Crash [@ nsHTMLFramesetBorderFrame::SetVisibility] with dynamic changes

RESOLVED FIXED

Status

Product: Core
Component: Layout: HTML Frames
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 12 years ago
Modified: 11 years ago
People

(Reporter: mkaply, Unassigned)

Tracking

Keywords: regression
Version: Trunk
Points: ---
Bug Flags: wanted1.8.1.x-

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?]Is this still an issue?)

(Reporter)

Description

12 years ago
We are experiencing a crash in nsHTMLFramesetBorderFrame::SetVisibility. We're working on a testcase. Here's what we know so far.

There has been another report of it (same product we are working with)

http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=27967312

The problem is actually in 

nsHTMLFramesetFrame::Reflow here:

http://lxr.mozilla.org/seamonkey/source/layout/generic/nsFrameSetFrame.cpp#1231

mVerBorders[verX] is 0xfdfdfdfd so it has somehow been corrupted? Here's a full stack.
>	gklayout.dll!nsHTMLFramesetBorderFrame::SetVisibility(int aVisibility=0)  Line 1619 + 0x6 bytes	C++
 	gklayout.dll!nsHTMLFramesetFrame::Reflow(nsPresContext * aPresContext=0x0624d0f8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0)  Line 1233	C++
 	gklayout.dll!nsBlockReflowContext::ReflowBlock(const nsRect & aSpace={...}, int aApplyTopMargin=1, nsCollapsingMargin & aPrevMargin={...}, int aClearance=0, int aIsAdjacentWithTop=1, nsMargin & aComputedOffsets={...}, nsHTMLReflowState & aFrameRS={...}, unsigned int & aFrameReflowStatus=0)  Line 371 + 0x2c bytes	C++
 	gklayout.dll!nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & aState={...}, nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x0012da40)  Line 2877 + 0x3f bytes	C++
 	gklayout.dll!nsBlockFrame::ReflowLine(nsBlockReflowState & aState={...}, nsLineList_iterator aLine={...}, int * aKeepReflowGoing=0x0012da40)  Line 2123 + 0x1b bytes	C++
 	gklayout.dll!nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & aState={...})  Line 1787 + 0x1b bytes	C++
 	gklayout.dll!nsBlockFrame::Reflow(nsPresContext * aPresContext=0x0624d0f8, nsHTMLReflowMetrics & aMetrics={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0)  Line 911 + 0xf bytes	C++
 	gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x062914b4, nsPresContext * aPresContext=0x0624d0f8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int aY=0, unsigned int aFlags=0, unsigned int & aStatus=0)  Line 754 + 0x21 bytes	C++
 	gklayout.dll!CanvasFrame::Reflow(nsPresContext * aPresContext=0x0624d0f8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0)  Line 586	C++
 	gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x0628bdd0, nsPresContext * aPresContext=0x0624d0f8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int aY=0, unsigned int aFlags=3, unsigned int & aStatus=0)  Line 754 + 0x21 bytes	C++
 	gklayout.dll!nsHTMLScrollFrame::ReflowScrolledFrame(const ScrollReflowState & aState={...}, int aAssumeHScroll=0, int aAssumeVScroll=0, nsHTMLReflowMetrics * aMetrics=0x0012e2e0, int aFirstPass=1)  Line 463 + 0x2e bytes	C++
 	gklayout.dll!nsHTMLScrollFrame::ReflowContents(ScrollReflowState * aState=0x0012e380, const nsHTMLReflowMetrics & aDesiredSize={...})  Line 533 + 0x1b bytes	C++
 	gklayout.dll!nsHTMLScrollFrame::Reflow(nsPresContext * aPresContext=0x0624d0f8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0)  Line 748 + 0x13 bytes	C++
 	gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x0628bf14, nsPresContext * aPresContext=0x0624d0f8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int aY=0, unsigned int aFlags=0, unsigned int & aStatus=0)  Line 754 + 0x21 bytes	C++
 	gklayout.dll!ViewportFrame::Reflow(nsPresContext * aPresContext=0x0624d0f8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0)  Line 286 + 0x2b bytes	C++
 	gklayout.dll!PresShell::ProcessReflowCommands(int aInterruptible=1)  Line 5955	C++
 	gklayout.dll!PresShell::WillPaint()  Line 5640	C++
 	gklayout.dll!nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012eaec, nsEventStatus * aStatus=0x0012e998)  Line 1380	C++
 	gklayout.dll!HandleEvent(nsGUIEvent * aEvent=0x0012eaec)  Line 174	C++
 	gkwidget.dll!nsWindow::DispatchEvent(nsGUIEvent * event=0x0012eaec, nsEventStatus & aStatus=nsEventStatus_eIgnore)  Line 1103 + 0xc bytes	C++
 	gkwidget.dll!nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012eaec, nsEventStatus & aStatus=nsEventStatus_eIgnore)  Line 1129	C++
 	gkwidget.dll!nsWindow::OnPaint(HDC__ * aDC=0x00000000)  Line 5946 + 0x1e bytes	C++
 	gkwidget.dll!nsWindow::ProcessMessage(unsigned int msg=15, unsigned int wParam=0, long lParam=0, long * aRetValue=0x0012ef90)  Line 4435 + 0x15 bytes	C++
 	gkwidget.dll!nsWindow::WindowProc(HWND__ * hWnd=0x000b0ed2, unsigned int msg=15, unsigned int wParam=0, long lParam=0)  Line 1316 + 0x1d bytes	C++
 	user32.dll!77d48734() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]	
 	user32.dll!77d48816() 	
 	ntdll.dll!7c91056d() 	
 	user32.dll!77d4b4c0() 	
 	user32.dll!77d4b50c() 	
 	ntdll.dll!7c90eae3() 	
 	user32.dll!77d4d83f() 	
 	user32.dll!77d4d82a() 	
 	gkwidget.dll!nsWindow::DispatchStarvedPaints(HWND__ * aWnd=0x00110e24, long aMsg=0)  Line 4239 + 0xa bytes	C++
 	user32.dll!77d4ccd1() 	
 	user32.dll!77d4da57() 	
 	gkwidget.dll!nsWindow::DispatchPendingEvents()  Line 4276	C++
 	gkwidget.dll!nsWindow::ProcessMessage(unsigned int msg=512, unsigned int wParam=0, long lParam=22741460, long * aRetValue=0x0012f520)  Line 4668	C++
 	gkwidget.dll!nsWindow::WindowProc(HWND__ * hWnd=0x000b0ed2, unsigned int msg=512, unsigned int wParam=0, long lParam=22741460)  Line 1316 + 0x1d bytes	C++
 	user32.dll!77d48734() 	
 	user32.dll!77d48816() 	
 	user32.dll!77d489cd() 	
 	ntdll.dll!7c91056d() 	
 	user32.dll!77d49402() 	
 	user32.dll!77d48a10() 	
 	gkwidget.dll!nsAppShell::ProcessNextNativeEvent(int mayWait=0)  Line 149	C++
 	gkwidget.dll!nsBaseAppShell::DoProcessNextNativeEvent(int mayWait=0)  Line 136 + 0x11 bytes	C++
 	gkwidget.dll!nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal * thr=0x00b5f218, int mayWait=1, unsigned int recursionDepth=0)  Line 209 + 0xd bytes	C++
 	xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012f70c)  Line 472	C++
 	xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00b5f218, int mayWait=1)  Line 225 + 0x16 bytes	C++
 	gkwidget.dll!nsBaseAppShell::Run()  Line 153 + 0xc bytes	C++
 	tkitcmps.dll!nsAppStartup::Run()  Line 171 + 0x1c bytes	C++
 	xul.dll!XRE_main(int argc=1, char * * argv=0x00b5ba80, const nsXREAppData * aAppData=0x004036b4)  Line 2846 + 0x25 bytes	C++
 	firefox.exe!main(int argc=1, char * * argv=0x00b5ba80)  Line 61 + 0x13 bytes	C++
 	firefox.exe!__tmainCRTStartup()  Line 586 + 0x19 bytes	C
 	firefox.exe!mainCRTStartup()  Line 403	C
 	kernel32.dll!7c816fd7() 	
 	ntdll.dll!7c91056d()

Comment 2

12 years ago
Does bug 369150 have the same regression window?
(In reply to comment #2)
> Does bug 369150 have the same regression window?

I answered this question in bug 369150 (the answer was... yes)
(Reporter)

Comment 4

12 years ago
We actually found out how to work around this problem which might help with diagnosing the crash:

From the developer:

Well, essentially, if you have a frameset that doesn't have the cols/rows set (perhaps other attributes as well) and you append a child to it, when you actually try to set the cols/rows, it will crash. I found that as long as I set the cols/rows first, THEN append a child frame, it works. Small fix, big debugging effort.
In a Windows debug build 0xfdfdfdfd is used to mark a "no man's land" buffer around allocated blocks --> something has run past its boundary, or maybe grabbed some other object's memory. (0xdddddddd is deleted memory, 0xcdcdcdcd is uninitialized allocated memory, and 0xcccccccc is uninitialized stack.)

Testcase would be good. Is it a web page testcase, or reachable from an extension (chrome) only? The latter would lower the severity, but seems unlikely to be extension-only from the symptoms.

I assume this is happening on the 1.8 branch? What about FF1.5?
Group: security
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x?
Flags: blocking1.8.1.4?
Keywords: regression
Whiteboard: [sg:critical?]
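The diagnosis in the comment above rests on recognising the MSVC debug-heap fill patterns. The following is an added, constructed illustration, not code from this bug or from Mozilla: a toy allocator wrapper that mimics the debug CRT by surrounding each block with "no man's land" guard bytes (0xFD), filling fresh blocks with 0xCD and freed blocks with 0xDD, plus a checker that flags a guard overwrite. The guard size, the function names and the three-element "border pointer" array standing in for mVerBorders are all the example's own assumptions; the real CRT layout differs.

```c
/*
 * Constructed model of MSVC debug-heap fill patterns (assumption: not the
 * CRT's real implementation). Shows why a field that reads 0xfdfdfdfd
 * points at an out-of-bounds read, and how a guard-band check catches
 * the matching out-of-bounds write.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_BYTES   4u      /* assumption: fixed-size band on each side   */
#define NO_MANS_LAND  0xFDu   /* band around every block                    */
#define FREED_FILL    0xDDu   /* written over a block when it is freed      */
#define UNINIT_FILL   0xCDu   /* written over a block when it is allocated  */

typedef struct {
    unsigned char *raw;   /* start of guard + user bytes + guard           */
    unsigned char *user;  /* pointer the caller actually receives          */
    size_t         size;  /* bytes the caller asked for                    */
} dbg_block;

/* Allocate n user bytes with a guard band on each side. */
static int dbg_alloc(dbg_block *b, size_t n)
{
    b->raw = malloc(n + 2 * GUARD_BYTES);
    if (!b->raw) return 0;
    memset(b->raw, NO_MANS_LAND, GUARD_BYTES);
    memset(b->raw + GUARD_BYTES, UNINIT_FILL, n);
    memset(b->raw + GUARD_BYTES + n, NO_MANS_LAND, GUARD_BYTES);
    b->user = b->raw + GUARD_BYTES;
    b->size = n;
    return 1;
}

/* 1 if both guard bands still hold 0xFD, 0 if something wrote into them. */
static int dbg_guards_intact(const dbg_block *b)
{
    for (size_t i = 0; i < GUARD_BYTES; i++) {
        if (b->raw[i] != NO_MANS_LAND) return 0;
        if (b->user[b->size + i] != NO_MANS_LAND) return 0;
    }
    return 1;
}

static void dbg_free(dbg_block *b)
{
    memset(b->user, FREED_FILL, b->size);   /* make stale reads recognisable */
    free(b->raw);
    b->raw = b->user = NULL;
}

/* Name the pattern a 32-bit value matches, as the diagnosis above does. */
const char *classify_fill(uint32_t v)
{
    switch (v) {
    case 0xFDFDFDFDu: return "no man's land: read past a block boundary";
    case 0xDDDDDDDDu: return "freed heap memory";
    case 0xCDCDCDCDu: return "uninitialised heap memory";
    case 0xCCCCCCCCu: return "uninitialised stack memory";
    default:          return "not a debug fill pattern";
    }
}

/*
 * Model of the reported symptom: an array of three 32-bit "border
 * pointers" is allocated, but the reader indexes element 3, one past the
 * end. The bytes returned are the trailing guard band, so the value comes
 * back as 0xFDFDFDFD, just like mVerBorders[verX] in the report.
 */
uint32_t read_one_past_end(void)
{
    enum { N = 3 };
    dbg_block b;
    uint32_t v = 0;
    if (!dbg_alloc(&b, N * sizeof(uint32_t))) return 0;
    for (size_t i = 0; i < N; i++) {            /* fill only the N real slots */
        uint32_t tag = 0x1000u + (uint32_t)i;
        memcpy(b.user + i * sizeof(uint32_t), &tag, sizeof tag);
    }
    memcpy(&v, b.user + N * sizeof(uint32_t), sizeof v);   /* off-by-one read */
    dbg_free(&b);
    return v;
}

/* Write one byte past the requested size; the guard check must catch it. */
int overrun_is_detected(void)
{
    dbg_block b;
    if (!dbg_alloc(&b, 8)) return 0;
    int before = dbg_guards_intact(&b);
    memset(b.user, 'A', 9);                     /* 9 bytes into an 8-byte block */
    int after = dbg_guards_intact(&b);
    dbg_free(&b);
    return before == 1 && after == 0;
}

int main(void)
{
    uint32_t v = read_one_past_end();
    printf("element one past the end reads 0x%08x -> %s\n", v, classify_fill(v));
    printf("guard check catches the overrun: %s\n", overrun_is_detected() ? "yes" : "no");
    return 0;
}
```

The point for triage is the one the comment makes: a pointer field holding 0xfdfdfdfd was not corrupted by an attacker-controlled write but read from a guard band, so the bug to hunt is an index or length that is one element too large in the code that walks the border array, exactly where the reporter's line reference into nsHTMLFramesetFrame::Reflow points.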
(Reporter)

Comment 6

12 years ago
This happens on FF 1.5 and FF 2.0 and FF 3.0.

The only way to debug is to connect to a server - we couldn't reduce the testcase.

I've sent bz info on connecting to that server, and I could give that info to anyone else on request.

Comment 7

12 years ago
Critical security bugs need to have an owner.  If you are not the correct person for this bug, please help us find someone else.  Thanks.
Assignee: nobody → roc
Martijn, could you work with mkaply and try to get a usable testcase here?
Bug 369150 has some discussion on who should own this...

Comment 10

11 years ago
over to bz per comment 9
Assignee: roc → bzbarsky

Comment 11

11 years ago
Did the fix for bug 369150 help with this?
(Reporter)

Comment 12

11 years ago
Still trying to get a testcase...
Please renominate when there's a testcase and we can answer whether the fix in bug 369150 solves the problem.
Flags: wanted1.8.0.x?
Flags: blocking1.8.1.4?
To default owner.  Not likely to get time to work on it in the current state.
Assignee: bzbarsky → nobody
Whiteboard: [sg:critical?] → [sg:critical?]Is this still an issue?
(Reporter)

Comment 15

11 years ago
I finally was able to test this on the latest trunk and it is fixed by the patches in the other bug.

Thanks!
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Comment 16

11 years ago
Sounds like this is ready to mark fixed (on trunk testing in comment 15), and bug 369150 has the fixed1.8.0.12 and fixed1.8.1.4 keywords applied, so it doesn't sound like there is anything left to do on this bug, right?

Comment 17

11 years ago
Chris, this bug is already marked as fixed...
Probably fixed on the branch by bug 369150; minusing to get it off our queries (since there's no way to test or reproduce it, it would otherwise uselessly sit there forever).
Flags: wanted1.8.1.x+ → wanted1.8.1.x-
Group: security