Last Comment Bug 372376 - Memory corruption with <tr style="display: inherit">
: Memory corruption with <tr style="display: inherit">
Status: VERIFIED FIXED
[sg:critical] see https://bugzilla.mo...
: arch, crash, testcase, verified1.8.0.12, verified1.8.1.4
Product: Core
Classification: Components
Component: Layout: Tables (show other bugs)
: Trunk
: x86 Mac OS X
: -- critical (vote)
: ---
Assigned To: Boris Zbarsky [:bz]
:
Mentors:
Depends on: 317876 323656
Blocks: stirtable
  Show dependency treegraph
 
Reported: 2007-03-02 04:58 PST by Jesse Ruderman
Modified: 2007-12-16 21:49 PST (History)
6 users (show)
dveditz: blocking1.8.1.4+
dveditz: wanted1.8.1.x+
dveditz: blocking1.8.0.12+
dveditz: wanted1.8.0.x+
jruderman: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase (causes memory corruption / crashes) (725 bytes, application/xhtml+xml)
2007-03-02 04:58 PST, Jesse Ruderman
no flags Details
valgrind warnings (106.02 KB, text/plain; charset=UTF-8)
2007-03-02 10:36 PST, David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch)
no flags Details

Description Jesse Ruderman 2007-03-02 04:58:10 PST
Created attachment 257012 [details]
testcase (causes memory corruption / crashes)

This testcase leads to crashes in *entirely* random places and times.  It might crash soon during GC, or it might crash while writing bookmarks during shutdown, or it might not crash at all.  You should restart Firefox after loading the testcase to avoid data loss in a crash later.

Memory corruption leading to random crashes, including "Illegal instruction" crashes --> sg:critical.

You're also likely to see these two assertions:

###!!! ASSERTION: wrong display type on rowframe: 'NS_STYLE_DISPLAY_TABLE_ROW == childFrame->GetStyleDisplay()->mDisplay', file /Users/jruderman/trunk/mozilla/layout/tables/nsTableRowFrame.cpp, line 1291

###!!! ASSERTION: invalid array index: 'i < Length()', file ../../dist/include/xpcom/nsTArray.h, line 318

and you might also see:

###!!! ASSERTION: span beyond the row size!: 'endColIndex + 1 <= row.Length()', file /Users/jruderman/trunk/mozilla/layout/tables/nsCellMap.cpp, line 2108

###!!! ASSERTION: Bogus row index?: 'Not Reached', file /Users/jruderman/trunk/mozilla/layout/tables/nsCellMap.cpp, line 399
Comment 1 Jesse Ruderman 2007-03-02 05:01:31 PST
Does the tr's display property have to be "inherit" to trigger this crash?  The computed style is "block" (why not "table"?), but if I change "inherit" to "block" in the testcase the assertions and crash and incorrect display go away.
Comment 2 Martijn Wargers [:mwargers] (not working for Mozilla) 2007-03-02 05:09:25 PST
I think this might be related to bug 317876.
Comment 3 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2007-03-02 10:36:46 PST
Created attachment 257038 [details]
valgrind warnings
Comment 4 Bernd 2007-03-02 11:10:47 PST
###!!! ASSERTION: wrong display type on rowframe: 'NS_STYLE_DISPLAY_TABLE_ROW
== childFrame->GetStyleDisplay()->mDisplay', file
/Users/jruderman/trunk/mozilla/layout/tables/nsTableRowFrame.cpp, line 1291

Is exactly bug 317876, the cure is outlined in https://bugzilla.mozilla.org/show_bug.cgi?id=323656#c5 which is beyond my capabilities.
Comment 5 Window Snyder 2007-03-08 13:38:27 PST
Critical security bugs need to have an owner.  Bern, DBarron, who should own this bug?
Comment 6 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2007-03-08 13:50:39 PST
Whoever owns bug 323656.
Comment 7 Window Snyder 2007-03-08 14:02:06 PST
That one is also assigned to nobody.  Any ideas who should get them?
Comment 8 Jesse Ruderman 2007-03-08 14:05:39 PST
bz attached a patch last week and it already has review.  It sounds like he needs more time to test the patch before he's comfortable checking it in.
Comment 9 Boris Zbarsky [:bz] 2007-03-30 20:39:06 PDT
Note to self:  The PresContext() landing bitrotted this.  Need to update...  The patch lives in the "leafframe" tree.
Comment 10 Boris Zbarsky [:bz] 2007-04-15 16:48:58 PDT
Now that bug bug 323656 is fixed, is this still a problem?
Comment 11 Jesse Ruderman 2007-04-15 18:10:02 PDT
A debug build from earlier today had a bunch of problems (random rendering, assertions, random crashes) with the testcase.  A debug build from just now does fine.  FIXED by the checkin for bug 323656.
Comment 12 Daniel Veditz [:dveditz] 2007-04-16 18:25:40 PDT
The testcase crashes debug 1.5.0.12pre/2.0.0.4pre builds but with a different assertion (twice):

###!!! ASSERTION: Computed overflow area must contain frame bounds: 'aNewSize.width == 0 || aNewSize.height == 0 || aOverflowArea->Contains(nsRect(nsPoint(0, 0), aNewSize))', file c:/dev/ff2/mozilla/layout/generic/nsFrame.cpp, line 4410

The crash is due to the debug heap routines detecting damaged blocks (i.e. most likely sg:critical). Applying the patch from bug 323656 to see if it's the same thing as the trunk crash.
Comment 13 Daniel Veditz [:dveditz] 2007-04-16 18:59:02 PDT
The patch from bug 323656 seems to fix the branch crash, too.
Comment 14 Daniel Veditz [:dveditz] 2007-04-27 12:24:48 PDT
Appears fixed in 1.8.1.4pre by bug 323656. Adding keywords but also "qawanted" to make sure we double-check this one.
Comment 15 Martijn Wargers [:mwargers] (not working for Mozilla) 2007-04-27 13:06:39 PDT
Verified fixed on trunk and branches.
The testcase doesn't crash on load, or even reloading it a few times.
Comment 16 Jesse Ruderman 2007-12-16 21:49:59 PST
Crashtest checked in.

Note You need to log in before you can comment on or make changes to this bug.