Closed Bug 345139 Opened 15 years ago Closed 15 years ago

Crash [@ nsHTMLReflowState::InitAbsoluteConstraints] [@ nsLineLayout::ReflowFrame] [@ nsInlineFrame::ReflowInlineFrame]

Categories: Core :: Layout, defect; PowerPC; macOS; defect; Not set; critical
Tracking: RESOLVED WORKSFORME
People: Reporter: jruderman, Unassigned
References: Blocks 1 open bug
Details: Keywords: crash, Whiteboard: [sg:critical]
Attachments: 2 files

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060718 Minefield/3.0a1

This testcase makes Firefox crash, with a random address on top, and one of the following just below:
* nsHTMLReflowState::InitAbsoluteConstraints
* nsLineLayout::ReflowFrame
* nsInlineFrame::ReflowInlineFrame

Since there are random addresses on top, this is [sg:critical].

I wish I could make the testcase smaller :/
Attached file 1.2KB testcase
Flags: blocking1.9a1?
Whiteboard: [sg:critical]
I'm crashing here:

#5  <signal handler called>
#6  0x03dfab3c in nsContainerFrame::DeleteNextInFlowChild (this=0x9ecb6e4,
    aPresContext=0xa032488, aNextInFlow=0x9ecb6ac)
    at /builds/trunk/mozilla/layout/generic/nsContainerFrame.cpp:885
#7  0x03e435d6 in nsLineLayout::ReflowFrame (this=0xbfd4e700,
    aFrame=0xa2519dc, aReflowStatus=@0xbfd4e604, aMetrics=0x0,
    aPushedFrame=@0xbfd4e2f8)
    at /builds/trunk/mozilla/layout/generic/nsLineLayout.cpp:1166

where delFrame is an ok-looking nsInlineFrame but its parent frame pointer is a pointer to memory that's not a frame (i.e., probably deleted already).

(gdb) p aNextInFlow
$7 = (class nsIFrame *) 0x9ecb6ac
(gdb) p aNextInFlow->mParent
$8 = (nsIFrame *) 0x9ecb6e4
(gdb) x/wa aNextInFlow
0x9ecb6ac:      0x4495fc8 <_ZTV13nsInlineFrame+8>
(gdb) p *(nsInlineFrame*)$7
$9 = {<nsHTMLContainerFrame> = {<nsContainerFrame> = {<nsSplittableFrame> = {<nsFrame> = {<nsBox> = {<nsIFrame> = {<nsISupports> = {
                _vptr.nsISupports = 0x4495fc8}, mRect = {x = 0, y = 0,
                width = 0, height = 0}, mContent = 0xa2acea8,
              mStyleContext = 0x9ecb4bc, mParent = 0x9ecb6e4,
              mNextSibling = 0x0, mState = 1030}, static gGotTheme = 1,
            static gTheme = 0x9a4ec40}, <nsIFrameDebug> = {<nsISupports> = {
              _vptr.nsISupports = 0x4496218}, <No data fields>}, <No data fields>}, mPrevContinuation = 0xa2519dc, mNextContinuation = 0xa24dffc}, mFrames = {
        mFirstChild = 0x0}}, <No data fields>}, <No data fields>}
(gdb) p $9->mNextInFlow
There is no member or method named mNextInFlow.
(gdb) p $9->mNextContinuation
$10 = (class nsIFrame *) 0xa24dffc
(gdb) x/wa $10
0xa24dffc:      0x4495fc8 <_ZTV13nsInlineFrame+8>
(gdb) p *(nsInlineFrame*)$
$11 = {<nsHTMLContainerFrame> = {<nsContainerFrame> = {<nsSplittableFrame> = {<nsFrame> = {<nsBox> = {<nsIFrame> = {<nsISupports> = {
                _vptr.nsISupports = 0x4495fc8}, mRect = {x = 0, y = 0,
                width = 0, height = 0}, mContent = 0xa2acea8,
              mStyleContext = 0xa250dd0, mParent = 0xa24e7e4,
              mNextSibling = 0xa24dac8, mState = 1030}, static gGotTheme = 1,
            static gTheme = 0x9a4ec40}, <nsIFrameDebug> = {<nsISupports> = {
              _vptr.nsISupports = 0x4496218}, <No data fields>}, <No data fields>}, mPrevContinuation = 0x9ecb6ac, mNextContinuation = 0x0}, mFrames = {
        mFirstChild = 0x0}}, <No data fields>}, <No data fields>}
(gdb) x/wa $9.mParent
0x9ecb6e4:      0x4495fc8 <_ZTV13nsInlineFrame+8>
(gdb) x/wa $11.mParent
0xa24e7e4:      0x0
(gdb) p frames.mImpl.mArray[0]
$12 = (void *) 0xa24dffc

Judging by $10 and the contents of the frames array ($12), delFrame is $11.
Iirc, I had cases which crashed with nsHTMLReflowState::InitAbsoluteConstraints stack, but when I tried to minimise further, I got a different stack.
I think that was bug 330981 (that was at the time when I didn't add the unminimised testcase to the bug).
I still had a testcase with a nsHTMLReflowState::InitAbsoluteConstraints stack in 'stock', I filed bug 345199 for it.
Maybe this bug depends on a fix for bug 330909?
WFM with a Mac nightly.  Still crashes in a Mac debug build.
WFM on Mac trunk (opt and debug).
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Group: core-security
Flags: wanted1.8.1.x-
Flags: in-testsuite+
Crash Signature: [@ nsHTMLReflowState::InitAbsoluteConstraints] [@ nsLineLayout::ReflowFrame] [@ nsInlineFrame::ReflowInlineFrame]