Bug 421671: Crash with iExploder test 40129979 [@ BuildTextRunsScanner::FindBoundaries]
Opened 17 years ago. Closed 17 years ago.
Categories: Core :: Layout: Block and Inline, defect
Status: VERIFIED FIXED
Tracking: mozilla1.9
People: Reporter: j.moz, Assigned: MatsPalmgren_bugz
Attachments: 2 files, 1 obsolete file
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5pre) Gecko/2008030704 Minefield/3.0b5pre
iExploder test 40129979 crashes the browser. Tested on Linux and Windows nightly builds.
This is a simplified version of the above test case. It's still pretty complicated but I couldn't reduce it any more.
Note that like in bug 421673 comment 1, changing "-moz-column-count: 99999999" to "-moz-column-count: 1" makes this crash go away, but so does doing almost anything else to the simplified test case.
Comment 3 • 17 years ago (Assignee)
Comment 4 • 17 years ago (Assignee)
The testcases generate many assertions, this patch fixes the ones
regarding overflowing nscoord. There are still many assertions left
with this patch, for example the one in bug 404140.
Attachment #308154 - Flags: superreview?(roc)
Attachment #308154 - Flags: review?(roc)
Comment 5 • 17 years ago (Assignee)
The remaining assertions (on Linux):
bad width: 'Not Reached', nsLineLayout.cpp, line 180
comparing iterators over different lists: 'mListLink == aOther.mListLink', nsLineBox.h, line 690
!didRemove || RECURSION_LEVEL(table) == 1: '!didRemove || RECURSION_LEVEL(table) == 1', file pldhash.c, line 737
Doing nscoord addition with values > nscoord_MAX: 'a < nscoord_MAX && b < nscoord_MAX', file nsCoord.h, line 150
math on NS_UNCONSTRAINEDSIZE: 'NS_UNCONSTRAINEDSIZE != aState.mReflowState.mComputedBorderPadding.left && NS_UNCONSTRAINEDSIZE != aState.mReflowState.ComputedWidth()', nsBlockFrame.cpp, line 1524
no unconstrained widths should be present anymore: 'NS_UNCONSTRAINEDSIZE != aReflowState.ComputedWidth()', nsBlockReflowState.cpp, line 113
RECURSION_LEVEL(table) == 0: 'RECURSION_LEVEL(table) == 0', file pldhash.c, line 380
running past end: 'mCurrent != mListLink', nsLineBox.h, line 611
should no longer be using unconstrained sizes: 'aRightEdge != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 415
should no longer be using unconstrained widths: 'aWidth != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 177
should no longer use available widths: 'availableWidth != NS_UNCONSTRAINEDSIZE', nsInlineFrame.cpp, line 428
shouldn't have unconstrained widths anymore: 'NS_UNCONSTRAINEDSIZE != aReflowState.availableWidth', nsLineLayout.cpp, line 1090
shouldn't have unconstrained widths anymore: 'psd->mRightEdge != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 2443
shouldn't have unconstrained widths anymore: 'psd->mRightEdge != NS_UNCONSTRAINEDSIZE', nsLineLayout.cpp, line 790
shouldn't use unconstrained widths anymore: 'availableWidth != NS_UNCONSTRAINEDSIZE', nsHTMLReflowState.cpp, line 294
shouldn't use unconstrained widths anymore: '(mFrameType == NS_CSS_FRAME_TYPE_INLINE && !frame->IsFrameOfType(nsIFrame::eReplaced)) || frame->GetType() == nsGkAtoms::textFrame || mComputedWidth != NS_UNCONSTRAINEDSIZE', nsHTMLReflowState.cpp, line 315
this shouldn't happen anymore: 'NS_UNCONSTRAINEDSIZE != aComputedWidth && NS_UNCONSTRAINEDSIZE != aAvailWidth', nsHTMLReflowState.cpp, line 1897
unconstrained widths no longer supported: 'aContainingBlockWidth != NS_UNCONSTRAINEDSIZE', nsLayoutUtils.cpp, line 1721
Comment 6 • 17 years ago (Assignee)
BTW, our 1000 column-count limit from bug 345583 is working correctly here,
it's just that the child frame min/pref-width * 1000 overflows nscoord.
Comment on attachment 308154: wip (checked in)
Comment that you're avoiding integer overflow/wraparound
Attachment #308154 - Flags: superreview?(roc)
Attachment #308154 - Flags: superreview+
Attachment #308154 - Flags: review?(roc)
Attachment #308154 - Flags: review+
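The overflow described in comment 6 (a child min/pref width multiplied by the clamped column count) can be reproduced and guarded against as follows. This is an added example, not the patch from attachment 308154 or any Mozilla code; coord_t, COORD_MAX_EX (assumed to be 1 << 30 as a stand-in for nscoord_MAX), MAX_COLUMNS_EX and both function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this example: the coordinate type is a signed 32-bit
   integer and its maximum is 1 << 30 (a stand-in for nscoord_MAX). */
typedef int32_t coord_t;
#define COORD_MAX_EX   ((coord_t)1 << 30)
#define MAX_COLUMNS_EX 1000   /* the column-count limit named in comment 6 */

/* Unchecked product. The multiply is done in uint32_t so the wraparound is
   well defined; converting back to int32_t gives the wrapped value on
   two's-complement targets. */
static coord_t naive_total_width(coord_t child_width, int32_t columns)
{
    return (coord_t)((uint32_t)child_width * (uint32_t)columns);
}

/* Checked product: clamp the column count, then saturate at COORD_MAX_EX
   by comparing against the quotient before multiplying. */
static coord_t saturating_total_width(coord_t child_width, int32_t columns)
{
    if (columns > MAX_COLUMNS_EX)
        columns = MAX_COLUMNS_EX;
    if (child_width <= 0 || columns <= 0)
        return 0;
    if (child_width > COORD_MAX_EX / columns)
        return COORD_MAX_EX;
    return child_width * columns;
}

int main(void)
{
    /* Constructed sample widths, not values taken from the bug's testcase. */
    const coord_t widths[] = { 600, 1073741, 1073742, 3000000 };
    for (unsigned i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        printf("width=%d naive=%d saturating=%d\n", (int)widths[i],
               (int)naive_total_width(widths[i], MAX_COLUMNS_EX),
               (int)saturating_total_width(widths[i], 99999999));
    }
    return 0;
}
```

With the column count already limited to 1000, the unchecked product still goes negative once the child width exceeds COORD_MAX_EX / 1000, which is why the clamp alone did not prevent the assertions.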
Updated • 17 years ago (Assignee)
Attachment #308154 - Flags: approval1.9?
Comment 8 • 17 years ago
Comment on attachment 308154: wip (checked in)
a1.9=beltzner
Attachment #308154 - Flags: approval1.9? → approval1.9+
Updated • 17 years ago
Assignee: nobody → mats.palmgren
Comment 9 • 17 years ago (Assignee)
Landed the integer overflow protection, with the requested code comments:
mozilla/layout/generic/nsColumnSetFrame.cpp 3.51
Leaving the bug open since there is more to work on here...
Updated • 17 years ago (Assignee)
Attachment #308154 - Attachment description: wip → wip (checked in)
Attachment #308154 - Attachment is obsolete: true
Comment 10 • 17 years ago
Can you file a new bug on the extra work needed? Leaving bugs open to land followup patches is very confusing.
Whiteboard: [not needed for 1.9]
Comment 11 • 17 years ago (Assignee)
Filed bug 444027 for the remaining issues.
-> FIXED
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Whiteboard: [not needed for 1.9]
Target Milestone: --- → mozilla1.9
Updated • 16 years ago (Assignee)
Flags: in-testsuite?
Comment 12 • 16 years ago (Assignee)
Pushed the 2nd attachment as a crashtest:
http://hg.mozilla.org/mozilla-central/rev/4233c31e67d8
Flags: in-testsuite? → in-testsuite+
Comment 13 • 16 years ago (Assignee)
(Pushed the crashtest to 1.9.1 and 1.9.0.8 too)
Comment 14 • 16 years ago
verified FIXED Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090428 Minefield/3.6a1pre ID:20090428031037
Is this something that should be pushed into the 1.9.1 branch?
Status: RESOLVED → VERIFIED
Updated • 14 years ago
Crash Signature: [@ BuildTextRunsScanner::FindBoundaries]