Bug 345071 - Crash [@ nsTextFrame::PrepareUnicodeText]
Status: Closed (VERIFIED FIXED)
Opened 18 years ago; closed 18 years ago
Categories: Core :: Layout, defect
People: Reporter: jwatt, Assigned: roc
Keywords: crash, verified1.8.0.7, verified1.8.1; Whiteboard: [sg:critical]
Attachments (3 files):
  228.34 KB, application/octet-stream
  256.19 KB, application/zip
  2.98 KB, patch (smontagu: review+; rbs: superreview+; dveditz: approval1.8.0.7+; mtschrep: approval1.8.1+)
I've encountered an html page that will crash ff1.5 (downloaded from mozilla.org way back when) and current trunk (a debug build I've built myself using vc8). The page is very large, and only crashes if you keep hitting the End key on your keyboard while the page is loading. Testing on the debug trunk build, most of the time the firefox process just disappears. There's no warning, no prompt to open the debugger. Nothing. Sometimes I get the exception:
###!!! ASSERTION: yikes - we just overwrote memory: 'indexp <= aIndexBuffer->mBuffer + aIndexBuffer->mBufferLen', file c:/mozilla/trees/trunk/mozilla/layout/generic/nsTextFrame.cpp, line 2375
occurring at:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/generic/nsTextFrame.cpp&rev=1.582&mark=2366,2367,2374,2375#2361
and on entering the debugger from there the stack is:
> nsTextFrame::PrepareUnicodeText(nsTextTransformer & aTX={...}, nsAutoIndexBuffer * aIndexBuffer=0x0012d58c, nsAutoTextBuffer * aTextBuffer=0x0012d72c, int * aTextLen=0x0012d964, int aForceArabicShaping=0, int * aJustifiableCharCount=0x00000000, int aRemoveMultipleTrimmedWS=0) Line 2375 + 0x2f bytes C++
nsTextFrame::PaintUnicodeText(nsPresContext * aPresContext=0x03d16820, nsIRenderingContext & aRenderingContext={...}, nsStyleContext * aStyleContext=0x045e5b78, nsTextPaintStyle & aTextStyle={...}, int dx=120, int dy=4245) Line 2932 C++
nsTextFrame::PaintText(nsIRenderingContext & aRenderingContext={...}, nsPoint aPt={...}) Line 2080 C++
nsDisplayText::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x03d0d89c, const nsRect & aDirtyRect={...}) Line 2011 C++
nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x03d0d89c, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes C++
nsDisplayWrapList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x03d0d89c, const nsRect & aDirtyRect={...}) Line 671 C++
nsDisplayClip::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x03d0d89c, const nsRect & aDirtyRect={...}) Line 903 C++
nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x03d0d89c, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes C++
nsLayoutUtils::PaintFrame(nsIRenderingContext * aRenderingContext=0x03d0d89c, nsIFrame * aFrame=0x045c9e0c, const nsRegion & aDirtyRegion={...}, unsigned int aBackground=4294967295) Line 720 C++
PresShell::Paint(nsIView * aView=0x045b7c88, nsIRenderingContext * aRenderingContext=0x03d0d89c, const nsRegion & aDirtyRegion={...}) Line 5718 + 0x15 bytes C++
nsViewManager::RenderViews(nsView * aView=0x04611cf0, nsIRenderingContext & aRC={...}, const nsRegion & aRegion={...}, nsIDrawingSurface * aRCSurface=0x00000000) Line 816 C++
nsViewManager::Refresh(nsView * aView=0x04611cf0, nsIRenderingContext * aContext=0x03d0d89c, nsIRegion * aRegion=0x03cf0888, unsigned int aUpdateFlags=1) Line 580 C++
nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012e020, nsEventStatus * aStatus=0x0012decc) Line 1422 C++
HandleEvent(nsGUIEvent * aEvent=0x0012e020) Line 174 C++
nsWindow::DispatchEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes C++
nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1128 C++
nsWindow::OnPaint(HDC__ * aDC=0x00000000) Line 5683 + 0x1e bytes C++
nsWindow::ProcessMessage(unsigned int msg=15, unsigned int wParam=0, long lParam=0, long * aRetValue=0x0012e4fc) Line 4246 + 0x15 bytes C++
nsWindow::WindowProc(HWND__ * hWnd=0x00440668, unsigned int msg=15, unsigned int wParam=0, long lParam=0) Line 1291 + 0x1d bytes C++
77d48734
77d48816
77d4b4c0
77d4b50c
7c90eae3
77d4d83f
77d4d82a
nsWindow::Scroll(int aDx=0, int aDy=-3808, nsRect * aClipRect=0x00000000) Line 3121 C++
nsScrollPortView::Scroll(nsView * aScrolledView=0x0460e6d0, nsPoint aTwipsDelta={...}, nsPoint aPixDelta={...}, float aT2P=0.066666670) Line 577 C++
nsScrollPortView::ScrollToImpl(int aX=0, int aY=2294610, unsigned int aUpdateFlags=0) Line 653 C++
nsScrollPortView::ScrollTo(int aDestinationX=0, int aDestinationY=2299290, unsigned int aUpdateFlags=0) Line 271 + 0x1e bytes C++
nsScrollPortView::ScrollByWhole(int aTop=0) Line 468 C++
PresShell::CompleteScroll(int aForward=1) Line 3406 C++
nsSelectMoveScrollCommand::DoCommandBrowseWithCaretOff(const char * aCommandName=0x0012eb94, nsISelectionController * aSelectionController=0x045c907c) Line 354 + 0x10 bytes C++
nsSelectMoveScrollCommand::DoSelectCommand(const char * aCommandName=0x0012eb94, nsIDOMWindow * aWindow=0x02de1398) Line 271 + 0x15 bytes C++
nsSelectionCommandsBase::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandContext=0x02de13c4) Line 188 + 0x1a bytes C++
nsControllerCommandTable::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandRefCon=0x02de13c4) Line 191 + 0x21 bytes C++
nsBaseCommandController::DoCommand(const char * aCommand=0x0012eb94) Line 169 + 0x24 bytes C++
nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * aReceiver=0x02ff06a8, nsIDOMEvent * aEvent=0x03eb7f40) Line 361 C++
nsXBLWindowHandler::WalkHandlersInternal(nsIDOMEvent * aEvent=0x03eb7f40, nsIAtom * aEventType=0x02cea640, nsXBLPrototypeHandler * aHandler=0x03c8eef0) Line 322 + 0x15 bytes C++
nsXBLWindowKeyHandler::WalkHandlers(nsIDOMEvent * aKeyEvent=0x03eb7f40, nsIAtom * aEventType=0x02cea640) Line 199 C++
nsXBLWindowKeyHandler::KeyPress(nsIDOMEvent * aKeyEvent=0x03eb7f40) Line 254 C++
DispatchToInterface(nsIDOMEvent * aEvent=0x03eb7f40, nsIDOMEventListener * aListener=0x02ffbf20, unsigned int (nsIDOMEvent *)* aMethod=0x01f199f0, const nsID & aIID={...}, int * aHasInterface=0x0012f08c) Line 145 + 0xb bytes C++
nsEventListenerManager::HandleEvent(nsPresContext * aPresContext=0x03d16820, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * * aDOMEvent=0x0012f1a4, nsISupports * aCurrentTarget=0x02ff06b4, unsigned int aFlags=514, nsEventStatus * aEventStatus=0x0012f1a8) Line 1742 + 0x26 bytes C++
nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=514) Line 356 C++
nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=518, nsDispatchingCallback * aCallback=0x0012f260) Line 456 C++
nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6, nsDispatchingCallback * aCallback=0x0012f260) Line 486 C++
nsEventDispatcher::Dispatch(nsISupports * aTarget=0x0459fc90, nsPresContext * aPresContext=0x03d16820, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * aDOMEvent=0x00000000, nsEventStatus * aEventStatus=0x0012f330, nsDispatchingCallback * aCallback=0x0012f260, int aTargetIsChromeHandler=0) Line 639 + 0x12 bytes C++
PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f51c, nsIView * aView=0x045b7c88, nsEventStatus * aStatus=0x0012f330) Line 6275 + 0x2b bytes C++
PresShell::HandleEvent(nsIView * aView=0x045b7c88, nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aEventStatus=0x0012f330) Line 6046 + 0x17 bytes C++
nsViewManager::HandleEvent(nsView * aView=0x045b7c88, nsPoint aPoint={...}, nsGUIEvent * aEvent=0x0012f51c, int aCaptured=0) Line 1665 C++
nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aStatus=0x0012f458) Line 1618 + 0x22 bytes C++
HandleEvent(nsGUIEvent * aEvent=0x0012f51c) Line 174 C++
nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f51c, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes C++
nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012f51c) Line 1123 C++
nsWindow::DispatchKeyEvent(unsigned int aEventType=131, unsigned short aCharCode=0, unsigned int aVirtualCharCode=35, long aKeyData=21954561, unsigned int aFlags=0) Line 3312 + 0x11 bytes C++
nsWindow::OnKeyDown(unsigned int aVirtualKeyCode=35, unsigned int aScanCode=335, long aKeyData=21954561) Line 3503 C++
nsWindow::ProcessMessage(unsigned int msg=256, unsigned int wParam=35, long lParam=21954561, long * aRetValue=0x0012fa48) Line 4420 + 0x1d bytes C++
nsWindow::WindowProc(HWND__ * hWnd=0x0036067e, unsigned int msg=256, unsigned int wParam=35, long lParam=21954561) Line 1291 + 0x1d bytes C++
77d48734
77d48816
77d489cd
77d48a10
nsAppShell::ProcessNextNativeEvent(int mayWait=0) Line 149 C++
nsBaseAppShell::DoProcessNextNativeEvent(int mayWait=0) Line 136 + 0x11 bytes C++
nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal * thr=0x00b38d20, int mayWait=1, unsigned int recursionDepth=0) Line 209 + 0xd bytes C++
nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fc34) Line 472 C++
NS_ProcessNextEvent_P(nsIThread * thread=0x00b38d20, int mayWait=1) Line 225 + 0x16 bytes C++
nsBaseAppShell::Run() Line 153 + 0xc bytes C++
nsAppStartup::Run() Line 171 + 0x1c bytes C++
XRE_main(int argc=4, char * * argv=0x00b37e48, const nsXREAppData * aAppData=0x004036b0) Line 2349 + 0x25 bytes C++
main(int argc=4, char * * argv=0x00b37e48) Line 61 + 0x13 bytes C++
__tmainCRTStartup() Line 586 + 0x19 bytes C
mainCRTStartup() Line 403 C
7c816d4f
7c8399f3
I then get a considerable number (~50) of these assertions:
###!!! ASSERTION: recursive painting not permitted: '!IsPainting()', file c:/mozilla/trees/trunk/mozilla/view/src/nsViewManager.cpp, line 505
before I get a VS window that says something about heap corruption and buffer overflow/overrun. Continuing from that I get a crash. The times I've managed to get the debugger up *and* get to this VS window I've had to kill VS because I keep running out of memory. Therefore I haven't got a stack from the crash that follows this series of events, but some of the time I get a crash without any assertions or VS window. One such stack is below. The message I got with this stack was "an unhandled win32 exception occurred in firefox.exe [5152]".
> memcpy(unsigned char * dst=0x0000072c, unsigned char * src=0x0012d854, unsigned long count=256) Line 188 Asm
nsTextFrame::PrepareUnicodeText(nsTextTransformer & aTX={...}, nsAutoIndexBuffer * aIndexBuffer=0x0012d58c, nsAutoTextBuffer * aTextBuffer=0x0012d72c, int * aTextLen=0x0012d964, int aForceArabicShaping=0, int * aJustifiableCharCount=0x00000000, int aRemoveMultipleTrimmedWS=0) Line 2367 + 0x24 bytes C++
nsTextFrame::PaintUnicodeText(nsPresContext * aPresContext=0x03cfb088, nsIRenderingContext & aRenderingContext={...}, nsStyleContext * aStyleContext=0x044f62d0, nsTextPaintStyle & aTextStyle={...}, int dx=120, int dy=4245) Line 2932 C++
nsTextFrame::PaintText(nsIRenderingContext & aRenderingContext={...}, nsPoint aPt={...}) Line 2080 C++
nsDisplayText::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x044f1c3c, const nsRect & aDirtyRect={...}) Line 2011 C++
nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x044f1c3c, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes C++
nsDisplayWrapList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x044f1c3c, const nsRect & aDirtyRect={...}) Line 671 C++
nsDisplayClip::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x044f1c3c, const nsRect & aDirtyRect={...}) Line 903 C++
nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x044f1c3c, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes C++
nsLayoutUtils::PaintFrame(nsIRenderingContext * aRenderingContext=0x044f1c3c, nsIFrame * aFrame=0x03ec8264, const nsRegion & aDirtyRegion={...}, unsigned int aBackground=4294967295) Line 720 C++
PresShell::Paint(nsIView * aView=0x044d8688, nsIRenderingContext * aRenderingContext=0x044f1c3c, const nsRegion & aDirtyRegion={...}) Line 5718 + 0x15 bytes C++
nsViewManager::RenderViews(nsView * aView=0x04507ea0, nsIRenderingContext & aRC={...}, const nsRegion & aRegion={...}, nsIDrawingSurface * aRCSurface=0x00000000) Line 816 C++
nsViewManager::Refresh(nsView * aView=0x04507ea0, nsIRenderingContext * aContext=0x044f1c3c, nsIRegion * aRegion=0x0445a0b0, unsigned int aUpdateFlags=1) Line 580 C++
nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012e020, nsEventStatus * aStatus=0x0012decc) Line 1422 C++
HandleEvent(nsGUIEvent * aEvent=0x0012e020) Line 174 C++
nsWindow::DispatchEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes C++
nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1128 C++
nsWindow::OnPaint(HDC__ * aDC=0x00000000) Line 5683 + 0x1e bytes C++
nsWindow::ProcessMessage(unsigned int msg=15, unsigned int wParam=0, long lParam=0, long * aRetValue=0x0012e4fc) Line 4246 + 0x15 bytes C++
nsWindow::WindowProc(HWND__ * hWnd=0x003802c4, unsigned int msg=15, unsigned int wParam=0, long lParam=0) Line 1291 + 0x1d bytes C++
77d48734
[Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]
77d48816
77d4b4c0
77d4b50c
7c90eae3
77d4d83f
77d4d82a
nsWindow::Scroll(int aDx=0, int aDy=-7408, nsRect * aClipRect=0x00000000) Line 3121 C++
nsScrollPortView::Scroll(nsView * aScrolledView=0x04504ed8, nsPoint aTwipsDelta={...}, nsPoint aPixDelta={...}, float aT2P=0.066666670) Line 577 C++
nsScrollPortView::ScrollToImpl(int aX=0, int aY=716370, unsigned int aUpdateFlags=0) Line 653 C++
nsScrollPortView::ScrollTo(int aDestinationX=0, int aDestinationY=721050, unsigned int aUpdateFlags=0) Line 271 + 0x1e bytes C++
nsScrollPortView::ScrollByWhole(int aTop=0) Line 468 C++
PresShell::CompleteScroll(int aForward=1) Line 3406 C++
nsSelectMoveScrollCommand::DoCommandBrowseWithCaretOff(const char * aCommandName=0x0012eb94, nsISelectionController * aSelectionController=0x044cdd8c) Line 354 + 0x10 bytes C++
nsSelectMoveScrollCommand::DoSelectCommand(const char * aCommandName=0x0012eb94, nsIDOMWindow * aWindow=0x03907340) Line 271 + 0x15 bytes C++
nsSelectionCommandsBase::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandContext=0x0390736c) Line 188 + 0x1a bytes C++
nsControllerCommandTable::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandRefCon=0x0390736c) Line 191 + 0x21 bytes C++
nsBaseCommandController::DoCommand(const char * aCommand=0x0012eb94) Line 169 + 0x24 bytes C++
nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * aReceiver=0x02ff10b0, nsIDOMEvent * aEvent=0x04529658) Line 361 C++
nsXBLWindowHandler::WalkHandlersInternal(nsIDOMEvent * aEvent=0x04529658, nsIAtom * aEventType=0x02cea640, nsXBLPrototypeHandler * aHandler=0x03c8f320) Line 322 + 0x15 bytes C++
nsXBLWindowKeyHandler::WalkHandlers(nsIDOMEvent * aKeyEvent=0x04529658, nsIAtom * aEventType=0x02cea640) Line 199 C++
nsXBLWindowKeyHandler::KeyPress(nsIDOMEvent * aKeyEvent=0x04529658) Line 254 C++
DispatchToInterface(nsIDOMEvent * aEvent=0x04529658, nsIDOMEventListener * aListener=0x02ffc918, unsigned int (nsIDOMEvent *)* aMethod=0x01f199f0, const nsID & aIID={...}, int * aHasInterface=0x0012f08c) Line 145 + 0xb bytes C++
nsEventListenerManager::HandleEvent(nsPresContext * aPresContext=0x03cfb088, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * * aDOMEvent=0x0012f1a4, nsISupports * aCurrentTarget=0x02ff10bc, unsigned int aFlags=514, nsEventStatus * aEventStatus=0x0012f1a8) Line 1742 + 0x26 bytes C++
nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=514) Line 356 C++
nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=518, nsDispatchingCallback * aCallback=0x0012f260) Line 456 C++
nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6, nsDispatchingCallback * aCallback=0x0012f260) Line 486 C++
nsEventDispatcher::Dispatch(nsISupports * aTarget=0x03ee3a20, nsPresContext * aPresContext=0x03cfb088, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * aDOMEvent=0x00000000, nsEventStatus * aEventStatus=0x0012f330, nsDispatchingCallback * aCallback=0x0012f260, int aTargetIsChromeHandler=0) Line 639 + 0x12 bytes C++
PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f51c, nsIView * aView=0x044d8688, nsEventStatus * aStatus=0x0012f330) Line 6275 + 0x2b bytes C++
PresShell::HandleEvent(nsIView * aView=0x044d8688, nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aEventStatus=0x0012f330) Line 6046 + 0x17 bytes C++
nsViewManager::HandleEvent(nsView * aView=0x044d8688, nsPoint aPoint={...}, nsGUIEvent * aEvent=0x0012f51c, int aCaptured=0) Line 1665 C++
nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aStatus=0x0012f458) Line 1618 + 0x22 bytes C++
HandleEvent(nsGUIEvent * aEvent=0x0012f51c) Line 174 C++
nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f51c, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes C++
nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012f51c) Line 1123 C++
nsWindow::DispatchKeyEvent(unsigned int aEventType=131, unsigned short aCharCode=0, unsigned int aVirtualCharCode=35, long aKeyData=21954561, unsigned int aFlags=0) Line 3312 + 0x11 bytes C++
nsWindow::OnKeyDown(unsigned int aVirtualKeyCode=35, unsigned int aScanCode=335, long aKeyData=21954561) Line 3503 C++
nsWindow::ProcessMessage(unsigned int msg=256, unsigned int wParam=35, long lParam=21954561, long * aRetValue=0x0012fa48) Line 4420 + 0x1d bytes C++
nsWindow::WindowProc(HWND__ * hWnd=0x001602fa, unsigned int msg=256, unsigned int wParam=35, long lParam=21954561) Line 1291 + 0x1d bytes C++
77d48734
77d48816
77d489cd
77d48a10
nsAppShell::ProcessNextNativeEvent(int mayWait=0) Line 149 C++
nsBaseAppShell::DoProcessNextNativeEvent(int mayWait=0) Line 136 + 0x11 bytes C++
nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal * thr=0x00b38d20, int mayWait=1, unsigned int recursionDepth=0) Line 222 C++
nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fc34) Line 472 C++
NS_ProcessNextEvent_P(nsIThread * thread=0x00b38d20, int mayWait=1) Line 225 + 0x16 bytes C++
nsBaseAppShell::Run() Line 153 + 0xc bytes C++
nsAppStartup::Run() Line 171 + 0x1c bytes C++
XRE_main(int argc=4, char * * argv=0x00b37e48, const nsXREAppData * aAppData=0x004036b0) Line 2349 + 0x25 bytes C++
main(int argc=4, char * * argv=0x00b37e48) Line 61 + 0x13 bytes C++
__tmainCRTStartup() Line 586 + 0x19 bytes C
mainCRTStartup() Line 403 C
7c816d4f
7c8399f3
Comment 1 • 18 years ago
> ###!!! ASSERTION: recursive painting not permitted: '!IsPainting()', file
> c:/mozilla/trees/trunk/mozilla/view/src/nsViewManager.cpp, line 505
What's the stack to this?
ccing some folks who know textframe code...
Comment 2 • 18 years ago
Could you attach the page causing this? (compress it if it's too big)
Or put it up on a web server somewhere?
Comment 3 (Reporter) • 18 years ago
Forgot. I also got a heap of these in the console:
++DOMWINDOW == 7
nsLineLayout: Text(1)@0454DD60 metrics=624240,240!
nsLineLayout: Inline(span)(129)@04561A28 metrics=653040,240!
Block(pre)(4)@043DBE20: line=04561A60 xmost=653040
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:653040
nsLineLayout: Text(1)@045CFF04 metrics=613680,240!
nsLineLayout: Inline(span)(163)@045CFF48 metrics=613680,240!
Block(pre)(4)@043DBE20: line=045CFF80 xmost=670680
nsLineLayout: Inline(span)(165)@045CFFF4 metrics=671160,240!
Block(pre)(4)@043DBE20: line=045D002C xmost=671160
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:670680
Block(pre)(4)@043DBE20: WARNING: xmost:671160
Block(pre)(4)@043DBE20: line=045F9E20 xmost=809280
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:670680
Block(pre)(4)@043DBE20: WARNING: xmost:671160
Block(pre)(4)@043DBE20: line=045F9E20 xmost=809280
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:670680
Block(pre)(4)@043DBE20: WARNING: xmost:671160
Block(pre)(4)@043DBE20: WARNING: xmost:809280
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:670680
Block(pre)(4)@043DBE20: WARNING: xmost:671160
Block(pre)(4)@043DBE20: WARNING: xmost:809280
--DOMWINDOW == 6
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:670680
Block(pre)(4)@043DBE20: WARNING: xmost:671160
Block(pre)(4)@043DBE20: WARNING: xmost:809280
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:670680
Block(pre)(4)@043DBE20: WARNING: xmost:671160
Block(pre)(4)@043DBE20: WARNING: xmost:809280
Block(pre)(4)@043DBE20: WARNING: xmost:653040
Block(pre)(4)@043DBE20: WARNING: xmost:670680
Block(pre)(4)@043DBE20: WARNING: xmost:671160
[snip]
Comment 4 (Reporter) • 18 years ago
Mats: sorry, I forgot to mention that the file isn't something I can share at this point - hence why I'm trying to provide as much info as possible. I'm seeking permission from my boss to give access to at least some people, and I'll do some more testing to see if I can't reproduce on a modified or alternative file tomorrow.
Comment 5 (Reporter) • 18 years ago
> > ###!!! ASSERTION: recursive painting not permitted: '!IsPainting()', file
> > c:/mozilla/trees/trunk/mozilla/view/src/nsViewManager.cpp, line 505
>
> What's the stack to this?
It's (apologies for likely pasting too much):
> nsViewManager::Refresh(nsView * aView=0x05d5e310, nsIRenderingContext * aContext=0x04a9295c, nsIRegion * aRegion=0x0575edc8, unsigned int aUpdateFlags=1) Line 505 + 0x2b bytes C++
nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x001265c4, nsEventStatus * aStatus=0x00126470) Line 1422 C++
HandleEvent(nsGUIEvent * aEvent=0x001265c4) Line 174 C++
nsWindow::DispatchEvent(nsGUIEvent * event=0x001265c4, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes C++
nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x001265c4, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1128 C++
nsWindow::OnPaint(HDC__ * aDC=0x00000000) Line 5683 + 0x1e bytes C++
nsWindow::ProcessMessage(unsigned int msg=15, unsigned int wParam=0, long lParam=0, long * aRetValue=0x00126aa0) Line 4246 + 0x15 bytes C++
nsWindow::WindowProc(HWND__ * hWnd=0x00270706, unsigned int msg=15, unsigned int wParam=0, long lParam=0) Line 1291 + 0x1d bytes C++
77d48734
77d48816
74730e71
77d4b4c0
77d4ebf3
77d4ec03
77d4b50c
7c90eae3
77d494d2
77d4b530
77d485a4
77d5e04a
77d48a10
77d5e2b9
77d561c6
77d6a92e
_output_s_l(_iobuf * stream=0x00620314, const char * format=0x00152370, localeinfo_struct * plocinfo=0x0017c0e8, char * argptr=0x00012012) Line 1164 + 0x17 bytes C++
77d96060
77d80577
77d8052f
__crtMessageBoxA(const char * lpText=0x00127320, const char * lpCaption=0x102d1174, unsigned int uType=73746) Line 145 C
__crtMessageWindowA(int nRptType=1, const char * szFile=0x00000000, const char * szLine=0x00000000, const char * szModule=0x00000000, const char * szUserMessage=0x00128394) Line 420 + 0x16 bytes C
_VCrtDbgReportA(int nRptType=1, const char * szFile=0x00000000, int nLine=0, const char * szModule=0x00000000, const char * szFormat=0x102d0398, char * arglist=0x0012d428) Line 417 + 0x28 bytes C
_CrtDbgReportV(int nRptType=1, const char * szFile=0x00000000, int nLine=0, const char * szModule=0x00000000, const char * szFormat=0x102d0398, char * arglist=0x0012d428) Line 300 + 0x1d bytes C
_CrtDbgReport(int nRptType=1, const char * szFile=0x00000000, int nLine=0, const char * szModule=0x00000000, const char * szFormat=0x102d0398, ...) Line 317 + 0x1d bytes C
_free_dbg_nolock(void * pUserData=0x0462ba30, int nBlockUse=1) Line 1276 + 0x33 bytes C++
_free_dbg(void * pUserData=0x0462ba30, int nBlockUse=1) Line 1194 + 0xd bytes C++
operator delete(void * pUserData=0x0462ba30) Line 54 + 0x10 bytes C++
operator delete[](void * p=0x0462ba30) Line 21 + 0x9 bytes C++
nsAutoIndexBuffer::~nsAutoIndexBuffer() Line 663 + 0x11 bytes C++
nsTextFrame::PaintUnicodeText(nsPresContext * aPresContext=0x04396c78, nsIRenderingContext & aRenderingContext={...}, nsStyleContext * aStyleContext=0x046958b8, nsTextPaintStyle & aTextStyle={...}, int dx=120, int dy=4245) Line 3153 + 0x16 bytes C++
nsTextFrame::PaintText(nsIRenderingContext & aRenderingContext={...}, nsPoint aPt={...}) Line 2080 C++
nsDisplayText::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x056a7e24, const nsRect & aDirtyRect={...}) Line 2011 C++
nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x056a7e24, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes C++
nsDisplayWrapList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x056a7e24, const nsRect & aDirtyRect={...}) Line 671 C++
nsDisplayClip::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x056a7e24, const nsRect & aDirtyRect={...}) Line 903 C++
nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x056a7e24, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes C++
nsLayoutUtils::PaintFrame(nsIRenderingContext * aRenderingContext=0x056a7e24, nsIFrame * aFrame=0x04c6f4b4, const nsRegion & aDirtyRegion={...}, unsigned int aBackground=4294967295) Line 720 C++
PresShell::Paint(nsIView * aView=0x05d5e310, nsIRenderingContext * aRenderingContext=0x056a7e24, const nsRegion & aDirtyRegion={...}) Line 5718 + 0x15 bytes C++
nsViewManager::RenderViews(nsView * aView=0x04bfe300, nsIRenderingContext & aRC={...}, const nsRegion & aRegion={...}, nsIDrawingSurface * aRCSurface=0x00000000) Line 816 C++
nsViewManager::Refresh(nsView * aView=0x04bfe300, nsIRenderingContext * aContext=0x056a7e24, nsIRegion * aRegion=0x04b4c088, unsigned int aUpdateFlags=1) Line 580 C++
nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012e020, nsEventStatus * aStatus=0x0012decc) Line 1422 C++
HandleEvent(nsGUIEvent * aEvent=0x0012e020) Line 174 C++
nsWindow::DispatchEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes C++
nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1128 C++
nsWindow::OnPaint(HDC__ * aDC=0x00000000) Line 5683 + 0x1e bytes C++
nsWindow::ProcessMessage(unsigned int msg=15, unsigned int wParam=0, long lParam=0, long * aRetValue=0x0012e4fc) Line 4246 + 0x15 bytes C++
nsWindow::WindowProc(HWND__ * hWnd=0x004706e6, unsigned int msg=15, unsigned int wParam=0, long lParam=0) Line 1291 + 0x1d bytes C++
77d48734
77d48816
77d4b4c0
77d4b50c
7c90eae3
77d4d83f
77d4d82a
nsWindow::Scroll(int aDx=0, int aDy=-96, nsRect * aClipRect=0x00000000) Line 3121 C++
nsScrollPortView::Scroll(nsView * aScrolledView=0x046848c8, nsPoint aTwipsDelta={...}, nsPoint aPixDelta={...}, float aT2P=0.066666670) Line 577 C++
nsScrollPortView::ScrollToImpl(int aX=0, int aY=6519810, unsigned int aUpdateFlags=0) Line 653 C++
nsScrollPortView::ScrollTo(int aDestinationX=0, int aDestinationY=6524490, unsigned int aUpdateFlags=0) Line 271 + 0x1e bytes C++
nsScrollPortView::ScrollByWhole(int aTop=0) Line 468 C++
PresShell::CompleteScroll(int aForward=1) Line 3406 C++
nsSelectMoveScrollCommand::DoCommandBrowseWithCaretOff(const char * aCommandName=0x0012eb94, nsISelectionController * aSelectionController=0x0519d0b4) Line 354 + 0x10 bytes C++
nsSelectMoveScrollCommand::DoSelectCommand(const char * aCommandName=0x0012eb94, nsIDOMWindow * aWindow=0x03badd00) Line 271 + 0x15 bytes C++
nsSelectionCommandsBase::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandContext=0x03badd2c) Line 188 + 0x1a bytes C++
nsControllerCommandTable::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandRefCon=0x03badd2c) Line 191 + 0x21 bytes C++
nsBaseCommandController::DoCommand(const char * aCommand=0x0012eb94) Line 169 + 0x24 bytes C++
nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * aReceiver=0x02ffe3e8, nsIDOMEvent * aEvent=0x04ebfe40) Line 361 C++
nsXBLWindowHandler::WalkHandlersInternal(nsIDOMEvent * aEvent=0x04ebfe40, nsIAtom * aEventType=0x02cea640, nsXBLPrototypeHandler * aHandler=0x02e9dac0) Line 322 + 0x15 bytes C++
nsXBLWindowKeyHandler::WalkHandlers(nsIDOMEvent * aKeyEvent=0x04ebfe40, nsIAtom * aEventType=0x02cea640) Line 199 C++
nsXBLWindowKeyHandler::KeyPress(nsIDOMEvent * aKeyEvent=0x04ebfe40) Line 254 C++
DispatchToInterface(nsIDOMEvent * aEvent=0x04ebfe40, nsIDOMEventListener * aListener=0x03709c88, unsigned int (nsIDOMEvent *)* aMethod=0x01f199f0, const nsID & aIID={...}, int * aHasInterface=0x0012f08c) Line 145 + 0xb bytes C++
nsEventListenerManager::HandleEvent(nsPresContext * aPresContext=0x04396c78, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * * aDOMEvent=0x0012f1a4, nsISupports * aCurrentTarget=0x02ffe3f4, unsigned int aFlags=514, nsEventStatus * aEventStatus=0x0012f1a8) Line 1742 + 0x26 bytes C++
nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=514) Line 356 C++
nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=518, nsDispatchingCallback * aCallback=0x0012f260) Line 456 C++
nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6, nsDispatchingCallback * aCallback=0x0012f260) Line 486 C++
nsEventDispatcher::Dispatch(nsISupports * aTarget=0x03e233d0, nsPresContext * aPresContext=0x04396c78, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * aDOMEvent=0x00000000, nsEventStatus * aEventStatus=0x0012f330, nsDispatchingCallback * aCallback=0x0012f260, int aTargetIsChromeHandler=0) Line 639 + 0x12 bytes C++
PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f51c, nsIView * aView=0x05d5e310, nsEventStatus * aStatus=0x0012f330) Line 6275 + 0x2b bytes C++
PresShell::HandleEvent(nsIView * aView=0x05d5e310, nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aEventStatus=0x0012f330) Line 6046 + 0x17 bytes C++
nsViewManager::HandleEvent(nsView * aView=0x05d5e310, nsPoint aPoint={...}, nsGUIEvent * aEvent=0x0012f51c, int aCaptured=0) Line 1665 C++
nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aStatus=0x0012f458) Line 1618 + 0x22 bytes C++
HandleEvent(nsGUIEvent * aEvent=0x0012f51c) Line 174 C++
nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f51c, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes C++
nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012f51c) Line 1123 C++
nsWindow::DispatchKeyEvent(unsigned int aEventType=131, unsigned short aCharCode=0, unsigned int aVirtualCharCode=35, long aKeyData=21954561, unsigned int aFlags=0) Line 3312 + 0x11 bytes C++
nsWindow::OnKeyDown(unsigned int aVirtualKeyCode=35, unsigned int aScanCode=335, long aKeyData=21954561) Line 3503 C++
nsWindow::ProcessMessage(unsigned int msg=256, unsigned int wParam=35, long lParam=21954561, long * aRetValue=0x0012fa48) Line 4420 + 0x1d bytes C++
nsWindow::WindowProc(HWND__ * hWnd=0x00270706, unsigned int msg=256, unsigned int wParam=35, long lParam=21954561) Line 1291 + 0x1d bytes C++
77d48734
77d48816
77d489cd
77d48a10
nsAppShell::ProcessNextNativeEvent(int mayWait=0) Line 149 C++
nsBaseAppShell::DoProcessNextNativeEvent(int mayWait=0) Line 136 + 0x11 bytes C++
nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal * thr=0x00b38d20, int mayWait=1, unsigned int recursionDepth=0) Line 209 + 0xd bytes C++
nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fc34) Line 472 C++
NS_ProcessNextEvent_P(nsIThread * thread=0x00b38d20, int mayWait=1) Line 225 + 0x16 bytes C++
nsBaseAppShell::Run() Line 153 + 0xc bytes C++
nsAppStartup::Run() Line 171 + 0x1c bytes C++
XRE_main(int argc=4, char * * argv=0x00b37e48, const nsXREAppData * aAppData=0x004036b0) Line 2349 + 0x25 bytes C++
main(int argc=4, char * * argv=0x00b37e48) Line 61 + 0x13 bytes C++
__tmainCRTStartup() Line 586 + 0x19 bytes C
mainCRTStartup() Line 403 C
7c816d4f
7c8399f3
Comment 6•18 years ago
Ah, that seems to be the dialog for an assertion or some such coming up... OK.
Comment 7•18 years ago
When you hit that "yikes - we just overwrote memory" assertion, could
you dump the members of 'this' and the local variables please?
Reporter
Comment 8•18 years ago
Sure. Still working on permission to make the log available.
- this 0x04d5e754 {mPrevContinuation=0x04d5e6a8 } nsTextFrame * const
- [nsContinuingTextFrame] {mPrevContinuation=0x04d5e6a8 } nsContinuingTextFrame
+ nsTextFrame {mNextContinuation=0x00000000 mContentOffset=4181 mContentLength=114 ...} nsTextFrame
+ mPrevContinuation 0x04d5e6a8 {mPrevContinuation=0x04d5e5fc } nsIFrame *
- nsFrame {...} nsFrame
+ nsBox {gGotTheme=1 gTheme=0x02e8df50 } nsBox
+ nsIFrameDebug {...} nsIFrameDebug
- mNextContinuation 0x00000000 {mRect={...} mContent=??? mStyleContext=??? ...} nsIFrame *
+ nsISupports {...} nsISupports
+ mRect {x=??? y=??? width=??? ...} nsRect
mContent CXX0017: Error: symbol "" not found
mStyleContext CXX0017: Error: symbol "" not found
mParent CXX0030: Error: expression cannot be evaluated
mNextSibling CXX0030: Error: expression cannot be evaluated
mState CXX0030: Error: expression cannot be evaluated
mContentOffset 4181 int
mContentLength 114 int
mColumn 0 int
mAscent 180 int
- aTX {mFrag=0x03dd8e00 mOffset=4806 mMode=ePreformatted ...} nsTextTransformer &
+ mFrag 0x03dd8e00 {m2b=0x04d6ede8 "lite3/src/delete.c
experimental.c
gcc -o experimental.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src -I../../../dist/include -I../../../dist/include/sqlite3 -I../../../dist/include/nspr -I../../../dist/sdk/include -fPIC -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe -DNDEBUG -DT" m1b=0x04d6ede8 "l" mAllBits=46891 ...} const nsTextFragment *
mOffset 4806 int
mMode ePreformatted nsTextTransformer::<unnamed-tag>
mLanguageSpecificTransformType eLanguageSpecificTransformType_None nsLanguageSpecificTransformType
+ mPresContext 0x03bae410 {mRefCnt={...} _mOwningThread={...} mType=eContext_Galley ...} nsPresContext *
mCharType 51643704 nsCharType
+ mTransformBuf {mBuffer=0x03dca230 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src -I../../../dist/include -I../../../dist/include/sqlite3 -I../../../dist/include/nspr -I../../../dist/sdk/include -fPIC -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe -DNDEBUG -DTRIMMED -O -include ../../../mozilla-co" mBufferLen=1228 mAutoBuffer=0x0012d854 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -D?" } nsAutoTextBuffer
mBufferPos 625 int
mTextTransform 0 unsigned char
mFlags 0 unsigned char
sWordSelectListenerPrefChecked 1 int
sWordSelectEatSpaceAfter 1 int
sWordSelectStopAtPunctuation 1 int
- aIndexBuffer 0x0012d58c {mBuffer=0x03d2ce38 mBufferLen=315 mAutoBuffer=0x0012d594 } nsAutoIndexBuffer *
+ mBuffer 0x03d2ce38 int *
mBufferLen 315 int
+ mAutoBuffer 0x0012d594 int [100]
- aTextBuffer 0x0012d72c {mBuffer=0x03ba5148 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src -I../../../dist/include -I../../../dist/include/sqlite3 -I../../../dist/include/nspr -I../../../dist/sdk/include -fPIC -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe -DNDEBUG -DTRIMMED -O -include ../../../mozilla-co" mBufferLen=853 mAutoBuffer=0x0012d734 "legacy.cildbot/slave/linux-staging/build?=?5?5??=?5?5??????" } nsAutoTextBuffer *
+ mBuffer 0x03ba5148 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src -I../../../dist/include -I../../../dist/include/sqlite3 -I../../../dist/include/nspr -I../../../dist/sdk/include -fPIC -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe -DNDEBUG -DTRIMMED -O -include ../../../mozilla-co" unsigned short *
mBufferLen 853 int
+ mAutoBuffer 0x0012d734 "legacy.cildbot/slave/linux-staging/build?=?5?5??=?5?5??????" unsigned short [128]
- aTextLen 0x0012d964 int *
2579181 int
aForceArabicShaping 0 int
- aJustifiableCharCount 0x00000000 int *
CXX0030: Error: expression cannot be evaluated
aRemoveMultipleTrimmedWS 0 int
textTransform 0 unsigned char
textLength 625 int
dstOffset 625 int
- tmpTextBuffer {mBuffer=0x0012d390 "???????" mBufferLen=128 mAutoBuffer=0x0012d390 "???????" } nsAutoTextBuffer
+ mBuffer 0x0012d390 "???????" unsigned short *
mBufferLen 128 int
+ mAutoBuffer 0x0012d390 "???????" unsigned short [128]
- textBuffer 0x0012d72c {mBuffer=0x03ba5148 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src -I../../../dist/include -I../../../dist/include/sqlite3 -I../../../dist/include/nspr -I../../../dist/sdk/include -fPIC -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe -DNDEBUG -DTRIMMED -O -include ../../../mozilla-co" mBufferLen=853 mAutoBuffer=0x0012d734 "legacy.cildbot/slave/linux-staging/build?=?5?5??=?5?5??????" } nsAutoTextBuffer *
+ mBuffer 0x03ba5148 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src -I../../../dist/include -I../../../dist/include/sqlite3 -I../../../dist/include/nspr -I../../../dist/sdk/include -fPIC -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe -DNDEBUG -DTRIMMED -O -include ../../../mozilla-co" unsigned short *
mBufferLen 853 int
+ mAutoBuffer 0x0012d734 "legacy.cildbot/slave/linux-staging/build?=?5?5??=?5?5??????" unsigned short [128]
- indexp 0x03d2d7fc int *
-572662307 int
inWord 0 int
strInx 4806 int
n -511 int
column 625 int
Updated•18 years ago
Flags: blocking1.9a2?
Reporter
Comment 9•18 years ago
Here's the offending log. We believe all potentially sensitive lines have been removed, but please still treat this as confidential and limited to the security group.
The crash seems like it may be slightly harder to reproduce now that there are fewer lines in the log, but the pattern to reproduce it is still the same: as soon as the page starts loading hit the End button rapidly and it will crash. The faster you hit the End button, the more likely it is to crash and the more likely it is that the process will die without you even being asked if you want to open a debugger. Slightly slower and you are more likely to be asked if you want to open a debugger. Too slow and it will load without crashing.
Comment 10•18 years ago
This testcase 'automatically hits' the End key, and I've made the text more unreadable by replacing a lot of characters with 'x'.
Maybe this is useful; it only works locally (and in a current trunk build), because of the use of enhanced privileges.
Assignee
Comment 11•18 years ago
That testcase is moz-log.zip and wants me to download it.
Comment 12•18 years ago
(In reply to comment #11)
> That testcase is moz-log.zip and wants me to download it.
Yes, that's correct. It's a very large HTML file; I'm not sure if it can be made much smaller and still crash.
Assignee
Comment 13•18 years ago
This is an overflow of nsAutoIndexBuffer. We get into PaintUnicodeText with the frame mapping 55 characters starting at offset 1796 (the entire textnode is 5947 characters). I'm not sure how we get into this state, something to do with incremental parsing/reflow or something. Anyway, it's not necessarily wrong.
The problem is that PaintUnicodeText sets up the nsAutoIndexBuffer to have enough entries for mContentLen, 55 characters. But PrepareUnicodeText calls nsTextTransformer::GetNextWord starting at offset 1796 and finds a word 582 characters long. It then proceeds to fill the nsAutoIndexBuffer with 582 entries which wipes out the stack.
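The size mismatch described in comment 13, modelled as an added example (not Gecko code): IndexBuffer, NextWordLength and the other names are hypothetical stand-ins for nsAutoIndexBuffer and nsTextTransformer::GetNextWord, and the fragment offsets and lengths are constructed to match the numbers in the comment.

```cpp
// Added example, not Gecko code: models the buffer/word-length mismatch from
// comment 13 with hypothetical stand-ins for nsAutoIndexBuffer and GetNextWord.
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Stand-in for nsAutoIndexBuffer: the caller (PaintUnicodeText in the report)
// sizes it for the frame's mContentLength, 55 entries, and nothing else.
struct IndexBuffer {
    std::vector<int> entries;
    explicit IndexBuffer(std::size_t len) : entries(len, 0) {}
    std::size_t length() const { return entries.size(); }
};

// Hypothetical stand-in for nsTextTransformer::GetNextWord: length of the
// space-delimited word starting at `offset`; it knows nothing about frame bounds.
std::size_t NextWordLength(const std::string& frag, std::size_t offset) {
    std::size_t end = frag.find(' ', offset);
    if (end == std::string::npos) end = frag.size();
    return end - offset;
}

// Vulnerable shape: one index entry per character of the word, as many as the
// transformer reports. Returns the count that would be written; the write is
// not performed here, because every entry past buf.length() is a stack overwrite.
std::size_t UnboundedIndexWrites(const std::string& frag, std::size_t offset) {
    return NextWordLength(frag, offset);
}

// The condition behind the "yikes - we just overwrote memory" assertion,
// expressed on counts rather than on the indexp pointer.
bool OverflowsIndexBuffer(std::size_t writes, const IndexBuffer& buf) {
    return writes > buf.length();
}

// Hardened shape: never map more characters than the frame owns or the buffer
// holds, which is the effect of extending the existing bounds checks.
std::size_t BoundedIndexWrites(const std::string& frag, std::size_t offset,
                               std::size_t contentLength, IndexBuffer& buf) {
    std::size_t n = std::min({NextWordLength(frag, offset), contentLength, buf.length()});
    for (std::size_t i = 0; i < n; ++i)
        buf.entries[i] = static_cast<int>(offset + i);  // source index per character
    return n;
}

// Constructed text node shaped like the report: the frame starts at offset 1796
// and the word found there runs for 582 characters without a break.
std::string MakeFragment() {
    std::string frag(1796, 'a');
    frag.append(582, 'x');
    frag.append(" tail");
    return frag;
}
```

With a 55-entry buffer, UnboundedIndexWrites reports 582 pending writes (an overflow by 527 entries), while BoundedIndexWrites stops at 55.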
Assignee
Comment 14•18 years ago
We just need to extend these checks that already exist.
I'm not 100% sure about this, there could be some unexpected situation where we rely on going past the frame bounds, perhaps. I doubt it. This needs to bake on trunk before we think about branches, although it is needed on branches.
Assignee: nobody → roc
Status: NEW → ASSIGNED
Attachment #232648 -
Flags: superreview?(rbs)
Attachment #232648 -
Flags: review?(smontagu)
Comment 15•18 years ago
jar:https://bugzilla.mozilla.org/attachment.cgi?id=232543!/moz-log.html
fwiw, except that i don't understand what it means by automatic, i had to manually press End repeatedly to get it to crash.
note that trunk builds will let you build these urls yourself: just do
jar:{url}/ and browse to the file you like.
Comment 16•18 years ago
Comment on attachment 232648 [details] [diff] [review]
fix
(In reply to comment #14)
> I'm not 100% sure about this, there could be some unexpected situation where we
> rely on going past the frame bounds, perhaps.
That bothers me too. Or maybe we don't rely on going past the frame bounds but we really should, e.g. if there are combining characters split between two frames, which we tend to mess up.
As you say, let's bake this on the trunk with the intention of getting it on the branches as a bandaid and doing something smarter on the trunk in the long term.
Attachment #232648 -
Flags: review?(smontagu) → review+
Comment 17•18 years ago
Comment on attachment 232648 [details] [diff] [review]
fix
sr=rbs
Attachment #232648 -
Flags: superreview?(rbs) → superreview+
Assignee
Comment 18•18 years ago
checked in.
This needs to bake for a while, then we need to think about branch landing.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 19•18 years ago
How much of a while do you think it needs baking? 1.8.0.7 material? Or wait for 1.8.0.8 in a couple of months?
Flags: blocking1.8.1?
Flags: blocking1.8.0.8?
Flags: blocking1.8.0.7?
Whiteboard: [sg:critical]
Updated•18 years ago
Flags: blocking1.8.1? → blocking1.8.1+
Assignee
Comment 20•18 years ago
Comment on attachment 232648 [details] [diff] [review]
fix
This fixes a serious maybe-potentially-exploitable stack overflow.
See comment #16; we're not 100% confident of the correctness. If it does cause problems, they should only occur in very rare cases where this would already have overflowed with unpredictable results.
Attachment #232648 -
Flags: approval1.8.1?
Attachment #232648 -
Flags: approval1.8.0.8?
Updated•18 years ago
Blocks: CVE-2006-4253
Comment 21•18 years ago
The reason I ask about the 1.8.0 branch is because this patch appears to fix bug 348514, reported to Bugtraq/Full-Disclosure by Michal Zalewski. It would be really nice to get it into 1.8.0.7 if it's not unduly risky.
Comment 22•18 years ago
Comment on attachment 232648 [details] [diff] [review]
fix
a=schrep for drivers.
Attachment #232648 -
Flags: approval1.8.1? → approval1.8.1+
Updated•18 years ago
Flags: blocking1.8.0.7? → blocking1.8.0.7+
Updated•18 years ago
Attachment #232648 -
Flags: approval1.8.0.8? → approval1.8.0.7?
Comment 23•18 years ago
Comment on attachment 232648 [details] [diff] [review]
fix
approved for 1.8.0 branch, a=dveditz for drivers
Updated•18 years ago
Flags: blocking1.8.0.8?
Updated•18 years ago
Attachment #232648 -
Flags: approval1.8.0.7? → approval1.8.0.7+
Comment 24•18 years ago
i am not sure this is effective - race conditions are difficult to debug and timing dependent.
a modification of lcamtuf's bug crashed trunk only once with this patch, so i may have the timings wrong.
what about checking that |indexp| doesn't overflow and, if it tries to overflow, just return - probably easy with 2 macros, one conditional and one warning and returning?
just warning about overflow and continuing execution is quite a strange coding practice.
Comment 25•18 years ago
There are legitimate cases where the condition happens -- where we deliberately want to chop the text. The catch-22 is to identify the illegitimate cases (of real overflow).
Comment 26•18 years ago
(In reply to comment #25)
> There are legitimate cases where the condition happens -- where we deliberate
> want to chop the text.
is there a testcase where the condition happens, i.e. the romantic assertion is hit?
Comment 27•18 years ago
You seem to be referring to something else (the painting?). I was referring to the patch (and its vicinity -- see also comment 13).
It seems unlikely to hit the 'yikes' assertion at this point (with this patch); if we do, it would mean that there is a bad caller who didn't .Grow() a large enough buffer. Looking at the call sites, they seemed fine to me. But we can add a further protection:
PRInt32 n = mContentLength;
+ if (aIndexBuffer) {
+ NS_ASSERTION(n < aIndexBuffer->mBufferLen, "bad caller");
+ n = PR_MAX(n, aIndexBuffer->mBufferLen-1);
+ }
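Review bot: the clamp on the third added line goes the wrong way: `n = PR_MAX(n, aIndexBuffer->mBufferLen-1);` can only raise n up to mBufferLen-1, so an mContentLength that already exceeds the buffer is left untouched and a smaller one is inflated past the frame's content. To cap n at the buffer's capacity, as the NS_ASSERTION on the line above intends, this needs PR_MIN.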
Comment 28•18 years ago
(In reply to comment #27)
> You seem to be referring to something else (the painting?). I was referring to
> the patch (and its vicinity -- see also comment 13).
>
> It seems unlikely to hit the 'yikes' assertion at this point (with this patch),
> if we do, it would mean that there is a bad caller who didn't .Grow() a large
> enough buffer. Looking a the call sites, they seemed to be fine to me. But we
> can add a further protection:
yes, i meant the 'yikes' assertion - i believe that if it is hit, memory is overwritten - an exploitable state.
to clarify what i meant - add the condition of the 'yikes' assertion in the loops where indexp is written to. after the loop check if it exited due to indexp too large, warn and return() - probably via macros.
note that just abort()ing on the assertion leaves another race and may not be safe for other reasons.
Comment 29•18 years ago
+ n = PR_MAX(n, aIndexBuffer->mBufferLen-1);
s/PR_MAX/PR_MIN/
If we still hit the assertion, that code should really be re-audited to see if it is scanning past the maximum given length (n).
Comment 30•18 years ago
(In reply to comment #29)
>
> If we still hit the assertion, that code should really be re-audited to see it
> is scanning pass the maximum given length (n).
>
asynchronous events make auditing really difficult. both testcases (this one and lcamtuf's bug) that trigger the assertion relied on timing afaik.
though the problem may be somewhere else, not in nsTextFrame.
Comment 32•18 years ago
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060829 Firefox/1.5.0.7
and
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b2) Gecko/20060830 BonEcho/2.0b2
I can see the crash with the testcase, using Firefox 1.5.0.6.
Status: RESOLVED → VERIFIED
Flags: blocking1.9a2?
Comment 33•18 years ago
Can't see a crash on 1.0.x .... is that sane/expected?
Comment 34•18 years ago
*** Bug 347304 has been marked as a duplicate of this bug. ***
Comment 35•18 years ago
on 1.0.x I don't see a crash on attachment 232543 [details] (automatic testcase) ... further I only see a deep recursion crash in bug 348514 attachment 233470 [details] and no crash at all for the other testcase 2.
Updated•18 years ago
Group: security
Comment 36•18 years ago
NOT FIXED in FIREFOX 2.0 RC3 and FINAL
Reporter
Comment 37•18 years ago
What makes you say that? The patch was included in Firefox 2, it was verified as fixed in Firefox 2 by Martijn, and I can't get Firefox 2 to crash either.
Comment 38•18 years ago
He probably means the comments in Bug 348514; see Bug 348514 Comment 66 and below.
Updated•13 years ago
Crash Signature: [@ nsTextFrame::PrepareUnicodeText]