Closed Bug 345071 Opened 18 years ago Closed 18 years ago

Crash [@ nsTextFrame::PrepareUnicodeText]

Categories

(Core :: Layout, defect)

x86
Windows XP
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: jwatt, Assigned: roc)

References

()

Details

(Keywords: crash, verified1.8.0.7, verified1.8.1, Whiteboard: [sg:critical])

Crash Data

Attachments

(3 files)

I've encountered an html page that will crash ff1.5 (downloaded from mozilla.org way back when) and current trunk (a debug build I've built myself using vc8). The page is very large, and only crashes if you keep hitting the End key on your keyboard while the page is loading. Testing on the debug trunk build, most of the time the firefox process just disappears. There's no warning, no prompt to open the debugger. Nothing. Sometimes I get the exception: ###!!! ASSERTION: yikes - we just overwrote memory: 'indexp <= aIndexBuffer->mBuffer + aIndexBuffer->mBufferLen', file c:/mozilla/trees/trunk/mozilla/layout/generic/nsTextFrame.cpp, line 2375 occuring at: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/generic/nsTextFrame.cpp&rev=1.582&mark=2366,2367,2374,2375#2361 and on entering the debugger from there the stack is: > nsTextFrame::PrepareUnicodeText(nsTextTransformer & aTX={...}, nsAutoIndexBuffer * aIndexBuffer=0x0012d58c, nsAutoTextBuffer * aTextBuffer=0x0012d72c, int * aTextLen=0x0012d964, int aForceArabicShaping=0, int * aJustifiableCharCount=0x00000000, int aRemoveMultipleTrimmedWS=0) Line 2375 + 0x2f bytes C++ nsTextFrame::PaintUnicodeText(nsPresContext * aPresContext=0x03d16820, nsIRenderingContext & aRenderingContext={...}, nsStyleContext * aStyleContext=0x045e5b78, nsTextPaintStyle & aTextStyle={...}, int dx=120, int dy=4245) Line 2932 C++ nsTextFrame::PaintText(nsIRenderingContext & aRenderingContext={...}, nsPoint aPt={...}) Line 2080 C++ nsDisplayText::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x03d0d89c, const nsRect & aDirtyRect={...}) Line 2011 C++ nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x03d0d89c, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes C++ nsDisplayWrapList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x03d0d89c, const nsRect & aDirtyRect={...}) Line 671 C++ nsDisplayClip::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x03d0d89c, const nsRect & aDirtyRect={...}) Line 903 C++ nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x03d0d89c, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes C++ nsLayoutUtils::PaintFrame(nsIRenderingContext * aRenderingContext=0x03d0d89c, nsIFrame * aFrame=0x045c9e0c, const nsRegion & aDirtyRegion={...}, unsigned int aBackground=4294967295) Line 720 C++ PresShell::Paint(nsIView * aView=0x045b7c88, nsIRenderingContext * aRenderingContext=0x03d0d89c, const nsRegion & aDirtyRegion={...}) Line 5718 + 0x15 bytes C++ nsViewManager::RenderViews(nsView * aView=0x04611cf0, nsIRenderingContext & aRC={...}, const nsRegion & aRegion={...}, nsIDrawingSurface * aRCSurface=0x00000000) Line 816 C++ nsViewManager::Refresh(nsView * aView=0x04611cf0, nsIRenderingContext * aContext=0x03d0d89c, nsIRegion * aRegion=0x03cf0888, unsigned int aUpdateFlags=1) Line 580 C++ nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012e020, nsEventStatus * aStatus=0x0012decc) Line 1422 C++ HandleEvent(nsGUIEvent * aEvent=0x0012e020) Line 174 C++ nsWindow::DispatchEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes C++ nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1128 C++ nsWindow::OnPaint(HDC__ * aDC=0x00000000) Line 5683 + 0x1e bytes C++ nsWindow::ProcessMessage(unsigned int msg=15, unsigned int wParam=0, long lParam=0, long * aRetValue=0x0012e4fc) Line 4246 + 0x15 bytes C++ nsWindow::WindowProc(HWND__ * hWnd=0x00440668, unsigned int msg=15, unsigned int wParam=0, long lParam=0) Line 1291 + 0x1d bytes C++ 77d48734 77d48816 77d4b4c0 77d4b50c 7c90eae3 77d4d83f 77d4d82a nsWindow::Scroll(int aDx=0, int aDy=-3808, nsRect * aClipRect=0x00000000) Line 3121 C++ nsScrollPortView::Scroll(nsView * aScrolledView=0x0460e6d0, nsPoint aTwipsDelta={...}, nsPoint aPixDelta={...}, float aT2P=0.066666670) Line 577 C++ nsScrollPortView::ScrollToImpl(int aX=0, int aY=2294610, unsigned int aUpdateFlags=0) Line 653 C++ nsScrollPortView::ScrollTo(int aDestinationX=0, int aDestinationY=2299290, unsigned int aUpdateFlags=0) Line 271 + 0x1e bytes C++ nsScrollPortView::ScrollByWhole(int aTop=0) Line 468 C++ PresShell::CompleteScroll(int aForward=1) Line 3406 C++ nsSelectMoveScrollCommand::DoCommandBrowseWithCaretOff(const char * aCommandName=0x0012eb94, nsISelectionController * aSelectionController=0x045c907c) Line 354 + 0x10 bytes C++ nsSelectMoveScrollCommand::DoSelectCommand(const char * aCommandName=0x0012eb94, nsIDOMWindow * aWindow=0x02de1398) Line 271 + 0x15 bytes C++ nsSelectionCommandsBase::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandContext=0x02de13c4) Line 188 + 0x1a bytes C++ nsControllerCommandTable::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandRefCon=0x02de13c4) Line 191 + 0x21 bytes C++ nsBaseCommandController::DoCommand(const char * aCommand=0x0012eb94) Line 169 + 0x24 bytes C++ nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * aReceiver=0x02ff06a8, nsIDOMEvent * aEvent=0x03eb7f40) Line 361 C++ nsXBLWindowHandler::WalkHandlersInternal(nsIDOMEvent * aEvent=0x03eb7f40, nsIAtom * aEventType=0x02cea640, nsXBLPrototypeHandler * aHandler=0x03c8eef0) Line 322 + 0x15 bytes C++ nsXBLWindowKeyHandler::WalkHandlers(nsIDOMEvent * aKeyEvent=0x03eb7f40, nsIAtom * aEventType=0x02cea640) Line 199 C++ nsXBLWindowKeyHandler::KeyPress(nsIDOMEvent * aKeyEvent=0x03eb7f40) Line 254 C++ DispatchToInterface(nsIDOMEvent * aEvent=0x03eb7f40, nsIDOMEventListener * aListener=0x02ffbf20, unsigned int (nsIDOMEvent *)* aMethod=0x01f199f0, const nsID & aIID={...}, int * aHasInterface=0x0012f08c) Line 145 + 0xb bytes C++ nsEventListenerManager::HandleEvent(nsPresContext * aPresContext=0x03d16820, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * * aDOMEvent=0x0012f1a4, nsISupports * aCurrentTarget=0x02ff06b4, unsigned int aFlags=514, nsEventStatus * aEventStatus=0x0012f1a8) Line 1742 + 0x26 bytes C++ nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=514) Line 356 C++ nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=518, nsDispatchingCallback * aCallback=0x0012f260) Line 456 C++ nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6, nsDispatchingCallback * aCallback=0x0012f260) Line 486 C++ nsEventDispatcher::Dispatch(nsISupports * aTarget=0x0459fc90, nsPresContext * aPresContext=0x03d16820, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * aDOMEvent=0x00000000, nsEventStatus * aEventStatus=0x0012f330, nsDispatchingCallback * aCallback=0x0012f260, int aTargetIsChromeHandler=0) Line 639 + 0x12 bytes C++ PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f51c, nsIView * aView=0x045b7c88, nsEventStatus * aStatus=0x0012f330) Line 6275 + 0x2b bytes C++ PresShell::HandleEvent(nsIView * aView=0x045b7c88, nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aEventStatus=0x0012f330) Line 6046 + 0x17 bytes C++ nsViewManager::HandleEvent(nsView * aView=0x045b7c88, nsPoint aPoint={...}, nsGUIEvent * aEvent=0x0012f51c, int aCaptured=0) Line 1665 C++ nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aStatus=0x0012f458) Line 1618 + 0x22 bytes C++ HandleEvent(nsGUIEvent * aEvent=0x0012f51c) Line 174 C++ nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f51c, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes C++ nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012f51c) Line 1123 C++ nsWindow::DispatchKeyEvent(unsigned int aEventType=131, unsigned short aCharCode=0, unsigned int aVirtualCharCode=35, long aKeyData=21954561, unsigned int aFlags=0) Line 3312 + 0x11 bytes C++ nsWindow::OnKeyDown(unsigned int aVirtualKeyCode=35, unsigned int aScanCode=335, long aKeyData=21954561) Line 3503 C++ nsWindow::ProcessMessage(unsigned int msg=256, unsigned int wParam=35, long lParam=21954561, long * aRetValue=0x0012fa48) Line 4420 + 0x1d bytes C++ nsWindow::WindowProc(HWND__ * hWnd=0x0036067e, unsigned int msg=256, unsigned int wParam=35, long lParam=21954561) Line 1291 + 0x1d bytes C++ 77d48734 77d48816 77d489cd 77d48a10 nsAppShell::ProcessNextNativeEvent(int mayWait=0) Line 149 C++ nsBaseAppShell::DoProcessNextNativeEvent(int mayWait=0) Line 136 + 0x11 bytes C++ nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal * thr=0x00b38d20, int mayWait=1, unsigned int recursionDepth=0) Line 209 + 0xd bytes C++ nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fc34) Line 472 C++ NS_ProcessNextEvent_P(nsIThread * thread=0x00b38d20, int mayWait=1) Line 225 + 0x16 bytes C++ nsBaseAppShell::Run() Line 153 + 0xc bytes C++ nsAppStartup::Run() Line 171 + 0x1c bytes C++ XRE_main(int argc=4, char * * argv=0x00b37e48, const nsXREAppData * aAppData=0x004036b0) Line 2349 + 0x25 bytes C++ main(int argc=4, char * * argv=0x00b37e48) Line 61 + 0x13 bytes C++ __tmainCRTStartup() Line 586 + 0x19 bytes C mainCRTStartup() Line 403 C 7c816d4f 7c8399f3 I then get a considerable number (~50) of these assertions: ###!!! ASSERTION: recursive painting not permitted: '!IsPainting()', file c:/mozilla/trees/trunk/mozilla/view/src/nsViewManager.cpp, line 505 before I get a VS window that says something about heap corruption and buffer overflow/overrun. Continuing from that I get a crash. The times I've managed to get the debugger up *and* get to this VS window I've had to kill VS because I keep running out of memory. Therefore I haven't got a stack from a the crash that follows this series of events, but some of the time I get a crash without any assertions and VS window. One such stack is below. The message I got with this stack was "an unhandled win32 exception occured in firefox.exe [5152]". > memcpy(unsigned char * dst=0x0000072c, unsigned char * src=0x0012d854, unsigned long count=256) Line 188 Asm nsTextFrame::PrepareUnicodeText(nsTextTransformer & aTX={...}, nsAutoIndexBuffer * aIndexBuffer=0x0012d58c, nsAutoTextBuffer * aTextBuffer=0x0012d72c, int * aTextLen=0x0012d964, int aForceArabicShaping=0, int * aJustifiableCharCount=0x00000000, int aRemoveMultipleTrimmedWS=0) Line 2367 + 0x24 bytes C++ nsTextFrame::PaintUnicodeText(nsPresContext * aPresContext=0x03cfb088, nsIRenderingContext & aRenderingContext={...}, nsStyleContext * aStyleContext=0x044f62d0, nsTextPaintStyle & aTextStyle={...}, int dx=120, int dy=4245) Line 2932 C++ nsTextFrame::PaintText(nsIRenderingContext & aRenderingContext={...}, nsPoint aPt={...}) Line 2080 C++ nsDisplayText::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x044f1c3c, const nsRect & aDirtyRect={...}) Line 2011 C++ nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x044f1c3c, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes C++ nsDisplayWrapList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x044f1c3c, const nsRect & aDirtyRect={...}) Line 671 C++ nsDisplayClip::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x044f1c3c, const nsRect & aDirtyRect={...}) Line 903 C++ nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x044f1c3c, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes C++ nsLayoutUtils::PaintFrame(nsIRenderingContext * aRenderingContext=0x044f1c3c, nsIFrame * aFrame=0x03ec8264, const nsRegion & aDirtyRegion={...}, unsigned int aBackground=4294967295) Line 720 C++ PresShell::Paint(nsIView * aView=0x044d8688, nsIRenderingContext * aRenderingContext=0x044f1c3c, const nsRegion & aDirtyRegion={...}) Line 5718 + 0x15 bytes C++ nsViewManager::RenderViews(nsView * aView=0x04507ea0, nsIRenderingContext & aRC={...}, const nsRegion & aRegion={...}, nsIDrawingSurface * aRCSurface=0x00000000) Line 816 C++ nsViewManager::Refresh(nsView * aView=0x04507ea0, nsIRenderingContext * aContext=0x044f1c3c, nsIRegion * aRegion=0x0445a0b0, unsigned int aUpdateFlags=1) Line 580 C++ nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012e020, nsEventStatus * aStatus=0x0012decc) Line 1422 C++ HandleEvent(nsGUIEvent * aEvent=0x0012e020) Line 174 C++ nsWindow::DispatchEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes C++ nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1128 C++ nsWindow::OnPaint(HDC__ * aDC=0x00000000) Line 5683 + 0x1e bytes C++ nsWindow::ProcessMessage(unsigned int msg=15, unsigned int wParam=0, long lParam=0, long * aRetValue=0x0012e4fc) Line 4246 + 0x15 bytes C++ nsWindow::WindowProc(HWND__ * hWnd=0x003802c4, unsigned int msg=15, unsigned int wParam=0, long lParam=0) Line 1291 + 0x1d bytes C++ 77d48734 [Frames below may be incorrect and/or missing, no symbols loaded for user32.dll] 77d48816 77d4b4c0 77d4b50c 7c90eae3 77d4d83f 77d4d82a nsWindow::Scroll(int aDx=0, int aDy=-7408, nsRect * aClipRect=0x00000000) Line 3121 C++ nsScrollPortView::Scroll(nsView * aScrolledView=0x04504ed8, nsPoint aTwipsDelta={...}, nsPoint aPixDelta={...}, float aT2P=0.066666670) Line 577 C++ nsScrollPortView::ScrollToImpl(int aX=0, int aY=716370, unsigned int aUpdateFlags=0) Line 653 C++ nsScrollPortView::ScrollTo(int aDestinationX=0, int aDestinationY=721050, unsigned int aUpdateFlags=0) Line 271 + 0x1e bytes C++ nsScrollPortView::ScrollByWhole(int aTop=0) Line 468 C++ PresShell::CompleteScroll(int aForward=1) Line 3406 C++ nsSelectMoveScrollCommand::DoCommandBrowseWithCaretOff(const char * aCommandName=0x0012eb94, nsISelectionController * aSelectionController=0x044cdd8c) Line 354 + 0x10 bytes C++ nsSelectMoveScrollCommand::DoSelectCommand(const char * aCommandName=0x0012eb94, nsIDOMWindow * aWindow=0x03907340) Line 271 + 0x15 bytes C++ nsSelectionCommandsBase::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandContext=0x0390736c) Line 188 + 0x1a bytes C++ nsControllerCommandTable::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandRefCon=0x0390736c) Line 191 + 0x21 bytes C++ nsBaseCommandController::DoCommand(const char * aCommand=0x0012eb94) Line 169 + 0x24 bytes C++ nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * aReceiver=0x02ff10b0, nsIDOMEvent * aEvent=0x04529658) Line 361 C++ nsXBLWindowHandler::WalkHandlersInternal(nsIDOMEvent * aEvent=0x04529658, nsIAtom * aEventType=0x02cea640, nsXBLPrototypeHandler * aHandler=0x03c8f320) Line 322 + 0x15 bytes C++ nsXBLWindowKeyHandler::WalkHandlers(nsIDOMEvent * aKeyEvent=0x04529658, nsIAtom * aEventType=0x02cea640) Line 199 C++ nsXBLWindowKeyHandler::KeyPress(nsIDOMEvent * aKeyEvent=0x04529658) Line 254 C++ DispatchToInterface(nsIDOMEvent * aEvent=0x04529658, nsIDOMEventListener * aListener=0x02ffc918, unsigned int (nsIDOMEvent *)* aMethod=0x01f199f0, const nsID & aIID={...}, int * aHasInterface=0x0012f08c) Line 145 + 0xb bytes C++ nsEventListenerManager::HandleEvent(nsPresContext * aPresContext=0x03cfb088, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * * aDOMEvent=0x0012f1a4, nsISupports * aCurrentTarget=0x02ff10bc, unsigned int aFlags=514, nsEventStatus * aEventStatus=0x0012f1a8) Line 1742 + 0x26 bytes C++ nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=514) Line 356 C++ nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=518, nsDispatchingCallback * aCallback=0x0012f260) Line 456 C++ nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6, nsDispatchingCallback * aCallback=0x0012f260) Line 486 C++ nsEventDispatcher::Dispatch(nsISupports * aTarget=0x03ee3a20, nsPresContext * aPresContext=0x03cfb088, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * aDOMEvent=0x00000000, nsEventStatus * aEventStatus=0x0012f330, nsDispatchingCallback * aCallback=0x0012f260, int aTargetIsChromeHandler=0) Line 639 + 0x12 bytes C++ PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f51c, nsIView * aView=0x044d8688, nsEventStatus * aStatus=0x0012f330) Line 6275 + 0x2b bytes C++ PresShell::HandleEvent(nsIView * aView=0x044d8688, nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aEventStatus=0x0012f330) Line 6046 + 0x17 bytes C++ nsViewManager::HandleEvent(nsView * aView=0x044d8688, nsPoint aPoint={...}, nsGUIEvent * aEvent=0x0012f51c, int aCaptured=0) Line 1665 C++ nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aStatus=0x0012f458) Line 1618 + 0x22 bytes C++ HandleEvent(nsGUIEvent * aEvent=0x0012f51c) Line 174 C++ nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f51c, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes C++ nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012f51c) Line 1123 C++ nsWindow::DispatchKeyEvent(unsigned int aEventType=131, unsigned short aCharCode=0, unsigned int aVirtualCharCode=35, long aKeyData=21954561, unsigned int aFlags=0) Line 3312 + 0x11 bytes C++ nsWindow::OnKeyDown(unsigned int aVirtualKeyCode=35, unsigned int aScanCode=335, long aKeyData=21954561) Line 3503 C++ nsWindow::ProcessMessage(unsigned int msg=256, unsigned int wParam=35, long lParam=21954561, long * aRetValue=0x0012fa48) Line 4420 + 0x1d bytes C++ nsWindow::WindowProc(HWND__ * hWnd=0x001602fa, unsigned int msg=256, unsigned int wParam=35, long lParam=21954561) Line 1291 + 0x1d bytes C++ 77d48734 77d48816 77d489cd 77d48a10 nsAppShell::ProcessNextNativeEvent(int mayWait=0) Line 149 C++ nsBaseAppShell::DoProcessNextNativeEvent(int mayWait=0) Line 136 + 0x11 bytes C++ nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal * thr=0x00b38d20, int mayWait=1, unsigned int recursionDepth=0) Line 222 C++ nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fc34) Line 472 C++ NS_ProcessNextEvent_P(nsIThread * thread=0x00b38d20, int mayWait=1) Line 225 + 0x16 bytes C++ nsBaseAppShell::Run() Line 153 + 0xc bytes C++ nsAppStartup::Run() Line 171 + 0x1c bytes C++ XRE_main(int argc=4, char * * argv=0x00b37e48, const nsXREAppData * aAppData=0x004036b0) Line 2349 + 0x25 bytes C++ main(int argc=4, char * * argv=0x00b37e48) Line 61 + 0x13 bytes C++ __tmainCRTStartup() Line 586 + 0x19 bytes C mainCRTStartup() Line 403 C 7c816d4f 7c8399f3
> ###!!! ASSERTION: recursive painting not permitted: '!IsPainting()', file > c:/mozilla/trees/trunk/mozilla/view/src/nsViewManager.cpp, line 505 What's the stack to this? ccing some folks who know textframe code...
Could you attach the page causing this? (compress it if it's too big) Or put it up on a web server somewhere?
Forgot. I also got a heap of these in the console: ++DOMWINDOW == 7 nsLineLayout: Text(1)@0454DD60 metrics=624240,240! nsLineLayout: Inline(span)(129)@04561A28 metrics=653040,240! Block(pre)(4)@043DBE20: line=04561A60 xmost=653040 Block(pre)(4)@043DBE20: WARNING: xmost:653040 Block(pre)(4)@043DBE20: WARNING: xmost:653040 Block(pre)(4)@043DBE20: WARNING: xmost:653040 nsLineLayout: Text(1)@045CFF04 metrics=613680,240! nsLineLayout: Inline(span)(163)@045CFF48 metrics=613680,240! Block(pre)(4)@043DBE20: line=045CFF80 xmost=670680 nsLineLayout: Inline(span)(165)@045CFFF4 metrics=671160,240! Block(pre)(4)@043DBE20: line=045D002C xmost=671160 Block(pre)(4)@043DBE20: WARNING: xmost:653040 Block(pre)(4)@043DBE20: WARNING: xmost:670680 Block(pre)(4)@043DBE20: WARNING: xmost:671160 Block(pre)(4)@043DBE20: line=045F9E20 xmost=809280 Block(pre)(4)@043DBE20: WARNING: xmost:653040 Block(pre)(4)@043DBE20: WARNING: xmost:670680 Block(pre)(4)@043DBE20: WARNING: xmost:671160 Block(pre)(4)@043DBE20: line=045F9E20 xmost=809280 Block(pre)(4)@043DBE20: WARNING: xmost:653040 Block(pre)(4)@043DBE20: WARNING: xmost:670680 Block(pre)(4)@043DBE20: WARNING: xmost:671160 Block(pre)(4)@043DBE20: WARNING: xmost:809280 Block(pre)(4)@043DBE20: WARNING: xmost:653040 Block(pre)(4)@043DBE20: WARNING: xmost:670680 Block(pre)(4)@043DBE20: WARNING: xmost:671160 Block(pre)(4)@043DBE20: WARNING: xmost:809280 --DOMWINDOW == 6 Block(pre)(4)@043DBE20: WARNING: xmost:653040 Block(pre)(4)@043DBE20: WARNING: xmost:670680 Block(pre)(4)@043DBE20: WARNING: xmost:671160 Block(pre)(4)@043DBE20: WARNING: xmost:809280 Block(pre)(4)@043DBE20: WARNING: xmost:653040 Block(pre)(4)@043DBE20: WARNING: xmost:670680 Block(pre)(4)@043DBE20: WARNING: xmost:671160 Block(pre)(4)@043DBE20: WARNING: xmost:809280 Block(pre)(4)@043DBE20: WARNING: xmost:653040 Block(pre)(4)@043DBE20: WARNING: xmost:670680 Block(pre)(4)@043DBE20: WARNING: xmost:671160 [snip]
Mats: sorry, I forgot to mention that the file isn't something I can share at this point - hence why I'm trying to provide as much info as possible. I'm seeking permission from my boss to give access to at least some people, and I'll do some more testing to see if I can't reproduce on a modified or alternative file tomorrow.
> > ###!!! ASSERTION: recursive painting not permitted: '!IsPainting()', file > > c:/mozilla/trees/trunk/mozilla/view/src/nsViewManager.cpp, line 505 > > What's the stack to this? It's (appologies for likely pasting too much): > nsViewManager::Refresh(nsView * aView=0x05d5e310, nsIRenderingContext * aContext=0x04a9295c, nsIRegion * aRegion=0x0575edc8, unsigned int aUpdateFlags=1) Line 505 + 0x2b bytes C++ nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x001265c4, nsEventStatus * aStatus=0x00126470) Line 1422 C++ HandleEvent(nsGUIEvent * aEvent=0x001265c4) Line 174 C++ nsWindow::DispatchEvent(nsGUIEvent * event=0x001265c4, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes C++ nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x001265c4, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1128 C++ nsWindow::OnPaint(HDC__ * aDC=0x00000000) Line 5683 + 0x1e bytes C++ nsWindow::ProcessMessage(unsigned int msg=15, unsigned int wParam=0, long lParam=0, long * aRetValue=0x00126aa0) Line 4246 + 0x15 bytes C++ nsWindow::WindowProc(HWND__ * hWnd=0x00270706, unsigned int msg=15, unsigned int wParam=0, long lParam=0) Line 1291 + 0x1d bytes C++ 77d48734 77d48816 74730e71 77d4b4c0 77d4ebf3 77d4ec03 77d4b50c 7c90eae3 77d494d2 77d4b530 77d485a4 77d5e04a 77d48a10 77d5e2b9 77d561c6 77d6a92e _output_s_l(_iobuf * stream=0x00620314, const char * format=0x00152370, localeinfo_struct * plocinfo=0x0017c0e8, char * argptr=0x00012012) Line 1164 + 0x17 bytes C++ 77d96060 77d80577 77d8052f __crtMessageBoxA(const char * lpText=0x00127320, const char * lpCaption=0x102d1174, unsigned int uType=73746) Line 145 C __crtMessageWindowA(int nRptType=1, const char * szFile=0x00000000, const char * szLine=0x00000000, const char * szModule=0x00000000, const char * szUserMessage=0x00128394) Line 420 + 0x16 bytes C _VCrtDbgReportA(int nRptType=1, const char * szFile=0x00000000, int nLine=0, const char * szModule=0x00000000, const char * szFormat=0x102d0398, char * arglist=0x0012d428) Line 417 + 0x28 bytes C _CrtDbgReportV(int nRptType=1, const char * szFile=0x00000000, int nLine=0, const char * szModule=0x00000000, const char * szFormat=0x102d0398, char * arglist=0x0012d428) Line 300 + 0x1d bytes C _CrtDbgReport(int nRptType=1, const char * szFile=0x00000000, int nLine=0, const char * szModule=0x00000000, const char * szFormat=0x102d0398, ...) Line 317 + 0x1d bytes C _free_dbg_nolock(void * pUserData=0x0462ba30, int nBlockUse=1) Line 1276 + 0x33 bytes C++ _free_dbg(void * pUserData=0x0462ba30, int nBlockUse=1) Line 1194 + 0xd bytes C++ operator delete(void * pUserData=0x0462ba30) Line 54 + 0x10 bytes C++ operator delete[](void * p=0x0462ba30) Line 21 + 0x9 bytes C++ nsAutoIndexBuffer::~nsAutoIndexBuffer() Line 663 + 0x11 bytes C++ nsTextFrame::PaintUnicodeText(nsPresContext * aPresContext=0x04396c78, nsIRenderingContext & aRenderingContext={...}, nsStyleContext * aStyleContext=0x046958b8, nsTextPaintStyle & aTextStyle={...}, int dx=120, int dy=4245) Line 3153 + 0x16 bytes C++ nsTextFrame::PaintText(nsIRenderingContext & aRenderingContext={...}, nsPoint aPt={...}) Line 2080 C++ nsDisplayText::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x056a7e24, const nsRect & aDirtyRect={...}) Line 2011 C++ nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x056a7e24, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes C++ nsDisplayWrapList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x056a7e24, const nsRect & aDirtyRect={...}) Line 671 C++ nsDisplayClip::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x056a7e24, const nsRect & aDirtyRect={...}) Line 903 C++ nsDisplayList::Paint(nsDisplayListBuilder * aBuilder=0x0012db94, nsIRenderingContext * aCtx=0x056a7e24, const nsRect & aDirtyRect={...}) Line 304 + 0x19 bytes C++ nsLayoutUtils::PaintFrame(nsIRenderingContext * aRenderingContext=0x056a7e24, nsIFrame * aFrame=0x04c6f4b4, const nsRegion & aDirtyRegion={...}, unsigned int aBackground=4294967295) Line 720 C++ PresShell::Paint(nsIView * aView=0x05d5e310, nsIRenderingContext * aRenderingContext=0x056a7e24, const nsRegion & aDirtyRegion={...}) Line 5718 + 0x15 bytes C++ nsViewManager::RenderViews(nsView * aView=0x04bfe300, nsIRenderingContext & aRC={...}, const nsRegion & aRegion={...}, nsIDrawingSurface * aRCSurface=0x00000000) Line 816 C++ nsViewManager::Refresh(nsView * aView=0x04bfe300, nsIRenderingContext * aContext=0x056a7e24, nsIRegion * aRegion=0x04b4c088, unsigned int aUpdateFlags=1) Line 580 C++ nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012e020, nsEventStatus * aStatus=0x0012decc) Line 1422 C++ HandleEvent(nsGUIEvent * aEvent=0x0012e020) Line 174 C++ nsWindow::DispatchEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes C++ nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012e020, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1128 C++ nsWindow::OnPaint(HDC__ * aDC=0x00000000) Line 5683 + 0x1e bytes C++ nsWindow::ProcessMessage(unsigned int msg=15, unsigned int wParam=0, long lParam=0, long * aRetValue=0x0012e4fc) Line 4246 + 0x15 bytes C++ nsWindow::WindowProc(HWND__ * hWnd=0x004706e6, unsigned int msg=15, unsigned int wParam=0, long lParam=0) Line 1291 + 0x1d bytes C++ 77d48734 77d48816 77d4b4c0 77d4b50c 7c90eae3 77d4d83f 77d4d82a nsWindow::Scroll(int aDx=0, int aDy=-96, nsRect * aClipRect=0x00000000) Line 3121 C++ nsScrollPortView::Scroll(nsView * aScrolledView=0x046848c8, nsPoint aTwipsDelta={...}, nsPoint aPixDelta={...}, float aT2P=0.066666670) Line 577 C++ nsScrollPortView::ScrollToImpl(int aX=0, int aY=6519810, unsigned int aUpdateFlags=0) Line 653 C++ nsScrollPortView::ScrollTo(int aDestinationX=0, int aDestinationY=6524490, unsigned int aUpdateFlags=0) Line 271 + 0x1e bytes C++ nsScrollPortView::ScrollByWhole(int aTop=0) Line 468 C++ PresShell::CompleteScroll(int aForward=1) Line 3406 C++ nsSelectMoveScrollCommand::DoCommandBrowseWithCaretOff(const char * aCommandName=0x0012eb94, nsISelectionController * aSelectionController=0x0519d0b4) Line 354 + 0x10 bytes C++ nsSelectMoveScrollCommand::DoSelectCommand(const char * aCommandName=0x0012eb94, nsIDOMWindow * aWindow=0x03badd00) Line 271 + 0x15 bytes C++ nsSelectionCommandsBase::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandContext=0x03badd2c) Line 188 + 0x1a bytes C++ nsControllerCommandTable::DoCommand(const char * aCommandName=0x0012eb94, nsISupports * aCommandRefCon=0x03badd2c) Line 191 + 0x21 bytes C++ nsBaseCommandController::DoCommand(const char * aCommand=0x0012eb94) Line 169 + 0x24 bytes C++ nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * aReceiver=0x02ffe3e8, nsIDOMEvent * aEvent=0x04ebfe40) Line 361 C++ nsXBLWindowHandler::WalkHandlersInternal(nsIDOMEvent * aEvent=0x04ebfe40, nsIAtom * aEventType=0x02cea640, nsXBLPrototypeHandler * aHandler=0x02e9dac0) Line 322 + 0x15 bytes C++ nsXBLWindowKeyHandler::WalkHandlers(nsIDOMEvent * aKeyEvent=0x04ebfe40, nsIAtom * aEventType=0x02cea640) Line 199 C++ nsXBLWindowKeyHandler::KeyPress(nsIDOMEvent * aKeyEvent=0x04ebfe40) Line 254 C++ DispatchToInterface(nsIDOMEvent * aEvent=0x04ebfe40, nsIDOMEventListener * aListener=0x03709c88, unsigned int (nsIDOMEvent *)* aMethod=0x01f199f0, const nsID & aIID={...}, int * aHasInterface=0x0012f08c) Line 145 + 0xb bytes C++ nsEventListenerManager::HandleEvent(nsPresContext * aPresContext=0x04396c78, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * * aDOMEvent=0x0012f1a4, nsISupports * aCurrentTarget=0x02ffe3f4, unsigned int aFlags=514, nsEventStatus * aEventStatus=0x0012f1a8) Line 1742 + 0x26 bytes C++ nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=514) Line 356 C++ nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=518, nsDispatchingCallback * aCallback=0x0012f260) Line 456 C++ nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6, nsDispatchingCallback * aCallback=0x0012f260) Line 486 C++ nsEventDispatcher::Dispatch(nsISupports * aTarget=0x03e233d0, nsPresContext * aPresContext=0x04396c78, nsEvent * aEvent=0x0012f51c, nsIDOMEvent * aDOMEvent=0x00000000, nsEventStatus * aEventStatus=0x0012f330, nsDispatchingCallback * aCallback=0x0012f260, int aTargetIsChromeHandler=0) Line 639 + 0x12 bytes C++ PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f51c, nsIView * aView=0x05d5e310, nsEventStatus * aStatus=0x0012f330) Line 6275 + 0x2b bytes C++ PresShell::HandleEvent(nsIView * aView=0x05d5e310, nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aEventStatus=0x0012f330) Line 6046 + 0x17 bytes C++ nsViewManager::HandleEvent(nsView * aView=0x05d5e310, nsPoint aPoint={...}, nsGUIEvent * aEvent=0x0012f51c, int aCaptured=0) Line 1665 C++ nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012f51c, nsEventStatus * aStatus=0x0012f458) Line 1618 + 0x22 bytes C++ HandleEvent(nsGUIEvent * aEvent=0x0012f51c) Line 174 C++ nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f51c, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1102 + 0xc bytes C++ nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012f51c) Line 1123 C++ nsWindow::DispatchKeyEvent(unsigned int aEventType=131, unsigned short aCharCode=0, unsigned int aVirtualCharCode=35, long aKeyData=21954561, unsigned int aFlags=0) Line 3312 + 0x11 bytes C++ nsWindow::OnKeyDown(unsigned int aVirtualKeyCode=35, unsigned int aScanCode=335, long aKeyData=21954561) Line 3503 C++ nsWindow::ProcessMessage(unsigned int msg=256, unsigned int wParam=35, long lParam=21954561, long * aRetValue=0x0012fa48) Line 4420 + 0x1d bytes C++ nsWindow::WindowProc(HWND__ * hWnd=0x00270706, unsigned int msg=256, unsigned int wParam=35, long lParam=21954561) Line 1291 + 0x1d bytes C++ 77d48734 77d48816 77d489cd 77d48a10 nsAppShell::ProcessNextNativeEvent(int mayWait=0) Line 149 C++ nsBaseAppShell::DoProcessNextNativeEvent(int mayWait=0) Line 136 + 0x11 bytes C++ nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal * thr=0x00b38d20, int mayWait=1, unsigned int recursionDepth=0) Line 209 + 0xd bytes C++ nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fc34) Line 472 C++ NS_ProcessNextEvent_P(nsIThread * thread=0x00b38d20, int mayWait=1) Line 225 + 0x16 bytes C++ nsBaseAppShell::Run() Line 153 + 0xc bytes C++ nsAppStartup::Run() Line 171 + 0x1c bytes C++ XRE_main(int argc=4, char * * argv=0x00b37e48, const nsXREAppData * aAppData=0x004036b0) Line 2349 + 0x25 bytes C++ main(int argc=4, char * * argv=0x00b37e48) Line 61 + 0x13 bytes C++ __tmainCRTStartup() Line 586 + 0x19 bytes C mainCRTStartup() Line 403 C 7c816d4f 7c8399f3
Ah, that seems to be the dialog for an assertion or some such coming up... OK.
When you hit that "yikes - we just overwrote memory" assertion, could dump the members of 'this' and the local variables please?
Sure. Still working on permission to make the log available. - this 0x04d5e754 {mPrevContinuation=0x04d5e6a8 } nsTextFrame * const - [nsContinuingTextFrame] {mPrevContinuation=0x04d5e6a8 } nsContinuingTextFrame + nsTextFrame {mNextContinuation=0x00000000 mContentOffset=4181 mContentLength=114 ...} nsTextFrame + mPrevContinuation 0x04d5e6a8 {mPrevContinuation=0x04d5e5fc } nsIFrame * - nsFrame {...} nsFrame + nsBox {gGotTheme=1 gTheme=0x02e8df50 } nsBox + nsIFrameDebug {...} nsIFrameDebug - mNextContinuation 0x00000000 {mRect={...} mContent=??? mStyleContext=??? ...} nsIFrame * + nsISupports {...} nsISupports + mRect {x=??? y=??? width=??? ...} nsRect mContent CXX0017: Error: symbol "" not found mStyleContext CXX0017: Error: symbol "" not found mParent CXX0030: Error: expression cannot be evaluated mNextSibling CXX0030: Error: expression cannot be evaluated mState CXX0030: Error: expression cannot be evaluated mContentOffset 4181 int mContentLength 114 int mColumn 0 int mAscent 180 int - aTX {mFrag=0x03dd8e00 mOffset=4806 mMode=ePreformatted ...} nsTextTransformer & + mFrag 0x03dd8e00 {m2b=0x04d6ede8 "lite3/src/delete.c experimental.c gcc -o experimental.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src -I../../../dist/include -I../../../dist/include/sqlite3 -I../../../dist/include/nspr -I../../../dist/sdk/include -fPIC -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe -DNDEBUG -DT" m1b=0x04d6ede8 "l" mAllBits=46891 ...} const nsTextFragment * mOffset 4806 int mMode ePreformatted nsTextTransformer::<unnamed-tag> mLanguageSpecificTransformType eLanguageSpecificTransformType_None nsLanguageSpecificTransformType + mPresContext 0x03bae410 {mRefCnt={...} _mOwningThread={...} mType=eContext_Galley ...} nsPresContext * mCharType 51643704 nsCharType + mTransformBuf {mBuffer=0x03dca230 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src -I../../../dist/include -I../../../dist/include/sqlite3 -I../../../dist/include/nspr -I../../../dist/sdk/include -fPIC -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe -DNDEBUG -DTRIMMED -O -include ../../../mozilla-co" mBufferLen=1228 mAutoBuffer=0x0012d854 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -D?" } nsAutoTextBuffer mBufferPos 625 int mTextTransform 0 unsigned char mFlags 0 unsigned char sWordSelectListenerPrefChecked 1 int sWordSelectEatSpaceAfter 1 int sWordSelectStopAtPunctuation 1 int - aIndexBuffer 0x0012d58c {mBuffer=0x03d2ce38 mBufferLen=315 mAutoBuffer=0x0012d594 } nsAutoIndexBuffer * + mBuffer 0x03d2ce38 int * mBufferLen 315 int + mAutoBuffer 0x0012d594 int [100] - aTextBuffer 0x0012d72c {mBuffer=0x03ba5148 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src -I../../../dist/include -I../../../dist/include/sqlite3 -I../../../dist/include/nspr -I../../../dist/sdk/include -fPIC -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe -DNDEBUG -DTRIMMED -O -include ../../../mozilla-co" mBufferLen=853 mAutoBuffer=0x0012d734 "legacy.cildbot/slave/linux-staging/build?=?5?5??=?5?5??????" } nsAutoTextBuffer * + mBuffer 0x03ba5148 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src -I../../../dist/include -I../../../dist/include/sqlite3 -I../../../dist/include/nspr -I../../../dist/sdk/include -fPIC -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe -DNDEBUG -DTRIMMED -O -include ../../../mozilla-co" unsigned short * mBufferLen 853 int + mAutoBuffer 0x0012d734 "legacy.cildbot/slave/linux-staging/build?=?5?5??=?5?5??????" unsigned short [128] - aTextLen 0x0012d964 int * 2579181 int aForceArabicShaping 0 int - aJustifiableCharCount 0x00000000 int * CXX0030: Error: expression cannot be evaluated aRemoveMultipleTrimmedWS 0 int textTransform 0 unsigned char textLength 625 int dstOffset 625 int - tmpTextBuffer {mBuffer=0x0012d390 "???????" mBufferLen=128 mAutoBuffer=0x0012d390 "???????" } nsAutoTextBuffer + mBuffer 0x0012d390 "???????" unsigned short * mBufferLen 128 int + mAutoBuffer 0x0012d390 "???????" unsigned short [128] - textBuffer 0x0012d72c {mBuffer=0x03ba5148 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src -I../../../dist/include -I../../../dist/include/sqlite3 -I../../../dist/include/nspr -I../../../dist/sdk/include -fPIC -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe -DNDEBUG -DTRIMMED -O -include ../../../mozilla-co" mBufferLen=853 mAutoBuffer=0x0012d734 "legacy.cildbot/slave/linux-staging/build?=?5?5??=?5?5??????" } nsAutoTextBuffer * + mBuffer 0x03ba5148 "gcc -o legacy.o -c -fvisibility=hidden -DSQLITE_ENABLE_REDEF_IO -DSQLITE_SECURE_DELETE=1 -DTHREADSAFE=1 -DOSTYPE=\"Linux2.6\" -DOSARCH=\"Linux\" -DBUILD_ID=0000000000 -I/home/buildbot/slave/linux-staging/build/mozilla/db/sqlite3/src -I../../../dist/include -I../../../dist/include/sqlite3 -I../../../dist/include/nspr -I../../../dist/sdk/include -fPIC -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe -DNDEBUG -DTRIMMED -O -include ../../../mozilla-co" unsigned short * mBufferLen 853 int + mAutoBuffer 0x0012d734 "legacy.cildbot/slave/linux-staging/build?=?5?5??=?5?5??????" unsigned short [128] - indexp 0x03d2d7fc int * -572662307 int inWord 0 int strInx 4806 int n -511 int column 625 int
Flags: blocking1.9a2?
Here's the offending log. We believe all potentially sensitive lines have been removed, but please still treat this as confidential and limited to the security group. The crash seems like it may be slightly harder to reproduce now that there are fewer lines in the log, but the pattern to reproduce it is still the same: as soon as the page starts loading hit the End button rapidly and it will crash. The faster you hit the End button, the more likely it is to crash and the more likely it is that the process will die without you even being asked if you want to open a debugger. Slightly slower and you are more likely to be asked if you want to open a debugger. Too slow and it will load without crashing.
Attached file automatic testcase —
This testcase 'automatically hits' the End key, and I've made the text more unreadable by replacing a lot of characters with 'x'. Maybe this is useful, it only works locally (and current trunk build), because of the use of enhanced privileges.
That testcase is moz-log.zip and wants me to download it.
(In reply to comment #11) > That testcase is moz-log.zip and wants me to download it. Yes, that's correct, it's a very large html file, I'm not sure if it can be made much smaller and still crash.
This is an overflow of nsAutoIndexBuffer. We get into PaintUnicodeText with the frame mapping 55 characters starting at offset 1796 (the entire textnode is 5947 characters). I'm not sure how we get into this state, something to do with incremental parsing/reflow or something. Anyway, it's not necessarily wrong. The problem is that PaintUnicodeText sets up the nsAutoIndexBuffer to have enough entries for mContentLen, 55 characters. But PrepareUnicodeText calls nsTextTransformer::GetNextWord starting at offset 1796 and finds a word 582 characters long. It then proceeds to fill the nsAutoIndexBuffer with 582 entries which wipes out the stack.
Attached patch fix — — Splinter Review
We just need to extend these checks that already exist. I'm not 100% sure about this, there could be some unexpected situation where we rely on going past the frame bounds, perhaps. I doubt it. This needs to bake on trunk before we think about branches, although it is needed on branches.
Assignee: nobody → roc
Status: NEW → ASSIGNED
Attachment #232648 - Flags: superreview?(rbs)
Attachment #232648 - Flags: review?(smontagu)
jar:https://bugzilla.mozilla.org/attachment.cgi?id=232543!/moz-log.html fwiw, except that i don't understand what it means by automatic, i had to manually press end repeatedly to get it to crash. note that trunk builds will let you build these urls youself just do jar:{url}/ and browse to the file you like.
Comment on attachment 232648 [details] [diff] [review] fix (In reply to comment #14) > I'm not 100% sure about this, there could be some unexpected situation where we > rely on going past the frame bounds, perhaps. That bothers me too. Or maybe we don't rely on going past the frame bounds but we really should, e.g. if there are combining characters split between two frames, which we tend to mess up. As you say, let's bake this on the trunk with the intention of getting it on the branches as a bandaid and doing something smarter on the trunk in the long term.
Attachment #232648 - Flags: review?(smontagu) → review+
Attachment #232648 - Flags: superreview?(rbs) → superreview+
checked in. This needs to bake for a while, then we need to think about branch landing.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
How much of a while do you think it need baking? 1.8.0.7 material? or wait for 1.8.0.8 in a couple months?
Flags: blocking1.8.1?
Flags: blocking1.8.0.8?
Flags: blocking1.8.0.7?
Whiteboard: [sg:critical]
Flags: blocking1.8.1? → blocking1.8.1+
Comment on attachment 232648 [details] [diff] [review] fix This fixes a serious maybe-potentially-exploitable stack overflow. See comment #16; we're not 100% confident of the correctness. If it does cause problems, they should only occur in very rare cases where this would already have overflowed with unpredictable results.
Attachment #232648 - Flags: approval1.8.1?
Attachment #232648 - Flags: approval1.8.0.8?
The reason I ask about the 1.8.0 branch is because this patch appears to fix bug 348514, reported to Bugtraq/Full-Disclosure by Michal Zalewski. It would be really nice to get it into 1.8.0.7 if it's not unduly risky.
Comment on attachment 232648 [details] [diff] [review] fix a=schrep for drivers.
Attachment #232648 - Flags: approval1.8.1? → approval1.8.1+
Flags: blocking1.8.0.7? → blocking1.8.0.7+
Attachment #232648 - Flags: approval1.8.0.8? → approval1.8.0.7?
Comment on attachment 232648 [details] [diff] [review] fix approved for 1.8.0 branch, a=dveditz for drivers
Flags: blocking1.8.0.8?
Attachment #232648 - Flags: approval1.8.0.7? → approval1.8.0.7+
i am not sure this is effective - race conditions are difficult to debug and timing dependent. modification of lcamtuf's bug crashed trunk only once with this patch, so i may have the timings wrong. what about checking that |indexp| doesn't overflow and if tries to overflow just return - probably will be easy with 2 macros - one conditional and one warning and returning? just warning about overflow and continuing execution is quite strange coding practice.
There are legitimate cases where the condition happens -- where we deliberate want to chop the text. The catch-22 is to identify the illegimate cases (of real overflow).
(In reply to comment #25) > There are legitimate cases where the condition happens -- where we deliberate > want to chop the text. is there a testcase where the condition happens, i.e. the romantic assertion is hit?
You seem to be referring to something else (the painting?). I was referring to the patch (and its vicinity -- see also comment 13). It seems unlikely to hit the 'yikes' assertion at this point (with this patch), if we do, it would mean that there is a bad caller who didn't .Grow() a large enough buffer. Looking a the call sites, they seemed to be fine to me. But we can add a further protection: PRInt32 n = mContentLength; + if (aIndexBuffer) { + NS_ASSERTION(n < aIndexBuffer->mBufferLen, "bad caller"); + n = PR_MAX(n, aIndexBuffer->mBufferLen-1); + }
(In reply to comment #27) > You seem to be referring to something else (the painting?). I was referring to > the patch (and its vicinity -- see also comment 13). > > It seems unlikely to hit the 'yikes' assertion at this point (with this patch), > if we do, it would mean that there is a bad caller who didn't .Grow() a large > enough buffer. Looking a the call sites, they seemed to be fine to me. But we > can add a further protection: yes, i meant the 'yikes' assertion - believe that if it is hit, memory is overwritten - exploitable state. to clarify what i meant - add the condition of the 'yikes' assertion in the loops where indexp is written to. after the loop check if it exited due to indexp too large, warn and return() - probably via macros. note that just abort()ing on the assertion leaves another race and may not be safe for other reasons.
+ n = PR_MAX(n, aIndexBuffer->mBufferLen-1); s/PR_MAX/PR_MIN/ If we still hit the assertion, that code should really be re-audited to see it is scanning pass the maximum given length (n).
(In reply to comment #29) > > If we still hit the assertion, that code should really be re-audited to see it > is scanning pass the maximum given length (n). > asynchronous events make auditing really difficult. both testcases (this one and lcamtuf's bug) that trigger the assertion relied on timing afaik. though the problem may be somewhere else, not in nsTextFrame.
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060829 Firefox/1.5.0.7 and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b2) Gecko/20060830 BonEcho/2.0b2 I can see the crash with the testcase, using Firefox1.5.0.6.
Status: RESOLVED → VERIFIED
Flags: blocking1.9a2?
Can't see a crash on 1.0.x .... is that sane/expected?
*** Bug 347304 has been marked as a duplicate of this bug. ***
Keywords: crash
on 1.0.x I don't see a crash on attachment 232543 [details] (automatic testcase) ... further I only see a deep recursion crash in bug 348514 attachment 233470 [details] and no crash at all for the other testcase 2.
Group: security
Depends on: 354451
NOT FIXED in FIREFOX 2.0 RC3 and FINAL
What makes you say that? The patch was included in Firefox 2, it was verified as fixed in Firefox 2 by Martijn, and I can't get Firefox 2 to crash either.
He's probably meaning the comments in Bug 348514, see Bug 348514 Comment 66 and below.
Crash Signature: [@ nsTextFrame::PrepareUnicodeText]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: