366891 - crash in [@ ComputePlaceholderContainment]

Status: RESOLVED FIXED

(Core :: Web Painting, defect)

Description

[Nicholas Miell]

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.1) Gecko/20061222 Firefox/2.0.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.1) Gecko/20061222 Firefox/2.0.0.1

Visiting the URL causes a reproducible crash with the following stack trace:

#0  0x00000035df20dcbd in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:41
#1  0x0000000000410b03 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:206
#2  <signal handler called>
#3  0xffffffff00000050 in ?? ()
#4  0x00002aaab12addfd in ComputePlaceholderContainment (aView=0x2aaab4cc8aa0) at nsViewManager.cpp:2335
#5  0x00002aaab12b026e in nsViewManager::BuildDisplayList (this=0x481b390, aView=0x2aaab4cc8aa0, aRect=@0x7fff277e07a0, aEventProcessing=0, 
    aCaptured=<value optimized out>, aSuppressScrolling=0x0, aDisplayList=0x7fff277e08a0, aPool=@0x7fff277e07b0) at nsViewManager.cpp:2423
#6  0x00002aaab12b0a66 in nsViewManager::BuildRenderingDisplayList (this=0x2aaab4cc8aa0, aRootView=0x0, aRegion=@0x7fff277e0770, 
    aDisplayList=0x7fff277e08a0, aPool=<value optimized out>, aIgnoreCoveringWidgets=0, aIgnoreOutsideClipping=0, aSuppressScrolling=0x0)
    at nsViewManager.cpp:1285
#7  0x00002aaab12b1d4f in nsViewManager::Refresh (this=0x481b390, aView=0x2aaab4cc8aa0, aContext=0x4edecc0, aRegion=0x4fa68f0, 
    aUpdateFlags=<value optimized out>) at nsViewManager.cpp:872
#8  0x00002aaab12b4090 in nsViewManager::DispatchEvent (this=0x481b390, aEvent=0x7fff277e0a60, aStatus=0x7fff277e0a2c) at nsViewManager.cpp:2045
#9  0x00002aaab12ab82a in HandleEvent (aEvent=0x7fff277e0a60) at nsView.cpp:171
#10 0x00002aaaafd01d52 in nsCommonWidget::DispatchEvent (this=0x2aaab4cc8b30, aEvent=0x7fff277e0a60, aStatus=@0x7fff277e0b08) at nsCommonWidget.cpp:219
#11 0x00002aaaafcfdb1e in nsWindow::OnExposeEvent (this=0x2aaab4cc8b30, aWidget=<value optimized out>, aEvent=0x7fff277e1220) at nsWindow.cpp:1433
#12 0x00002aaaafcfdbb4 in expose_event_cb (widget=0x7896a0, event=0x7fff277e1220) at nsWindow.cpp:3744
#13 0x00000035e6f3017d in _gtk_marshal_BOOLEAN__BOXED (closure=0x9d2810, return_value=0x7fff277e0d20, n_param_values=<value optimized out>, 
    param_values=0x7fff277e0e20, invocation_hint=<value optimized out>, marshal_data=0x2aaaafcfdb8c) at gtkmarshalers.c:84
#14 0x00000035e4a0b16a in IA__g_closure_invoke (closure=0x9d2810, return_value=0x7fff277e0d20, n_param_values=2, param_values=0x7fff277e0e20, 
    invocation_hint=0x7fff277e0ce0) at gclosure.c:490
#15 0x00000035e4a1b3bd in signal_emit_unlocked_R (node=0x74fd10, detail=0, instance=0x7896a0, emission_return=0x7fff277e1040, 
    instance_and_params=0x7fff277e0e20) at gsignal.c:2438
#16 0x00000035e4a1c5ef in IA__g_signal_emit_valist (instance=0x7896a0, signal_id=<value optimized out>, detail=0, var_args=0x7fff277e10a0)
    at gsignal.c:2207
#17 0x00000035e4a1ca03 in IA__g_signal_emit (instance=0x2aaab4cc8aa0, signal_id=0, detail=0) at gsignal.c:2241
#18 0x00000035e702d5be in gtk_widget_event_internal (widget=0x7896a0, event=0x7fff277e1220) at gtkwidget.c:3911
#19 0x00000035e6f2a932 in IA__gtk_main_do_event (event=0x7fff277e1220) at gtkmain.c:1384
#20 0x00000035e7831f8a in gdk_window_process_updates_internal (window=0x2aaab4b7d580) at gdkwindow.c:2324
#21 0x00000035e78321cb in IA__gdk_window_process_all_updates () at gdkwindow.c:2387
#22 0x00000035e783223a in gdk_window_update_idle (data=0x2aaab4cc8aa0) at gdkwindow.c:2245
#23 0x00000035e422cf44 in IA__g_main_context_dispatch (context=0x64e980) at gmain.c:2045
#24 0x00000035e422fd7d in g_main_context_iterate (context=0x64e980, block=1, dispatch=1, self=<value optimized out>) at gmain.c:2677
#25 0x00000035e423008a in IA__g_main_loop_run (loop=0xbb9a10) at gmain.c:2881
#26 0x00000035e6f2ac13 in IA__gtk_main () at gtkmain.c:1001
#27 0x00002aaaafd00c5a in nsAppShell::Run (this=0x78d810) at nsAppShell.cpp:139
#28 0x00002aaab034c52a in nsAppStartup::Run (this=0x78d790) at nsAppStartup.cpp:151
#29 0x00000000004083ee in XRE_main (argc=0, argv=<value optimized out>, aAppData=<value optimized out>) at nsAppRunner.cpp:2444
#30 0x00000035de61da44 in __libc_start_main (main=0x403a38 <main>, argc=3, ubp_av=0x7fff277e1e48, init=<value optimized out>, 
    fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fff277e1e38) at libc-start.c:231
#31 0x00000000004039a9 in _start ()

Reproducible: Always

Comment 1

[Robert O'Callahan (:roc) (email my personal email if necessary)]

I can't reproduce on Mac in release or debug builds, nor in a Linux release build (SUSE). Martijn, can you?

Comment 2

[Martijn Wargers (dead)]

No, I can't reproduce this on windows, neither with current branch or trunk builds.
Isn't that stacktrace of a trunk build?

Comment 4

[Magnus Melin [:mkmelin]]

Roc, Martijn: from the dupe which crashes here http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/view/src/nsViewManager.cpp&mark=2342&rev=MOZILLA_1_8_BRANCH#2342

it seems pretty clear aView is null. Should we just add a check?

Comment 5

[Robert O'Callahan (:roc) (email my personal email if necessary)]

No, that would just mask a deeper bug.

Comment 6

[Jesse Ruderman]

roc, do you know what the "deeper bug" is?  From the dup, it sounds like this was fixed in Firefox 3.

Comment 7

[Robert O'Callahan (:roc) (email my personal email if necessary)]

That bug would have been a call to nsViewManager::BuildDisplayList with null aView. However, we removed nsViewManager::BuildDisplayList in Firefox 3.