Closed Bug 444925 Opened 17 years ago Closed 17 years ago

Crash [@ nsContextBoxBlur::BoxBlurHorizontal] with mathml:munderover and text-shadow

Categories

(Core :: Layout, defect)

x86
Windows XP
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla1.9.1a1

People

(Reporter: martijn.martijn, Assigned: ventnor.bugzilla)

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files, 2 obsolete files)

Attached file testcase
See testcase, which crashes current trunk build on load.
http://crash-stats.mozilla.com/report/index/7ba9af97-501d-11dd-a4f2-001cc4e2bf68?p=1
0 xul.dll nsContextBoxBlur::BoxBlurHorizontal layout/base/nsCSSRendering.cpp:4768
1 xul.dll nsContextBoxBlur::DoPaint layout/base/nsCSSRendering.cpp:4871
2 xul.dll nsDisplayTextShadow::Paint layout/generic/nsHTMLContainerFrame.cpp:233
3 xul.dll nsDisplayList::Paint layout/base/nsDisplayList.cpp:296
4 xul.dll nsDisplayClip::Paint layout/base/nsDisplayList.cpp:892
5 xul.dll nsDisplayList::Paint layout/base/nsDisplayList.cpp:296
6 xul.dll nsLayoutUtils::PaintFrame layout/base/nsLayoutUtils.cpp:988
7 xul.dll PresShell::Paint layout/base/nsPresShell.cpp:5420
8 xul.dll nsViewManager::RenderViews view/src/nsViewManager.cpp:614
9 xul.dll nsViewManager::Refresh view/src/nsViewManager.cpp:502
10 xul.dll xul.dll@0x309ec4
11 xul.dll HandleEvent view/src/nsView.cpp:168
12 xul.dll nsWindow::DispatchEvent widget/src/windows/nsWindow.cpp:985
13 xul.dll nsWindow::DispatchWindowEvent widget/src/windows/nsWindow.cpp:1010
14 xul.dll xul.dll@0x2fb689
15 xul.dll nsWindow::ProcessMessage widget/src/windows/nsWindow.cpp:4288
16 xul.dll nsWindow::WindowProc widget/src/windows/nsWindow.cpp:1200
17 user32.dll InternalCallWinProc
18 user32.dll UserCallWinProcCheckWow
19 user32.dll DispatchClientMessage
20 user32.dll __fnDWORD
21 ntdll.dll KiUserCallbackDispatcher
22 xul.dll XBLResolve
23 user32.dll DispatchMessageW
24 xul.dll nsAppShell::ProcessNextNativeEvent widget/src/windows/nsAppShell.cpp:148
25 winmm.dll timeGetTime
There is no crash with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1a1pre) Gecko/2008071202 Minefield/3.1a1pre ID:2008071202. So it looks to be a Windows-only crash. Looks like we are out of bounds on the following line:
alphaSum += aInput[stride * y + pos];
Attached patch Patch (obsolete) — Splinter Review
This is happening because the crash-causing frame is making a zero-sized blur surface. nsContextBoxBlur has no protection against zero-sized frames and surfaces. It's always good to protect yourself against any scenario when implementing a web-facing feature :)
Assignee: nobody → ventnor.bugzilla
Status: NEW → ASSIGNED
Attachment #329263 - Flags: superreview?(roc)
Attachment #329263 - Flags: review?(roc)
Hang on, there's nothing wrong with a zero-sized surface. I think instead of returning null here, you should detect a zero-sized surface earlier and just treat it the same as a zero blur-radius, i.e. no blur and return mContext. Make sure that DoPaint also does nothing (you might just want to set mBlurRadius to zero).
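The approach the review comment above asks for (treat an empty rect like a zero blur radius, so that both setup and painting do nothing), sketched as an added example. This is not the patch attached to this bug and not Mozilla's code; BoxBlur, Init and BlurHorizontal are hypothetical, simplified names.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical, simplified blur helper (not Mozilla's nsContextBoxBlur).
struct BoxBlur {
    int width = 0, height = 0, radius = 0;
    std::vector<uint8_t> alpha;  // 8-bit alpha surface, stride == width

    // Returns true only when a temporary surface exists and needs blurring.
    bool Init(int w, int h, int blurRadius) {
        // An empty rect is legal input: handle it like a zero blur radius,
        // so no surface is allocated and the paint step has nothing to read.
        if (blurRadius <= 0 || w <= 0 || h <= 0) {
            width = height = radius = 0;
            alpha.clear();
            return false;
        }
        width = w; height = h; radius = blurRadius;
        alpha.assign(static_cast<size_t>(w) * h, 0);
        return true;
    }

    // Horizontal box blur; the sampling window is clamped to the row.
    void BlurHorizontal() {
        if (radius == 0) return;  // no-op for the "no blur" / empty case
        std::vector<uint8_t> out(alpha.size());
        for (int y = 0; y < height; ++y) {
            for (int x = 0; x < width; ++x) {
                unsigned sum = 0;
                for (int i = -radius; i <= radius; ++i) {
                    // With width > 0 guaranteed by Init, pos is in [0, width-1].
                    int pos = std::max(0, std::min(x + i, width - 1));
                    sum += alpha[static_cast<size_t>(width) * y + pos];
                }
                out[static_cast<size_t>(width) * y + x] =
                    static_cast<uint8_t>(sum / (2 * radius + 1));
            }
        }
        alpha.swap(out);
    }
};

int main() {
    BoxBlur b;
    std::printf("empty rect needs blur: %d\n", b.Init(0, 5, 3));
    b.BlurHorizontal();  // safe: does nothing
}
```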
Attached patch Patch 2 (obsolete) — Splinter Review
Attachment #329263 - Attachment is obsolete: true
Attachment #329377 - Flags: superreview?(roc)
Attachment #329377 - Flags: review?(roc)
Attachment #329263 - Flags: superreview?(roc)
Attachment #329263 - Flags: review?(roc)
Comment on attachment 329377
Patch 2

+ if (!mRect.Width() || !mRect.Height()) {

if (mRect.IsEmpty())

Make sure this testcase is checked in as a crashtest.
Attachment #329377 - Flags: superreview?(roc)
Attachment #329377 - Flags: superreview+
Attachment #329377 - Flags: review?(roc)
Attachment #329377 - Flags: review+
Attached patch Patch 2.1 — Splinter Review
With crashtest.
Attachment #329377 - Attachment is obsolete: true
Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.1a1
Flags: in-testsuite+
No crash with testcase using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1a1pre) Gecko/2008071504 Minefield/3.1a1pre. Will check Win XP build and then verify this bug.
Me first! Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1a1pre) Gecko/2008071504 Minefield/3.1a1pre
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsContextBoxBlur::BoxBlurHorizontal]