[FIX]Crash [@ PresShell::GetPrimaryFrameFor] with :first-letter and :after and counter

RESOLVED FIXED in mozilla1.9alpha5



12 years ago
8 years ago


(Reporter: jruderman, Assigned: bzbarsky)


(Blocks 1 bug, 4 keywords)

Dependency tree / graph
Bug Flags:
blocking1.8.1.8 +
wanted1.8.1.x +
blocking1.8.0.next +
wanted1.8.0.x +
in-testsuite +

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [sg:critical] (needed if 362901 taken on branch), crash signature)


(5 attachments)

Posted file testcase
Loading the testcase in a Mac trunk debug build causes:

Thread 0 Crashed:
0   <<00000000>> 	0x10711001 0 + 275845121
1   libgklayout.dylib        	0x19724602 PresShell::GetPrimaryFrameFor(nsIContent*) const + 42 (nsPresShell.cpp:4705)
2   libgklayout.dylib        	0x196e39af nsCSSFrameConstructor::CharacterDataChanged(nsIContent*, int) + 301 (nsCSSFrameConstructor.cpp:9852)
3   libgklayout.dylib        	0x19729455 PresShell::CharacterDataChanged(nsIDocument*, nsIContent*, CharacterDataChangeInfo*) + 233 (nsPresShell.cpp:4478)
4   libgklayout.dylib        	0x19a88fca nsBindingManager::CharacterDataChanged(nsIDocument*, nsIContent*, CharacterDataChangeInfo*) + 88 (nsBindingManager.cpp:1160)
5   libgklayout.dylib        	0x19945fa0 nsNodeUtils::CharacterDataChanged(nsIContent*, CharacterDataChangeInfo*) + 166 (nsNodeUtils.cpp:88)
6   libgklayout.dylib        	0x1992bb95 nsGenericDOMDataNode::SetTextInternal(unsigned, unsigned, unsigned short const*, unsigned, int) + 1003 (nsGenericDOMDataNode.cpp:485)
7   libgklayout.dylib        	0x1992c002 nsGenericDOMDataNode::SetData(nsAString_internal const&) + 84 (nsGenericDOMDataNode.cpp:323)
8   libgklayout.dylib        	0x19dc8bd0 nsTextNode::SetData(nsAString_internal const&) + 24 (nsTextNode.cpp:69)
9   libgklayout.dylib        	0x19700ad6 nsCounterList::RecalcAll() + 200 (nsCounterManager.cpp:186)
10  libgklayout.dylib        	0x19700b33 RecalcDirtyLists(nsAString_internal const&, nsCounterList*, void*) + 37 (nsCounterManager.cpp:274)
11  libgklayout.dylib        	0x19d54ea5 nsBaseHashtable<nsStringHashKey, nsAutoPtr<nsCounterList>, nsCounterList*>::s_EnumReadStub(PLDHashTable*, PLDHashEntryHdr*, unsigned, void*) + 81 (nsBaseHashtable.h:327)
12  libxpcom_core.dylib      	0x012f5764 PL_DHashTableEnumerate + 191 (pldhash.c:724)
13  libgklayout.dylib        	0x19d54b60 nsBaseHashtable<nsStringHashKey, nsAutoPtr<nsCounterList>, nsCounterList*>::EnumerateRead(PLDHashOperator (*)(nsAString_internal const&, nsCounterList*, void*), void*) const + 128 (nsBaseHashtable.h:188)
14  libgklayout.dylib        	0x19700bf3 nsCounterManager::RecalcAll() + 41 (nsCounterManager.cpp:281)
15  libgklayout.dylib        	0x196d66dc nsCSSFrameConstructor::RecalcQuotesAndCounters() + 80 (nsCSSFrameConstructor.cpp:10200)
16  libgklayout.dylib        	0x196d6784 nsCSSFrameConstructor::EndUpdate() + 36 (nsCSSFrameConstructor.cpp:10181)
17  libgklayout.dylib        	0x196ecfd2 nsCSSFrameConstructor::ProcessPendingRestyles() + 536 (nsCSSFrameConstructor.cpp:12973)
18  libgklayout.dylib        	0x196ed0bc nsCSSFrameConstructor::RestyleEvent::Run() + 200 (nsCSSFrameConstructor.cpp:13032)
19  libxpcom_core.dylib      	0x013557ea nsThread::ProcessNextEvent(int, int*) + 508 (nsThread.cpp:483)
Flags: blocking1.9?
Whiteboard: [sg:critical]
So the frame for the <span> ends up as a child of the first-letter frame in this case...
Posted patch Proposed fixSplinter Review
The real issue is that we don't remove first-letter on restyles, really... but this fixes the problem by making sure to remove it on ContentInserted if it's around (though we readd it too, unfortunately).
Attachment #263952 - Flags: superreview?(dbaron)
Attachment #263952 - Flags: review?(dbaron)
I wonder whether this is a problem on branches...  I bet it is.
Priority: -- → P2
Hardware: PC → All
Summary: Crash [@ PresShell::GetPrimaryFrameFor] with :first-letter and :after and counter → [FIX]Crash [@ PresShell::GetPrimaryFrameFor] with :first-letter and :after and counter
Target Milestone: --- → mozilla1.9alpha5
Is there a bug filed on the "real issue" that comment 4 alludes to?
Though I suppose removing it in a performant way is easier than adding it... maybe.
Comment on attachment 263952 [details] [diff] [review]
Proposed fix


I don't like the function names here, though.  The two versions of HaveFirstLetterStyle are quite different.  Perhaps you should rename:

HaveFirstLetterStyle(,) -> ShouldHaveFirstLetterStyle
HaveFirstLineStyle -> ShouldHaveFirstLineStyle
HaveSpecialBlockStyle -> ShouldHaveSpecialBlockStyle

HaveFirstLetterStyle() -> HasFirstLetterStyle

as a followup patch, if you agree.  (No need to ask for further review.)

It would be nice to fix the underlying problem, though.
Attachment #263952 - Flags: superreview?(dbaron)
Attachment #263952 - Flags: superreview+
Attachment #263952 - Flags: review?(dbaron)
Attachment #263952 - Flags: review+
Fixed on trunk.  Doesn't seem to be a problem on branches, so probably an effect of bug 372550.

Not adding tests yet, because those would give away the bug, I guess.  :(
Blocks: 372550
Closed: 12 years ago
Flags: in-testsuite?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Resolution: --- → FIXED
Good idea on this.  Checked this in too.
bz: having trouble reconciling your branch-blocking requests with your comment 10 saying this isn't a problem on branches, which seem to be made at the same time. Do we want/need this on branches or not?
This bug is a regression from the fix for bug 362901 (see comments in bug 372550).  The blocking flags were set to mirror those on bug 362901.  This business of not adding deps to hidden bugs really sucks.  :(  Do we have any better way to track things?
Why are we not adding dependencies on hidden bugs? I can think of no better way to track things.
I was told at some point to not have dependencies between hidden and not-hidden bugs...  Presumably because if a non-hidden bug blocks a hidden one people realize that it's a security-related fix?

In any case, if you're ok with me doing it I'd love to add said deps.
If something is a regression from a security fix then the security fix has already been checked in--that's got to be more revealing than a dependent bug. Please definitely do mark regressions as blocking "fixed" security bugs so we don't miss them when we're planning branch landings.

In other cases if merely hinting that there might be a security bug that will fix or be fixed by the public bug is enough to point someone at the problem then the public bug should possibly not be public. If this is the case and you really don't want to privatize the public bug then maybe don't mark dependencies, but in most cases it should be fine.

In cases where you withhold explicit dependencies please mention them in the status whiteboard of the hidden bug(s) so we can easily find them during triage and remember to mark them when the security bugs are eventually publicized.
Blocks: 362901
Sounds like a plan.  I updated the dependencies...
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Whiteboard: [sg:critical] → [sg:critical] (needed if 362901 taken on branch)
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Flags: blocking1.8.1.6+
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Flags: blocking1.9?
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
Fixed for by checkin for bug 362901.
Keywords: fixed1.8.1.7
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv: Gecko/2007083005 BonEcho/ - no crash on the 2 testcases from this bug - adding verified keyword
Group: security
Flags: blocking1.8.0.14+ → blocking1.8.0.15?
I checked in my testcase as a crashtest and bz's reftest pair as a reftest pair.
Flags: in-testsuite? → in-testsuite+
Flags: blocking1.8.0.15? → blocking1.8.0.15+
Assignee: nobody → bzbarsky
Crash Signature: [@ PresShell::GetPrimaryFrameFor]
You need to log in before you can comment on or make changes to this bug.