Closed Bug 369542 Opened 17 years ago Closed 17 years ago

Crash [@ nsHTMLReflowState::ComputePadding] on branch, with partly minimised testcase from bug 363813

Categories: Core :: Layout, defect; 1.8 Branch; x86; Windows XP; defect; Not set; critical
Tracking: RESOLVED FIXED
People: Reporter: martijn.martijn, Assigned: roc
Details: 4 keywords, Whiteboard: [sg:critical] should be fixed by bug 306533
Attachments: 2 files

This is a follow-up from bug 363813, marking security sensitive since it's crashing branch builds.

I crash with the latest branch builds on the partly minimised testcase from bug 363813.

Talkback ID: TB28534877X
0x00000922
nsHTMLReflowState::ComputePadding  [mozilla/layout/generic/nsHTMLReflowState.cpp, line 2444]
nsHTMLReflowState::InitConstraints  [mozilla/layout/generic/nsHTMLReflowState.cpp, line 1759]
nsHTMLReflowState::Init  [mozilla/layout/generic/nsHTMLReflowState.cpp, line 342]
nsHTMLReflowState::nsHTMLReflowState  [mozilla/layout/generic/nsHTMLReflowState.cpp, line 217]
nsLineLayout::ReflowFrame  [mozilla/layout/generic/nsLineLayout.cpp, line 913]
nsInlineFrame::ReflowInlineFrame  [mozilla/layout/generic/nsInlineFrame.cpp, line 689]
nsInlineFrame::ReflowFrames  [mozilla/layout/generic/nsInlineFrame.cpp, line 519]
nsFirstLineFrame::Reflow  [mozilla/layout/generic/nsInlineFrame.cpp, line 1049]
nsLineLayout::ReflowFrame  [mozilla/layout/generic/nsLineLayout.cpp, line 996]
nsBlockFrame::ReflowInlineFrame  [mozilla/layout/generic/nsBlockFrame.cpp, line 4245]
nsBlockFrame::DoReflowInlineFrames  [mozilla/layout/generic/nsBlockFrame.cpp, line 3898]
nsBlockFrame::ReflowInlineFrames  [mozilla/layout/generic/nsBlockFrame.cpp, line 3779]
nsBlockFrame::ReflowLine  [mozilla/layout/generic/nsBlockFrame.cpp, line 2772]
nsBlockFrame::ReflowDirtyLines  [mozilla/layout/generic/nsBlockFrame.cpp, line 2302]
nsBlockFrame::Reflow  [mozilla/layout/generic/nsBlockFrame.cpp, line 905]
nsContainerFrame::ReflowChild  [mozilla/layout/generic/nsContainerFrame.cpp, line 905]
nsHTMLScrollFrame::ReflowScrolledFrame  [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 523]
nsHTMLScrollFrame::ReflowContents  [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 571]
nsHTMLScrollFrame::Reflow  [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 769]
nsBlockReflowContext::ReflowBlock  [mozilla/layout/generic/nsBlockReflowContext.cpp, line 606]
nsBlockFrame::ReflowFloat  [mozilla/layout/generic/nsBlockFrame.cpp, line 6030]
nsBlockReflowState::FlowAndPlaceFloat  [mozilla/layout/generic/nsBlockReflowState.cpp, line 863]
nsBlockReflowState::PlaceBelowCurrentLineFloats  [mozilla/layout/generic/nsBlockReflowState.cpp, line 1132]
nsBlockFrame::PlaceLine  [mozilla/layout/generic/nsBlockFrame.cpp, line 4609]
nsBlockFrame::DoReflowInlineFrames  [mozilla/layout/generic/nsBlockFrame.cpp, line 4010]
nsBlockFrame::ReflowInlineFrames  [mozilla/layout/generic/nsBlockFrame.cpp, line 3779]
nsBlockFrame::ReflowLine  [mozilla/layout/generic/nsBlockFrame.cpp, line 2772]
nsBlockFrame::ReflowDirtyLines  [mozilla/layout/generic/nsBlockFrame.cpp, line 2302]
nsBlockFrame::Reflow  [mozilla/layout/generic/nsBlockFrame.cpp, line 905]
nsBlockReflowContext::ReflowBlock  [mozilla/layout/generic/nsBlockReflowContext.cpp, line 606]
nsBlockFrame::ReflowBlockFrame  [mozilla/layout/generic/nsBlockFrame.cpp, line 3492]
nsBlockFrame::ReflowLine  [mozilla/layout/generic/nsBlockFrame.cpp, line 2651]
nsBlockFrame::ReflowDirtyLines  [mozilla/layout/generic/nsBlockFrame.cpp, line 2302]
nsBlockFrame::Reflow  [mozilla/layout/generic/nsBlockFrame.cpp, line 905]
nsContainerFrame::ReflowChild  [mozilla/layout/generic/nsContainerFrame.cpp, line 905]
CanvasFrame::Reflow  [mozilla/layout/generic/nsHTMLFrame.cpp, line 536]
nsContainerFrame::ReflowChild  [mozilla/layout/generic/nsContainerFrame.cpp, line 905]
nsHTMLScrollFrame::ReflowScrolledFrame  [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 523]
nsHTMLScrollFrame::ReflowContents  [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 571]
nsHTMLScrollFrame::Reflow  [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 769]
nsContainerFrame::ReflowChild  [mozilla/layout/generic/nsContainerFrame.cpp, line 905]
ViewportFrame::Reflow  [mozilla/layout/generic/nsViewportFrame.cpp, line 240]
IncrementalReflow::Dispatch  [mozilla/layout/base/nsPresShell.cpp, line 914]
PresShell::ProcessReflowCommands  [mozilla/layout/base/nsPresShell.cpp, line 6928]
PresShell::WillPaint  [mozilla/layout/base/nsPresShell.cpp, line 6565]
0x778b0c24
0x00200064
0xe84d8d50
0x4badaf9a
In a debug build I get
  Access violation reading location 0xddddddfd.

A deleted frame is passed to nsHTMLReflowState::Init()

 	nsCachedStyleData::GetStyleData() Line 210	C++
 	nsStyleContext::GetStyleData() Line 248	C++
 	nsIFrame::GetStyleData() Line 612	C++
 	nsIFrame::GetStylePosition() Line 82	C++
>	nsHTMLReflowState::Init() Line 332	C++
 	nsHTMLReflowState::nsHTMLReflowState() Line 217	C++
 	nsLineLayout::ReflowFrame() Line 912	C++
 	nsInlineFrame::ReflowInlineFrame() Line 683	C++
 	nsInlineFrame::ReflowFrames() Line 518	C++
 	nsFirstLineFrame::Reflow() Line 1049	C++
 	nsLineLayout::ReflowFrame() Line 995	C++
 	nsBlockFrame::ReflowInlineFrame() Line 4058	C++
 	nsBlockFrame::DoReflowInlineFrames() Line 3897	C++
 	nsBlockFrame::ReflowInlineFrames() Line 3778	C++
 	nsBlockFrame::ReflowLine() Line 2771	C++
 	nsBlockFrame::ReflowDirtyLines() Line 2301	C++
 	nsBlockFrame::Reflow() Line 903	C++
 	nsContainerFrame::ReflowChild() Line 905	C++
 	nsHTMLScrollFrame::ReflowScrolledFrame() Line 515	C++
 	nsHTMLScrollFrame::ReflowContents() Line 570	C++
 	nsHTMLScrollFrame::Reflow() Line 768	C++
 	nsBlockReflowContext::ReflowBlock() Line 605	C++
 	nsBlockFrame::ReflowFloat() Line 6029	C++
 	nsBlockReflowState::FlowAndPlaceFloat() Line 853	C++
 	nsBlockReflowState::PlaceBelowCurrentLineFloats() Line 1128	C++
 	nsBlockFrame::PlaceLine() Line 4609	C++
 	nsBlockFrame::DoReflowInlineFrames() Line 4010	C++
 	nsBlockFrame::ReflowInlineFrames() Line 3778	C++
 	nsBlockFrame::ReflowLine() Line 2771	C++
 	nsBlockFrame::ReflowDirtyLines() Line 2301	C++
 	nsBlockFrame::Reflow() Line 903	C++
 	nsBlockReflowContext::ReflowBlock() Line 605	C++
 	nsBlockFrame::ReflowBlockFrame() Line 3492	C++
 	nsBlockFrame::ReflowLine() Line 2651	C++
 	nsBlockFrame::ReflowDirtyLines() Line 2301	C++
 	nsBlockFrame::Reflow() Line 903	C++
 	nsContainerFrame::ReflowChild() Line 905	C++
 	CanvasFrame::Reflow() Line 536	C++
 	nsContainerFrame::ReflowChild() Line 905	C++
 	nsHTMLScrollFrame::ReflowScrolledFrame() Line 515	C++
 	nsHTMLScrollFrame::ReflowContents() Line 570	C++
 	nsHTMLScrollFrame::Reflow() Line 768	C++
 	nsContainerFrame::ReflowChild() Line 905	C++
 	ViewportFrame::Reflow() Line 239	C++
 	IncrementalReflow::Dispatch() Line 906	C++
 	PresShell::ProcessReflowCommands() Line 6928	C++
 	PresShell::WillPaint() Line 6565	C++
 	nsViewManager::FlushPendingInvalidates() Line 4409	C++
 	nsViewManager::EnableRefresh() Line 3445	C++
 	nsViewManager::EndUpdateViewBatch() Line 3487	C++
 	nsCSSFrameConstructor::RestyleEvent::HandleEvent() Line 14215	C++
 	HandleRestyleEvent() Line 14224	C++
 	PL_HandleEvent() Line 688	C
 	PL_ProcessPendingEvents() Line 623	C
 	_md_EventReceiverProc() Line 1408	C
 	77d48744	
 	77d48826	
 	77d489dd	
 	77d49412	
 	77d48a20	
 	nsAppShell::Run() Line 133	C++
 	nsAppStartup::Run() Line 151	C++
 	XRE_main() Line 2444	C++
 	main() Line 61	C++
 	mainCRTStartup() Line 398	C
 	7c816fd7	
Assignee: nobody → roc
Whiteboard: [sg:critical]
Attached file testcase
This minimized testcase produces a scary assertion about floats having the wrong parent. I believe this was fixed on trunk by the fix for bug 306534.

However, applying that fix doesn't solve the crash. I'll keep working on it.
Attached file testcase #2
This testcase is somewhat minimized, and with the fix for 306534, still produces scary assertions about frames not being found when deleting lines.
It seems the assertions in testcase #2 were fixed by bug 306533 on trunk. Indeed, applying just that patch to the branch fixes the crash in attachment #248632. So we need to get that on branch.
Depends on: 306533
Flags: blocking1.8.1.3?
Flags: blocking1.8.0.11?
Should we close this one out now as dup of, or fixed by, 306533 or other marking, then just get that patch on the branch?
Let's just land that fix on branch and then mark this FIXED.
Whiteboard: [sg:critical] → [sg:critical] should be fixed by bug 306533
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Should be fixed now that I've landed the fix for bug 306533 on branch.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Adding fixed keywords based on bug 306533 landing. Adding 'qawanted' to verify that the bug is in fact fixed by that.
Seems to already have been fixed on branch somehow between 2007-03-09 and 2007-03-23.

I can confirm the URL still doesn't crash, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12pre) Gecko/20070419 Firefox/1.5.0.12pre
and:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4pre) Gecko/20070420 BonEcho/2.0.0.4pre
Group: security
Flags: in-testsuite?
Crash Signature: [@ nsHTMLReflowState::ComputePadding]
Crash tests:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a105bb59b049
Flags: in-testsuite? → in-testsuite+