Closed Bug 421671 Opened 12 years ago Closed 12 years ago

Crash with iExploder test 40129979 [@ BuildTextRunsScanner::FindBoundaries]

Component: Core :: Layout: Block and Inline (defect, severity critical, priority not set)
Status: VERIFIED FIXED, target milestone mozilla1.9
Reporter: j.moz, Assignee: mats
Attachments: 2 files, 1 obsolete file

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5pre) Gecko/2008030704 Minefield/3.0b5pre

iExploder test 40129979 crashes the browser. Tested on Linux and Windows nightly builds.
This is a simplified version of the above test case. It's still pretty complicated but I couldn't reduce it any more.
Note that like in bug 421673 comment 1, changing "-moz-column-count: 99999999" to "-moz-column-count: 1" makes this crash go away, but so does doing almost anything else to the simplified test case.
bp-0004e6e6-ed21-11dc-8d2a-001a4bd43ef6
Status: UNCONFIRMED → NEW
Component: General → Layout: Block and Inline
Ever confirmed: true
Keywords: crash, perf, testcase
Product: Firefox → Core
QA Contact: general → layout.block-and-inline
Attached patch wip (checked in) (obsolete) — Splinter Review
The testcase generates many assertions; this patch fixes the ones
regarding overflowing nscoord.  There are still many assertions left
with this patch, for example the one in bug 404140.
Attachment #308154 - Flags: superreview?(roc)
Attachment #308154 - Flags: review?(roc)
The remaining assertions (on Linux):

bad width: 'Not Reached', nsLineLayout.cpp, line 180

comparing iterators over different lists: 'mListLink == aOther.mListLink', nsLineBox.h, line 690

!didRemove || RECURSION_LEVEL(table) == 1: '!didRemove || RECURSION_LEVEL(table) == 1', file pldhash.c, line 737

Doing nscoord addition with values > nscoord_MAX: 'a < nscoord_MAX && b < nscoord_MAX', file nsCoord.h, line 150

math on NS_UNCONSTRAINEDSIZE: 'NS_UNCONSTRAINEDSIZE != aState.mReflowState.mComputedBorderPadding.left && NS_UNCONSTRAINEDSIZE != aState.mReflowState.ComputedWidth()', nsBlockFrame.cpp, line 1524

no unconstrained widths should be present anymore: 'NS_UNCONSTRAINEDSIZE != aReflowState.ComputedWidth()', nsBlockReflowState.cpp, line 113

RECURSION_LEVEL(table) == 0: 'RECURSION_LEVEL(table) == 0', file pldhash.c, line 380

running past end: 'mCurrent != mListLink', nsLineBox.h, line 611

should no longer be using unconstrained sizes: 'aRightEdge != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 415

should no longer be using unconstrained widths: 'aWidth != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 177

should no longer use available widths: 'availableWidth != NS_UNCONSTRAINEDSIZE', nsInlineFrame.cpp, line 428

shouldn't have unconstrained widths anymore: 'NS_UNCONSTRAINEDSIZE != aReflowState.availableWidth', nsLineLayout.cpp, line 1090

shouldn't have unconstrained widths anymore: 'psd->mRightEdge != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 2443

shouldn't have unconstrained widths anymore: 'psd->mRightEdge != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 790

shouldn't use unconstrained widths anymore: 'availableWidth != NS_UNCONSTRAINEDSIZE', nsHTMLReflowState.cpp, line 294

shouldn't use unconstrained widths anymore: '(mFrameType == NS_CSS_FRAME_TYPE_INLINE && !frame->IsFrameOfType(nsIFrame::eReplaced)) || frame->GetType() == nsGkAtoms::textFrame || mComputedWidth != NS_UNCONSTRAINEDSIZE', nsHTMLReflowState.cpp, line 315

this shouldn't happen anymore: 'NS_UNCONSTRAINEDSIZE != aComputedWidth && NS_UNCONSTRAINEDSIZE != aAvailWidth', nsHTMLReflowState.cpp, line 1897

unconstrained widths no longer supported: 'aContainingBlockWidth != NS_UNCONSTRAINEDSIZE', nsLayoutUtils.cpp, line 1721
Depends on: 404140
Keywords: assertion
Summary: Crash with iExploder test 40129979 → Crash with iExploder test 40129979 [@ BuildTextRunsScanner::FindBoundaries]
BTW, our 1000 column-count limit from bug 345583 is working correctly here,
it's just that the child frame min/pref-width * 1000 overflows nscoord.
Blocks: 421673
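An added illustration of the overflow described in the comment above (this is example code, not the bug's patch and not Gecko code): a 32-bit coordinate type with saturating multiply and add, so that a child width times a large column count clamps at the maximum instead of wrapping. The COORD_MAX/COORD_MIN constants are constructed values standing in for nscoord_MAX/nscoord_MIN, and ColumnSetWidth is a hypothetical helper written for this example.

```cpp
// Added example: overflow-safe arithmetic on a 32-bit layout coordinate.
// Not the bug's patch; constants and helper names are constructed.
#include <cstdint>
#include <cstdio>

typedef int32_t coord_t;

// Assumed range, chosen to mirror the idea of nscoord_MAX/nscoord_MIN:
// well below INT32_MAX so that sums of two in-range values still fit.
const coord_t COORD_MAX = (1 << 30) - 1;
const coord_t COORD_MIN = -COORD_MAX;

// Does the mathematically exact product exceed the coordinate range?
// This is the check a reviewer asks to see spelled out (and commented).
bool ExceedsCoordRange(coord_t a, int32_t b) {
    int64_t exact = static_cast<int64_t>(a) * static_cast<int64_t>(b);
    return exact > COORD_MAX || exact < COORD_MIN;
}

// Clamp a 64-bit intermediate result back into the coordinate range.
coord_t ClampCoord(int64_t v) {
    if (v > COORD_MAX) return COORD_MAX;
    if (v < COORD_MIN) return COORD_MIN;
    return static_cast<coord_t>(v);
}

// Multiply in 64 bits and saturate; never performs 32-bit signed overflow
// (which is undefined behaviour in C++, not merely a wrong number).
coord_t SaturatingMul(coord_t a, int32_t b) {
    return ClampCoord(static_cast<int64_t>(a) * static_cast<int64_t>(b));
}

// Add in 64 bits and saturate.
coord_t SaturatingAdd(coord_t a, coord_t b) {
    return ClampCoord(static_cast<int64_t>(a) + static_cast<int64_t>(b));
}

// Hypothetical helper: intrinsic width of a box laid out in columnCount
// columns of childWidth each, separated by columnGap. With a column count in
// the thousands and a wide child this product is exactly what wraps if done
// in plain 32-bit arithmetic; here it saturates at COORD_MAX instead.
coord_t ColumnSetWidth(coord_t childWidth, int32_t columnCount, coord_t columnGap) {
    if (columnCount <= 0) return 0;
    coord_t columns = SaturatingMul(childWidth, columnCount);
    coord_t gaps = SaturatingMul(columnGap, columnCount - 1);
    return SaturatingAdd(columns, gaps);
}

int main() {
    // Constructed input: a 3,000,000-unit child width times 1000 columns is
    // 3e9, above both COORD_MAX and INT32_MAX.
    coord_t child = 3000000;
    std::printf("exceeds range: %s\n", ExceedsCoordRange(child, 1000) ? "yes" : "no");
    std::printf("saturated width: %d (COORD_MAX is %d)\n",
                ColumnSetWidth(child, 1000, 0), COORD_MAX);
    std::printf("small case: %d\n", ColumnSetWidth(100, 3, 10));
    return 0;
}
```

The design point is that the check and the saturation use a wider intermediate type rather than testing the 32-bit product after the fact; once the narrow multiplication has overflowed there is no reliable way to detect it.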
Comment on attachment 308154 [details] [diff] [review]
wip (checked in)

Comment that you're avoiding integer overflow/wraparound
Attachment #308154 - Flags: superreview?(roc)
Attachment #308154 - Flags: superreview+
Attachment #308154 - Flags: review?(roc)
Attachment #308154 - Flags: review+
Attachment #308154 - Flags: approval1.9?
Comment on attachment 308154 [details] [diff] [review]
wip (checked in)

a1.9=beltzner
Attachment #308154 - Flags: approval1.9? → approval1.9+
Assignee: nobody → mats.palmgren
Landed the integer overflow protection, with the requested code comments:
mozilla/layout/generic/nsColumnSetFrame.cpp 3.51

Leaving the bug open since there is more to work on here...
Attachment #308154 - Attachment description: wip → wip (checked in)
Attachment #308154 - Attachment is obsolete: true
Can you file a new bug on the extra work needed? Leaving bugs opened to land followup patches is very confusing.
Whiteboard: [not needed for 1.9]
Filed bug 444027 for the remaining issues.

-> FIXED
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [not needed for 1.9]
Target Milestone: --- → mozilla1.9
Flags: in-testsuite?
Pushed the 2nd attachment as a crashtest:
http://hg.mozilla.org/mozilla-central/rev/4233c31e67d8
Flags: in-testsuite? → in-testsuite+
(Pushed the crashtest to 1.9.1 and 1.9.0.8 too)
verified FIXED Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090428 Minefield/3.6a1pre ID:20090428031037
Is this something that should be pushed into the 1.9.1 branch?
Status: RESOLVED → VERIFIED
Crash Signature: [@ BuildTextRunsScanner::FindBoundaries]