Closed Bug 421671 Opened 12 years ago Closed 12 years ago
Crash with iExploder test 40129979 [@ BuildTextRunsScanner::FindBoundaries]
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5pre) Gecko/2008030704 Minefield/3.0b5pre
iExploder test 40129979 crashes the browser. Tested on Linux and Windows nightly builds.
This is a simplified version of the above test case. It's still pretty complicated but I couldn't reduce it any more.
Note that like in bug 421673 comment 1, changing "-moz-column-count: 99999999" to "-moz-column-count: 1" makes this crash go away, but so does doing almost anything else to the simplified test case.
The testcase generates many assertions; this patch fixes the ones regarding overflowing nscoord. There are still many assertions left with this patch, for example the one from bug 404140.
The remaining assertions (on Linux):
bad width: 'Not Reached', nsLineLayout.cpp, line 180
comparing iterators over different lists: 'mListLink == aOther.mListLink', nsLineBox.h, line 690
!didRemove || RECURSION_LEVEL(table) == 1: '!didRemove || RECURSION_LEVEL(table) == 1', file pldhash.c, line 737
Doing nscoord addition with values > nscoord_MAX: 'a < nscoord_MAX && b < nscoord_MAX', file nsCoord.h, line 150
math on NS_UNCONSTRAINEDSIZE: 'NS_UNCONSTRAINEDSIZE != aState.mReflowState.mComputedBorderPadding.left && NS_UNCONSTRAINEDSIZE != aState.mReflowState.ComputedWidth()', nsBlockFrame.cpp, line 1524
no unconstrained widths should be present anymore: 'NS_UNCONSTRAINEDSIZE != aReflowState.ComputedWidth()', nsBlockReflowState.cpp, line 113
RECURSION_LEVEL(table) == 0: 'RECURSION_LEVEL(table) == 0', file pldhash.c, line 380
running past end: 'mCurrent != mListLink', nsLineBox.h, line 611
should no longer be using unconstrained sizes: 'aRightEdge != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 415
should no longer be using unconstrained widths: 'aWidth != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 177
should no longer use available widths: 'availableWidth != NS_UNCONSTRAINEDSIZE', nsInlineFrame.cpp, line 428
shouldn't have unconstrained widths anymore: 'NS_UNCONSTRAINEDSIZE != aReflowState.availableWidth', nsLineLayout.cpp, line 1090
shouldn't have unconstrained widths anymore: 'psd->mRightEdge != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 2443
shouldn't have unconstrained widths anymore: 'psd->mRightEdge != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 790
shouldn't use unconstrained widths anymore: 'availableWidth != NS_UNCONSTRAINEDSIZE', nsHTMLReflowState.cpp, line 294
shouldn't use unconstrained widths anymore: '(mFrameType == NS_CSS_FRAME_TYPE_INLINE && !frame->IsFrameOfType(nsIFrame::eReplaced)) || frame->GetType() == nsGkAtoms::textFrame || mComputedWidth != NS_UNCONSTRAINEDSIZE', nsHTMLReflowState.cpp, line 315
this shouldn't happen anymore: 'NS_UNCONSTRAINEDSIZE != aComputedWidth && NS_UNCONSTRAINEDSIZE != aAvailWidth', nsHTMLReflowState.cpp, line 1897
unconstrained widths no longer supported: 'aContainingBlockWidth != NS_UNCONSTRAINEDSIZE', nsLayoutUtils.cpp, line 1721
BTW, our 1000 column-count limit from bug 345583 is working correctly here, it's just that the child frame min/pref-width * 1000 overflows nscoord.
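The overflow described in the comment above, as an added illustration that is not the bug's patch or any Mozilla code: a 32-bit app-unit type standing in for nscoord, the 1000-column cap the comment refers to, and a width computed once naively (wrapping) and once with a 64-bit intermediate clamped to nscoord_MAX. The nscoord_MAX value, the column cap constant and all function names here are assumptions made for the example; the sample widths are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for Gecko's nscoord: a 32-bit app unit whose usable
 * range is capped at nscoord_MAX (assumed here to be 2^30 - 1). */
typedef int32_t nscoord;
#define nscoord_MAX ((nscoord)((1 << 30) - 1))

/* Assumed cap on -moz-column-count, matching the 1000 mentioned in the bug. */
#define MAX_COLUMN_COUNT 1000

/* The failure mode from the bug: child min/pref width times the column
 * count computed in 32 bits. The product wraps modulo 2^32, so a large
 * positive width becomes a negative (or bogus) one that later layout code
 * asserts on. The unsigned cast keeps the wrap well-defined for the demo. */
nscoord total_width_naive(nscoord col_width, int32_t count)
{
    return (nscoord)((uint32_t)col_width * (uint32_t)count);
}

/* Overflow protection: multiply in 64 bits and saturate to +/- nscoord_MAX
 * so downstream arithmetic never sees a wrapped value. */
nscoord nscoord_saturating_multiply(nscoord a, int32_t b)
{
    int64_t r = (int64_t)a * (int64_t)b;
    if (r > nscoord_MAX)  return nscoord_MAX;
    if (r < -nscoord_MAX) return -nscoord_MAX;
    return (nscoord)r;
}

/* Clamp a requested column count into [1, MAX_COLUMN_COUNT]; the bug notes
 * that this cap alone is not enough, since 1000 * width can still overflow. */
int32_t clamp_column_count(int32_t requested)
{
    if (requested < 1) return 1;
    if (requested > MAX_COLUMN_COUNT) return MAX_COLUMN_COUNT;
    return requested;
}

/* Both defences together: cap the count, then saturate the product. */
nscoord total_width_safe(nscoord col_width, int32_t requested_count)
{
    return nscoord_saturating_multiply(col_width, clamp_column_count(requested_count));
}

int main(void)
{
    /* Constructed input: a 3,000,000 app-unit column and the test's
     * "-moz-column-count: 99999999". */
    nscoord col_width = 3000000;
    int32_t requested = 99999999;
    int32_t count = clamp_column_count(requested);

    printf("clamped column count : %d\n", count);
    printf("naive 32-bit product : %d (wrapped)\n", total_width_naive(col_width, count));
    printf("saturating product   : %d (nscoord_MAX = %d)\n",
           total_width_safe(col_width, requested), nscoord_MAX);
    return 0;
}
```

The naive path shows why the column-count cap from bug 345583 was "working correctly" yet insufficient: 3,000,000 * 1000 exceeds 2^31 and wraps negative, which is exactly the kind of value the "Doing nscoord addition with values > nscoord_MAX" assertion later trips on.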
Comment on attachment 308154 [details] [diff] [review] wip (checked in) Comment that you're avoiding integer overflow/wraparound
Comment on attachment 308154 [details] [diff] [review] wip (checked in) a1.9=beltzner
Attachment #308154 - Flags: approval1.9? → approval1.9+
Landed the integer overflow protection, with the requested code comments: mozilla/layout/generic/nsColumnSetFrame.cpp 3.51. Leaving the bug open since there is more to work on here...
Can you file a new bug on the extra work needed? Leaving bugs opened to land followup patches is very confusing.
Whiteboard: [not needed for 1.9]
Filed bug 444027 for the remaining issues. -> FIXED
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [not needed for 1.9]
Target Milestone: --- → mozilla1.9
Pushed the 2nd attachment as a crashtest: http://hg.mozilla.org/mozilla-central/rev/4233c31e67d8
Flags: in-testsuite? → in-testsuite+
(Pushed the crashtest to 1.9.1 and 18.104.22.168 too)
verified FIXED Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090428 Minefield/3.6a1pre ID:20090428031037 Is this something that should be pushed into the 1.9.1 branch?
Status: RESOLVED → VERIFIED
Crash Signature: [@ BuildTextRunsScanner::FindBoundaries]