Closed Bug 421671 Opened 17 years ago Closed 17 years ago

Crash with iExploder test 40129979 [@ BuildTextRunsScanner::FindBoundaries]

Categories: Core :: Layout: Block and Inline (defect)
Severity: critical
Status: VERIFIED FIXED
Target Milestone: mozilla1.9
People: Reporter: j.moz, Assigned: MatsPalmgren_bugz
Attachments: 2 files, 1 obsolete file

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5pre) Gecko/2008030704 Minefield/3.0b5pre
iExploder test 40129979 crashes the browser. Tested on Linux and Windows nightly builds.
This is a simplified version of the above test case. It's still pretty complicated but I couldn't reduce it any more.
Note that like in bug 421673 comment 1, changing "-moz-column-count: 99999999" to "-moz-column-count: 1" makes this crash go away, but so does doing almost anything else to the simplified test case.
Status: UNCONFIRMED → NEW
Component: General → Layout: Block and Inline
Ever confirmed: true
Keywords: crash, perf, testcase
Product: Firefox → Core
QA Contact: general → layout.block-and-inline
Attached patch wip (checked in) (obsolete)
The testcase generates many assertions; this patch fixes the ones regarding overflowing nscoord. There are still many assertions left with this patch, for example the one in bug 404140.
Attachment #308154 - Flags: superreview?(roc)
Attachment #308154 - Flags: review?(roc)
The remaining assertions (on Linux):
bad width: 'Not Reached', nsLineLayout.cpp, line 180
comparing iterators over different lists: 'mListLink == aOther.mListLink', nsLineBox.h, line 690
!didRemove || RECURSION_LEVEL(table) == 1: '!didRemove || RECURSION_LEVEL(table) == 1', file pldhash.c, line 737
Doing nscoord addition with values > nscoord_MAX: 'a < nscoord_MAX && b < nscoord_MAX', file nsCoord.h, line 150
math on NS_UNCONSTRAINEDSIZE: 'NS_UNCONSTRAINEDSIZE != aState.mReflowState.mComputedBorderPadding.left && NS_UNCONSTRAINEDSIZE != aState.mReflowState.ComputedWidth()', nsBlockFrame.cpp, line 1524
no unconstrained widths should be present anymore: 'NS_UNCONSTRAINEDSIZE != aReflowState.ComputedWidth()', nsBlockReflowState.cpp, line 113
RECURSION_LEVEL(table) == 0: 'RECURSION_LEVEL(table) == 0', file pldhash.c, line 380
running past end: 'mCurrent != mListLink', nsLineBox.h, line 611
should no longer be using unconstrained sizes: 'aRightEdge != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 415
should no longer be using unconstrained widths: 'aWidth != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 177
should no longer use available widths: 'availableWidth != NS_UNCONSTRAINEDSIZE', nsInlineFrame.cpp, line 428
shouldn't have unconstrained widths anymore: 'NS_UNCONSTRAINEDSIZE != aReflowState.availableWidth', nsLineLayout.cpp, line 1090
shouldn't have unconstrained widths anymore: 'psd->mRightEdge != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 2443
shouldn't have unconstrained widths anymore: 'psd->mRightEdge != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 790
shouldn't use unconstrained widths anymore: 'availableWidth != NS_UNCONSTRAINEDSIZE', nsHTMLReflowState.cpp, line 294
shouldn't use unconstrained widths anymore: '(mFrameType == NS_CSS_FRAME_TYPE_INLINE && !frame->IsFrameOfType(nsIFrame::eReplaced)) || frame->GetType() == nsGkAtoms::textFrame || mComputedWidth != NS_UNCONSTRAINEDSIZE', nsHTMLReflowState.cpp, line 315
this shouldn't happen anymore: 'NS_UNCONSTRAINEDSIZE != aComputedWidth && NS_UNCONSTRAINEDSIZE != aAvailWidth', nsHTMLReflowState.cpp, line 1897
unconstrained widths no longer supported: 'aContainingBlockWidth != NS_UNCONSTRAINEDSIZE', nsLayoutUtils.cpp, line 1721
Depends on: 404140
Keywords: assertion
Summary: Crash with iExploder test 40129979 → Crash with iExploder test 40129979 [@ BuildTextRunsScanner::FindBoundaries]
BTW, our 1000 column-count limit from bug 345583 is working correctly here, it's just that the child frame min/pref-width * 1000 overflows nscoord.
Blocks: 421673
Comment on attachment 308154 (wip (checked in)):
Comment that you're avoiding integer overflow/wraparound
Attachment #308154 - Flags: superreview?(roc)
Attachment #308154 - Flags: superreview+
Attachment #308154 - Flags: review?(roc)
Attachment #308154 - Flags: review+
Attachment #308154 - Flags: approval1.9?
Comment on attachment 308154 (wip (checked in)):
a1.9=beltzner
Attachment #308154 - Flags: approval1.9? → approval1.9+
Assignee: nobody → mats.palmgren
Landed the integer overflow protection, with the requested code comments: mozilla/layout/generic/nsColumnSetFrame.cpp 3.51
Leaving the bug open since there is more to work on here...
Attachment #308154 - Attachment description: wip → wip (checked in)
Attachment #308154 - Attachment is obsolete: true
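As an added illustration of the root cause noted above (child frame width * column count overflowing a 32-bit nscoord) and of the kind of protection that landed, the following is example code, not the patch or any code from the Gecko tree. The nscoord_MAX value, the 1000-column cap constant and all function names are assumptions.

```cpp
#include <cstdint>
#include <algorithm>

// Stand-in for Gecko's app-unit coordinate type. nscoord_MAX mirrors the
// engine's upper bound (assumed value; the real constant lives in nsCoord.h).
typedef int32_t nscoord;
static const nscoord nscoord_MAX = (1 << 30) - 1;

// Hypothetical constant matching the 1000-column limit the bug mentions.
static const int32_t kMaxColumnCount = 1000;

// What the pre-patch arithmetic amounted to: a plain 32-bit multiply that
// wraps. Done through uint32_t here so the wrap is well-defined in C++.
nscoord WrappedColumnsWidth(nscoord aColWidth, int32_t aColCount, nscoord aColGap) {
    uint32_t w = static_cast<uint32_t>(aColWidth) * static_cast<uint32_t>(aColCount);
    uint32_t g = static_cast<uint32_t>(aColGap) * static_cast<uint32_t>(aColCount - 1);
    return static_cast<nscoord>(w + g);  // can come out negative: a "bad width"
}

// Saturating multiply for non-negative operands: clamps to nscoord_MAX
// instead of wrapping around.
nscoord NSCoordSaturatingMultiply(nscoord a, int32_t b) {
    if (a <= 0 || b <= 0) return 0;
    if (a == nscoord_MAX || a > nscoord_MAX / b) return nscoord_MAX;
    return a * b;
}

// Saturating add: nscoord_MAX is absorbing, and any overflow clamps to it.
nscoord NSCoordSaturatingAdd(nscoord a, nscoord b) {
    if (a == nscoord_MAX || b == nscoord_MAX) return nscoord_MAX;
    if (a > nscoord_MAX - b) return nscoord_MAX;
    return a + b;
}

// Post-patch style: clamp the count and use checked arithmetic so a huge
// -moz-column-count can never produce a wrapped or negative total width.
nscoord CheckedColumnsWidth(nscoord aColWidth, int32_t aColCount, nscoord aColGap) {
    int32_t count = std::max(1, std::min(aColCount, kMaxColumnCount));
    nscoord cols = NSCoordSaturatingMultiply(aColWidth, count);
    nscoord gaps = NSCoordSaturatingMultiply(aColGap, count - 1);
    return NSCoordSaturatingAdd(cols, gaps);
}

// Analogue of the "bad width" assertion: a width must lie in [0, nscoord_MAX].
bool IsValidWidth(nscoord aWidth) {
    return aWidth >= 0 && aWidth <= nscoord_MAX;
}
```

With a 3,000,000 app-unit child and 1000 columns the wrapped total goes negative, while the checked version saturates at nscoord_MAX and stays a valid width.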
Can you file a new bug on the extra work needed? Leaving bugs opened to land followup patches is very confusing.
Whiteboard: [not needed for 1.9]
Filed bug 444027 for the remaining issues. -> FIXED
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Whiteboard: [not needed for 1.9]
Target Milestone: --- → mozilla1.9
Flags: in-testsuite?
Pushed the 2nd attachment as a crashtest: http://hg.mozilla.org/mozilla-central/rev/4233c31e67d8
Flags: in-testsuite? → in-testsuite+
(Pushed the crashtest to 1.9.1 and 1.9.0.8 too)
verified FIXED
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090428 Minefield/3.6a1pre ID:20090428031037
Is this something that should be pushed into the 1.9.1 branch?
Status: RESOLVED → VERIFIED
Crash Signature: [@ BuildTextRunsScanner::FindBoundaries]