHandler::WalkHandlersInternal(nsIDOMEvent * aEvent=0x03eb7f40, nsIAtom * aEventType=0x02cea640, nsXBLPrototypeHandler * aHandler=0x03c8eef0) Line 322 + 0x15 bytes	C++
 	nsXBLWindowKeyHandler::WalkHandlers(nsIDOMEvent * aKeyEvent=0x03eb7f40, nsIAtom * aEventType=0x02cea640) Line 199	C++
 	nsXBLWindowKeyHandler::KeyPress(nsIDOMEvent * aKeyEvent=0x03eb7f40) Line 254	C++
 	DispatchToInterface(nsIDOMEvent * aEvent=0x03eb7f40, nsIDOMEventListener * aListener=0x02ffbf20, unsigned int (nsIDOMEvent *)* aMethod=0x01f199f0, const nsID & aIID={...}, int * aHasInterface=0x0012f08c) Line 145 + 0xb bytes	C++
 	nsEventListenerManager::HandleEvent(nsPresContext * aPresContext=0x03d16820, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * * aDOMEvent=0x0012f1a4, nsISupports * aCurrentTarget=0x02ff06b4, unsigned int aFlags=514, nsEventStatus * aEventStatus=0x0012f1a8) Line 1742 + 0x26 bytes	C++
 	nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=514) Line 356	C++
 	nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=518, nsDispatchingCallback * aCallback=0x0012f260) Line 456	C++
 	nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6, nsDispatchingCallback * aCallback=0x0012f260) Line 486	C++
 	nsEventDispatcher::Dispatch(nsISupports * aTarget=0x0459fc90, nsPresContext * aPresContext=0x03d16820, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * aDOMEvent=0x00000000, nsEventStatus * aEventStatus=0x0012f330, nsDispatchingCallback * aCallback=0x0012f260, int aTargetIsChromeHandler=0) Line 639 + 0x12 bytes	C++
 	PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f51c, nsIView * aView=0x045b7c88, nsEventStatus * aStatus=0x0012f330) Line 6275 + 0x2b bytes	C++
 	PresShell::HandleEvent(nsIView * aView=0x045b7c88, nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aEventStatus=0x0012f330) Line 6046 + 0x17 bytes	C++
 	nsViewManager::HandleEvent(nsView * aView=0x045b7c88, nsPoint aPoint={...}, nsGUIEvent * aEvent=0x0012f51c, int aCaptured=0) Line 1665	C++
 	nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aStatus=0x0012f458) Line 1618 + 0x22 bytes	C++
 	HandleEvent(nsGUIEvent * aEvent=0x0012f51c) Line 174	C++
 	nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f51c, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes	C++
 	nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012f51c) Line 1123	C++
 	nsWindow::DispatchKeyEvent(unsigned int aEventType=131, unsigned short aCharCode=0, unsigned int aVirtualCharCode=35, long aKeyData=21954561, unsigned int aFlags=0) Line 3312 + 0x11 bytes	C++
 	nsWindow::OnKeyDown(unsigned int aVirtualKeyCode=35, unsigned int aScanCode=335, long aKeyData=21954561) Line 3503	C++
 	nsWindow::ProcessMessage(unsigned int msg=256, unsigned int wParam=35, long lParam=21954561, long * aRetValue=0x0012fa48) Line 4420 + 0x1d bytes	C++
 	nsWindow::WindowProc(HWND__ * hWnd=0x0036067e, unsigned int msg=256, unsigned int wParam=35, long lParam=21954561) Line 1291 + 0x1d bytes	C++
 	77d48734	
 	77d48816	
 	77d489cd	
 	77d48a10	
 	nsAppShell::ProcessNextNativeEvent(int mayWait=0) Line 149	C++
 	nsBaseAppShell::DoProcessNextNativeEvent(int mayWait=0) Line 136 + 0x11 bytes	C++
 	nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal * thr=0x00b38d20, int mayWait=1, unsigned int recursionDepth=0) Line 209 + 0xd bytes	C++
 	nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fc34) Line 472	C++
 	NS_ProcessNextEvent_P(nsIThread * thread=0x00b38d20, int mayWait=1) Line 225 + 0x16 bytes	C++
 	nsBaseAppShell::Run() Line 153 + 0xc bytes	C++
 	nsAppStartup::Run() Line 171 + 0x1c bytes	C++
 	XRE_main(int argc=4, char * * argv=0x00b37e48, const nsXREAppData * aAppData=0x004036b0) Line 2349 + 0x25 bytes	C++
 	main(int argc=4, char * * argv=0x00b37e48) Line 61 + 0x13 bytes	C++
 	__tmainCRTStartup() Line 586 + 0x19 bytes	C
 	mainCRTStartup() Line 403	C
 	7c816d4f	
 	7c8399f3	



I then get a considerable number (~50) of these assertions:

###!!! ASSERTION: recursive painting not permitted: '!IsPainting()', file c:/mozilla/trees/trunk/mozilla/view/src/nsViewManager.cpp, line 505

before I get a VS window that says something about heap corruption and buffer overflow/overrun. Continuing from that I get a crash. The times I've managed to get the debugger up *and* get to this VS window I've had to kill VS because I keep running out of memory. Therefore I haven't got a stack from a the crash that follows this series of events, but some of the time I get a crash without any assertions and VS window. One such stack is below. The message I got with this stack was "an unhandled win32 exception occured in firefox.exe [5152]".  


>	memcpy(unsigned char * dst=0x0000072c, unsigned char * src=0x0012d854, unsigned long count=256) Line 188	Asm
 	nsTextFrame::PrepareUnicodeText(nsTextTransformer & aTX={...}, nsAutoIndexBuffer * aIndexBuffer=0x0012d58c, nsAutoTextBuffer * aTextBuffer=0x0012d72c, int * aTextLen=0x0012d964, int aForceArabicShaping=0, int * aJustifiableCharCount=0x00000000, int aRemoveMultipleTrimmedWS=0) Line 2367 + 0x24 bytes	C++
 	nsTextFrame::PaintUnicodeText(nsPresContext * aPresContext=0x03cfb088, nsIRenderingContext & aRenderingContext={...}, nsStyleContext * aStyleContext=0x044f62d0, nsTextPaintStyle & aTextStyle={...}, int dx=120, int dy=4245) Line 2932	C++
 	nsTextFrame::PaintText(nsIRenderingContext & aRenderingContext={...}, nsPoint aPt={...}) Line 2080	C++
 	nsDisplayText::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x044f1c3c, const nsRect & aDirtyRect={...}) Line 2011	C++
 	nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x044f1c3c, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes	C++
 	nsDisplayWrapList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x044f1c3c, const nsRect & aDirtyRect={...}) Line 671	C++
 	nsDisplayClip::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x044f1c3c, const nsRect & aDirtyRect={...}) Line 903	C++
 	nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x044f1c3c, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes	C++
 	nsLayoutUtils::PaintFrame(nsIRenderingContext * aRenderingContext=0x044f1c3c, nsIFrame * aFrame=0x03ec8264, const nsRegion & aDirtyRegion={...}, unsigned int aBackground=4294967295) Line 720	C++
 	PresShell::Paint(nsIView * aView=0x044d8688, nsIRenderingContext * aRenderingContext=0x044f1c3c, const nsRegion & aDirtyRegion={...}) Line 5718 + 0x15 bytes	C++
 	nsViewManager::RenderViews(nsView * aView=0x04507ea0, nsIRenderingContext & aRC={...}, const nsRegion & aRegion={...}, nsIDrawingSurface * aRCSurface=0x00000000) Line 816	C++
 	nsViewManager::Refresh(nsView * aView=0x04507ea0, nsIRenderingContext * aContext=0x044f1c3c, nsIRegion * aRegion=0x0445a0b0, unsigned int aUpdateFlags=1) Line 580	C++
 	nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012e020, nsEventStatus * aStatus=0x0012decc) Line 1422	C++
 	HandleEvent(nsGUIEvent * aEvent=0x0012e020) Line 174	C++
 	nsWindow::DispatchEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes	C++
 	nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1128	C++
 	nsWindow::OnPaint(HDC__ * aDC=0x00000000) Line 5683 + 0x1e bytes	C++
 	nsWindow::ProcessMessage(unsigned int msg=15, unsigned int wParam=0, long lParam=0, long * aRetValue=0x0012e4fc) Line 4246 + 0x15 bytes	C++
 	nsWindow::WindowProc(HWND__ * hWnd=0x003802c4, unsigned int msg=15, unsigned int wParam=0, long lParam=0) Line 1291 + 0x1d bytes	C++
 	77d48734	
 	[Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]	
 	77d48816	
 	77d4b4c0	
 	77d4b50c	
 	7c90eae3	
 	77d4d83f	
 	77d4d82a	
 	nsWindow::Scroll(int aDx=0, int aDy=-7408, nsRect * aClipRect=0x00000000) Line 3121	C++
 	nsScrollPortView::Scroll(nsView * aScrolledView=0x04504ed8, nsPoint aTwipsDelta={...}, nsPoint aPixDelta={...}, float aT2P=0.066666670) Line 577	C++
 	nsScrollPortView::ScrollToImpl(int aX=0, int aY=716370, unsigned int aUpdateFlags=0) Line 653	C++
 	nsScrollPortView::ScrollTo(int aDestinationX=0, int aDestinationY=721050, unsigned int aUpdateFlags=0) Line 271 + 0x1e bytes	C++
 	nsScrollPortView::ScrollByWhole(int aTop=0) Line 468	C++
 	PresShell::CompleteScroll(int aForward=1) Line 3406	C++
 	nsSelectMoveScrollCommand::DoCommandBrowseWithCaretOff(const char * aCommandName=0x0012eb94, nsISelectionController * aSelectionController=0x044cdd8c) Line 354 + 0x10 bytes	C++
 	nsSelectMoveScrollCommand::DoSelectCommand(const char * aCommandName=0x0012eb94, nsIDOMWindow * aWindow=0x03907340) Line 271 + 0x15 bytes	C++
 	nsSelectionCommandsBase::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandContext=0x0390736c) Line 188 + 0x1a bytes	C++
 	nsControllerCommandTable::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandRefCon=0x0390736c) Line 191 + 0x21 bytes	C++
 	nsBaseCommandController::DoCommand(const char * aCommand=0x0012eb94) Line 169 + 0x24 bytes	C++
 	nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * aReceiver=0x02ff10b0, nsIDOMEvent * aEvent=0x04529658) Line 361	C++
 	nsXBLWindowHandler::WalkHandlersInternal(nsIDOMEvent * aEvent=0x04529658, nsIAtom * aEventType=0x02cea640, nsXBLPrototypeHandler * aHandler=0x03c8f320) Line 322 + 0x15 bytes	C++
 	nsXBLWindowKeyHandler::WalkHandlers(nsIDOMEvent * aKeyEvent=0x04529658, nsIAtom * aEventType=0x02cea640) Line 199	C++
 	nsXBLWindowKeyHandler::KeyPress(nsIDOMEvent * aKeyEvent=0x04529658) Line 254	C++
 	DispatchToInterface(nsIDOMEvent * aEvent=0x04529658, nsIDOMEventListener * aListener=0x02ffc918, unsigned int (nsIDOMEvent *)* aMethod=0x01f199f0, const nsID & aIID={...}, int * aHasInterface=0x0012f08c) Line 145 + 0xb bytes	C++
 	nsEventListenerManager::HandleEvent(nsPresContext * aPresContext=0x03cfb088, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * * aDOMEvent=0x0012f1a4, nsISupports * aCurrentTarget=0x02ff10bc, unsigned int aFlags=514, nsEventStatus * aEventStatus=0x0012f1a8) Line 1742 + 0x26 bytes	C++
 	nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=514) Line 356	C++
 	nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=518, nsDispatchingCallback * aCallback=0x0012f260) Line 456	C++
 	nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6, nsDispatchingCallback * aCallback=0x0012f260) Line 486	C++
 	nsEventDispatcher::Dispatch(nsISupports * aTarget=0x03ee3a20, nsPresContext * aPresContext=0x03cfb088, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * aDOMEvent=0x00000000, nsEventStatus * aEventStatus=0x0012f330, nsDispatchingCallback * aCallback=0x0012f260, int aTargetIsChromeHandler=0) Line 639 + 0x12 bytes	C++
 	PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f51c, nsIView * aView=0x044d8688, nsEventStatus * aStatus=0x0012f330) Line 6275 + 0x2b bytes	C++
 	PresShell::HandleEvent(nsIView * aView=0x044d8688, nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aEventStatus=0x0012f330) Line 6046 + 0x17 bytes	C++
 	nsViewManager::HandleEvent(nsView * aView=0x044d8688, nsPoint aPoint={...}, nsGUIEvent * aEvent=0x0012f51c, int aCaptured=0) Line 1665	C++
 	nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aStatus=0x0012f458) Line 1618 + 0x22 bytes	C++
 	HandleEvent(nsGUIEvent * aEvent=0x0012f51c) Line 174	C++
 	nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f51c, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes	C++
 	nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012f51c) Line 1123	C++
 	nsWindow::DispatchKeyEvent(unsigned int aEventType=131, unsigned short aCharCode=0, unsigned int aVirtualCharCode=35, long aKeyData=21954561, unsigned int aFlags=0) Line 3312 + 0x11 bytes	C++
 	nsWindow::OnKeyDown(unsigned int aVirtualKeyCode=35, unsigned int aScanCode=335, long aKeyData=21954561) Line 3503	C++
 	nsWindow::ProcessMessage(unsigned int msg=256, unsigned int wParam=35, long lParam=21954561, long * aRetValue=0x0012fa48) Line 4420 + 0x1d bytes	C++
 	nsWindow::WindowProc(HWND__ * hWnd=0x001602fa, unsigned int msg=256, unsigned int wParam=35, long lParam=21954561) Line 1291 + 0x1d bytes	C++
 	77d48734	
 	77d48816	
 	77d489cd	
 	77d48a10	
 	nsAppShell::ProcessNextNativeEvent(int mayWait=0) Line 149	C++
 	nsBaseAppShell::DoProcessNextNativeEvent(int mayWait=0) Line 136 + 0x11 bytes	C++
 	nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal * thr=0x00b38d20, int mayWait=1, unsigned int recursionDepth=0) Line 222	C++
 	nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fc34) Line 472	C++
 	NS_ProcessNextEvent_P(nsIThread * thread=0x00b38d20, int mayWait=1) Line 225 + 0x16 bytes	C++
 	nsBaseAppShell::Run() Line 153 + 0xc bytes	C++
 	nsAppStartup::Run() Line 171 + 0x1c bytes	C++
 	XRE_main(int argc=4, char * * argv=0x00b37e48, const nsXREAppData * aAppData=0x004036b0) Line 2349 + 0x25 bytes	C++
 	main(int argc=4, char * * argv=0x00b37e48) Line 61 + 0x13 bytes	C++
 	__tmainCRTStartup() Line 586 + 0x19 bytes	C
 	mainCRTStartup() Line 403	C
 	7c816d4f	
 	7c8399f3
Comment 1 Boris Zbarsky [:bz] 2006-07-18 10:37:56 PDT
> ###!!! ASSERTION: recursive painting not permitted: '!IsPainting()', file
> c:/mozilla/trees/trunk/mozilla/view/src/nsViewManager.cpp, line 505

What's the stack to this?

ccing some folks who know textframe code...
Comment 2 Mats Palmgren (vacation) 2006-07-18 10:58:35 PDT
Could you attach the page causing this? (compress it if it's too big)
Or put it up on a web server somewhere?
Comment 3 Jonathan Watt [:jwatt] 2006-07-18 11:05:58 PDT
Forgot. I also got a heap of these in the console:

++DOMWINDOW == 7
nsLineLayout: Text(1)@0454DD60 metrics=624240,240!
nsLineLayout: Inline(span)(129)@04561A28 metrics=653040,240!
Block(pre)(4)@043DBE20: line=04561A60 xmost=653040
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:653040
nsLineLayout: Text(1)@045CFF04 metrics=613680,240!
nsLineLayout: Inline(span)(163)@045CFF48 metrics=613680,240!
Block(pre)(4)@043DBE20: line=045CFF80 xmost=670680
nsLineLayout: Inline(span)(165)@045CFFF4 metrics=671160,240!
Block(pre)(4)@043DBE20: line=045D002C xmost=671160
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:670680
Block(pre)(4)@043DBE20: WARNING: xmost:671160
Block(pre)(4)@043DBE20: line=045F9E20 xmost=809280
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:670680
Block(pre)(4)@043DBE20: WARNING: xmost:671160
Block(pre)(4)@043DBE20: line=045F9E20 xmost=809280
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:670680
Block(pre)(4)@043DBE20: WARNING: xmost:671160
Block(pre)(4)@043DBE20: WARNING: xmost:809280
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:670680
Block(pre)(4)@043DBE20: WARNING: xmost:671160
Block(pre)(4)@043DBE20: WARNING: xmost:809280
--DOMWINDOW == 6
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:670680
Block(pre)(4)@043DBE20: WARNING: xmost:671160
Block(pre)(4)@043DBE20: WARNING: xmost:809280
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:670680
Block(pre)(4)@043DBE20: WARNING: xmost:671160
Block(pre)(4)@043DBE20: WARNING: xmost:809280
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:670680
Block(pre)(4)@043DBE20: WARNING: xmost:671160
[snip]
Comment 4 Jonathan Watt [:jwatt] 2006-07-18 11:10:23 PDT
Mats: sorry, I forgot to mention that the file isn't something I can share at this point - hence why I'm trying to provide as much info as possible. I'm seeking permission from my boss to give access to at least some people, and I'll do some more testing to see if I can't reproduce on a modified or alternative file tomorrow.
Comment 5 Jonathan Watt [:jwatt] 2006-07-18 12:48:36 PDT
> > ###!!! ASSERTION: recursive painting not permitted: '!IsPainting()', file
> > c:/mozilla/trees/trunk/mozilla/view/src/nsViewManager.cpp, line 505
> 
> What's the stack to this?

It's (appologies for likely pasting too much):

>	nsViewManager::Refresh(nsView * aView=0x05d5e310, nsIRenderingContext * aContext=0x04a9295c, nsIRegion * aRegion=0x0575edc8, unsigned int aUpdateFlags=1) Line 505 + 0x2b bytes	C++
 	nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x001265c4, nsEventStatus * aStatus=0x00126470) Line 1422	C++
 	HandleEvent(nsGUIEvent * aEvent=0x001265c4) Line 174	C++
 	nsWindow::DispatchEvent(nsGUIEvent * event=0x001265c4, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes	C++
 	nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x001265c4, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1128	C++
 	nsWindow::OnPaint(HDC__ * aDC=0x00000000) Line 5683 + 0x1e bytes	C++
 	nsWindow::ProcessMessage(unsigned int msg=15, unsigned int wParam=0, long lParam=0, long * aRetValue=0x00126aa0) Line 4246 + 0x15 bytes	C++
 	nsWindow::WindowProc(HWND__ * hWnd=0x00270706, unsigned int msg=15, unsigned int wParam=0, long lParam=0) Line 1291 + 0x1d bytes	C++
 	77d48734	
 	77d48816	
 	74730e71	
 	77d4b4c0	
 	77d4ebf3	
 	77d4ec03	
 	77d4b50c	
 	7c90eae3	
 	77d494d2	
 	77d4b530	
 	77d485a4	
 	77d5e04a	
 	77d48a10	
 	77d5e2b9	
 	77d561c6	
 	77d6a92e	
 	_output_s_l(_iobuf * stream=0x00620314, const char * format=0x00152370, localeinfo_struct * plocinfo=0x0017c0e8, char * argptr=0x00012012) Line 1164 + 0x17 bytes	C++
 	77d96060	
 	77d80577	
 	77d8052f	
 	__crtMessageBoxA(const char * lpText=0x00127320, const char * lpCaption=0x102d1174, unsigned int uType=73746) Line 145	C
 	__crtMessageWindowA(int nRptType=1, const char * szFile=0x00000000, const char * szLine=0x00000000, const char * szModule=0x00000000, const char * szUserMessage=0x00128394) Line 420 + 0x16 bytes	C
 	_VCrtDbgReportA(int nRptType=1, const char * szFile=0x00000000, int nLine=0, const char * szModule=0x00000000, const char * szFormat=0x102d0398, char * arglist=0x0012d428) Line 417 + 0x28 bytes	C
 	_CrtDbgReportV(int nRptType=1, const char * szFile=0x00000000, int nLine=0, const char * szModule=0x00000000, const char * szFormat=0x102d0398, char * arglist=0x0012d428) Line 300 + 0x1d bytes	C
 	_CrtDbgReport(int nRptType=1, const char * szFile=0x00000000, int nLine=0, const char * szModule=0x00000000, const char * szFormat=0x102d0398, ...) Line 317 + 0x1d bytes	C
 	_free_dbg_nolock(void * pUserData=0x0462ba30, int nBlockUse=1) Line 1276 + 0x33 bytes	C++
 	_free_dbg(void * pUserData=0x0462ba30, int nBlockUse=1) Line 1194 + 0xd bytes	C++
 	operator delete(void * pUserData=0x0462ba30) Line 54 + 0x10 bytes	C++
 	operator delete[](void * p=0x0462ba30) Line 21 + 0x9 bytes	C++
 	nsAutoIndexBuffer::~nsAutoIndexBuffer() Line 663 + 0x11 bytes	C++
 	nsTextFrame::PaintUnicodeText(nsPresContext * aPresContext=0x04396c78, nsIRenderingContext & aRenderingContext={...}, nsStyleContext * aStyleContext=0x046958b8, nsTextPaintStyle & aTextStyle={...}, int dx=120, int dy=4245) Line 3153 + 0x16 bytes	C++
 	nsTextFrame::PaintText(nsIRenderingContext & aRenderingContext={...}, nsPoint aPt={...}) Line 2080	C++
 	nsDisplayText::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x056a7e24, const nsRect & aDirtyRect={...}) Line 2011	C++
 	nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x056a7e24, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes	C++
 	nsDisplayWrapList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x056a7e24, const nsRect & aDirtyRect={...}) Line 671	C++
 	nsDisplayClip::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x056a7e24, const nsRect & aDirtyRect={...}) Line 903	C++
 	nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x056a7e24, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes	C++
 	nsLayoutUtils::PaintFrame(nsIRenderingContext * aRenderingContext=0x056a7e24, nsIFrame * aFrame=0x04c6f4b4, const nsRegion & aDirtyRegion={...}, unsigned int aBackground=4294967295) Line 720	C++
 	PresShell::Paint(nsIView * aView=0x05d5e310, nsIRenderingContext * aRenderingContext=0x056a7e24, const nsRegion & aDirtyRegion={...}) Line 5718 + 0x15 bytes	C++
 	nsViewManager::RenderViews(nsView * aView=0x04bfe300, nsIRenderingContext & aRC={...}, const nsRegion & aRegion={...}, nsIDrawingSurface * aRCSurface=0x00000000) Line 816	C++
 	nsViewManager::Refresh(nsView * aView=0x04bfe300, nsIRenderingContext * aContext=0x056a7e24, nsIRegion * aRegion=0x04b4c088, unsigned int aUpdateFlags=1) Line 580	C++
 	nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012e020, nsEventStatus * aStatus=0x0012decc) Line 1422	C++
 	HandleEvent(nsGUIEvent * aEvent=0x0012e020) Line 174	C++
 	nsWindow::DispatchEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes	C++
 	nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1128	C++
 	nsWindow::OnPaint(HDC__ * aDC=0x00000000) Line 5683 + 0x1e bytes	C++
 	nsWindow::ProcessMessage(unsigned int msg=15, unsigned int wParam=0, long lParam=0, long * aRetValue=0x0012e4fc) Line 4246 + 0x15 bytes	C++
 	nsWindow::WindowProc(HWND__ * hWnd=0x004706e6, unsigned int msg=15, unsigned int wParam=0, long lParam=0) Line 1291 + 0x1d bytes	C++
 	77d48734	
 	77d48816	
 	77d4b4c0	
 	77d4b50c	
 	7c90eae3	
 	77d4d83f	
 	77d4d82a	
 	nsWindow::Scroll(int aDx=0, int aDy=-96, nsRect * aClipRect=0x00000000) Line 3121	C++
 	nsScrollPortView::Scroll(nsView * aScrolledView=0x046848c8, nsPoint aTwipsDelta={...}, nsPoint aPixDelta={...}, float aT2P=0.066666670) Line 577	C++
 	nsScrollPortView::ScrollToImpl(int aX=0, int aY=6519810, unsigned int aUpdateFlags=0) Line 653	C++
 	nsScrollPortView::ScrollTo(int aDestinationX=0, int aDestinationY=6524490, unsigned int aUpdateFlags=0) Line 271 + 0x1e bytes	C++
 	nsScrollPortView::ScrollByWhole(int aTop=0) Line 468	C++
 	PresShell::CompleteScroll(int aForward=1) Line 3406	C++
 	nsSelectMoveScrollCommand::DoCommandBrowseWithCaretOff(const char * aCommandName=0x0012eb94, nsISelectionController * aSelectionController=0x0519d0b4) Line 354 + 0x10 bytes	C++
 	nsSelectMoveScrollCommand::DoSelectCommand(const char * aCommandName=0x0012eb94, nsIDOMWindow * aWindow=0x03badd00) Line 271 + 0x15 bytes	C++
 	nsSelectionCommandsBase::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandContext=0x03badd2c) Line 188 + 0x1a bytes	C++
 	nsControllerCommandTable::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandRefCon=0x03badd2c) Line 191 + 0x21 bytes	C++
 	nsBaseCommandController::DoCommand(const char * aCommand=0x0012eb94) Line 169 + 0x24 bytes	C++
 	nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * aReceiver=0x02ffe3e8, nsIDOMEvent * aEvent=0x04ebfe40) Line 361	C++
 	nsXBLWindowHandler::WalkHandlersInternal(nsIDOMEvent * aEvent=0x04ebfe40, nsIAtom * aEventType=0x02cea640, nsXBLPrototypeHandler * aHandler=0x02e9dac0) Line 322 + 0x15 bytes	C++
 	nsXBLWindowKeyHandler::WalkHandlers(nsIDOMEvent * aKeyEvent=0x04ebfe40, nsIAtom * aEventType=0x02cea640) Line 199	C++
 	nsXBLWindowKeyHandler::KeyPress(nsIDOMEvent * aKeyEvent=0x04ebfe40) Line 254	C++
 	DispatchToInterface(nsIDOMEvent * aEvent=0x04ebfe40, nsIDOMEventListener * aListener=0x03709c88, unsigned int (nsIDOMEvent *)* aMethod=0x01f199f0, const nsID & aIID={...}, int * aHasInterface=0x0012f08c) Line 145 + 0xb bytes	C++
 	nsEventListenerManager::HandleEvent(nsPresContext * aPresContext=0x04396c78, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * * aDOMEvent=0x0012f1a4, nsISupports * aCurrentTarget=0x02ffe3f4, unsigned int aFlags=514, nsEventStatus * aEventStatus=0x0012f1a8) Line 1742 + 0x26 bytes	C++
 	nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=514) Line 356	C++
 	nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=518, nsDispatchingCallback * aCallback=0x0012f260) Line 456	C++
 	nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6, nsDispatchingCallback * aCallback=0x0012f260) Line 486	C++
 	nsEventDispatcher::Dispatch(nsISupports * aTarget=0x03e233d0, nsPresContext * aPresContext=0x04396c78, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * aDOMEvent=0x00000000, nsEventStatus * aEventStatus=0x0012f330, nsDispatchingCallback * aCallback=0x0012f260, int aTargetIsChromeHandler=0) Line 639 + 0x12 bytes	C++
 	PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f51c, nsIView * aView=0x05d5e310, nsEventStatus * aStatus=0x0012f330) Line 6275 + 0x2b bytes	C++
 	PresShell::HandleEvent(nsIView * aView=0x05d5e310, nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aEventStatus=0x0012f330) Line 6046 + 0x17 bytes	C++
 	nsViewManager::HandleEvent(nsView * aView=0x05d5e310, nsPoint aPoint={...}, nsGUIEvent * aEvent=0x0012f51c, int aCaptured=0) Line 1665	C++
 	nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aStatus=0x0012f458) Line 1618 + 0x22 bytes	C++
 	HandleEvent(nsGUIEvent * aEvent=0x0012f51c) Line 174	C++
 	nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f51c, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes	C++
 	nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012f51c) Line 1123	C++
 	nsWindow::DispatchKeyEvent(unsigned int aEventType=131, unsigned short aCharCode=0, unsigned int aVirtualCharCode=35, long aKeyData=21954561, unsigned int aFlags=0) Line 3312 + 0x11 bytes	C++
 	nsWindow::OnKeyDown(unsigned int aVirtualKeyCode=35, unsigned int aScanCode=335, long aKeyData=21954561) Line 3503	C++
 	nsWindow::ProcessMessage(unsigned int msg=256, unsigned int wParam=35, long lParam=21954561, long * aRetValue=0x0012fa48) Line 4420 + 0x1d bytes	C++
 	nsWindow::WindowProc(HWND__ * hWnd=0x00270706, unsigned int msg=256, unsigned int wParam=35, long lParam=21954561) Line 1291 + 0x1d bytes	C++
 	77d48734	
 	77d48816	
 	77d489cd	
 	77d48a10	
 	nsAppShell::ProcessNextNativeEvent(int mayWait=0) Line 149	C++
 	nsBaseAppShell::DoProcessNextNativeEvent(int mayWait=0) Line 136 + 0x11 bytes	C++
 	nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal * thr=0x00b38d20, int mayWait=1, unsigned int recursionDepth=0) Line 209 + 0xd bytes	C++
 	nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fc34) Line 472	C++
 	NS_ProcessNextEvent_P(nsIThread * thread=0x00b38d20, int mayWait=1) Line 225 + 0x16 bytes	C++
 	nsBaseAppShell::Run() Line 153 + 0xc bytes	C++
 	nsAppStartup::Run() Line 171 + 0x1c bytes	C++
 	XRE_main(int argc=4, char * * argv=0x00b37e48, const nsXREAppData * aAppData=0x004036b0) Line 2349 + 0x25 bytes	C++
 	main(int argc=4, char * * argv=0x00b37e48) Line 61 + 0x13 bytes	C++
 	__tmainCRTStartup() Line 586 + 0x19 bytes	C
 	mainCRTStartup() Line 403	C
 	7c816d4f	
 	7c8399f3	
Comment 6 Boris Zbarsky [:bz] 2006-07-18 12:53:37 PDT
Ah, that seems to be the dialog for an assertion or some such coming up... OK.
Comment 7 Mats Palmgren (vacation) 2006-07-20 21:39:58 PDT
When you hit that "yikes - we just overwrote memory" assertion, could
dump the members of 'this' and the local variables please?
Comment 8 Jonathan Watt [:jwatt] 2006-07-21 03:45:56 PDT
Sure. Still working on permission to make the log available.


-	this	0x04d5e754 {mPrevContinuation=0x04d5e6a8 }	nsTextFrame * const
-		[nsContinuingTextFrame]	{mPrevContinuation=0x04d5e6a8 }	nsContinuingTextFrame
+			nsTextFrame	{mNextContinuation=0x00000000 mContentOffset=4181 mContentLength=114 ...}	nsTextFrame
+			mPrevContinuation	0x04d5e6a8 {mPrevContinuation=0x04d5e5fc }	nsIFrame *
-		nsFrame	{...}	nsFrame
+			nsBox	{gGotTheme=1 gTheme=0x02e8df50 }	nsBox
+			nsIFrameDebug	{...}	nsIFrameDebug
-		mNextContinuation	0x00000000 {mRect={...} mContent=??? mStyleContext=??? ...}	nsIFrame *
+			nsISupports	{...}	nsISupports
+			mRect	{x=??? y=??? width=??? ...}	nsRect
			mContent	CXX0017: Error: symbol "" not found	
			mStyleContext	CXX0017: Error: symbol "" not found	
			mParent	CXX0030: Error: expression cannot be evaluated	
			mNextSibling	CXX0030: Error: expression cannot be evaluated	
			mState	CXX0030: Error: expression cannot be evaluated	
		mContentOffset	4181	int
		mContentLength	114	int
		mColumn	0	int
		mAscent	180	int
-	aTX	{mFrag=0x03dd8e00 mOffset=4806 mMode=ePreformatted ...}	nsTextTransformer &
+		mFrag	0x03dd8e00 {m2b=0x04d6ede8 "lite3/src/delete.c
experimental.c
gcc -o experimental.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src  -I../../../dist/include   -I../../../dist/include/sqlite3 -I../../../dist/include/nspr    -I../../../dist/sdk/include    -fPIC  -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe  -DNDEBUG -DT" m1b=0x04d6ede8 "l" mAllBits=46891 ...}	const nsTextFragment *
		mOffset	4806	int
		mMode	ePreformatted	nsTextTransformer::<unnamed-tag>
		mLanguageSpecificTransformType	eLanguageSpecificTransformType_None	nsLanguageSpecificTransformType
+		mPresContext	0x03bae410 {mRefCnt={...} _mOwningThread={...} mType=eContext_Galley ...}	nsPresContext *
		mCharType	51643704	nsCharType
+		mTransformBuf	{mBuffer=0x03dca230 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src  -I../../../dist/include   -I../../../dist/include/sqlite3 -I../../../dist/include/nspr    -I../../../dist/sdk/include    -fPIC  -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe  -DNDEBUG -DTRIMMED -O   -include ../../../mozilla-co" mBufferLen=1228 mAutoBuffer=0x0012d854 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -D?" }	nsAutoTextBuffer
		mBufferPos	625	int
		mTextTransform	0	unsigned char
		mFlags	0	unsigned char
		sWordSelectListenerPrefChecked	1	int
		sWordSelectEatSpaceAfter	1	int
		sWordSelectStopAtPunctuation	1	int
-	aIndexBuffer	0x0012d58c {mBuffer=0x03d2ce38 mBufferLen=315 mAutoBuffer=0x0012d594 }	nsAutoIndexBuffer *
+		mBuffer	0x03d2ce38	int *
		mBufferLen	315	int
+		mAutoBuffer	0x0012d594	int [100]
-	aTextBuffer	0x0012d72c {mBuffer=0x03ba5148 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src  -I../../../dist/include   -I../../../dist/include/sqlite3 -I../../../dist/include/nspr    -I../../../dist/sdk/include    -fPIC  -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe  -DNDEBUG -DTRIMMED -O   -include ../../../mozilla-co" mBufferLen=853 mAutoBuffer=0x0012d734 "legacy.cildbot/slave/linux-staging/build?=?5?5??=?5?5??????" }	nsAutoTextBuffer *
+		mBuffer	0x03ba5148 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src  -I../../../dist/include   -I../../../dist/include/sqlite3 -I../../../dist/include/nspr    -I../../../dist/sdk/include    -fPIC  -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe  -DNDEBUG -DTRIMMED -O   -include ../../../mozilla-co"	unsigned short *
		mBufferLen	853	int
+		mAutoBuffer	0x0012d734 "legacy.cildbot/slave/linux-staging/build?=?5?5??=?5?5??????"	unsigned short [128]
-	aTextLen	0x0012d964	int *
		2579181	int
	aForceArabicShaping	0	int
-	aJustifiableCharCount	0x00000000	int *
		CXX0030: Error: expression cannot be evaluated	
	aRemoveMultipleTrimmedWS	0	int
	textTransform	0	unsigned char
	textLength	625	int
	dstOffset	625	int
-	tmpTextBuffer	{mBuffer=0x0012d390 "???????" mBufferLen=128 mAutoBuffer=0x0012d390 "???????" }	nsAutoTextBuffer
+		mBuffer	0x0012d390 "???????"	unsigned short *
		mBufferLen	128	int
+		mAutoBuffer	0x0012d390 "???????"	unsigned short [128]
-	textBuffer	0x0012d72c {mBuffer=0x03ba5148 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src  -I../../../dist/include   -I../../../dist/include/sqlite3 -I../../../dist/include/nspr    -I../../../dist/sdk/include    -fPIC  -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe  -DNDEBUG -DTRIMMED -O   -include ../../../mozilla-co" mBufferLen=853 mAutoBuffer=0x0012d734 "legacy.cildbot/slave/linux-staging/build?=?5?5??=?5?5??????" }	nsAutoTextBuffer *
+		mBuffer	0x03ba5148 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src  -I../../../dist/include   -I../../../dist/include/sqlite3 -I../../../dist/include/nspr    -I../../../dist/sdk/include    -fPIC  -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe  -DNDEBUG -DTRIMMED -O   -include ../../../mozilla-co"	unsigned short *
		mBufferLen	853	int
+		mAutoBuffer	0x0012d734 "legacy.cildbot/slave/linux-staging/build?=?5?5??=?5?5??????"	unsigned short [128]
-	indexp	0x03d2d7fc	int *
		-572662307	int
	inWord	0	int
	strInx	4806	int
	n	-511	int
	column	625	int
Comment 9 Jonathan Watt [:jwatt] 2006-07-27 16:10:31 PDT
Created attachment 231017 [details]
reduced build log that causes crash (7-zipped)

Here's the offending log. We believe all potentially sensitive lines have been removed, but please still treat this as confidential and limited to the security group.

The crash seems like it may be slightly harder to reproduce now that there are fewer lines in the log, but the pattern to reproduce it is still the same: as soon as the page starts loading hit the End button rapidly and it will crash. The faster you hit the End button, the more likely it is to crash and the more likely it is that the process will die without you even being asked if you want to open a debugger. Slightly slower and you are more likely to be asked if you want to open a debugger. Too slow and it will load without crashing.
Comment 10 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-08-07 07:17:17 PDT
Created attachment 232543 [details]
automatic testcase

This testcase 'automatically hits' the End key, and I've made the text more unreadable by replacing a lot of characters with 'x'.
Maybe this is useful, it only works locally (and current trunk build), because of the use of enhanced privileges.
Comment 11 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2006-08-07 15:52:17 PDT
That testcase is moz-log.zip and wants me to download it.
Comment 12 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-08-07 15:54:08 PDT
(In reply to comment #11)
> That testcase is moz-log.zip and wants me to download it.

Yes, that's correct, it's a very large html file, I'm not sure if it can be made much smaller and still crash.

Comment 13 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2006-08-07 17:52:40 PDT
This is an overflow of nsAutoIndexBuffer. We get into PaintUnicodeText with the frame mapping 55 characters starting at offset 1796 (the entire textnode is 5947 characters). I'm not sure how we get into this state, something to do with incremental parsing/reflow or something. Anyway, it's not necessarily wrong.

The problem is that PaintUnicodeText sets up the nsAutoIndexBuffer to have enough entries for mContentLen, 55 characters. But PrepareUnicodeText calls nsTextTransformer::GetNextWord starting at offset 1796 and finds a word 582 characters long. It then proceeds to fill the nsAutoIndexBuffer with 582 entries which wipes out the stack.
Comment 14 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2006-08-07 18:27:07 PDT
Created attachment 232648 [details] [diff] [review]
fix

We just need to extend these checks that already exist.

I'm not 100% sure about this, there could be some unexpected situation where we rely on going past the frame bounds, perhaps. I doubt it. This needs to bake on trunk before we think about branches, although it is needed on branches.
Comment 15 timeless 2006-08-07 22:00:44 PDT
jar:https://bugzilla.mozilla.org/attachment.cgi?id=232543!/moz-log.html

fwiw, except that i don't understand what it means by automatic, i had to manually press end repeatedly to get it to crash.

note that trunk builds will let you build these urls youself just do

jar:{url}/ and browse to the file you like.
Comment 16 Simon Montagu :smontagu 2006-08-07 22:32:33 PDT
Comment on attachment 232648 [details] [diff] [review]
fix

(In reply to comment #14)
> I'm not 100% sure about this, there could be some unexpected situation where we
> rely on going past the frame bounds, perhaps.

That bothers me too. Or maybe we don't rely on going past the frame bounds but we really should, e.g. if there are combining characters split between two frames, which we tend to mess up.

As you say, let's bake this on the trunk with the intention of getting it on the branches as a bandaid and doing something smarter on the trunk in the long term.
Comment 17 rbs 2006-08-07 23:09:36 PDT
Comment on attachment 232648 [details] [diff] [review]
fix

sr=rbs
Comment 18 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2006-08-15 18:57:54 PDT
checked in.

This needs to bake for a while, then we need to think about branch landing.
Comment 19 Daniel Veditz [:dveditz] 2006-08-23 01:33:52 PDT
How much of a while do you think it need baking? 1.8.0.7 material? or wait for 1.8.0.8 in a couple months?
Comment 20 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2006-08-24 00:51:26 PDT
Comment on attachment 232648 [details] [diff] [review]
fix

This fixes a serious maybe-potentially-exploitable stack overflow.

See comment #16; we're not 100% confident of the correctness. If it does cause problems, they should only occur in very rare cases where this would already have overflowed with unpredictable results.
Comment 21 Daniel Veditz [:dveditz] 2006-08-24 01:19:08 PDT
The reason I ask about the 1.8.0 branch is because this patch appears to fix bug 348514, reported to Bugtraq/Full-Disclosure by Michal Zalewski. It would be really nice to get it into 1.8.0.7 if it's not unduly risky.
Comment 22 Mike Schroepfer 2006-08-24 10:37:03 PDT
Comment on attachment 232648 [details] [diff] [review]
fix

a=schrep for drivers.
Comment 23 Daniel Veditz [:dveditz] 2006-08-24 11:30:22 PDT
Comment on attachment 232648 [details] [diff] [review]
fix

approved for 1.8.0 branch, a=dveditz for drivers
Comment 24 georgi - hopefully not receiving bugspam 2006-08-25 00:41:19 PDT
i am not sure this is effective - race conditions are difficult to debug and timing dependent.

modification of lcamtuf's bug crashed trunk only once with this patch, so i may have the timings wrong.

what about checking that |indexp| doesn't overflow and if tries to overflow just return - probably will be easy with 2 macros - one conditional and one warning and returning?

just warning about overflow and continuing execution is quite strange coding practice.

Comment 25 rbs 2006-08-25 01:02:58 PDT
There are legitimate cases where the condition happens -- where we deliberate want to chop the text. The catch-22 is to identify the illegimate cases (of real overflow).
Comment 26 georgi - hopefully not receiving bugspam 2006-08-25 02:33:15 PDT
(In reply to comment #25)
> There are legitimate cases where the condition happens -- where we deliberate
> want to chop the text. 

is there a testcase where the condition happens, i.e. the romantic assertion is hit?

Comment 27 rbs 2006-08-25 03:37:09 PDT
You seem to be referring to something else (the painting?). I was referring to the patch (and its vicinity -- see also comment 13).

It seems unlikely to hit the 'yikes' assertion at this point (with this patch), if we do, it would mean that there is a bad caller who didn't .Grow() a large enough buffer. Looking a the call sites, they seemed to be fine to me. But we can add a further protection:

   PRInt32 n = mContentLength;
+  if (aIndexBuffer) {
+     NS_ASSERTION(n < aIndexBuffer->mBufferLen, "bad caller");
+     n = PR_MAX(n, aIndexBuffer->mBufferLen-1);
+   }
Comment 28 georgi - hopefully not receiving bugspam 2006-08-25 04:21:13 PDT
(In reply to comment #27)
> You seem to be referring to something else (the painting?). I was referring to
> the patch (and its vicinity -- see also comment 13).
> 
> It seems unlikely to hit the 'yikes' assertion at this point (with this patch),
> if we do, it would mean that there is a bad caller who didn't .Grow() a large
> enough buffer. Looking a the call sites, they seemed to be fine to me. But we
> can add a further protection:

yes, i meant the 'yikes' assertion - believe that if it is hit, memory is overwritten - exploitable state.

to clarify what i meant - add the condition of the 'yikes' assertion in the loops where indexp is written to. after the loop check if it exited due to indexp too large, warn and return() - probably via macros.

note that just abort()ing on the assertion leaves another race and may not be safe for other reasons.
Comment 29 rbs 2006-08-25 04:40:48 PDT
+     n = PR_MAX(n, aIndexBuffer->mBufferLen-1);
s/PR_MAX/PR_MIN/

If we still hit the assertion, that code should really be re-audited to see it is scanning pass the maximum given length (n).
Comment 30 georgi - hopefully not receiving bugspam 2006-08-25 06:43:16 PDT
(In reply to comment #29)
> 
> If we still hit the assertion, that code should really be re-audited to see it
> is scanning pass the maximum given length (n).
> 

asynchronous events make auditing really difficult. both testcases (this one and lcamtuf's bug) that trigger the assertion relied on timing afaik.

though the problem may be somewhere else, not in nsTextFrame.

Comment 31 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2006-08-25 21:35:59 PDT
Fixed on branches
Comment 32 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-08-30 15:27:39 PDT
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060829 Firefox/1.5.0.7
and
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b2) Gecko/20060830 BonEcho/2.0b2

I can see the crash with the testcase, using Firefox1.5.0.6.
Comment 33 Alexander Sack 2006-09-08 02:10:13 PDT
Can't see a crash on 1.0.x .... is that sane/expected?
Comment 34 Daniel Veditz [:dveditz] 2006-09-10 19:15:14 PDT
*** Bug 347304 has been marked as a duplicate of this bug. ***
Comment 35 Alexander Sack 2006-09-15 11:39:14 PDT
on 1.0.x I don't see a crash on attachment 232543 [details] (automatic testcase) ... further I only see a deep recursion crash in bug 348514 attachment 233470 [details] and no crash at all for the other testcase 2.

Comment 36 Marco Sousa 2006-10-25 07:48:39 PDT
NOT FIXED in FIREFOX 2.0 RC3 and FINAL
Comment 37 Jonathan Watt [:jwatt] 2006-10-25 08:11:31 PDT
What makes you say that? The patch was included in Firefox 2, it was verified as fixed in Firefox 2 by Martijn, and I can't get Firefox 2 to crash either.
Comment 38 Frank Wein [:mcsmurf] 2006-10-27 01:19:24 PDT
He's probably meaning the comments in Bug 348514, see Bug 348514 Comment 66 and below.

Note You need to log in before you can comment on or make changes to this bug.