Bug 392285 - Crash [@gklayout!nsIFrame::GetStateBits(void)]
Status Whiteboard: [sg:critical?] using freed frame
Keywords: crash, testcase, verified1.8.0.14, verified1.8.1.8
Product: Core
Classification: Components
Component: General
Version: 1.8 Branch
Platform: All All
Importance: -- critical
Target Milestone: mozilla1.9beta1
Assigned To: Mats Palmgren (:mats)
Duplicates: 392123
Depends on:
Reported: 2007-08-14 23:28 PDT by Paul Nickerson
Modified: 2014-10-23 14:39 PDT
Flags:
dveditz: blocking1.8.1.8+
dveditz: blocking1.8.0.14+
mats: in-testsuite-
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachments:
Stack (prior to crash) (9.17 KB, text/html), 2007-08-15 04:31 PDT, Mats Palmgren (:mats), no flags
Wallpaper (4.91 KB, patch), 2007-08-15 04:50 PDT, Mats Palmgren (:mats), no flags
Branch patch (5.98 KB, patch), 2007-08-16 01:02 PDT, Mats Palmgren (:mats), no flags
Branch patch (6.00 KB, patch), 2007-08-16 01:57 PDT, Mats Palmgren (:mats), bzbarsky: review-, superreview-
Branch patch, rev. 3 (7.28 KB, patch), 2007-08-16 10:02 PDT, Mats Palmgren (:mats), no flags
Branch patch, rev. 4 (6.37 KB, patch), 2007-08-16 10:10 PDT, Mats Palmgren (:mats), bzbarsky: review+, superreview+; dveditz: approval1.8.1.8+, approval1.8.0.14+
Trunk patch, rev. 1 (8.20 KB, patch), 2007-10-02 20:10 PDT, Mats Palmgren (:mats), bzbarsky: review+, superreview+; dsicore: approval1.9+
REINTRODUCE-BUG-392285 (891 bytes, patch), 2014-10-23 14:38 PDT, Mats Palmgren (:mats), no flags

Description Paul Nickerson 2007-08-14 23:28:23 PDT
This bug has been automatically processed, reduced, and uploaded by Paul's Automated Pen-Tester alpha. It still may require more work.

Firefox version:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070812 BonEcho/

eax=dddddddd ebx=7ffde000 ecx=dddddddd edx=dddddddd esi=00a078d8 edi=00011970
eip=0197f53a esp=0012df74 ebp=0012df78 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
*** WARNING: Unable to verify checksum for C:\mozilla\mozilla\firefox-debug\dist\bin\components\gklayout.dll
0197f53a 8b4024          mov     eax,dword ptr [eax+24h] ds:0023:ddddde01=????????

Stack trace (argument lines as captured; innermost frame first):

    class nsIFrame * aFrame = 0xdddddddd)
    class nsIFrame * aFrame = 0x03c9fa60)
    class nsIFrame * aFrame = 0x03c9fa60)
    class nsIContent * aContainer = 0x03c56a20,
    class nsIContent * aChild = 0x03c57148,
    int aIndexInContainer = 0,
    int aInReinsertContent = 0)
    class nsIContent * aContent = 0x03c57148)
    class nsStyleChangeList * aChangeList = 0x0012e284)
    class nsIDocument * aDocument = 0x033978c8,
    unsigned int aUpdateType = 2)
    unsigned int aUpdateType = 2)
    class nsIDocument * aOldDocument = 0x033978c8,
    class nsICSSLoaderObserver * aObserver = 0x00000000)
    int aDeep = 1,
    int aNullParent = 1)
    unsigned int aIndex = 4,
    int aNotify = 1,
    class nsIContent * aKid = 0x03cb7848,
    class nsIContent * aParent = 0x035cadc8,
    class nsIDocument * aDocument = 0x033978c8,
    class nsAttrAndChildArray * aChildArray = 0x035cade0)
    unsigned int aIndex = 4,
    int aNotify = 1)
    class nsIDOMNode * aOldChild = 0x03cb7864,
    class nsIDOMNode ** aReturn = 0x0012ea68)
    class nsIDOMNode * aOldChild = 0x03cb7864,
    class nsIDOMNode ** aReturn = 0x0012ea68)
    class nsISupports * that = 0x035cade4,
    unsigned int methodIndex = 0x11,
    unsigned int paramCount = 2,
    struct nsXPTCVariant * params = 0x0012ea58)
    class XPCCallContext * ccx = 0x0012ebd4,
    XPCWrappedNative::CallMode mode = CALL_METHOD (0))
    struct JSContext * cx = 0x032f2e60,
    struct JSObject * obj = 0x02d246b8,
    unsigned int argc = 1,
    long * argv = 0x03ab64b4,
    long * vp = 0x0012ed34)

A hash of the backtrace has been used to distinguish this from other bugs already reported by the tester. However, the automated pen-tester is still in development and this may not be the case. Also, I haven't added stack hashes to bugs that were not uploaded by the tester, so this bug may very well exist on bugzilla already.
Comment 1 Paul Nickerson 2007-08-14 23:28:32 PDT
Comment 2 Paul Nickerson 2007-08-14 23:38:32 PDT
Well, on the plus side, the pen-tester worked (almost) the whole way through. Still gotta work on the attachment uploader. On the down side, it reported the same bug as last time :P

*** This bug has been marked as a duplicate of bug 392123 ***
Comment 3 Paul Nickerson 2007-08-14 23:42:41 PDT
Actually, looking back at this thing, I changed my mind about the duplicate.
Comment 4 Paul Nickerson 2007-08-14 23:43:27 PDT
Created attachment 276746 [details]
Manually uploaded testcase
Comment 5 Mats Palmgren (:mats) 2007-08-15 04:31:01 PDT
Created attachment 276757 [details]
Stack (prior to crash)
Comment 6 Mats Palmgren (:mats) 2007-08-15 04:46:14 PDT
NotifyListBoxBody() calls listBoxObject->GetListBoxBody() in an attempt
to get the frame, but that flushes frames, so we end up with a recursive call
to RecreateFramesForContent()... see attached stack.
Comment 7 Mats Palmgren (:mats) 2007-08-15 04:50:06 PDT
Created attachment 276758 [details] [diff] [review]

This is a somewhat low-risk wallpaper we could take on branches unless
someone has a better idea.
Comment 8 Boris Zbarsky [:bz] (still a bit busy) 2007-08-15 08:52:46 PDT
We need a version of GetListBoxBody that doesn't flush frames to use here.  The weakframe approach is sorta-maybe ok, but I'm not sure I would trust it to insure against all possible ways to try to damage the frame tree....
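A small model of the hazard described in comment 6 and of the two remedies weighed in comment 8, added here as an illustration; it is not Gecko code, and the names FrameTree, Frame, WeakFrame, bodyNoFlush, bodyFlushing, notifyUnsafe, notifyNoFlush and notifyWeakGuarded are invented for the example. A notifier that holds a raw frame pointer and then calls a getter that flushes pending frame reconstruction has the frame destroyed underneath it; a getter that does not flush avoids the re-entrancy altogether, while a weak-frame guard notices the destroyed frame and bails instead of touching freed memory.

```cpp
#include <cassert>
#include <cstdio>
#include <memory>
#include <set>
#include <string>
#include <utility>

struct WeakFrame;

// Stand-in for a layout frame. Destroying it clears every weak handle
// that still points at it.
struct Frame {
    std::string name;
    unsigned stateBits = 0x1;              // stand-in for nsIFrame::GetStateBits()
    std::set<WeakFrame*> observers;
    explicit Frame(std::string n) : name(std::move(n)) {}
    ~Frame();
};

// Weak handle to a frame: registers itself with the frame and is nulled
// when that frame is destroyed (the role the "weak frame" plays in the wallpaper).
struct WeakFrame {
    explicit WeakFrame(Frame* f) : frame(f) { if (frame) frame->observers.insert(this); }
    ~WeakFrame() { if (frame) frame->observers.erase(this); }
    WeakFrame(const WeakFrame&) = delete;
    WeakFrame& operator=(const WeakFrame&) = delete;
    Frame* get() const { return frame; }
    Frame* frame;
};

Frame::~Frame() {
    for (WeakFrame* w : observers) w->frame = nullptr;
}

// Frame tree with a pending reconstruction ("dirty") of the body frame.
// flush() performs it: the old Frame is destroyed and a new one created.
class FrameTree {
public:
    FrameTree() : body_(std::make_unique<Frame>("body")) {}
    void markDirty() { dirty_ = true; }
    void flush() {
        if (!dirty_) return;
        body_ = std::make_unique<Frame>("body");   // old frame freed here
        dirty_ = false;
    }
    Frame* bodyNoFlush() { return body_.get(); }             // getter that does not flush
    Frame* bodyFlushing() { flush(); return body_.get(); }   // getter that flushes first
private:
    std::unique_ptr<Frame> body_;
    bool dirty_ = false;
};

enum class Outcome { Used, WouldUseFreedFrame, Bailed };

// The buggy shape: hold a raw frame pointer, then call a getter that flushes.
// 'probe' is instrumentation for this demo only; the original code had no guard,
// so it would have read held->stateBits from freed memory.
Outcome notifyUnsafe(FrameTree& tree) {
    Frame* held = tree.bodyNoFlush();
    WeakFrame probe(held);
    tree.markDirty();            // reconstruction pending, as in the outer RecreateFramesForContent
    tree.bodyFlushing();         // flush re-enters reconstruction and destroys 'held'
    if (!probe.get()) return Outcome::WouldUseFreedFrame;
    (void)held->stateBits;       // only reached if the frame survived
    return Outcome::Used;
}

// Remedy 1 (what comment 8 asks for): a getter that does not flush, so no
// reconstruction can run underneath the caller.
Outcome notifyNoFlush(FrameTree& tree) {
    Frame* held = tree.bodyNoFlush();
    WeakFrame probe(held);
    tree.markDirty();
    Frame* again = tree.bodyNoFlush();
    assert(again == held && probe.get() == held);
    (void)held->stateBits;       // safe: nothing destroyed the frame
    return Outcome::Used;
}

// Remedy 2 (the weak-frame "wallpaper"): hold only a weak handle across the
// flushing call and skip the work if the frame is gone.
Outcome notifyWeakGuarded(FrameTree& tree) {
    WeakFrame weak(tree.bodyNoFlush());
    tree.markDirty();
    tree.bodyFlushing();
    Frame* f = weak.get();
    if (!f) return Outcome::Bailed;   // frame destroyed underneath us: do not touch it
    (void)f->stateBits;
    return Outcome::Used;
}

int main() {
    FrameTree a, b, c;
    std::printf("unsafe:  %d\n", static_cast<int>(notifyUnsafe(a)));       // 1 = WouldUseFreedFrame
    std::printf("noflush: %d\n", static_cast<int>(notifyNoFlush(b)));      // 0 = Used
    std::printf("weak:    %d\n", static_cast<int>(notifyWeakGuarded(c)));  // 2 = Bailed
    return 0;
}
```

The weak guard only turns a memory-safety bug into a skipped notification; it does nothing about the underlying re-entrancy, which is why the non-flushing getter is the fix worth landing and the guard is at best a stopgap.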
Comment 9 Mats Palmgren (:mats) 2007-08-16 01:02:02 PDT
Created attachment 276921 [details] [diff] [review]
Branch patch
Comment 10 Mats Palmgren (:mats) 2007-08-16 01:07:43 PDT
It looks to me like this could also crash on trunk since GetListBoxBody()
leads to a Flush_Frames there too.  But the testcase doesn't trigger the
RecreateFramesForContent() call on trunk so we don't reach
NotifyListBoxBody().  I'm guessing a slightly different testcase would
crash on trunk though.
Comment 11 Mats Palmgren (:mats) 2007-08-16 01:57:18 PDT
Created attachment 276930 [details] [diff] [review]
Branch patch
Comment 12 Boris Zbarsky [:bz] (still a bit busy) 2007-08-16 09:02:39 PDT
Comment on attachment 276930 [details] [diff] [review]
Branch patch

We're not changing interfaces on branch.  Please add a new interface with the new method on it instead, and QI as needed.  See the various MOZILLA_1_8_BRANCH stuff on the branch.

On trunk this approach looks good, though.
Comment 13 Mats Palmgren (:mats) 2007-08-16 10:01:27 PDT
> We're not changing interfaces on branch.

Ok, I somehow thought we could change the "private" ones, i.e. those
with "nsPI" in the name...
Comment 14 Mats Palmgren (:mats) 2007-08-16 10:02:59 PDT
Created attachment 276967 [details] [diff] [review]
Branch patch, rev. 3
Comment 15 Mats Palmgren (:mats) 2007-08-16 10:10:41 PDT
Created attachment 276969 [details] [diff] [review]
Branch patch, rev. 4

... shouldn't change IID for nsPIListBoxObject of course...
Comment 16 Boris Zbarsky [:bz] (still a bit busy) 2007-08-16 10:24:26 PDT
Comment on attachment 276969 [details] [diff] [review]
Branch patch, rev. 4

Looks good.  I agree that we should do this on trunk too.
Comment 17 Daniel Veditz [:dveditz] 2007-09-26 13:29:20 PDT
Comment on attachment 276969 [details] [diff] [review]
Branch patch, rev. 4

Is this attachment ready for a branch approval request? If this is an appropriate fix for the trunk could we land it there first for some sanity checking?
Comment 18 Daniel Veditz [:dveditz] 2007-10-01 15:31:01 PDT
Mats: is this fix going to make the code freeze (Oct 3)?
Comment 19 Mats Palmgren (:mats) 2007-10-02 20:05:39 PDT
Comment on attachment 276969 [details] [diff] [review]
Branch patch, rev. 4

It's ready for both branches.
Comment 20 Mats Palmgren (:mats) 2007-10-02 20:10:42 PDT
Created attachment 283297 [details] [diff] [review]
Trunk patch, rev. 1
Comment 21 Boris Zbarsky [:bz] (still a bit busy) 2007-10-02 20:13:52 PDT
Comment on attachment 283297 [details] [diff] [review]
Trunk patch, rev. 1

Comment 22 Mats Palmgren (:mats) 2007-10-02 20:19:42 PDT
Comment on attachment 283297 [details] [diff] [review]
Trunk patch, rev. 1

Low-risk crash fix, if I can get this landed *now* it will give some "baking value" for the branch fix as well.
Comment 23 Daniel Veditz [:dveditz] 2007-10-02 21:57:03 PDT
Comment on attachment 276969 [details] [diff] [review]
Branch patch, rev. 4

approved for and, a=dveditz
Comment 24 Mats Palmgren (:mats) 2007-10-02 23:42:49 PDT
mozilla/layout/base/nsCSSFrameConstructor.cpp 	1.1110.6.90

mozilla/layout/base/nsCSSFrameConstructor.cpp 	1.1110.
Comment 25 Mats Palmgren (:mats) 2007-10-06 08:41:51 PDT
mozilla/layout/base/nsCSSFrameConstructor.cpp 	1.1407
mozilla/layout/xul/base/src/nsListBoxObject.cpp 	1.25
mozilla/layout/xul/base/src/nsPIListBoxObject.h 	1.3 

Comment 26 Carsten Book [:Tomcat] 2007-10-12 15:33:13 PDT
verified fixed on trunk with Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9a9pre) Gecko/2007101204 Minefield/3.0a9pre ID:2007101204

also verified fixed using  Mozilla/5.0 (Windows; U; Windows NT 5.2; de; rv: Gecko/2007100816 Firefox/ and Mozilla/5.0 (Macintosh; U; Intel Mac OS X; ja-JP-mac; rv: Gecko/2007100816 Firefox/

No crash on testcase - adding verified keyword
Comment 27 Al Billings [:abillings] 2007-12-10 17:52:11 PST
Verified in Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv: Gecko/20071210 Firefox/ It still crashes in Firefox but not in the current branch build above.

Marked as "Fixed" since this is a branch only bug.
Comment 28 Daniel Veditz [:dveditz] 2007-12-13 22:29:42 PST
*** Bug 392123 has been marked as a duplicate of this bug. ***
Comment 31 Mats Palmgren (:mats) 2014-10-23 14:38:55 PDT
Created attachment 8510623 [details] [diff] [review]

I tried reintroducing the bug to see if the attached test would crash
but it didn't.
