Crash [@ nsFrameList::DestroyFrame][@ nsTextFrame::ClearTextRun()] with position: absolute; unicode-bidi: bidi-override; ime-mode: active; and ::first-letter

VERIFIED FIXED

Status

critical
VERIFIED FIXED
11 years ago
3 years ago

People

(Reporter: martijn.martijn, Assigned: smontagu)

Tracking

({crash, regression, testcase})

Trunk
x86
Windows XP
Bug Flags:
blocking1.9 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical][dbaron-1.9:RsCt], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

11 years ago
Created attachment 285148 [details]
testcase

See testcase, which crashes current trunk build directly, or after a reload.

This seems to have regressed between 2007-09-05 and 2007-09-06:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-09-05+04&maxdate=2007-09-06+09&cvsroot=%2Fcvsroot
Regression from bug 392435 or bug 393923? I guess bug 393923 is more likely.

http://crash-stats.mozilla.com/report/index/a573bf4a-7c2d-11dc-ae43-001a4bd43e5c
0  	@0x26f3198  	
1 	nsFrameList::DestroyFrame(nsIFrame*) 	mozilla/layout/generic/nsFrameList.cpp:162
2 	nsContainerFrame::RemoveFrame(nsIAtom*, nsIFrame*) 	mozilla/layout/generic/nsContainerFrame.cpp:228
3 	nsFrameManager::RemoveFrame(nsIFrame*, nsIAtom*, nsIFrame*) 	mozilla/layout/base/nsFrameManager.cpp:690
4 	nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, int, int) 	mozilla/layout/base/nsCSSFrameConstructor.cpp:9669
5 	nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*) 	mozilla/layout/base/nsCSSFrameConstructor.cpp:11259
6 	nsCSSFrameConstructor::RestyleElement(nsIContent*, nsIFrame*, nsChangeHint) 	mozilla/layout/base/nsCSSFrameConstructor.cpp:10094
7 	nsCSSFrameConstructor::ProcessOneRestyle(nsIContent*, nsReStyleHint, nsChangeHint) 	mozilla/layout/base/nsCSSFrameConstructor.cpp:13135
8 	nsCSSFrameConstructor::ProcessPendingRestyles() 	mozilla/layout/base/nsCSSFrameConstructor.cpp:13188
9 	PresShell::DoFlushPendingNotifications(mozFlushType, int) 	mozilla/layout/base/nsPresShell.cpp:4443
10 	PresShell::WillPaint()
etc..
Flags: blocking1.9?

Comment 1

11 years ago
Is the long string of 'm's necessary?  If so, is it necessary due to wrapping, and did you try forcing wrapping in a different way (e.g. "font-family: monospace; width: 1ch")?
Whiteboard: [sg:critical]
(Reporter)

Comment 2

11 years ago
Created attachment 285248 [details]
testcase2

This testcase might be a bit simpler to look at. It has the same regression range, so I presume it suffers from the same issue.
This crashes directly on first load/shift->reload.

http://crash-stats.mozilla.com/report/index/a5de2c70-7cd7-11dc-a252-001a4bd43e5c
0  	nsTextFrame::ClearTextRun()  	 mozilla/layout/generic/nsTextFrameThebes.cpp:3297
1 	BuildTextRunsScanner::AssignTextRun(gfxTextRun*) 	mozilla/layout/generic/nsTextFrameThebes.cpp:1699
2 	BuildTextRunsScanner::BuildTextRunForFrames(void*) 	mozilla/layout/generic/nsTextFrameThebes.cpp:1573
3 	BuildTextRunsScanner::FlushFrames(int) 	mozilla/layout/generic/nsTextFrameThebes.cpp:1008
4 	BuildTextRunsScanner::ScanFrame(nsIFrame*) 	mozilla/layout/generic/nsTextFrameThebes.cpp:1123
5 	BuildTextRunsScanner::ScanFrame(nsIFrame*) 	mozilla/layout/generic/nsTextFrameThebes.cpp:1164
6 	BuildTextRuns 	mozilla/layout/generic/nsTextFrameThebes.cpp:942
7 	nsTextFrame::EnsureTextRun(gfxContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) 	mozilla/layout/generic/nsTextFrameThebes.cpp:1723
8 	nsTextFrame::AddInlineMinWidthForFlow(nsIRenderingContext*, nsIFrame::InlineMinWidthData*) 	mozilla/layout/generic/nsTextFrameThebes.cpp:4769
9 	nsTextFrame::AddInlineMinWidth(nsIRenderingContext*, nsIFrame::InlineMinWidthData*) 	mozilla/layout/generic/nsTextFrameThebes.cpp:4855
10 	nsContainerFrame::DoInlineIntrinsicWidth(nsIRenderingContext*, nsIFrame::InlineIntrinsicWidthData*, nsLayoutUtils::IntrinsicWidthType) 	mozilla/layout/generic/nsContainerFrame.cpp:650
etc...
(Reporter)

Updated

11 years ago
Summary: Crash [@ nsFrameList::DestroyFrame] with position: absolute; unicode-bidi: bidi-override; ime-mode: active; and ::first-letter → Crash [@ nsFrameList::DestroyFrame][@ nsTextFrame::ClearTextRun()] with position: absolute; unicode-bidi: bidi-override; ime-mode: active; and ::first-letter
Flags: blocking1.9? → blocking1.9+
(Assignee)

Updated

11 years ago
Assignee: roc → smontagu
Group: security
Whiteboard: [sg:critical] → [sg:critical][dbaron-1.9:RsCt]
(Assignee)

Comment 3

11 years ago
I can reproduce this with a 2007-10-18 build but not a 2007-10-19 one. Fixed by bug 393758?
(Assignee)

Comment 4

11 years ago
Yup, the crash is fixed, but there still seems to be a bug with the rendering of testcase2.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Comment 5

You mean content duplication? Perhaps you could file a new bug about that and take it? :-)
(Assignee)

Comment 6

11 years ago
Filed bug 401621

verified fixed using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008010221 Minefield/3.0b3pre - no crash on testcase

Status: RESOLVED → VERIFIED
Crash Signature: [@ nsFrameList::DestroyFrame] [@ nsTextFrame::ClearTextRun()]

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release