Crash [@ IsBindingAncestor] with frameset, iframe, {ib}

VERIFIED FIXED in mozilla1.9.2a1

Status

()

defect
P2
critical
VERIFIED FIXED
11 years ago
11 months ago

People

(Reporter: jruderman, Assigned: dbaron)

Tracking

(Blocks 1 bug, 5 keywords)

Trunk
mozilla1.9.2a1
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.9.1 +
blocking1.9.0.9 +
wanted1.9.0.x +
wanted1.8.1.x -
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] common fuzz blocker - post 1.8 branch, crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

###!!! ASSERTION: reflow roots should never split: 'status == NS_FRAME_COMPLETE', file /Users/jruderman/central/layout/base/nsPresShell.cpp, line 6347

###!!! ASSERTION: frame not in line: 'line->Contains(aDeletedFrame)', file /Users/jruderman/central/layout/generic/nsBlockFrame.cpp, line 5385

Crash [@ IsBindingAncestor] trying to access memory at 0xdddddded.
Whiteboard: [sg:critical?]
Looks like we have destroyed frames in the frame tree.  That's really bad.  That second assertion is pretty much summing up why _that_ happens, and I bet the first one explains the second one.

roc, this seems like something up your alley.
Flags: blocking1.9.1?
What's the reflow root in question?
ViewportFrame.
This bug shows up with a few different crash assertions and crash signatures, so it kinda gets in the way of fuzzing.
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P3
Crashes my Linux mozilla-central build, too, with the assertions mentioned in comment 0.
  Platform --> All/All
OS: Mac OS X → All
Hardware: PC → All
Component: Layout → Layout: HTML Frames
QA Contact: layout → layout.html-frames
Setting a breakpoint on nsBlockFrame::SetOverflowLines (it split because it had overflow lines) shows that we have overflow lines because aState.mBottomEdge was 0 in nsBlockFrame::PlaceLine (when it should have been NS_UNCONSTRAINEDSIZE).
So I think the basic problem is something like this:
 * we often reflow the viewport with a constrained height, but we trust that its child scroll frame won't pass this further.
 * when we have a frameset, the viewport doesn't have a child scroll frame
 * we don't have anything to prevent mixing framesets with other things, or changing the structure at the top of the document when the frameset is gone

(Need to investigate all these points in a little more detail, though.)

What's happening here is that the constrained available height that we give the viewport is making its way all the way down the tree.


There are probably two ways to fix this:
 * stop using constrained available heights
 * maintain the frame tree invariants

We probably ought to do both.
This seems to just work, although I need to do a good bit more testing.
Assignee: nobody → dbaron
Status: NEW → ASSIGNED
Needed a few additional changes to fix resizing.
Attachment #358727 - Attachment is obsolete: true
Attachment #358737 - Flags: superreview?(roc)
Attachment #358737 - Flags: review?(roc)
Attachment #358737 - Flags: superreview?(roc)
Attachment #358737 - Flags: superreview+
Attachment #358737 - Flags: review?(roc)
Attachment #358737 - Flags: review+
This is a common fuzz blocker, raising the priority slightly (p2) to try to keep it in the release. Since it's mostly patched I hope I'm not overstepping here.
Priority: P3 → P2
Whiteboard: [sg:critical?] → [sg:critical?] common fuzz blocker
Whiteboard: [sg:critical?] common fuzz blocker → [sg:critical?] common fuzz blocker [needs landing]
http://hg.mozilla.org/mozilla-central/rev/ea3adcdfa653
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Whiteboard: [sg:critical?] common fuzz blocker [needs landing] → [sg:critical?] common fuzz blocker [needs 1.9.1 landing][needs 1.9.0.* landing]
Target Milestone: --- → mozilla1.9.2a1
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/5ce32275362a
Keywords: fixed1.9.1
Whiteboard: [sg:critical?] common fuzz blocker [needs 1.9.1 landing][needs 1.9.0.* landing] → [sg:critical?] common fuzz blocker [needs 1.9.0.* landing]
Target Milestone: mozilla1.9.2a1 → mozilla1.9.1b3
Attachment #358737 - Flags: approval1.9.0.8?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.8+
Comment on attachment 358737 [details] [diff] [review]
patch to stop using constrained heights for viewport reflow

Approved for 1.9.0.8, a=dveditz for release-drivers
Attachment #358737 - Flags: approval1.9.0.8? → approval1.9.0.8+
I was sort of hoping we'd ship this in a 1.9.1 beta release to make sure it didn't break anything before we shipped it in a 1.9.0.* release, but I suppose we're probably ok based on nightly testing.
Checked in to CVS trunk for 1.9.0.8, 2009-02-22 19:21/22 -0800.
Keywords: fixed1.9.0.8
Whiteboard: [sg:critical?] common fuzz blocker [needs 1.9.0.* landing] → [sg:critical?] common fuzz blocker
Verified on OS X and Windows with:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090310 Minefield/3.2a1pre ID:20090310044308

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090309 Shiretoko/3.1b4pre (.NET CLR 3.5.30729) ID:20090309034003
Status: RESOLVED → VERIFIED
Target Milestone: mozilla1.9.1b3 → mozilla1.9.2a1
The testcase doesn't crash 1.9.0.7 on OS X or Windows XP. Does this require a debug build or does the testcase not work on 1.9.0?
(In reply to comment #17)
> The testcase doesn't crash 1.9.0.7 on OS X or Windows XP. Does this require a
> debug build or does the testcase not work on 1.9.0?

I don't suppose someone could reply to this since I asked this almost two weeks ago? :-)
I don't know.  You could see what happens in a 1.9.0.* debug build if you want (or try under valgrind).

Hard to give more details without knowing what you're trying to do.
Al, the testcase crashes reliably in a debug build, where we mark deallocated memory with the 0xdddddddd pattern.  In a non-debug build, it will randomly either crash or not crash or let someone run arbitrary code depending on the values that happen to be in the deallocated memory.
The testcase constantly crashes 01/30 Shiretoko builds on Windows and OS X. With the fix no more crashes happen with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3 (.NET CLR 3.5.30729) ID:20090305152042
Doesn't crash using Firefox 2.0.0.20.
Flags: wanted1.8.1.x-
Whiteboard: [sg:critical?] common fuzz blocker → [sg:critical?] common fuzz blocker - post 1.8 branch
verified fixed 1.9.0.9 using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;
en-US; rv:1.9.0.9pre) Gecko/2009040221 Firefox/3.0.9pre (debug build) + : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9pre) Gecko/2009040214 Minefield/3.0.9pre - no crash on testcase
Group: core-security
Crashtest added:

http://hg.mozilla.org/mozilla-central/rev/ea128fc02710
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ IsBindingAncestor]
Product: Core → Core Graveyard
Component: Layout: HTML Frames → Layout: Images
Product: Core Graveyard → Core
You need to log in before you can comment on or make changes to this bug.