Closed Bug 346405 Opened 18 years ago Closed 17 years ago

[columns] crash [@ nsColumnSetFrame::GetContentInsertionFrame] and [@ nsLineLayout::TrimTrailingWhiteSpaceIn]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Version:
1.8 Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha8

People

(Reporter: MatsPalmgren_bugz, Assigned: roc)

References

Details

(4 keywords, Whiteboard: [sg:critical?])

Crash Data

Attachments

(7 files, 3 obsolete files)

stack, nsColumnSetFrame::GetContentInsertionFrame
23.96 KB, text/plain
Details
stack #2, nsLineLayout::TrimTrailingWhiteSpaceIn
40.62 KB, text/plain
Details
not reduced testcase2
20.62 KB, text/html
Details
fix
1.33 KB, patch
dbaron
: review+
dbaron
: superreview+
Details | Diff | Splinter Review
testcase3
610 bytes, text/html
Details
testcase4
649 bytes, text/html
Details
better wallpaper
2.77 KB, patch
dbaron
: review+
dbaron
: superreview+
dveditz
: approval1.8.1.12+
asac
: approval1.8.0.next+
Details | Diff | Splinter Review 
This is a followup to bug 344557 comment 14.
(Sensitive because I got a crash using freed memory)

In my tree I have bug 344557 fixed and also Boris' patch for bug 334602

STEPS TO REPRODUCE
1. load URL (which is the "Original testcase" from bug 344557).
2. repeatedly type CTRL++ CTRL+0 ... while it is loading

ACTUAL RESULTS
###!!! ASSERTION: overflow list w/o frames: 'mFrames.NotEmpty()',
      file nsInlineFrame.cpp, line 362
###!!! ASSERTION: reflow dirty lines failed: 'NS_SUCCEEDED(rv)',
      file nsBlockFrame.cpp, line 916
###!!! ASSERTION: next in flow should have been deleted: '!kidNextInFlow',
      file nsColumnSetFrame.cpp, line 503
WARNING: Content has no document.: 
      file nsTextFrame.cpp, line 5948
WARNING: Reflow of frame failed in nsLineLayout:
      file nsLineLayout.cpp, line 997
###!!! ASSERTION: forget-word-frame: '(void*)aFrame == mWordFrames->PeekFront()', file nsLineLayout.cpp, line 3069

and then a couple of crashes:  [@ nsColumnSetFrame::GetContentInsertionFrame]
and [@ nsLineLayout::TrimTrailingWhiteSpaceIn]
Attached file fairly reduced testcase (obsolete) — 
Yeah, I already had a file at 'stock' with this type of crash. I wasn't sure it was the same crash as bug 346405 and while minimising, I think I was hitting that bug anyhow, so I wanted to wait before that bug gets fixed before I eventually would file a bug on this.
Attached file original testcase (obsolete) — 

    
    

    
  
The "fairly reduced testcase" also triggers bug 337412.
I'm fixing that bit over there...
Depends on: 337412
Whiteboard: [sg:critical] uses freed memory
Flags: blocking1.9a1?

    
    

    
  
Loading "fairly reduced testcase" also triggers this assertion:

###!!! ASSERTION: continuing frame had more severe impact than first-in-flow: '!frame->GetPrevContinuation()', file nsFrameManager.cpp, line 1374
Keywords: assertion
Flags: blocking1.9a1? → blocking1.9?

    
    

    
  
Critical security bugs must have owners. If you can't work on this bug please help us find another active owner for it.
Assignee: nobody → mats.palmgren

    
    

    
  
any ideas on a fix? does it look like this might be an easy one?

Flags: blocking1.9? → blocking1.9+

    
    

    
  
Robert: please fix this column-related security bug (or assign to one of your minions).
Assignee: mats.palmgren → roc

    
    

    
  

      
      
      
      

        Attached file
          
        not reduced testcase2
      

    


  
The partly reduced and original testcase seem to be worksforme in the latest nightly trunk build.
However, this is an unreduced testcase that still crashes with the same stacktrace, I think.
Talkback ID: TB31479230E

    
  

        Attachment #231217 -
        Attachment is obsolete: true

    
  

        Attachment #231216 -
        Attachment is obsolete: true

    
    

    
  
I can reproduce with the newest attachment (and only the newest attachment) on Mac.

Martijn, do you want me to try to reduce it?

    
    

    
  
(In reply to comment #11)
> Martijn, do you want me to try to reduce it?

Yes, sure, thanks.

Target Milestone: --- → mozilla1.9beta1

    
    

    
  

      
      
      
      

        Attached file
          
        reduced testcase
      

    


  
I reduced this from 262587. It crashes every time on my Mac build.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fixSplinter Review
      

    


  
This fixes the reduced testcase (#265625). We can call this function to destroy sibling chains, and sometimes we destroy an empty list.

This *doesn't* fix 262587 though, so I need to reduce that *again*. Could really use some testcase reduction love :-)

        Attachment #265632 -
        Flags: superreview?(dbaron)

        Attachment #265632 -
        Flags: review?(dbaron)

    
    

    
  

      
      
      
      

        Attached file
          
        testcase3
      

    


  
This is a testcase that's reasonably minimised and that still crashes in my build that has roc's fix in.

    
    

    
  
roc says testcase3 (in comment 15) is likely to require an orthogonal fix.  dbaron, it would be great if you could review the patch in comment 14.

    
    

    
  
testcase3 doesn't crash for me :-(

    
    

    
  

      
      
      
      

        Attached file
          
        testcase4
      

    


  
Yuck, I guess testcase3 is font dependent or something.
Does this testcase4 crash for you?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13+
Whiteboard: [sg:critical] uses freed memory → [sg:critical] uses freed memory, needs r=dbaron

    
    

    
  
I need review here ... the patch is small.

    
    

    
  
Comment on attachment 265632 [details] [diff] [review]
fix

r+sr=dbaron.  Sorry for the delay.

        Attachment #265632 -
        Flags: superreview?(dbaron)

        Attachment #265632 -
        Flags: superreview+

        Attachment #265632 -
        Flags: review?(dbaron)

        Attachment #265632 -
        Flags: review+

    
    

    
  
I assume this is the right patch for the 1.8 branch too?
Whiteboard: [sg:critical] uses freed memory, needs r=dbaron → [sg:critical] uses freed memory, need trunk landing, branch approval
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.6+
Flags: blocking1.8.1.5+

    
    

    
  
As I mentioned in comment #14, there is an underlying problem here that I haven't got a fix for. I'll have to minimize the testcase myself since Martijn's minimized testcases don't crash for me. The patch I have here fixes a real issue (stops the testcase in comment #13 from crashing).

    
    

    
  
That's the testcase it didn't stop crashing on the branch, although it was not a crash-on-load before or after the patch so could be a different crash entirely. In both cases I had to do a lot of quick font-size fiddling (many ctrl-+, occasional Ctrl-0). The crashes seemed to happen on the larger sizes.

In any case, this isn't done enough for the now-truncated 1.8.1.5 release

    
    

    
  
I checked in that patch.
Flags: blocking1.8.0.13+ → blocking1.8.0.14+

    
    

    
  
All of these testcases no longer crash on trunk, for me. How about you, Martijn? They do take a long time to load and assert like crazy, mostly "ResolveBidi called on non-first continuation".

    
    

    
  
I'm still crashing with https://bugzilla.mozilla.org/attachment.cgi?id=231217
which is "original testcase" on current trunk build.

http://crash-stats.mozilla.com/report/index/8b35811c-6699-11dc-a846-001a4bd43e5c
0  	nsFloatCacheList::Tail()  	 mozilla/layout/generic/nsLineBox.cpp:849
1 	nsFloatCacheFreeList::Append(nsFloatCacheList&) 	mozilla/layout/generic/nsLineBox.cpp:936
2 	nsLineBox::FreeFloats(nsFloatCacheFreeList&) 	mozilla/layout/generic/nsLineBox.cpp:481
3 	nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, int*, LineReflowStatus*, int) 	mozilla/layout/generic/nsBlockFrame.cpp:3271
4 	nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, int*) 	mozilla/layout/generic/nsBlockFrame.cpp:3188
5 	nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, int*)
etc..

Also, a lot of the testcases are crashing on branch.

Not sure what to do, should I file a new bug for that crasher and morph this bug into a 1.8 branch bug?
Version: Trunk → 1.8 Branch

    
    

    
  
Ok, I filed bug 396750 for the crash in comment 28.
This bug is now about the fact that the testcase(s) is (are) crashing on branch.

    
    

    
  
Clearing blocking 1.9 since this is now a branch bug.
Flags: blocking1.9+
Flags: in-testsuite?
Flags: blocking1.9?

    
    

    
  
Oops: didn't read comment 31, just saw the whiteboard "need trunk landing" and lack of a blocking flag and "fixed" it. Now I'll fix it the other way.
Flags: blocking1.9?
Whiteboard: [sg:critical] uses freed memory, need trunk landing, branch approval → [sg:critical?] wfm on trunk, need  branch patch

    
    

    
  
Roc: what's the status of this one for the branch? Looks like the 1.8.1.8 freeze on Oct 3 might not be realistic at this point.

    
    

    
  
I haven't looked at it at all.

    
    

    
  
Year old+ security hole, pushed off for another 8 wks. Yay us.
Flags: blocking1.8.1.8+ → blocking1.8.1.9+
Flags: blocking1.8.0.14+ → blocking1.8.0.15+

    
    

    
  
Current state of the branch:
"not reduced testcase2": we assert and crash in nsColumnSetFrame because it has no child
"reduced testcase", "testcase 3": we assert but don't crash "wrong float parent", not good but not immediately critical)
"testcase 4": no crash or assert

    
    

    
  

      
      
      
      

        Attached patch
          
          
        wallpaper fix (obsolete)
        — Splinter Review
      

    


  
This is a total wallpaper fix, but it's zero risk and fixes the crash and is good for branch IMHO, since trunk already has "the right fix" (or rather, combination of fixes).

        Attachment #298354 -
        Flags: superreview?(dbaron)

        Attachment #298354 -
        Flags: review?(dbaron)

    
    

    
  
We're crashing because nsBlockFrame::RenumberLists is calling nsColumnSetFrame::GetContentInsertionFrame during reflow, which can't cope with having no children. It should always have at least one child, of course, but temporarily it doesn't on branch.

    
    

    
  
But if this is actually called while mFirstChild is null, couldn't this lead to a mangled frame tree?  It seems like this could potentially replace a "safe" null-pointer dereference with something worse.  How do you know it won't?

    
    

    
  
The RenumberLists call site won't cause a problem because it QIs the result to nsBlockFrame.

if this worries you, I'll rewrite it to return null when there's no child, and make sure RenumberLists doesn't crash on a null result. OK?

    
    

    
  
I think that does sound safer, yes.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        better wallpaperSplinter Review
      

    


  

        Attachment #298354 -
        Attachment is obsolete: true

        Attachment #298420 -
        Flags: superreview?(dbaron)

        Attachment #298420 -
        Flags: review?(dbaron)

        Attachment #298354 -
        Flags: superreview?(dbaron)

        Attachment #298354 -
        Flags: review?(dbaron)

    
    

    
  
Comment on attachment 298420 [details] [diff] [review]
better wallpaper

ok, r+sr=dbaron for branch

        Attachment #298420 -
        Flags: superreview?(dbaron)

        Attachment #298420 -
        Flags: superreview+

        Attachment #298420 -
        Flags: review?(dbaron)

        Attachment #298420 -
        Flags: review+

    
    

    
  
Comment on attachment 298420 [details] [diff] [review]
better wallpaper

approved for 1.8.1.12, a=dveditz for release-drivers

        Attachment #298420 -
        Flags: approval1.8.1.12+
Whiteboard: [sg:critical?] wfm on trunk, need  branch patch → [sg:critical?] need  branch patch landing

    
    

    
  
checked in
Status: NEW → RESOLVED
Closed: 17 years ago
Keywords: fixed1.8.1.12
Resolution: --- → FIXED
Whiteboard: [sg:critical?] need  branch patch landing → [sg:critical?]

    
    

    
  
This is marked as fixed1.8.1.12 but I cannot get any of the test cases to crash in 2.0.0.11 builds. Is there some trick here to doing so?

    
    

    
  
"not reduced testcase2" and "reduced testcase" crashes Firefox 2.0.0.11
on Linux if I resize the window.  "testcase3" and "testcase4" does
not crash for me, but comment 18 says they are font/platform(?) dependent.

    
    

    
  
I can crash with a 2.0.0.11 build, when I load https://bugzilla.mozilla.org/attachment.cgi?id=265682 (testcase 3) and then zoom 3 times in and then 1 time out.
I don't crash with a 1.8 branch build of 2008-01-28, in that way.
I guess that is as good a verification as it gets.

Note that comment 46 still mentions that a crash on current branch is there, but I guess a new bug should be filed on that.
Keywords: fixed1.8.1.12verified1.8.1.12

    
    

    
  
I finally got it to crash in 2.0.0.11. I'm not sure why it wasn't before. Using the same test case as Martijn.

In 2.0.0.12, it does not crash: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.12) Gecko/2008020121 Firefox/2.0.0.12.

Bug 415827 opened for comment 46.
Status: RESOLVED → VERIFIED
Group: security
Blocks: 415827

    
    

    
  
Comment on attachment 298420 [details] [diff] [review]
better wallpaper

a=asac for 1.8.0.15

        Attachment #298420 -
        Flags: approval1.8.0.15+

    
    

    
  
MOZILLA_1_8_0_BRANCH:

Checking in layout/generic/nsBlockFrame.cpp;
/cvsroot/mozilla/layout/generic/nsBlockFrame.cpp,v  <--  nsBlockFrame.cpp
new revision: 3.729.4.7.2.16; previous revision: 3.729.4.7.2.15
done
Checking in layout/generic/nsColumnSetFrame.cpp;
/cvsroot/mozilla/layout/generic/nsColumnSetFrame.cpp,v  <--  nsColumnSetFrame.cpp
new revision: 3.13.10.1; previous revision: 3.13
done
Keywords: fixed1.8.0.15
Crash Signature: [@ nsColumnSetFrame::GetContentInsertionFrame]
[@ nsLineLayout::TrimTrailingWhiteSpaceIn]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: