Crash [@ nsStringBuffer::Release][@ nsFrameManager::ReResolveStyleContext] with textZoom and large iframes
11 years ago
8 years ago

(Reporter: martijn.martijn, Assigned: mats)


(Keywords: crash, fixed1.9.0.4, testcase)

Bug Flags:
wanted1.9.0.x +
in-testsuite ?
Firefox Tracking Flags: (Not tracked)


(Whiteboard: [sg:moderate] fixed by bug 443528, crash signature)


(3 attachments)

Comment 0

11 years ago
Created attachment 330375 [details]
testcase (uses enhanced privs)

See testcase; you need to download the testcase to your computer because of the use of enhanced privileges.

Usually, it crashes trunk builds within 10 seconds or so. It also crashes Firefox 3. I haven't looked for a regression range yet.
I've marked it security sensitive, because the unminimized testcase can also crash by using the regular textzoom feature.

Breakpad data don't give useful stacks for this testcase, in general:
0  	 	@0xf10e8c1  	
1 	js3250.dll 	JS_GC 	js/src/jsapi.cpp:2499
2 	js3250.dll 	JS_GetFunctionNative 	
3 	xul.dll 	nsCycleCollector::Collect 	xpcom/base/nsCycleCollector.cpp:2256
4 	xul.dll 	nsCycleCollector_collect 	xpcom/base/nsCycleCollector.cpp:2904
5 	xul.dll 	nsJSContext::CC 	dom/src/base/nsJSEnvironment.cpp:3360
6 	xul.dll 	xul.dll@0x2ec04a 	

This is from the unminimized testcase:
0  	xul.dll  	nsFrameManager::ReResolveStyleContext  	 layout/base/nsFrameManager.cpp:1368
1 	xul.dll 	nsFrameManager::ReResolveStyleContext 	layout/base/nsFrameManager.cpp:1404
2 	xul.dll 	nsFrameManager::ReResolveStyleContext 	layout/base/nsFrameManager.cpp:1404
3 	xul.dll 	nsFrameManager::ReResolveStyleContext 	layout/base/nsFrameManager.cpp:1404
4 	xul.dll 	nsFrameManager::ReResolveStyleContext 	layout/base/nsFrameManager.cpp:1404
5 	xul.dll 	nsFrameManager::ComputeStyleChangeFor 	layout/base/nsFrameManager.cpp:1470
6 	xul.dll 	nsCSSFrameConstructor::RebuildAllStyleData 	layout/base/nsCSSFrameConstructor.cpp:13236
7 	xul.dll 	xul.dll@0x2ae085 	
8 	xul.dll 	SetChildTextZoom 	layout/base/nsDocumentViewer.cpp:2643
9 	xul.dll 	xul.dll@0x271661 	
10 	xul.dll 	DocumentViewerImpl::SetTextZoom 	layout/base/nsDocumentViewer.cpp:2667
11 	xul.dll 	SetChildTextZoom 	layout/base/nsDocumentViewer.cpp:2643
12 	xul.dll 	xul.dll@0x271661 	
13 	xul.dll 	DocumentViewerImpl::SetTextZoom 	layout/base/nsDocumentViewer.cpp:2667
14 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
15 	xul.dll 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:2393

Comment 1

11 years ago
Created attachment 330376 [details]
stacktrace from debug build

 	msvcr80d.dll!__free_dbg_nolock()  + 0x446 bytes	
 	msvcr80d.dll!__free_dbg()  + 0x4e bytes	
 	msvcr80d.dll!_free()  + 0xe bytes	
>	xpcom_core.dll!nsStringBuffer::Release()  Line 197 + 0xa bytes	C++
 	xpcom_core.dll!ReleaseData(void * data=0x04e07e78, unsigned int flags=5)  Line 116 + 0x13 bytes	C++
 	xpcom_core.dll!nsACString_internal::Finalize()  Line 188 + 0x12 bytes	C++
 	xpcom_core.dll!nsACString_internal::~nsACString_internal()  Line 196	C++
 	thebes.dll!nsCString::~nsCString()  + 0x10 bytes	C++
 	thebes.dll!gfxFontStyle::~gfxFontStyle()  + 0x12 bytes	C++
 	thebes.dll!gfxFontGroup::~gfxFontGroup()  Line 1388 + 0x16 bytes	C++
 	thebes.dll!gfxWindowsFontGroup::~gfxWindowsFontGroup()  Line 882 + 0x1e bytes	C++
 	thebes.dll!gfxWindowsFontGroup::`vector deleting destructor'()  + 0x4d bytes	C++
 	thebes.dll!gfxTextRunFactory::Release()  Line 564 + 0xa0 bytes	C++
 	gkgfxthebes.dll!nsRefPtr<gfxFontGroup>::~nsRefPtr<gfxFontGroup>()  Line 957	C++
 	gkgfxthebes.dll!nsThebesFontMetrics::~nsThebesFontMetrics()  Line 62 + 0x16 bytes	C++
 	gkgfxthebes.dll!nsThebesFontMetrics::`scalar deleting destructor'()  + 0xf bytes	C++
 	gkgfxthebes.dll!nsThebesFontMetrics::Release()  Line 48 + 0xd6 bytes	C++
 	gkgfx.dll!nsFontCache::Flush()  Line 584 + 0xe bytes	C++
 	gkgfx.dll!nsFontCache::~nsFontCache()  Line 450	C++
Comment 2

From comment 0 the "unminimized" testcase looks like it could be a completely different crash. Are you hanging on to that testcase so we can be sure a fix for the testcase in this bug also fixes that one? It's probably best to attach it to a bug for safekeeping, either in this bug or file a new bug depending on this one that might be a dupe in the future.

Comment 3

Guessing sg:critical because it crashed during GC.
Whiteboard: [sg:critical?]

Comment 4

Actually "moderate" for now since the testcase requires privileges and/or convincing the user to go crazy on the text-zoom.
Whiteboard: [sg:critical?] → [sg:moderate]

Comment 5

11 years ago
Created attachment 330387 [details]
unminimized testcase

Comment 6

10 years ago
For me it crashes with:
###!!! ABORT: running past end: 'mCurrent != mListLink', nsLineBox.h, line 611

The patch in bug 443528 fixes it.
Depends on: 443528
OS: Windows XP → All
Hardware: PC → All
Flags: wanted1.9.0.x+
Whiteboard: [sg:moderate] → [sg:moderate] fixed by bug 443528

Comment 7

10 years ago
Resolving as fixed by bug 443528.
Holding the crashtest until 1.9.0.x is released with a fix for bug 443528.

Assignee: nobody → mats.palmgren
Last Resolved: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Keywords: fixed1.9.0.4
Group: core-security
Crash Signature: [@ nsStringBuffer::Release] [@ nsFrameManager::ReResolveStyleContext]