Crash [@ IsBindingAncestor] with frameset, iframe, {ib}

VERIFIED FIXED in mozilla1.9.2a1

Status

()

Core
Layout: HTML Frames
P2
critical
VERIFIED FIXED
9 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Assigned: dbaron)

Tracking

(Blocks: 1 bug, 5 keywords)

Trunk
mozilla1.9.2a1
assertion, crash, testcase, verified1.9.0.9, verified1.9.1
Points:
---
Bug Flags:
blocking1.9.1 +
blocking1.9.0.9 +
wanted1.9.0.x +
wanted1.8.1.x -
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] common fuzz blocker - post 1.8 branch, crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

9 years ago
Created attachment 351325 [details]
testcase (crashes Firefox when loaded)

###!!! ASSERTION: reflow roots should never split: 'status == NS_FRAME_COMPLETE', file /Users/jruderman/central/layout/base/nsPresShell.cpp, line 6347

###!!! ASSERTION: frame not in line: 'line->Contains(aDeletedFrame)', file /Users/jruderman/central/layout/generic/nsBlockFrame.cpp, line 5385

Crash [@ IsBindingAncestor] trying to access memory at 0xdddddded.
(Reporter)

Updated

9 years ago
Whiteboard: [sg:critical?]
Looks like we have destroyed frames in the frame tree.  That's really bad.  That second assertion is pretty much summing up why _that_ happens, and I bet the first one explains the second one.

roc, this seems like something up your alley.
Flags: blocking1.9.1?
(Assignee)

Comment 2

9 years ago
What's the reflow root in question?
ViewportFrame.
(Reporter)

Comment 4

9 years ago
This bug shows up with a few different crash assertions and crash signatures, so it kinda gets in the way of fuzzing.
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P3
Crashes my Linux mozilla-central build, too, with the assertions mentioned in comment 0.
  Platform --> All/All
OS: Mac OS X → All
Hardware: PC → All
(Assignee)

Updated

9 years ago
Component: Layout → Layout: HTML Frames
QA Contact: layout → layout.html-frames
(Assignee)

Comment 6

9 years ago
Setting a breakpoint on nsBlockFrame::SetOverflowLines (it split because it had overflow lines) shows that we have overflow lines because aState.mBottomEdge was 0 in nsBlockFrame::PlaceLine (when it should have been NS_UNCONSTRAINEDSIZE).
(Assignee)

Comment 7

9 years ago
So I think the basic problem is something like this:
 * we often reflow the viewport with a constrained height, but we trust that its child scroll frame won't pass this further.
 * when we have a frameset, the viewport doesn't have a child scroll frame
 * we don't have anything to prevent mixing framesets with other things, or changing the structure at the top of the document when the frameset is gone

(Need to investigate all these points in a little more detail, though.)

What's happening here is that the constrained available height that we give the viewport is making its way all the way down the tree.


There are probably two ways to fix this:
 * stop using constrained available heights
 * maintain the frame tree invariants

We probably ought to do both.
(Assignee)

Comment 8

9 years ago
Created attachment 358727 [details] [diff] [review]
patch to stop using constrained heights for viewport reflow

This seems to just work, although I need to do a good bit more testing.
Assignee: nobody → dbaron
Status: NEW → ASSIGNED
(Assignee)

Comment 9

9 years ago
Created attachment 358737 [details] [diff] [review]
patch to stop using constrained heights for viewport reflow

Needed a few additional changes to fix resizing.
Attachment #358727 - Attachment is obsolete: true
Attachment #358737 - Flags: superreview?(roc)
Attachment #358737 - Flags: review?(roc)
Attachment #358737 - Flags: superreview?(roc)
Attachment #358737 - Flags: superreview+
Attachment #358737 - Flags: review?(roc)
Attachment #358737 - Flags: review+
This is a common fuzz blocker, raising the priority slightly (p2) to try to keep it in the release. Since it's mostly patched I hope I'm not overstepping here.
Priority: P3 → P2
Whiteboard: [sg:critical?] → [sg:critical?] common fuzz blocker
Whiteboard: [sg:critical?] common fuzz blocker → [sg:critical?] common fuzz blocker [needs landing]
(Assignee)

Comment 11

8 years ago
http://hg.mozilla.org/mozilla-central/rev/ea3adcdfa653
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Whiteboard: [sg:critical?] common fuzz blocker [needs landing] → [sg:critical?] common fuzz blocker [needs 1.9.1 landing][needs 1.9.0.* landing]
Target Milestone: --- → mozilla1.9.2a1
(Assignee)

Comment 12

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/5ce32275362a
Keywords: fixed1.9.1
Whiteboard: [sg:critical?] common fuzz blocker [needs 1.9.1 landing][needs 1.9.0.* landing] → [sg:critical?] common fuzz blocker [needs 1.9.0.* landing]
Target Milestone: mozilla1.9.2a1 → mozilla1.9.1b3
(Assignee)

Updated

8 years ago
Attachment #358737 - Flags: approval1.9.0.8?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.8+
Comment on attachment 358737 [details] [diff] [review]
patch to stop using constrained heights for viewport reflow

Approved for 1.9.0.8, a=dveditz for release-drivers
Attachment #358737 - Flags: approval1.9.0.8? → approval1.9.0.8+
(Assignee)

Comment 14

8 years ago
I was sort of hoping we'd ship this in a 1.9.1 beta release to make sure it didn't break anything before we shipped it in a 1.9.0.* release, but I suppose we're probably ok based on nightly testing.
(Assignee)

Comment 15

8 years ago
Checked in to CVS trunk for 1.9.0.8, 2009-02-22 19:21/22 -0800.
Keywords: fixed1.9.0.8
Whiteboard: [sg:critical?] common fuzz blocker [needs 1.9.0.* landing] → [sg:critical?] common fuzz blocker
Verified on OS X and Windows with:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090310 Minefield/3.2a1pre ID:20090310044308

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090309 Shiretoko/3.1b4pre (.NET CLR 3.5.30729) ID:20090309034003
Status: RESOLVED → VERIFIED
Target Milestone: mozilla1.9.1b3 → mozilla1.9.2a1
The testcase doesn't crash 1.9.0.7 on OS X or Windows XP. Does this require a debug build or does the testcase not work on 1.9.0?
(In reply to comment #17)
> The testcase doesn't crash 1.9.0.7 on OS X or Windows XP. Does this require a
> debug build or does the testcase not work on 1.9.0?

I don't suppose someone could reply to this since I asked this almost two weeks ago? :-)
(Assignee)

Comment 19

8 years ago
I don't know.  You could see what happens in a 1.9.0.* debug build if you want (or try under valgrind).

Hard to give more details without knowing what you're trying to do.
Al, the testcase crashes reliably in a debug build, where we mark deallocated memory with the 0xdddddddd pattern.  In a non-debug build, it will randomly either crash or not crash or let someone run arbitrary code depending on the values that happen to be in the deallocated memory.
The testcase constantly crashes 01/30 Shiretoko builds on Windows and OS X. With the fix no more crashes happen with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3 (.NET CLR 3.5.30729) ID:20090305152042
Keywords: fixed1.9.1 → verified1.9.1
Doesn't crash using Firefox 2.0.0.20.
Flags: wanted1.8.1.x-
Whiteboard: [sg:critical?] common fuzz blocker → [sg:critical?] common fuzz blocker - post 1.8 branch
verified fixed 1.9.0.9 using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;
en-US; rv:1.9.0.9pre) Gecko/2009040221 Firefox/3.0.9pre (debug build) + : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9pre) Gecko/2009040214 Minefield/3.0.9pre - no crash on testcase
Keywords: fixed1.9.0.9 → verified1.9.0.9
Group: core-security
(Reporter)

Comment 24

8 years ago
Crashtest added:

http://hg.mozilla.org/mozilla-central/rev/ea128fc02710
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ IsBindingAncestor]
You need to log in before you can comment on or make changes to this bug.