Bug 369542 - Crash [@ nsHTMLReflowState::ComputePadding] on branch, with partly minimised testcase from bug 363813
Status: RESOLVED FIXED
Whiteboard: [sg:critical] should be fixed by bug ...
Keywords: crash, testcase, verified1.8.0.12, verified1.8.1.4
Product: Core
Classification: Components
Component: Layout
Version: 1.8 Branch
Hardware: x86 Windows XP
Importance: -- critical
Target Milestone: ---
Assigned To: Robert O'Callahan (:roc) (Exited; email my personal email if necessary)
URL: https://bugzilla.mozilla.org/attachme...
Depends on: 306533
Reported: 2007-02-06 14:24 PST by Martijn Wargers [:mwargers] (not working for Mozilla)
Modified: 2013-01-27 17:06 PST (History)
dveditz: blocking1.8.1.4+
dveditz: wanted1.8.1.x+
dveditz: blocking1.8.0.12+
dveditz: wanted1.8.0.x+
mats: in-testsuite+


Attachments
testcase (143 bytes, text/html), 2007-02-26 19:34 PST, Robert O'Callahan (:roc) (Exited; email my personal email if necessary)
testcase #2 (316 bytes, text/html), 2007-02-26 20:43 PST, Robert O'Callahan (:roc) (Exited; email my personal email if necessary)

Description Martijn Wargers [:mwargers] (not working for Mozilla) 2007-02-06 14:24:07 PST
This is a follow-up from bug 363813, marking security sensitive since it's crashing branch builds.

I crash with the latest branch builds on the partly minimised testcase from bug 363813.

Talkback ID: TB28534877X
0x00000922
nsHTMLReflowState::ComputePadding [mozilla/layout/generic/nsHTMLReflowState.cpp, line 2444]
nsHTMLReflowState::InitConstraints [mozilla/layout/generic/nsHTMLReflowState.cpp, line 1759]
nsHTMLReflowState::Init [mozilla/layout/generic/nsHTMLReflowState.cpp, line 342]
nsHTMLReflowState::nsHTMLReflowState [mozilla/layout/generic/nsHTMLReflowState.cpp, line 217]
nsLineLayout::ReflowFrame [mozilla/layout/generic/nsLineLayout.cpp, line 913]
nsInlineFrame::ReflowInlineFrame [mozilla/layout/generic/nsInlineFrame.cpp, line 689]
nsInlineFrame::ReflowFrames [mozilla/layout/generic/nsInlineFrame.cpp, line 519]
nsFirstLineFrame::Reflow [mozilla/layout/generic/nsInlineFrame.cpp, line 1049]
nsLineLayout::ReflowFrame [mozilla/layout/generic/nsLineLayout.cpp, line 996]
nsBlockFrame::ReflowInlineFrame [mozilla/layout/generic/nsBlockFrame.cpp, line 4245]
nsBlockFrame::DoReflowInlineFrames [mozilla/layout/generic/nsBlockFrame.cpp, line 3898]
nsBlockFrame::ReflowInlineFrames [mozilla/layout/generic/nsBlockFrame.cpp, line 3779]
nsBlockFrame::ReflowLine [mozilla/layout/generic/nsBlockFrame.cpp, line 2772]
nsBlockFrame::ReflowDirtyLines [mozilla/layout/generic/nsBlockFrame.cpp, line 2302]
nsBlockFrame::Reflow [mozilla/layout/generic/nsBlockFrame.cpp, line 905]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 905]
nsHTMLScrollFrame::ReflowScrolledFrame [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 523]
nsHTMLScrollFrame::ReflowContents [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 571]
nsHTMLScrollFrame::Reflow [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 769]
nsBlockReflowContext::ReflowBlock [mozilla/layout/generic/nsBlockReflowContext.cpp, line 606]
nsBlockFrame::ReflowFloat [mozilla/layout/generic/nsBlockFrame.cpp, line 6030]
nsBlockReflowState::FlowAndPlaceFloat [mozilla/layout/generic/nsBlockReflowState.cpp, line 863]
nsBlockReflowState::PlaceBelowCurrentLineFloats [mozilla/layout/generic/nsBlockReflowState.cpp, line 1132]
nsBlockFrame::PlaceLine [mozilla/layout/generic/nsBlockFrame.cpp, line 4609]
nsBlockFrame::DoReflowInlineFrames [mozilla/layout/generic/nsBlockFrame.cpp, line 4010]
nsBlockFrame::ReflowInlineFrames [mozilla/layout/generic/nsBlockFrame.cpp, line 3779]
nsBlockFrame::ReflowLine [mozilla/layout/generic/nsBlockFrame.cpp, line 2772]
nsBlockFrame::ReflowDirtyLines [mozilla/layout/generic/nsBlockFrame.cpp, line 2302]
nsBlockFrame::Reflow [mozilla/layout/generic/nsBlockFrame.cpp, line 905]
nsBlockReflowContext::ReflowBlock [mozilla/layout/generic/nsBlockReflowContext.cpp, line 606]
nsBlockFrame::ReflowBlockFrame [mozilla/layout/generic/nsBlockFrame.cpp, line 3492]
nsBlockFrame::ReflowLine [mozilla/layout/generic/nsBlockFrame.cpp, line 2651]
nsBlockFrame::ReflowDirtyLines [mozilla/layout/generic/nsBlockFrame.cpp, line 2302]
nsBlockFrame::Reflow [mozilla/layout/generic/nsBlockFrame.cpp, line 905]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 905]
CanvasFrame::Reflow [mozilla/layout/generic/nsHTMLFrame.cpp, line 536]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 905]
nsHTMLScrollFrame::ReflowScrolledFrame [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 523]
nsHTMLScrollFrame::ReflowContents [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 571]
nsHTMLScrollFrame::Reflow [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 769]
nsContainerFrame::ReflowChild [mozilla/layout/generic/nsContainerFrame.cpp, line 905]
ViewportFrame::Reflow [mozilla/layout/generic/nsViewportFrame.cpp, line 240]
IncrementalReflow::Dispatch [mozilla/layout/base/nsPresShell.cpp, line 914]
PresShell::ProcessReflowCommands [mozilla/layout/base/nsPresShell.cpp, line 6928]
PresShell::WillPaint [mozilla/layout/base/nsPresShell.cpp, line 6565]
0x778b0c24
0x00200064
0xe84d8d50
0x4badaf9a
Comment 1 Daniel Veditz [:dveditz] 2007-02-23 16:57:20 PST
In a debug build I get
  Access violation reading location 0xddddddfd.

A deleted frame is passed to nsHTMLReflowState::Init()

 	nsCachedStyleData::GetStyleData() Line 210	C++
 	nsStyleContext::GetStyleData() Line 248	C++
 	nsIFrame::GetStyleData() Line 612	C++
 	nsIFrame::GetStylePosition() Line 82	C++
>	nsHTMLReflowState::Init() Line 332	C++
 	nsHTMLReflowState::nsHTMLReflowState() Line 217	C++
 	nsLineLayout::ReflowFrame() Line 912	C++
 	nsInlineFrame::ReflowInlineFrame() Line 683	C++
 	nsInlineFrame::ReflowFrames() Line 518	C++
 	nsFirstLineFrame::Reflow() Line 1049	C++
 	nsLineLayout::ReflowFrame() Line 995	C++
 	nsBlockFrame::ReflowInlineFrame() Line 4058	C++
 	nsBlockFrame::DoReflowInlineFrames() Line 3897	C++
 	nsBlockFrame::ReflowInlineFrames() Line 3778	C++
 	nsBlockFrame::ReflowLine() Line 2771	C++
 	nsBlockFrame::ReflowDirtyLines() Line 2301	C++
 	nsBlockFrame::Reflow() Line 903	C++
 	nsContainerFrame::ReflowChild() Line 905	C++
 	nsHTMLScrollFrame::ReflowScrolledFrame() Line 515	C++
 	nsHTMLScrollFrame::ReflowContents() Line 570	C++
 	nsHTMLScrollFrame::Reflow() Line 768	C++
 	nsBlockReflowContext::ReflowBlock() Line 605	C++
 	nsBlockFrame::ReflowFloat() Line 6029	C++
 	nsBlockReflowState::FlowAndPlaceFloat() Line 853	C++
 	nsBlockReflowState::PlaceBelowCurrentLineFloats() Line 1128	C++
 	nsBlockFrame::PlaceLine() Line 4609	C++
 	nsBlockFrame::DoReflowInlineFrames() Line 4010	C++
 	nsBlockFrame::ReflowInlineFrames() Line 3778	C++
 	nsBlockFrame::ReflowLine() Line 2771	C++
 	nsBlockFrame::ReflowDirtyLines() Line 2301	C++
 	nsBlockFrame::Reflow() Line 903	C++
 	nsBlockReflowContext::ReflowBlock() Line 605	C++
 	nsBlockFrame::ReflowBlockFrame() Line 3492	C++
 	nsBlockFrame::ReflowLine() Line 2651	C++
 	nsBlockFrame::ReflowDirtyLines() Line 2301	C++
 	nsBlockFrame::Reflow() Line 903	C++
 	nsContainerFrame::ReflowChild() Line 905	C++
 	CanvasFrame::Reflow() Line 536	C++
 	nsContainerFrame::ReflowChild() Line 905	C++
 	nsHTMLScrollFrame::ReflowScrolledFrame() Line 515	C++
 	nsHTMLScrollFrame::ReflowContents() Line 570	C++
 	nsHTMLScrollFrame::Reflow() Line 768	C++
 	nsContainerFrame::ReflowChild() Line 905	C++
 	ViewportFrame::Reflow() Line 239	C++
 	IncrementalReflow::Dispatch() Line 906	C++
 	PresShell::ProcessReflowCommands() Line 6928	C++
 	PresShell::WillPaint() Line 6565	C++
 	nsViewManager::FlushPendingInvalidates() Line 4409	C++
 	nsViewManager::EnableRefresh() Line 3445	C++
 	nsViewManager::EndUpdateViewBatch() Line 3487	C++
 	nsCSSFrameConstructor::RestyleEvent::HandleEvent() Line 14215	C++
 	HandleRestyleEvent() Line 14224	C++
 	PL_HandleEvent() Line 688	C
 	PL_ProcessPendingEvents() Line 623	C
 	_md_EventReceiverProc() Line 1408	C
 	77d48744	
 	77d48826	
 	77d489dd	
 	77d49412	
 	77d48a20	
 	nsAppShell::Run() Line 133	C++
 	nsAppStartup::Run() Line 151	C++
 	XRE_main() Line 2444	C++
 	main() Line 61	C++
 	mainCRTStartup() Line 398	C
 	7c816fd7	
Comment 2 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2007-02-26 19:34:42 PST
Created attachment 256559
testcase

This minimized testcase produces a scary assertion about floats having the wrong parent. I believe this was fixed on trunk by the fix for bug 306534.

However, applying that fix doesn't solve the crash. I'll keep working on it.
Comment 3 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2007-02-26 20:43:03 PST
Created attachment 256571
testcase #2

This testcase is somewhat minimized, and with the fix for 306534, still produces scary assertions about frames not being found when deleting lines.
Comment 4 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2007-02-26 20:45:20 PST
It seems the assertions in testcase #2 were fixed by bug 306533 on trunk. Indeed, applying just that patch to the branch fixes the crash in attachment #248632. So we need to get that on branch.
Comment 5 chris hofmann 2007-03-01 15:03:46 PST
Should we close this one out now as a dup of, or fixed by, 306533 or other marking; then just get that patch on the branch?
Comment 6 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2007-03-01 18:55:37 PST
Let's just land that fix on branch and then mark this FIXED.
Comment 7 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2007-03-18 20:48:56 PDT
Should be fixed now that I've landed the fix for bug 306533 on branch.
Comment 8 Daniel Veditz [:dveditz] 2007-04-19 10:51:35 PDT
Adding fixed keywords based on bug 306533 landing. Adding 'qawanted' to verify that the bug is in fact fixed by that.
Comment 9 Martijn Wargers [:mwargers] (not working for Mozilla) 2007-04-20 07:34:00 PDT
Seems to already have been fixed on branch somehow between 2007-03-09 and 2007-03-23.

I can confirm, the url still doesn't crash, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12pre) Gecko/20070419 Firefox/1.5.0.12pre
and:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4pre) Gecko/20070420 BonEcho/2.0.0.4pre
Comment 10 Mats Palmgren (vacation) 2013-01-26 13:05:16 PST
Crash tests:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a105bb59b049
Comment 11 Ryan VanderMeulen [:RyanVM] 2013-01-27 17:06:52 PST
https://hg.mozilla.org/mozilla-central/rev/a105bb59b049
