The default bug view has changed. See this FAQ.

free memory read at nsCachedStyleData:GetStyleData within DoDeletingFrameSubtree

RESOLVED FIXED

Status

()

Core
Layout
--
critical
RESOLVED FIXED
10 years ago
8 years ago

People

(Reporter: Paul Nickerson, Assigned: mats)

Tracking

(4 keywords)

1.8 Branch
x86
Linux
crash, testcase, verified1.8.0.13, verified1.8.1.5
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.8.1.5 +
wanted1.8.1.x +
blocking1.8.0.13 +
wanted1.8.0.x +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] 1.8-branch only)

Attachments

(4 attachments)

(Reporter)

Description

10 years ago
Created attachment 268270 [details]
Testcase

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1223562608 (LWP 4878)]
0x085bf5b9 in nsCachedStyleData::GetStyleData (this=0xddddddf9, 
    aSID=@0xbfe65950)
    at /home/pvnick/Desktop/mozilla/layout/style/nsRuleNode.h:210
210         char* resetOrInherit = NS_REINTERPRET_CAST(char*, *NS_REINTERPRET_CAST(void**, resetOrInheritSlot));

(gdb) print resetOrInheritSlot
$1 = 0xddddddfd <Address 0xddddddfd out of bounds>

(gdb) bt
#0  0x085bf5b9 in nsCachedStyleData::GetStyleData (this=0xddddddf9, 
    aSID=@0xbfe65950)
    at /home/pvnick/Desktop/mozilla/layout/style/nsRuleNode.h:210
#1  0x085c1b28 in nsStyleContext::GetStyleData (this=0xdddddddd, 
    aSID=eStyleStruct_Display)
    at /home/pvnick/Desktop/mozilla/layout/style/nsStyleContext.cpp:248
#2  0x08435842 in nsIFrame::GetStyleData (this=0xb145adf0, 
    aSID=eStyleStruct_Display)
    at /home/pvnick/Desktop/mozilla/layout/mathml/base/src/../../../generic/nsIFrame.h:608
#3  0x0843585d in nsIFrame::GetStyleDisplay (this=0xb145adf0)
    at ../../../dist/include/layout/nsStyleStructList.h:90
#4  0x08413d51 in DoDeletingFrameSubtree (aPresContext=0xb1481fe8, 
    aFrameManager=0xb14aec6c, aDestroyQueue=@0xbfe65a90, 
    aRemovedFrame=0xaf55b9c8, aFrame=0xaf55bad0)
    at /home/pvnick/Desktop/mozilla/layout/base/nsCSSFrameConstructor.cpp:9755
#5  0x08413d21 in DoDeletingFrameSubtree (aPresContext=0xb1481fe8, 
    aFrameManager=0xb14aec6c, aDestroyQueue=@0xbfe65a90, 
    aRemovedFrame=0xaf55b9c8, aFrame=0xaf55b9c8)
    at /home/pvnick/Desktop/mozilla/layout/base/nsCSSFrameConstructor.cpp:9740
#6  0x084150f5 in DeletingFrameSubtree (aPresContext=0xb1481fe8, 
    aFrameManager=0xb14aec6c, aFrame=0xaf55b9c8)
    at /home/pvnick/Desktop/mozilla/layout/base/nsCSSFrameConstructor.cpp:9812
Assignee: roc → nobody
Component: Layout: View Rendering → Layout
QA Contact: ian → layout
Summary: Read AV at nsCachedStyleData:GetStyleData → free memory read at nsCachedStyleData:GetStyleData within DoDeletingFrameSubtree
(Assignee)

Comment 1

10 years ago
I think this is a duplicate of bug 366128 / bug 322436...
Keywords: crash, testcase
(Assignee)

Comment 2

10 years ago
Created attachment 268289 [details]
stack
(Assignee)

Comment 3

10 years ago
Created attachment 268290 [details] [diff] [review]
patch

Merging rev. 1.1352 -> 1.1353  +  rev. 1.1354 -> 1.1355 of
layout/base/nsCSSFrameConstructor.cpp fixes the crash.
There are still a few line layout assertions though...
What assertions?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
(Assignee)

Comment 5

10 years ago
Created attachment 268292 [details]
A few remaining assertions after patch

I happened to have a diagnostic frame dump on the "How'd we get a
floated inline frame?" assertion in this tree so I'm including that as well.
Assignee: nobody → mats.palmgren
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Whiteboard: [sg:moderate?] 1.8-branch only
Do we need to fix those assertions? If we've got a fix for a crash involving deleted objects that sounds like good progress to get into FF2.0.0.5.

Time is tight: please get some reviews and request approval on this.
Whiteboard: [sg:moderate?] 1.8-branch only → [sg:critical?] 1.8-branch only
Comment on attachment 268290 [details] [diff] [review]
patch

r/sr=bzbarsky over IRC
approved for 1.8.1.5 and 1.8.0.13, a=dveditz
Attachment #268290 - Flags: superreview+
Attachment #268290 - Flags: review+
Attachment #268290 - Flags: approval1.8.1.5+
Attachment #268290 - Flags: approval1.8.0.13+
(Assignee)

Comment 8

10 years ago
MOZILLA_1_8_BRANCH
mozilla/layout/base/nsCSSFrameConstructor.cpp 	1.1110.6.81 

MOZILLA_1_8_0_BRANCH
mozilla/layout/base/nsCSSFrameConstructor.cpp 	1.1110.6.12.2.58 

-> FIXED
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Keywords: fixed1.8.0.13, fixed1.8.1.5
Resolution: --- → FIXED
verified fixed 1.8.1.5 using Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5pre) Gecko/2007071216 BonEcho/2.0.0.5pre and the Testcase from comment 0 . No crash on testcase - build remain stable - adding verified keyword.
Keywords: fixed1.8.1.5 → verified1.8.1.5
Depends on: 322436, 366128
verified fixed in 1.8.0.13 using Thunderbird build 2007080918 on Windows XP (en-US). No crash with test case.
Keywords: fixed1.8.0.13 → verified1.8.0.13
Group: security
Flags: in-testsuite?

Comment 11

8 years ago
crash test landed
http://hg.mozilla.org/mozilla-central/rev/d849dbf33b4f
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.