Bug 421671: Crash with iExploder test 40129979 [@ BuildTextRunsScanner::FindBoundaries]
Status: VERIFIED FIXED (opened 16 years ago, closed 16 years ago)
Component: Core :: Layout: Block and Inline (defect)
Target Milestone: mozilla1.9
Reporter: j.moz, Assigned: MatsPalmgren_bugz
Attachments: 2 files, 1 obsolete file
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5pre) Gecko/2008030704 Minefield/3.0b5pre
iExploder test 40129979 crashes the browser. Tested on Linux and Windows nightly builds.
This is a simplified version of the above test case. It's still pretty complicated but I couldn't reduce it any more.
Note that like in bug 421673 comment 1, changing "-moz-column-count: 99999999" to "-moz-column-count: 1" makes this crash go away, but so does doing almost anything else to the simplified test case.
Comment 3 • 16 years ago (Assignee)
bp-0004e6e6-ed21-11dc-8d2a-001a4bd43ef6
Comment 4 • 16 years ago (Assignee)
The testcases generate many assertions; this patch fixes the ones regarding overflowing nscoord. There are still many assertions left with this patch, for example the one in bug 404140.
Attachment #308154 - Flags: superreview?(roc)
Attachment #308154 - Flags: review?(roc)
Comment 5 • 16 years ago (Assignee)
The remaining assertions (on Linux):
bad width: 'Not Reached', nsLineLayout.cpp, line 180
comparing iterators over different lists: 'mListLink == aOther.mListLink', nsLineBox.h, line 690
!didRemove || RECURSION_LEVEL(table) == 1: '!didRemove || RECURSION_LEVEL(table) == 1', file pldhash.c, line 737
Doing nscoord addition with values > nscoord_MAX: 'a < nscoord_MAX && b < nscoord_MAX', file nsCoord.h, line 150
math on NS_UNCONSTRAINEDSIZE: 'NS_UNCONSTRAINEDSIZE != aState.mReflowState.mComputedBorderPadding.left && NS_UNCONSTRAINEDSIZE != aState.mReflowState.ComputedWidth()', nsBlockFrame.cpp, line 1524
no unconstrained widths should be present anymore: 'NS_UNCONSTRAINEDSIZE != aReflowState.ComputedWidth()', nsBlockReflowState.cpp, line 113
RECURSION_LEVEL(table) == 0: 'RECURSION_LEVEL(table) == 0', file pldhash.c, line 380
running past end: 'mCurrent != mListLink', nsLineBox.h, line 611
should no longer be using unconstrained sizes: 'aRightEdge != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 415
should no longer be using unconstrained widths: 'aWidth != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 177
should no longer use available widths: 'availableWidth != NS_UNCONSTRAINEDSIZE', nsInlineFrame.cpp, line 428
shouldn't have unconstrained widths anymore: 'NS_UNCONSTRAINEDSIZE != aReflowState.availableWidth', nsLineLayout.cpp, line 1090
shouldn't have unconstrained widths anymore: 'psd->mRightEdge != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 2443
shouldn't have unconstrained widths anymore: 'psd->mRightEdge != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 790
shouldn't use unconstrained widths anymore: 'availableWidth != NS_UNCONSTRAINEDSIZE', nsHTMLReflowState.cpp, line 294
shouldn't use unconstrained widths anymore: '(mFrameType == NS_CSS_FRAME_TYPE_INLINE && !frame->IsFrameOfType(nsIFrame::eReplaced)) || frame->GetType() == nsGkAtoms::textFrame || mComputedWidth != NS_UNCONSTRAINEDSIZE', nsHTMLReflowState.cpp, line 315
this shouldn't happen anymore: 'NS_UNCONSTRAINEDSIZE != aComputedWidth && NS_UNCONSTRAINEDSIZE != aAvailWidth', nsHTMLReflowState.cpp, line 1897
unconstrained widths no longer supported: 'aContainingBlockWidth != NS_UNCONSTRAINEDSIZE', nsLayoutUtils.cpp, line 1721
Comment 6 • 16 years ago (Assignee)
BTW, our 1000 column-count limit from bug 345583 is working correctly here, it's just that the child frame min/pref-width * 1000 overflows nscoord.
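
An added illustration of the overflow described in comment 6 (not the patch in attachment 308154 and not Gecko code): a per-column width multiplied by a capped column count still wraps a 32-bit coordinate unless the product is widened and clamped. The names `coord`, `kCoordMax`, `kMaxColumns` and both functions are hypothetical stand-ins, and the ceiling value is an assumption.

```cpp
#include <cstdint>
#include <cstdio>

// Assumptions: a signed 32-bit coordinate type with a ceiling below INT32_MAX,
// standing in for the roles of nscoord / nscoord_MAX in this bug.
using coord = int32_t;
constexpr coord kCoordMax = (1 << 30) - 1;  // assumed ceiling, not Gecko's constant
constexpr int32_t kMaxColumns = 1000;       // column-count cap named in comment 6

// Unchecked form: the sum is evaluated in 32 bits. It is computed through
// uint32_t so the wraparound is well defined in this demo; with plain signed
// int the same overflow would be undefined behaviour.
coord UncheckedTotalWidth(coord childWidth, int32_t columns, coord gap) {
  uint32_t w = static_cast<uint32_t>(childWidth) * static_cast<uint32_t>(columns) +
               static_cast<uint32_t>(gap) * static_cast<uint32_t>(columns - 1);
  return static_cast<coord>(w);
}

// Clamp a 64-bit intermediate into the valid coordinate range [0, kCoordMax].
coord ClampCoord(int64_t v) {
  if (v < 0) return 0;
  return v > kCoordMax ? kCoordMax : static_cast<coord>(v);
}

// Checked form: cap the column count, widen to 64 bits, saturate the result.
coord CheckedTotalWidth(coord childWidth, int32_t columns, coord gap) {
  if (columns < 1) columns = 1;
  if (columns > kMaxColumns) columns = kMaxColumns;
  int64_t total = static_cast<int64_t>(ClampCoord(childWidth)) * columns +
                  static_cast<int64_t>(ClampCoord(gap)) * (columns - 1);
  return ClampCoord(total);
}

int main() {
  // Constructed input: a wide child repeated across the capped 1000 columns.
  const coord child = 3000000;
  std::printf("unchecked: %d\n", UncheckedTotalWidth(child, kMaxColumns, 0));
  std::printf("checked:   %d\n", CheckedTotalWidth(child, 99999999, 0));
  return 0;
}
```

The column cap alone does not bound the result: the product of a large child width and 1000 already exceeds 32 bits, so the clamp has to apply to the arithmetic itself.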
Comment on attachment 308154: wip (checked in)
Comment that you're avoiding integer overflow/wraparound
Attachment #308154 - Flags: superreview?(roc)
Attachment #308154 - Flags: superreview+
Attachment #308154 - Flags: review?(roc)
Attachment #308154 - Flags: review+
Updated • 16 years ago (Assignee)
Attachment #308154 - Flags: approval1.9?
Comment 8 • 16 years ago
Comment on attachment 308154: wip (checked in)
a1.9=beltzner
Attachment #308154 - Flags: approval1.9? → approval1.9+
Updated • 16 years ago
Assignee: nobody → mats.palmgren
Comment 9 • 16 years ago (Assignee)
Landed the integer overflow protection, with the requested code comments:
mozilla/layout/generic/nsColumnSetFrame.cpp 3.51
Leaving the bug open since there is more to work on here...
Updated • 16 years ago (Assignee)
Attachment #308154 - Attachment description: wip → wip (checked in)
Attachment #308154 - Attachment is obsolete: true
Comment 10 • 16 years ago
Can you file a new bug on the extra work needed? Leaving bugs open to land followup patches is very confusing.
Whiteboard: [not needed for 1.9]
Comment 11 • 16 years ago (Assignee)
Filed bug 444027 for the remaining issues. -> FIXED
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: [not needed for 1.9]
Target Milestone: --- → mozilla1.9
Updated • 16 years ago (Assignee)
Flags: in-testsuite?
Comment 12 • 15 years ago (Assignee)
Pushed the 2nd attachment as a crashtest: http://hg.mozilla.org/mozilla-central/rev/4233c31e67d8
Flags: in-testsuite? → in-testsuite+
Comment 13 • 15 years ago (Assignee)
(Pushed the crashtest to 1.9.1 and 1.9.0.8 too)
Comment 14 • 15 years ago
verified FIXED
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090428 Minefield/3.6a1pre ID:20090428031037
Is this something that should be pushed into the 1.9.1 branch?
Status: RESOLVED → VERIFIED
Updated • 13 years ago
Crash Signature: [@ BuildTextRunsScanner::FindBoundaries]