Closed Bug 378027 Opened 18 years ago Closed 17 years ago

Printing crash [@ nsCellMap::GetCellInfoAt] Exception: EXC_BAD_INSTRUCTION (0x0002)

Categories

(Core :: Layout: Tables, defect)

Product:
Core
Component:
Layout: Tables
Version:
1.8 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: devon, Assigned: MatsPalmgren_bugz)

References

(
URL
)

Details

(4 keywords, Whiteboard: [sg:moderate?][needs patch] using freed frame)

Crash Data

Attachments

(5 files)

crashlogs and web complete page sample that causes crash
88.33 KB, application/octet-stream
Details
Vista xps print output of sample page
219.11 KB, application/octet-stream
Details
Safari printed PDF output of sample page
97.13 KB, application/pdf
Details
stack + data
45.01 KB, text/plain
Details
Testcase #1
1.06 KB, text/html
Details 
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

Firefox crashes every time with an EXC_BAD_INSTRUCTION exception when trying to print a particular page from Intuit.com; a product order page.  The original page is from intuit.com.  A web complete source page and supporting images,etc are attached to this bug.  The crash is 100% reproducible with this page content on MacOS X 10.4.9 with Firefox 2.0.0.3 (20070309).

Reproducible: Always

Steps to Reproduce:
1. Using Firefox 2.0.0.3 (20070309)...
2. Open the attached 'edit_confirmation.html' file.
3. Once open, click on the 'Print this page' icon/link on the page.
4. When the OS print dialog comes up, select 'Print'
Actual Results:  
Firefox crashes after you have clicked 'Print' and the print dialog has been dismissed.

Exception:  EXC_BAD_INSTRUCTION (0x0002)


Expected Results:  
Firefox should successfully print the page.

This sample page content prints fine on Windows Vista with Firefox 2.0.0.3 (20070309).  Attached is a sample 'order_confirmation.xps' of the page output from Windows Vista.
The attached *.zip file contains crashlogs, and a web complete *.html page and files that crash Firefox everytime when a print is attempted.
Win Vista xps output of sample page (what print output should look like)
Safari printed PDF output of sample page. This is a PDF that Firefox should be able to produce, through the OS, just like Safari does.
Comment on attachment 262126 [details]
crashlogs and web complete page sample that causes crash

updated comment on crashlogs and sample page attachment.
Attachment #262126 - Attachment description: web complete page sample that causes print crash → crashlogs and web complete page sample that causes crash
Do you have also a Talkback ID from this crashs ? (http://kb.mozillazine.org/Talkback)
Talkback (v2.0.0.3) add-on is installed and enabled.  Talkback never activates and/or catches the crash though.
Because the crash is occuring in nsTableCellMap (under nsTableFrame), I started eliminating table data in the *.html file one by one to identify the offending table.  The offending table is the 'Shipping Address" <div> block.

- if you remove the contents of the <div> block the page will print fine.
- if you remove both "class" and "style" on the <div> block the page will print fine.
- if you remove just the "class" on the <div> block the page will crash printing.
- if you remove just the "style" on the <div> block the page will crash printing.

It doesn't look like the css used on this <div> block is the problem though.  If you use the previous <div> block's css, the "wcgBillingAddress", the page will still crash printing.  Together, both "class" and "style" props are leading to the crash but there is nothing invalid with their syntax.
minor typo correction: "The offending table data is..."
actually, it's a combination of both <div> elements for "Billing Address" and "Shipping Address".  If you comment out either one of them, the other will print just fine.  When you remove both "class" and "style" props on both <div> elements, the page prints fine.

Maybe the combination of usage for the table <div> elements here will ring a bell with someone who understands the rendering engine in Firefox a lot better than I do.  :-)
if you can reduce the crash to a smaller file, please attach that crashing reduced testcase, thanks.
Component: OS Integration → Layout
Product: Firefox → Core
QA Contact: os.integration → layout
Group: security
Status: UNCONFIRMED → NEW
Component: Layout → Layout: Tables
Ever confirmed: true
QA Contact: layout → layout.tables
Whiteboard: [sg:critical?] using freed frame
Version: unspecified → 1.8 Branch
Attached file stack + data 
There are two of these before the crash:
"Deleting out of flow without tearing down placeholder relationship"
I don't know if they are related to the crash but I included a backtrace
for them anyway.
The top of the crash stack is:

#0  0x025d3164 in ?? ()
#1  0x187e4d6b in nsCellMap::GetCellInfoAt (this=0x37605560, aMap=@0x3737d870, aRowX=1, aColX=1, aOriginates=0xbfff5330, aColSpan=0xbfff532c) at nsCellMap.cpp:2554
#2  0x187e4e3c in nsTableCellMap::GetCellInfoAt (this=0x3737d870, aRowIndex=1, aColIndex=1, aOriginates=0xbfff5330, aColSpan=0xbfff532c) at nsCellMap.cpp:882
#3  0x187f0d7a in nsTableFrame::GetCellInfoAt (this=0x25b8370, aRowX=1, aColX=1, aOriginates=0xbfff5330, aColSpan=0xbfff532c) at nsTableFrame.cpp:4578
#4  0x187de279 in BasicTableLayoutStrategy::AssignPctColumnWidths (this=0x366d9b20, aReflowState=@0xbfff581c, aAvailWidth=7360, aTableIsAutoWidth=0, aPixelToTwips=15) at BasicTableLayoutStrategy.cpp:1414
#5  0x187dfc38 in BasicTableLayoutStrategy::BalanceColumnWidths (this=0x366d9b20, aReflowState=@0xbfff581c) at BasicTableLayoutStrategy.cpp:244
#6  0x187f5f92 in nsTableFrame::BalanceColumnWidths (this=0x25b8370, aReflowState=@0xbfff581c) at nsTableFrame.cpp:3462
#7  0x18801ff1 in nsTableFrame::ReflowTable (this=0x25b8370, aDesiredSize=@0xbfff5ab4, aReflowState=@0xbfff581c, aAvailHeight=7755, aReason=eReflowReason_Resize, aLastChildReflowed=@0xbfff56ec, aDidBalance=@0xbfff5724, aStatus=@0xbfff650c) at nsTableFrame.cpp:2165
#8  0x18802e21 in nsTableFrame::Reflow (this=0x25b8370, aPresContext=0x3760ff60, aDesiredSize=@0xbfff5ab4, aReflowState=@0xbfff581c, aStatus=@0xbfff650c) at nsTableFrame.cpp:2014
#9  0x186af316 in nsContainerFrame::ReflowChild (this=0x25b821c, aKidFrame=0x25b8370, aPresContext=0x3760ff60, aDesiredSize=@0xbfff5ab4, aReflowState=@0xbfff581c, aX=0, aY=75, aFlags=3, aStatus=@0xbfff650c) at nsContainerFrame.cpp:905
#10 0x18807e7a in nsTableOuterFrame::OuterReflowChild (this=0x25b821c, aPresContext=0x3760ff60, aChildFrame=0x25b8370, aOuterRS=@0xbfff5d40, aMetrics=@0xbfff5ab4, aAvailWidth=7350, aDesiredSize=@0xbfff5be8, aMargin=@0xbfff5bd8, aMarginNoAuto=@0xbfff5bc8, aPadding=@0xbfff5bb8, aReflowReason=eReflowReason_Resize, aStatus=@0xbfff650c, aNeedToReflowCaption=0x0) at nsTableOuterFrame.cpp:1316
#11 0x1880a361 in nsTableOuterFrame::Reflow (this=0x25b821c, aPresContext=0x3760ff60, aDesiredSize=@0xbfff5efc, aOuterRS=@0xbfff5d40, aStatus=@0xbfff650c) at nsTableOuterFrame.cpp:1961
#12 0x186a5857 in nsBlockReflowContext::ReflowBlock (this=0xbfff5eb8, aSpace=@0xbfff5f78, aApplyTopMargin=1, aPrevMargin=@0xbfff5f60, aClearance=0, aIsAdjacentWithTop=0, aComputedOffsets=@0x37604218, aFrameRS=@0xbfff5d40, aFrameReflowStatus=@0xbfff650c) at nsBlockReflowContext.cpp:605
#13 0x18699c0f in nsBlockFrame::ReflowFloat (this=0x25b26fc, aState=@0xbfff6bc8, aPlaceholder=0x25b840c, aFloatCache=0x37604200, aReflowStatus=@0xbfff650c) at nsBlockFrame.cpp:6085
#14 0x186a7f89 in nsBlockReflowState::FlowAndPlaceFloat (this=0xbfff6bc8, aFloatCache=0x37604200, aIsLeftFloat=0xbfff6248, aReflowStatus=@0xbfff650c, aForceFit=0) at nsBlockReflowState.cpp:850
#15 0x186a8c29 in nsBlockReflowState::AddFloat (this=0xbfff6bc8, aLineLayout=@0xbfff6628, aPlaceholder=0x25b840c, aInitialReflow=0, aReflowStatus=@0xbfff650c) at nsBlockReflowState.cpp:634
#16 0x18b3bd19 in nsLineLayout::AddFloat (this=0xbfff6628, aFrame=0x25b840c, aReflowStatus=@0xbfff650c) at nsLineLayout.h:260
#17 0x186f084e in nsLineLayout::ReflowFrame (this=0xbfff6628, aFrame=0x25b840c, aReflowStatus=@0xbfff650c, aMetrics=0x0, aPushedFrame=@0xbfff6508) at nsLineLayout.cpp:1017
Summary: Printing crash in nsTableCellMap(); Exception: EXC_BAD_INSTRUCTION (0x0002) → Printing crash [@ nsCellMap::GetCellInfoAt] Exception: EXC_BAD_INSTRUCTION (0x0002)
The bug depends on the page size, I can only reproduce the crash on Mac
after changing the default page size (A4) to US/Letter.
I can also crash a SeaMonkey 1.8 branch debug build on Linux, but only
with US/Letter and in Landscape mode.
URL: [crash depends on Page Setup, see com...
OS: Mac OS X → All
Hardware: Macintosh → All
Attached file Testcase #1 

    
  
Keywords: testcase

    
    

    
  
Reducing impact to sg:moderate on the grounds that an average web surfer isn't going to click print on a random malicious page. (The page could call window.print(), but the user is likely to cancel a page that's trying to suspiciously print itself. Even if it's pr0n -- who wants the evidence lying around for the girlfriend to find?)
Whiteboard: [sg:critical?] using freed frame → [sg:moderate?] using freed frame
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?

    
    

    
  
Mats does this crash trunk?

    
    

    
  
(In reply to comment #16)
> Mats does this crash trunk?

No, it's branch only AFAICT (tested Linux and MacOSX).
URL: [crash depends on Page Setup, see com...[branch-only][crash depends on Page S...

    
    

    
  
my guess would then be bug 295815

    
    

    
  
Backing out bug 295815 did not help. Same crash.

    
    

    
  
Just to be clear, what I meant above was: reversing the change from bug 295815
in the latest MOZILLA_1_8_BRANCH code did not help.

To double-check, I checked out 1.8 branch dated a day before bug 295815 got
fixed (does not crash) and after applying the patch it crashes -
so it looks like it is a regression from bug 295815 after all.
Blocks: 295815

    
    

    
  
Is is possible to identify a trunk build that also did crash? If so can we then identify what fixed the crash?
Assignee: nobody → mats.palmgren
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+

    
    

    
  
Doesn't look like we're making progress, moving to next release.
Flags: blocking1.8.1.5+ → blocking1.8.1.6+
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.9?
Flags: blocking1.8.1.8+
Flags: blocking1.8.0.14?
Flags: blocking1.8.0.14+
Flags: blocking1.8.0.14? → blocking1.8.0.15?
Flags: blocking1.8.1.12? → blocking1.8.1.12+
Flags: blocking1.8.1.13+
Flags: blocking1.8.1.12-
Flags: blocking1.8.1.12+
Whiteboard: [sg:moderate?] using freed frame → [sg:moderate?][needs patch] using freed frame
Flags: blocking1.8.0.15? → blocking1.8.0.15+

    
    

    
  
ditto
Flags: blocking1.8.1.14?
Flags: blocking1.8.1.13-
Flags: blocking1.8.1.13+
Keywords: qawanted

    
    

    
  
reflow log:

VP 03A8E9F0 r=0 a=11900,16837 c=11900,16837 cnt=1653
 scroll 03A8EC70 r=0 a=11900,16837 c=11900,16837 cnt=1654
  page 03A9CC44 r=0 a=12860,17797 c=12860,UC cnt=1656
   block 03A9D368 r=0 a=10460,13732 c=10220,UC cnt=1659
    block 03A9DDF8 r=0 a=10220,13732 c=7200,UC cnt=1665
     tblO 03A9E054 r=0 a=7200,3022 c=UC,UC cnt=1668
      tbl 03A9E1B4 r=0 a=7200,3015 c=7350,UC cnt=1669
       rowG 03AA3EAC r=0 a=UC,UC c=UC,UC cnt=1670
        row 03A9E5A8 r=0 a=UC,UC c=UC,UC cnt=1671
         cell 03A9E778 r=0 a=UC,UC c=UC,UC cnt=1672
          block 03A9E7D8 r=0 a=UC,UC c=UC,UC cnt=1673
          block 03A9E7D8 d=0,0 me=0
         cell 03A9E778 d=30,30 me=30
        row 03A9E5A8 d=UC,30
        row 03A9E928 r=0 a=UC,UC c=UC,UC cnt=1674
         cell 03A9EAF8 r=0 a=UC,UC c=UC,UC cnt=1675
          block 03A9EB58 r=0 a=UC,UC c=UC,UC cnt=1676
          block 03A9EB58 d=0,2400 me=0
         cell 03A9EAF8 d=30,2430 me=30
        row 03A9E928 d=UC,2430
       rowG 03AA3EAC d=UC,2490
       rowG 03AA3EAC r=2 a=7290,2955 c=7290,UC cnt=1686
        row 03A9E5A8 r=2 a=7290,UC c=7290,UC cnt=1687
         cell 03A9E778 r=2 a=7290,UC c=7260,UC cnt=1688
          block 03A9E7D8 r=2 a=7260,UC c=7260,UC cnt=1689
          block 03A9E7D8 d=7260,0 me=0
         cell 03A9E778 d=7290,30 me=30
        row 03A9E5A8 d=7290,30
        row 03A9E928 r=2 a=7290,UC c=7290,UC cnt=1690
         cell 03A9EAF8 r=2 a=7290,UC c=7260,UC cnt=1691
          block 03A9EB58 r=2 a=7260,UC c=7260,UC cnt=1692
          block 03A9EB58 d=7260,4500 me=0
         cell 03A9EAF8 d=7290,4530 me=30
        row 03A9E928 d=7290,4530
        row 03A9E928 r=2 a=7290,2895 c=7290,UC cnt=1700
         cell 03A9EAF8 r=2 a=7290,2895 c=7260,UC cnt=1701
          block 03A9EB58 r=2 a=7260,2865 c=7260,UC cnt=1702
          block 03A9EB58 d=7260,4500 me=0
         cell 03A9EAF8 d=7290,4530 me=30
        row 03A9E928 d=7290,4530
       rowG 03AA3EAC d=7290,30 status=0x1o=(0,0) 7290 x 4590
      tbl 03A9E1B4 d=7350,90 me=7350 status=0x1
     tblO 03A9E054 d=7350,90 me=7350 status=0x1
     tblO 03A9E054 r=2 a=7350,3022 c=UC,UC cnt=1712
      tbl 03A9E1B4 r=2 a=7350,3015 c=7350,UC cnt=1713
       rowG 03AA3EAC r=2 a=7290,2955 c=7290,UC nif=03A8EE90 cnt=1714
        row 03A9E5A8 r=2 a=7290,UC c=7290,UC cnt=1715
         cell 03A9E778 r=2 a=7290,UC c=7260,UC cnt=1716
          block 03A9E7D8 r=2 a=7260,UC c=7260,UC cnt=1717
          block 03A9E7D8 d=7260,0 me=0
         cell 03A9E778 d=7290,30 me=30
        row 03A9E5A8 d=7290,30
        row 03A9E928 r=2 a=7290,UC c=7290,UC cnt=1718
         cell 03A9EAF8 r=2 a=7290,UC c=7260,UC cnt=1719
          block 03A9EB58 r=2 a=7260,UC c=7260,UC cnt=1720
          block 03A9EB58 d=7260,4500 me=0
         cell 03A9EAF8 d=7290,4530 me=30
        row 03A9E928 d=7290,4530
        row 03A9E928 r=2 a=7290,2895 c=7290,UC cnt=1728
         cell 03A9EAF8 r=2 a=7290,2895 c=7260,UC cnt=1729
          block 03A9EB58 r=2 a=7260,2865 c=7260,UC cnt=1730
          block 03A9EB58 d=7260,4500 me=0
         cell 03A9EAF8 d=7290,4530 me=30
        row 03A9E928 d=7290,4530
       rowG 03AA3EAC d=7290,30 status=0x1o=(0,0) 7290 x 4590
      tbl 03A9E1B4 d=7350,90 me=7350 status=0x1
     tblO 03A9E054 d=7350,90 me=7350 status=0x1
    block 03A9DDF8 d=7200,14012 status=0x3o=(0,0) 7351 x 14012
   block 03A9D368 d=10220,0 status=0x3o=(10219,0) 1 x 280
  page 03A9CC44 d=12860,17797 status=0x3
  page 03AA51CC r=0 a=12860,17797 c=12860,UC pif=03A9CC44 cnt=1747
   block 03AA5148 r=0 a=10460,15397 c=10220,UC pif=03A9D368 cnt=1750
    block 03A9DDF8 r=2 a=10220,15397 c=7200,UC cnt=1751
     tblO 03A9E054 r=2 a=7200,4687 c=UC,UC nif=03AA5008 cnt=1754
      tbl 03A9E1B4 r=2 a=7200,4680 c=7350,UC nif=03AA5058 cnt=1755
       rowG 03AA3EAC r=2 a=7290,4620 c=7290,UC nif=03A8EE90 cnt=1756
        row 03A9E5A8 r=2 a=7290,UC c=7290,UC cnt=1757
         cell 03A9E778 r=2 a=7290,UC c=7260,UC cnt=1758
          block 03A9E7D8 r=2 a=7260,UC c=7260,UC cnt=1759
          block 03A9E7D8 d=7260,0 me=0
         cell 03A9E778 d=7290,30 me=30
        row 03A9E5A8 d=7290,30
       rowG 03AA3EAC d=7290,30

The interesting stuff happens on the first page the line
 tblO 03A9E054 r=2 a=7200,4687 c=UC,UC nif=03AA5008 cnt=1754

shows that we reflow on the second page the same table as on the first page instead of the continuing frame 03AA5008 there should be a reference to the pif.

What happens then is a quick story we reflow the table again it does fit and we delete the next inflow of the rowgroup which contains the second row. After this a access to the cellmap is expected to crash.


    
    

    
  
Martijn, could you help with comment 22.

    
    

    
  
Martijn, no need for searching taking bug 347367 fixes the crash
Depends on: 347367
Flags: blocking1.8.1.14? → blocking1.8.1.14+

    
    

    
  
fixed by bug 347367 going into branch
Status: NEW → RESOLVED
Closed: 17 years ago
Keywords: fixed1.8.1.14
Resolution: --- → FIXED

    
    

    
  
Verified fixed in Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.15pre) Gecko/2008050803 BonEcho/2.0.0.15pre. The crashing no longer occurs as it does when I try the test case in 2.0.0.14.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.15, 
          
            qawantedverified1.8.1.15
Alias: CVE-2008-2798
Alias: CVE-2008-2798
Group: security

    
    

    
  
fwiw, verified printing html table sample still prints w/out crashing in current release: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Crash Signature: [@ nsCellMap::GetCellInfoAt]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: