Closed Bug 446181 Opened 16 years ago Closed 16 years ago

Crash [@ nsStringBuffer::Release][@ nsFrameManager::ReResolveStyleContext] with textZoom and large iframes

Categories: Core :: Layout, defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
People: Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz
Keywords: crash, fixed1.9.0.4, testcase
Whiteboard: [sg:moderate] fixed by bug 443528
Attachments: 3 files

See testcase; you need to download the testcase to your computer because of the use of enhanced privileges.

Usually, it crashes trunk builds within 10 seconds or so. It also crashes Firefox 3. I haven't looked for a regression range yet.
I've marked it security sensitive, because the unminimized testcase can also crash by using the regular textzoom feature.

Breakpad data don't give useful stacks for this testcase, in general:
http://crash-stats.mozilla.com/report/index/142cf640-5592-11dd-bb0e-001a4bd43e5c?p=1
0                  @0xf10e8c1
1  js3250.dll      JS_GC                       js/src/jsapi.cpp:2499
2  js3250.dll      JS_GetFunctionNative
3  xul.dll         nsCycleCollector::Collect   xpcom/base/nsCycleCollector.cpp:2256
4  xul.dll         nsCycleCollector_collect    xpcom/base/nsCycleCollector.cpp:2904
5  xul.dll         nsJSContext::CC             dom/src/base/nsJSEnvironment.cpp:3360
6  xul.dll         xul.dll@0x2ec04a

This is from the unminimized testcase:
http://crash-stats.mozilla.com/report/index/76a2b933-54ea-11dd-9c87-001a4bd43ed6?p=1
0   xul.dll  nsFrameManager::ReResolveStyleContext       layout/base/nsFrameManager.cpp:1368
1   xul.dll  nsFrameManager::ReResolveStyleContext       layout/base/nsFrameManager.cpp:1404
2   xul.dll  nsFrameManager::ReResolveStyleContext       layout/base/nsFrameManager.cpp:1404
3   xul.dll  nsFrameManager::ReResolveStyleContext       layout/base/nsFrameManager.cpp:1404
4   xul.dll  nsFrameManager::ReResolveStyleContext       layout/base/nsFrameManager.cpp:1404
5   xul.dll  nsFrameManager::ComputeStyleChangeFor       layout/base/nsFrameManager.cpp:1470
6   xul.dll  nsCSSFrameConstructor::RebuildAllStyleData  layout/base/nsCSSFrameConstructor.cpp:13236
7   xul.dll  xul.dll@0x2ae085
8   xul.dll  SetChildTextZoom                            layout/base/nsDocumentViewer.cpp:2643
9   xul.dll  xul.dll@0x271661
10  xul.dll  DocumentViewerImpl::SetTextZoom             layout/base/nsDocumentViewer.cpp:2667
11  xul.dll  SetChildTextZoom                            layout/base/nsDocumentViewer.cpp:2643
12  xul.dll  xul.dll@0x271661
13  xul.dll  DocumentViewerImpl::SetTextZoom             layout/base/nsDocumentViewer.cpp:2667
14  xul.dll  NS_InvokeByIndex_P                          xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
15  xul.dll  XPCWrappedNative::CallMethod                js/src/xpconnect/src/xpcwrappednative.cpp:2393
  msvcr80d.dll!__free_dbg_nolock()  + 0x446 bytes
  msvcr80d.dll!__free_dbg()  + 0x4e bytes
  msvcr80d.dll!_free()  + 0xe bytes
> xpcom_core.dll!nsStringBuffer::Release()  Line 197 + 0xa bytes  C++
  xpcom_core.dll!ReleaseData(void * data=0x04e07e78, unsigned int flags=5)  Line 116 + 0x13 bytes  C++
  xpcom_core.dll!nsACString_internal::Finalize()  Line 188 + 0x12 bytes  C++
  xpcom_core.dll!nsACString_internal::~nsACString_internal()  Line 196  C++
  thebes.dll!nsCString::~nsCString()  + 0x10 bytes  C++
  thebes.dll!gfxFontStyle::~gfxFontStyle()  + 0x12 bytes  C++
  thebes.dll!gfxFontGroup::~gfxFontGroup()  Line 1388 + 0x16 bytes  C++
  thebes.dll!gfxWindowsFontGroup::~gfxWindowsFontGroup()  Line 882 + 0x1e bytes  C++
  thebes.dll!gfxWindowsFontGroup::`vector deleting destructor'()  + 0x4d bytes  C++
  thebes.dll!gfxTextRunFactory::Release()  Line 564 + 0xa0 bytes  C++
  gkgfxthebes.dll!nsRefPtr<gfxFontGroup>::~nsRefPtr<gfxFontGroup>()  Line 957  C++
  gkgfxthebes.dll!nsThebesFontMetrics::~nsThebesFontMetrics()  Line 62 + 0x16 bytes  C++
  gkgfxthebes.dll!nsThebesFontMetrics::`scalar deleting destructor'()  + 0xf bytes  C++
  gkgfxthebes.dll!nsThebesFontMetrics::Release()  Line 48 + 0xd6 bytes  C++
  gkgfx.dll!nsFontCache::Flush()  Line 584 + 0xe bytes  C++
  gkgfx.dll!nsFontCache::~nsFontCache()  Line 450  C++
etc.
From comment 0 the "unminimized" testcase looks like it could be a completely different crash. Are you hanging on to that testcase so we can be sure a fix for the testcase in this bug also fixes that one? It's probably best to attach it to a bug for safekeeping, either in this bug or file a new bug depending on this one that might be a dupe in the future.
guessing sg:critical because it crashed during GC
Whiteboard: [sg:critical?]
Actually "moderate" for now since the testcase requires privileges and/or convincing the user to go crazy on the text-zoom.
Whiteboard: [sg:critical?] → [sg:moderate]
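As an added triage example (my own code, not part of this bug and not Mozilla's crash-stats/Socorro tooling): parse the two crash-stats stacks quoted in comment 0, derive the "[@ fn]" signature the way Bugzilla's crash signature field shows it, and compute the flags a security triager weighs when guessing between sg:critical and sg:moderate. The whitespace-column layout, the module-suffix test, the unsymbolized-frame pattern and the GC/CC marker list are assumptions for this example; the sample stacks are the ones from comment 0, retyped with spaces instead of tabs.

```python
"""Crash-stack triage helper (added example; not Mozilla or Socorro code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the two crash-stats stacks quoted in comment 0,
# retyped here with spaces instead of tabs so the example runs offline.
MINIMIZED_STACK = """
0                 @0xf10e8c1
1  js3250.dll     JS_GC                        js/src/jsapi.cpp:2499
2  js3250.dll     JS_GetFunctionNative
3  xul.dll        nsCycleCollector::Collect    xpcom/base/nsCycleCollector.cpp:2256
4  xul.dll        nsCycleCollector_collect     xpcom/base/nsCycleCollector.cpp:2904
5  xul.dll        nsJSContext::CC              dom/src/base/nsJSEnvironment.cpp:3360
6  xul.dll        xul.dll@0x2ec04a
"""

UNMINIMIZED_STACK = """
0  xul.dll  nsFrameManager::ReResolveStyleContext   layout/base/nsFrameManager.cpp:1368
1  xul.dll  nsFrameManager::ReResolveStyleContext   layout/base/nsFrameManager.cpp:1404
2  xul.dll  nsFrameManager::ReResolveStyleContext   layout/base/nsFrameManager.cpp:1404
3  xul.dll  nsFrameManager::ReResolveStyleContext   layout/base/nsFrameManager.cpp:1404
4  xul.dll  nsFrameManager::ReResolveStyleContext   layout/base/nsFrameManager.cpp:1404
5  xul.dll  nsFrameManager::ComputeStyleChangeFor   layout/base/nsFrameManager.cpp:1470
6  xul.dll  nsCSSFrameConstructor::RebuildAllStyleData  layout/base/nsCSSFrameConstructor.cpp:13236
7  xul.dll  xul.dll@0x2ae085
8  xul.dll  SetChildTextZoom                        layout/base/nsDocumentViewer.cpp:2643
"""

# Assumption: a module column is recognised by its shared-library suffix.
MODULE_RE = re.compile(r"\.(dll|so|dylib)$")
# Assumption: a frame with no symbol looks like "@0xf10e8c1" or "xul.dll@0x2ec04a".
UNSYMBOLIZED_RE = re.compile(r"^\S*@0x[0-9a-fA-F]+$")
# Assumption: these frames mean the crash fired inside garbage/cycle collection.
GC_MARKERS = ("JS_GC", "nsCycleCollector::Collect",
              "nsCycleCollector_collect", "nsJSContext::CC")


@dataclass
class Frame:
    index: int
    module: str
    function: str
    source: str


def parse_stack(text: str) -> list[Frame]:
    """Parse 'index [module] function [file:line]' rows; module is optional."""
    frames = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # skip blank lines and anything that is not a frame row
        rest = tokens[1:]
        module = ""
        if len(rest) > 1 and MODULE_RE.search(rest[0]):
            module, rest = rest[0], rest[1:]
        function = rest[0] if rest else ""
        source = rest[1] if len(rest) > 1 else ""
        frames.append(Frame(int(tokens[0]), module, function, source))
    return frames


def is_symbolized(frame: Frame) -> bool:
    return bool(frame.function) and UNSYMBOLIZED_RE.match(frame.function) is None


def signature(frames: list[Frame]) -> str:
    """Bugzilla-style '[@ fn]' signature: the first symbolized frame, so an
    unsymbolized PC (a call through garbage) does not hide the real site."""
    for frame in frames:
        if is_symbolized(frame):
            return f"[@ {frame.function}]"
    return "[@ <unknown>]"


def triage(frames: list[Frame]) -> set[str]:
    """Flags a security triager looks for before rating the bug."""
    tags = set()
    if frames and not is_symbolized(frames[0]):
        tags.add("unsymbolized-pc")   # execution reached an address with no symbol
    if any(m in f.function for f in frames for m in GC_MARKERS):
        tags.add("gc-or-cc")          # crashed while the collector walked the heap
    if any(is_symbolized(a) and a.function == b.function
           for a, b in zip(frames, frames[1:])):
        tags.add("recursion")         # same frame repeated back to back
    return tags


if __name__ == "__main__":
    for name, text in (("minimized", MINIMIZED_STACK),
                       ("unminimized", UNMINIMIZED_STACK)):
        frames = parse_stack(text)
        print(name, signature(frames), sorted(triage(frames)))
```

Run stand-alone, the minimized stack is tagged unsymbolized-pc and gc-or-cc (the top frame is a bare address reached during JS_GC / cycle collection, which is the pattern behind the sg:critical guess above), while the unminimized stack is tagged only with recursion inside nsFrameManager::ReResolveStyleContext, which is consistent with the later observation that it may be a different crash.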
Attached file unminimized testcase
For me it crashes with:
###!!! ABORT: running past end: 'mCurrent != mListLink', nsLineBox.h, line 611

The patch in bug 443528 fixes it.
Depends on: 443528
OS: Windows XP → All
Hardware: PC → All
Flags: wanted1.9.0.x+
Whiteboard: [sg:moderate] → [sg:moderate] fixed by bug 443528
Resolving as fixed by bug 443528.
Holding the crashtest until 1.9.0.x is released with a fix for bug 443528.

-> FIXED
Assignee: nobody → mats.palmgren
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Group: core-security
Crash Signature: [@ nsStringBuffer::Release] [@ nsFrameManager::ReResolveStyleContext]