Bug 446181 - Crash [@ nsStringBuffer::Release][@ nsFrameManager::ReResolveStyleContext] with textZoom and large iframes
Status: RESOLVED FIXED (opened 16 years ago, closed 16 years ago)
Product/Component: Core :: Layout (defect)
Reporter: martijn.martijn; Assignee: MatsPalmgren_bugz
Keywords: crash, fixed1.9.0.4, testcase
Whiteboard: [sg:moderate] fixed by bug 443528
Attachments: 3 files

Description (Comment 0, Reporter, 16 years ago)
See testcase; you need to download the testcase to your computer, because of the use of enhanced privileges.
Usually, it crashes trunk builds within 10 seconds or so. It also crashes Firefox 3. I haven't looked for a regression range yet.
I've marked it security sensitive, because the unminimized testcase can also crash by using the regular textzoom feature.
Breakpad data don't give useful stacks for this testcase, in general:
http://crash-stats.mozilla.com/report/index/142cf640-5592-11dd-bb0e-001a4bd43e5c?p=1
0 @0xf10e8c1
1 js3250.dll JS_GC js/src/jsapi.cpp:2499
2 js3250.dll JS_GetFunctionNative
3 xul.dll nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:2256
4 xul.dll nsCycleCollector_collect xpcom/base/nsCycleCollector.cpp:2904
5 xul.dll nsJSContext::CC dom/src/base/nsJSEnvironment.cpp:3360
6 xul.dll xul.dll@0x2ec04a
This is from the unminimized testcase:
http://crash-stats.mozilla.com/report/index/76a2b933-54ea-11dd-9c87-001a4bd43ed6?p=1
0 xul.dll nsFrameManager::ReResolveStyleContext layout/base/nsFrameManager.cpp:1368
1 xul.dll nsFrameManager::ReResolveStyleContext layout/base/nsFrameManager.cpp:1404
2 xul.dll nsFrameManager::ReResolveStyleContext layout/base/nsFrameManager.cpp:1404
3 xul.dll nsFrameManager::ReResolveStyleContext layout/base/nsFrameManager.cpp:1404
4 xul.dll nsFrameManager::ReResolveStyleContext layout/base/nsFrameManager.cpp:1404
5 xul.dll nsFrameManager::ComputeStyleChangeFor layout/base/nsFrameManager.cpp:1470
6 xul.dll nsCSSFrameConstructor::RebuildAllStyleData layout/base/nsCSSFrameConstructor.cpp:13236
7 xul.dll xul.dll@0x2ae085
8 xul.dll SetChildTextZoom layout/base/nsDocumentViewer.cpp:2643
9 xul.dll xul.dll@0x271661
10 xul.dll DocumentViewerImpl::SetTextZoom layout/base/nsDocumentViewer.cpp:2667
11 xul.dll SetChildTextZoom layout/base/nsDocumentViewer.cpp:2643
12 xul.dll xul.dll@0x271661
13 xul.dll DocumentViewerImpl::SetTextZoom layout/base/nsDocumentViewer.cpp:2667
14 xul.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
15 xul.dll XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:2393
Comment 1 (Reporter, 16 years ago)
msvcr80d.dll!__free_dbg_nolock() + 0x446 bytes
msvcr80d.dll!__free_dbg() + 0x4e bytes
msvcr80d.dll!_free() + 0xe bytes
> xpcom_core.dll!nsStringBuffer::Release() Line 197 + 0xa bytes C++
xpcom_core.dll!ReleaseData(void * data=0x04e07e78, unsigned int flags=5) Line 116 + 0x13 bytes C++
xpcom_core.dll!nsACString_internal::Finalize() Line 188 + 0x12 bytes C++
xpcom_core.dll!nsACString_internal::~nsACString_internal() Line 196 C++
thebes.dll!nsCString::~nsCString() + 0x10 bytes C++
thebes.dll!gfxFontStyle::~gfxFontStyle() + 0x12 bytes C++
thebes.dll!gfxFontGroup::~gfxFontGroup() Line 1388 + 0x16 bytes C++
thebes.dll!gfxWindowsFontGroup::~gfxWindowsFontGroup() Line 882 + 0x1e bytes C++
thebes.dll!gfxWindowsFontGroup::`vector deleting destructor'() + 0x4d bytes C++
thebes.dll!gfxTextRunFactory::Release() Line 564 + 0xa0 bytes C++
gkgfxthebes.dll!nsRefPtr<gfxFontGroup>::~nsRefPtr<gfxFontGroup>() Line 957 C++
gkgfxthebes.dll!nsThebesFontMetrics::~nsThebesFontMetrics() Line 62 + 0x16 bytes C++
gkgfxthebes.dll!nsThebesFontMetrics::`scalar deleting destructor'() + 0xf bytes C++
gkgfxthebes.dll!nsThebesFontMetrics::Release() Line 48 + 0xd6 bytes C++
gkgfx.dll!nsFontCache::Flush() Line 584 + 0xe bytes C++
gkgfx.dll!nsFontCache::~nsFontCache() Line 450 C++
etc..
Comment 2 (16 years ago)
From comment 0 the "unminimized" testcase looks like it could be a completely different crash. Are you hanging on to that testcase so we can be sure a fix for the testcase in this bug also fixes that one? It's probably best to attach it to a bug for safekeeping, either in this bug or file a new bug depending on this one that might be a dupe in the future.
Comment 3 (16 years ago)
guessing sg:critical because it crashed during GC
Whiteboard: [sg:critical?]
Comment 4 (16 years ago)
Actually "moderate" for now since the testcase requires privileges and/or convincing the user to go crazy on the text-zoom.
Whiteboard: [sg:critical?] → [sg:moderate]
Comment 5 (Reporter, 16 years ago)

Comment 6 (Assignee, 16 years ago)
For me it crashes with:
###!!! ABORT: running past end: 'mCurrent != mListLink', nsLineBox.h, line 611
The patch in bug 443528 fixes it.
Updated (16 years ago)
Flags: wanted1.9.0.x+
Whiteboard: [sg:moderate] → [sg:moderate] fixed by bug 443528
Comment 7 (Assignee, 16 years ago)
Resolving as fixed by bug 443528.
Holding the crashtest until 1.9.0.x is released with a fix for bug 443528.
-> FIXED
Assignee: nobody → mats.palmgren
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Updated (16 years ago)
Keywords: fixed1.9.0.4
Updated (15 years ago)
Group: core-security
Updated (13 years ago)
Crash Signature: [@ nsStringBuffer::Release]
[@ nsFrameManager::ReResolveStyleContext]