Crash [@ nsFrame::CorrectStyleParentFrame] with maction

Status: VERIFIED WORKSFORME
Priority: --
Severity: critical
Reported: 12 years ago
Modified: 7 years ago

People

(Reporter: jruderman, Assigned: rbs)

Tracking

Blocks: 1 bug
Keywords: crash, testcase
Version: Trunk
Platform: x86 Mac OS X
Points: ---
Bug Flags: blocking1.9+, in-testsuite?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
Created attachment 262218: testcase (crashes debug Firefox when loaded)

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xddddddf5

Thread 0 Crashed:
0   libgklayout.dylib        	0x1592517d nsStyleContext::GetRuleNode() + 9 (nsStyleContext.h:114)
1   libgklayout.dylib        	0x159251f9 nsIFrame::PresContext() const + 25 (nsIFrame.h:408)
2   libgklayout.dylib        	0x153064a3 nsFrame::CorrectStyleParentFrame(nsIFrame*, nsIAtom*) + 251 (nsFrame.cpp:5504)
3   libgklayout.dylib        	0x15306664 GetCorrectedParent(nsPresContext*, nsIFrame*, nsIFrame**) + 152 (nsFrame.cpp:5474)
4   libgklayout.dylib        	0x15306790 nsFrame::DoGetParentStyleContextFrame(nsPresContext*, nsIFrame**, int*) + 282 (nsFrame.cpp:5571)
5   libgklayout.dylib        	0x15306860 nsFrame::GetParentStyleContextFrame(nsPresContext*, nsIFrame**, int*) + 38 (nsFrame.cpp:5402)
6   libgklayout.dylib        	0x152af7ef VerifyContextParent(nsPresContext*, nsIFrame*, nsStyleContext*, nsStyleContext*) + 95 (nsFrameManager.cpp:804)
7   libgklayout.dylib        	0x152af9f9 VerifyStyleTree(nsPresContext*, nsIFrame*, nsStyleContext*) + 57 (nsFrameManager.cpp:845)
8   libgklayout.dylib        	0x152afb80 nsFrameManager::DebugVerifyStyleTree(nsIFrame*) + 62 (nsFrameManager.cpp:898)
9   libgklayout.dylib        	0x15792c41 nsMathMLContainerFrame::PropagateScriptStyleFor(nsIFrame*, int) + 775 (nsMathMLContainerFrame.cpp:712)
...

This might be related to bug 368430.
The parent of aFrame in this case is dead:

(gdb) frame 3
#3  0xb6dea76b in GetCorrectedParent (aPresContext=0x8a4f030, aFrame=0x8ad4574, 
    aSpecialParent=0xbfffdac4) at ../../../mozilla/layout/generic/nsFrame.cpp:5477
5477          while (parent->GetStyleContext()->GetPseudoType() ==
(gdb) p aFrame
$9 = (nsMathMLmrowFrame *) 0x8ad4574
(gdb) p aFrame->GetParent()
[Thread -1277715536 (LWP 14411) exited]
$10 = (nsIFrame *) 0x8ad436c
(gdb) p *aFrame->GetParent()
$11 = {<nsISupports> = {_vptr.nsISupports = 0x0}, mRect = {x = -572662307, 
    y = -572662307, width = -572662307, height = -572662307}, mContent = 0xdddddddd, 
  mStyleContext = 0xdddddddd, mParent = 0xdddddddd, mNextSibling = 0xdddddddd, 
  mState = 3722304989}

The basic problem is bug 355548, imo.
Depends on: 355548
(Reporter)

Comment 2

12 years ago
A related testcase triggers the assertion from bug 334514.
Blocks: 334514
(Reporter)

Updated

12 years ago
Whiteboard: [sg:critical?]

Comment 3

11 years ago
roc, can you own this bug based on bz comment 1?
(Reporter)

Updated

11 years ago
Assignee: general → roc

Updated

11 years ago
Flags: blocking1.9+
Poke.  Any word on this?
I think Vlad Sukhoy owns this now :-)

Comment 7

11 years ago
I do. This is one of the aspects of bug 355548 which is in desperate need of a new, comprehensive, reliably crashing test case.
Assignee: roc → vladimir.sukhoy

Updated

11 years ago
Status: NEW → ASSIGNED

Comment 8

11 years ago
Crashes in release too, at NULL. Unfortunately, the testcase is <maction>-specific.

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000120

Thread 0 Crashed:
0   XUL                            	0x011c47d4 nsFrame::MarkIntrinsicWidthsDirty() + 62
1   XUL                            	0x011a22fc PresShell::FrameNeedsReflow(nsIFrame*, nsIPresShell::IntrinsicDirty, unsigned) + 116
2   XUL                            	0x014aada6 nsMathMLContainerFrame::ReLayoutChildren(nsIFrame*, unsigned) + 396
3   XUL                            	0x014aae2f nsMathMLContainerFrame::ChildListChanged(int) + 129
4   XUL                            	0x014a9b5d nsMathMLContainerFrame::AppendFrames(nsIAtom*, nsIFrame*) + 77
5   XUL                            	0x0116c7b0 nsCSSFrameConstructor::AppendFrames(nsFrameConstructorState const&, nsIContent*, nsIFrame*, nsIFrame*, nsIFrame*) + 120
6   XUL                            	0x0117f7cb nsCSSFrameConstructor::ContentAppended(nsIContent*, int) + 2833
7   XUL                            	0x011a20bc PresShell::ContentAppended(nsIDocument*, nsIContent*, int) + 48
8   XUL                            	0x013da6dd nsBindingManager::ContentAppended(nsIDocument*, nsIContent*, int) + 433
(Reporter)

Comment 9

11 years ago
Vlad, are you going to be able to fix this in time for 1.9?  If not, we should find a new owner.

Comment 10

11 years ago
:(. Unlikely, as I cannot reproduce bug 355548 other than with mutation events and, frankly, it is hard to fix crashes in a module that is broken. I will continue to look at it, but I don't think I can own this as it is.
Assignee: vladimir.sukhoy → rbs
Status: ASSIGNED → NEW

Comment 11

11 years ago
See also bug 368430 comment 2, i.e. if I use NS_UNCONSTRAINEDSIZE for available width in nsMathMLmactionFrame::Reflow() this crash is gone. Perhaps this may help.
No crash on Linux amd64.
(Reporter)

Comment 13

11 years ago
WFM (Mac trunk debug).
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → WORKSFORME
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b3pre) Gecko/2007123104 Minefield/3.0b3pre and the testcase from this bug - no crash on testcase

-> Verified 
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsFrame::CorrectStyleParentFrame]
Group: core-security