Bug 430569 - Crash [@ nsPropertyTable::PropertyList::Equals] with -moz-column, position:fixed
Status: VERIFIED FIXED
Whiteboard: [sg:critical?][fixed by bug 363247]
Keywords: assertion, crash, testcase, verified1.9.0.14, verified1.9.1
Product: Core
Classification: Components
Component: Layout
Version: Trunk
Hardware/OS: All / All
Importance: -- critical
Target Milestone: mozilla1.9.2a1
Assigned To: Daniel Holbert [:dholbert]
Triage Owner: Jet Villegas (:jet)
Depends on: 363247 CVE-2009-3981
Blocks: randomstyles
Reported: 2008-04-23 15:57 PDT by Jesse Ruderman
Modified: 2011-06-13 10:01 PDT
roc: wanted1.9.1+
dveditz: blocking1.9.0.14+
dveditz: wanted1.9.0.x+
jruderman: in-testsuite+


Attachments
testcase (crashes Firefox when closed) (214 bytes, text/html), 2008-04-23 15:57 PDT, Jesse Ruderman
testcase 2 (crashes Firefox when closed) (464 bytes, text/html), 2008-10-29 15:01 PDT, Daniel Holbert [:dholbert]
backtrace of crash on testcase 2 (17.51 KB, text/plain), 2008-10-31 10:44 PDT, Daniel Holbert [:dholbert]

Description Jesse Ruderman 2008-04-23 15:57:45 PDT
Created attachment 317414 [details]
testcase (crashes Firefox when closed)

Loading the testcase triggers:

###!!! ASSERTION: reflow roots should never split: 'status == NS_FRAME_COMPLETE', file /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 6296

Closing the window triggers:

Crash [@ nsPropertyTable::PropertyList::Equals] dereferencing 0xddddde09.

Related to bug 399994?
Comment 1 Daniel Holbert [:dholbert] 2008-10-29 13:57:23 PDT
Crashes for me using yesterday's linux nightly, when I close the testcase's tab.

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b2pre) Gecko/20081028 Minefield/3.1b2pre

 OS --> All;  Assignee --> me
Comment 2 Daniel Holbert [:dholbert] 2008-10-29 14:09:50 PDT
Crash report:
http://crash-stats.mozilla.com/report/index/d10bcefa-a5fc-11dd-99d6-001cc4e2bf68
Comment 3 Daniel Holbert [:dholbert] 2008-10-29 15:01:10 PDT
Created attachment 345372 [details]
testcase 2 (crashes Firefox when closed)

This testcase is tweaked a bit.
 - uses <br> instead of newline+"white-space: pre" to trigger a break
 - uses -moz-column-count:1 instead of -moz-column-width to trigger moz-col usage
 - Adds backgrounds & a border to show what's going on
 - Improved readability of style attribute, using newlines.
Like the previous one, this testcase crashes when I close or reload the tab.
Comment 4 Daniel Holbert [:dholbert] 2008-10-29 17:17:40 PDT
FWIW, I also still get the assertion mentioned in comment 0, using both testcases.

###!!! ASSERTION: reflow roots should never split: 'status == NS_FRAME_COMPLETE', file /mozilla/layout/base/nsPresShell.cpp, line 6338
Comment 5 Daniel Holbert [:dholbert] 2008-10-31 10:44:16 PDT
Created attachment 345746 [details]
backtrace of crash on testcase 2

Here's a backtrace of the crash triggered by testcase 2.

A few annotations:
 - At stack level 8, aPropertyName is the atom for "ExcessOverflowContainersProperty".
 - At stack levels 2-3, aPropertyName is the atom for "OverflowProperty". (This is passed in from level 4, which is GetOverflowFrames())

Basically, it looks like we're crashing because we're partway through deleting all the propertyLists in the propertyTable (stack level 12), and then we try to iterate across those same propertyLists and call methods on them ("Equals" in this case) (at stack level 1).
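The hazard described in comment 5, reconstructed as an added illustration rather than Gecko code: a simplified property table (strings replace the nsIAtom* property names; Frame, onDrop, Set, Get and DeleteAllProperties are invented for the example) whose teardown unlinks the whole list chain before freeing any entry, so a lookup re-entered from frame destruction, like the GetOverflowFrames() call at stack level 4, sees an empty table instead of half-freed lists. This detach-before-destroy pattern is a general mitigation for the bug class, not the fix that bug 363247 landed.

```cpp
#include <functional>
#include <string>
#include <utility>
#include <vector>

struct Frame { int id; };

// One list per property name, chained like nsPropertyTable's PropertyList;
// the std::string stands in for the nsIAtom* aPropertyName in the backtrace.
struct PropertyList {
    std::string name;
    std::vector<std::pair<Frame*, int>> values;
    PropertyList* next = nullptr;
    bool Equals(const std::string& aName) const { return name == aName; }
};

class PropertyTable {
public:
    // Hook run for each (frame, value) dropped during teardown; stands in for
    // frame-destruction code that calls back into the table (GetOverflowFrames).
    std::function<void(Frame*, PropertyTable&)> onDrop;

    ~PropertyTable() { DeleteAllProperties(); }

    void Set(Frame* f, const std::string& name, int v) {
        PropertyList* l = Find(name);
        if (!l) { l = new PropertyList{name, {}, mLists}; mLists = l; }
        l->values.emplace_back(f, v);
    }

    const int* Get(Frame* f, const std::string& name) const {
        if (PropertyList* l = Find(name))
            for (const auto& p : l->values)
                if (p.first == f) return &p.second;
        return nullptr;
    }

    // Hardened teardown: unlink the whole chain BEFORE freeing anything, so a
    // re-entrant Get() from onDrop sees an empty table instead of walking lists
    // that are already partly freed (the state behind the Equals crash above).
    void DeleteAllProperties() {
        PropertyList* lists = mLists;
        mLists = nullptr;
        while (lists) {
            PropertyList* next = lists->next;
            for (auto& p : lists->values)
                if (onDrop) onDrop(p.first, *this);
            delete lists;
            lists = next;
        }
    }

private:
    PropertyList* Find(const std::string& name) const {
        for (PropertyList* l = mLists; l; l = l->next) if (l->Equals(name)) return l;
        return nullptr;
    }
    PropertyList* mLists = nullptr;
};
```

Without the two-line detach at the top of DeleteAllProperties(), the same onDrop hook would walk lists that have already been deleted, which is the shape of the crash in the attached backtrace.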
Comment 6 David Baron :dbaron: ⌚️UTC-10 2008-10-31 15:54:14 PDT
Shouldn't we be deleting frame properties when the frame is destroyed?  Or do we suppress that during pres shell destruction?
Comment 7 Robert O'Callahan (:roc) (email my personal email if necessary) 2008-11-01 21:54:55 PDT
We do, yes.
Comment 8 David Baron :dbaron: ⌚️UTC-10 2009-01-26 16:27:19 PST
(In reply to comment #0)
> ###!!! ASSERTION: reflow roots should never split: 'status ==
> NS_FRAME_COMPLETE', file
> /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 6296

I think this assertion is the same problem described in bug 468771 comment 8.  Not sure if the crash is, though, although it seems likely.
Comment 9 Daniel Holbert [:dholbert] 2009-02-09 12:06:07 PST
Both testcases are now WFM in my mozilla-central debug build and nightly build.

("WFM" = No crash & no assertions at load, reload, or tab-closing)

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090209 Minefield/3.2a1pre

My debug build is at changeset 5f349409c9d5 (up-to-date as of this morning).
Comment 10 Daniel Holbert [:dholbert] 2009-02-09 12:14:04 PST
This isn't yet fixed in 191, though.  I just tested today's 191 nightly, and I got a crash:
http://crash-stats.mozilla.com/report/pending/7a08dbdb-a62f-44dd-9372-b43e12090209
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b3pre) Gecko/20090209 Shiretoko/3.1b3pre
Comment 11 Daniel Holbert [:dholbert] 2009-02-09 14:58:44 PST
Fix range for mozilla-central:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090204 Minefield/3.2a1pre
Built from http://hg.mozilla.org/mozilla-central/rev/4ada519b5c97

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090205 Minefield/3.2a1pre
Built from http://hg.mozilla.org/mozilla-central/rev/5de9f1e51c68

http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=4ada519b5c97&tochange=5de9f1e51c68
Comment 12 David Baron :dbaron: ⌚️UTC-10 2009-02-09 15:14:13 PST
Maybe bug 363247?
Comment 13 Martijn Wargers [:mwargers] (not working for Mozilla) 2009-02-09 15:16:41 PST
Bug 399994 is still crashing.
Comment 14 David Baron :dbaron: ⌚️UTC-10 2009-02-09 16:38:41 PST
Yes, confirmed by local backout that it was fixed by bug 363247.
Comment 15 Daniel Holbert [:dholbert] 2009-02-09 16:55:35 PST
Great, thanks dbaron!  And it looks like you've already requested approval1.9.1 on that bug's patch, so hopefully it'll be approved and able to land there soon.
Comment 16 David Baron :dbaron: ⌚️UTC-10 2009-02-12 19:57:06 PST
I landed bug 363247 on 1.9.1, so marking this fixed1.9.1.
Comment 17 Henrik Skupin (:whimboo) 2009-03-11 08:42:00 PDT
Verified fixed on OS X and Windows with:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090310 Minefield/3.2a1pre ID:20090310044308

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090309 Shiretoko/3.1b4pre (.NET CLR 3.5.30729) ID:20090309034003
Comment 18 David Baron :dbaron: ⌚️UTC-10 2009-08-08 21:42:08 PDT
So this is blocking1.9.0.14+, but I can't reproduce it on my 1.9.0 build.  Can anybody else?
Comment 19 Samuel Sidler (old account; do not CC) 2009-08-09 03:11:13 PDT
dbaron: I can reproduce this using testcase 2 with Firefox 3.0.13 on Mac.

I get bp-082f9466-f9f5-4f9e-a608-a88b02090809.
Comment 20 David Baron :dbaron: ⌚️UTC-10 2009-08-09 08:36:54 PDT
I can't even get the testcase to emit a valgrind warning with DEBUG_TRACEMALLOC_FRAMEARENA.  (And no assertion, either.)
Comment 21 Samuel Sidler (old account; do not CC) 2009-08-10 09:30:36 PDT
Might be opt only? I definitely see it.
Comment 22 Al Billings [:abillings] 2009-08-18 15:29:30 PDT
Verified fixed in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14pre) Gecko/2009081305 GranParadiso/3.0.14pre (.NET CLR 3.5.30729) for 1.9.0.14. I saw the crashes with the test cases here in 1.9.0.13.
Comment 23 Jesse Ruderman 2009-10-15 13:28:15 PDT
Crashtest: http://hg.mozilla.org/mozilla-central/rev/4da43cad0331