Closed
Bug 467881
Opened 16 years ago
Closed 16 years ago
Crash [@ IsBindingAncestor] with frameset, iframe, {ib}
Categories
(Core :: Layout: Images, Video, and HTML Frames, defect, P2)
Core
Layout: Images, Video, and HTML Frames
Tracking
()
VERIFIED
FIXED
mozilla1.9.2a1
People
(Reporter: jruderman, Assigned: dbaron)
References
Details
(5 keywords, Whiteboard: [sg:critical?] common fuzz blocker - post 1.8 branch)
Crash Data
Attachments
(2 files, 1 obsolete file)
946 bytes,
text/html
|
Details | |
7.28 KB,
patch
|
roc
:
review+
roc
:
superreview+
dveditz
:
approval1.9.0.9+
|
Details | Diff | Splinter Review |
###!!! ASSERTION: reflow roots should never split: 'status == NS_FRAME_COMPLETE', file /Users/jruderman/central/layout/base/nsPresShell.cpp, line 6347
###!!! ASSERTION: frame not in line: 'line->Contains(aDeletedFrame)', file /Users/jruderman/central/layout/generic/nsBlockFrame.cpp, line 5385
Crash [@ IsBindingAncestor] trying to access memory at 0xdddddded.
Reporter | ||
Updated•16 years ago
|
Whiteboard: [sg:critical?]
Comment 1•16 years ago
|
||
Looks like we have destroyed frames in the frame tree. That's really bad. That second assertion is pretty much summing up why _that_ happens, and I bet the first one explains the second one.
roc, this seems like something up your alley.
Flags: blocking1.9.1?
Assignee | ||
Comment 2•16 years ago
|
||
What's the reflow root in question?
Comment 3•16 years ago
|
||
ViewportFrame.
Reporter | ||
Comment 4•16 years ago
|
||
This bug shows up with a few different crash assertions and crash signatures, so it kinda gets in the way of fuzzing.
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P3
Comment 5•16 years ago
|
||
Crashes my Linux mozilla-central build, too, with the assertions mentioned in comment 0.
Platform --> All/All
OS: Mac OS X → All
Hardware: PC → All
Assignee | ||
Updated•16 years ago
|
Component: Layout → Layout: HTML Frames
QA Contact: layout → layout.html-frames
Assignee | ||
Comment 6•16 years ago
|
||
Setting a breakpoint on nsBlockFrame::SetOverflowLines (it split because it had overflow lines) shows that we have overflow lines because aState.mBottomEdge was 0 in nsBlockFrame::PlaceLine (when it should have been NS_UNCONSTRAINEDSIZE).
Assignee | ||
Comment 7•16 years ago
|
||
So I think the basic problem is something like this:
* we often reflow the viewport with a constrained height, but we trust that its child scroll frame won't pass this further.
* when we have a frameset, the viewport doesn't have a child scroll frame
* we don't have anything to prevent mixing framesets with other things, or changing the structure at the top of the document when the frameset is gone
(Need to investigate all these points in a little more detail, though.)
What's happening here is that the constrained available height that we give the viewport is making its way all the way down the tree.
There are probably two ways to fix this:
* stop using constrained available heights
* maintain the frame tree invariants
We probably ought to do both.
Assignee | ||
Comment 8•16 years ago
|
||
This seems to just work, although I need to do a good bit more testing.
Assignee: nobody → dbaron
Status: NEW → ASSIGNED
Assignee | ||
Comment 9•16 years ago
|
||
Needed a few additional changes to fix resizing.
Attachment #358727 -
Attachment is obsolete: true
Attachment #358737 -
Flags: superreview?(roc)
Attachment #358737 -
Flags: review?(roc)
Attachment #358737 -
Flags: superreview?(roc)
Attachment #358737 -
Flags: superreview+
Attachment #358737 -
Flags: review?(roc)
Attachment #358737 -
Flags: review+
Comment 10•16 years ago
|
||
This is a common fuzz blocker, raising the priority slightly (p2) to try to keep it in the release. Since it's mostly patched I hope I'm not overstepping here.
Priority: P3 → P2
Whiteboard: [sg:critical?] → [sg:critical?] common fuzz blocker
Whiteboard: [sg:critical?] common fuzz blocker → [sg:critical?] common fuzz blocker [needs landing]
Assignee | ||
Comment 11•16 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Whiteboard: [sg:critical?] common fuzz blocker [needs landing] → [sg:critical?] common fuzz blocker [needs 1.9.1 landing][needs 1.9.0.* landing]
Target Milestone: --- → mozilla1.9.2a1
Assignee | ||
Comment 12•16 years ago
|
||
Keywords: fixed1.9.1
Whiteboard: [sg:critical?] common fuzz blocker [needs 1.9.1 landing][needs 1.9.0.* landing] → [sg:critical?] common fuzz blocker [needs 1.9.0.* landing]
Target Milestone: mozilla1.9.2a1 → mozilla1.9.1b3
Assignee | ||
Updated•16 years ago
|
Attachment #358737 -
Flags: approval1.9.0.8?
Updated•16 years ago
|
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.8+
Comment 13•16 years ago
|
||
Comment on attachment 358737 [details] [diff] [review]
patch to stop using constrained heights for viewport reflow
Approved for 1.9.0.8, a=dveditz for release-drivers
Attachment #358737 -
Flags: approval1.9.0.8? → approval1.9.0.8+
Assignee | ||
Comment 14•16 years ago
|
||
I was sort of hoping we'd ship this in a 1.9.1 beta release to make sure it didn't break anything before we shipped it in a 1.9.0.* release, but I suppose we're probably ok based on nightly testing.
Assignee | ||
Comment 15•16 years ago
|
||
Checked in to CVS trunk for 1.9.0.8, 2009-02-22 19:21/22 -0800.
Keywords: fixed1.9.0.8
Whiteboard: [sg:critical?] common fuzz blocker [needs 1.9.0.* landing] → [sg:critical?] common fuzz blocker
Comment 16•16 years ago
|
||
Verified on OS X and Windows with:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090310 Minefield/3.2a1pre ID:20090310044308
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090309 Shiretoko/3.1b4pre (.NET CLR 3.5.30729) ID:20090309034003
Status: RESOLVED → VERIFIED
Target Milestone: mozilla1.9.1b3 → mozilla1.9.2a1
Comment 17•16 years ago
|
||
The testcase doesn't crash 1.9.0.7 on OS X or Windows XP. Does this require a debug build or does the testcase not work on 1.9.0?
Comment 18•16 years ago
|
||
(In reply to comment #17)
> The testcase doesn't crash 1.9.0.7 on OS X or Windows XP. Does this require a
> debug build or does the testcase not work on 1.9.0?
I don't suppose someone could reply to this since I asked this almost two weeks ago? :-)
Assignee | ||
Comment 19•16 years ago
|
||
I don't know. You could see what happens in a 1.9.0.* debug build if you want (or try under valgrind).
Hard to give more details without knowing what you're trying to do.
Comment 20•16 years ago
|
||
Al, the testcase crashes reliably in a debug build, where we mark deallocated memory with the 0xdddddddd pattern. In a non-debug build, it will randomly either crash or not crash or let someone run arbitrary code depending on the values that happen to be in the deallocated memory.
Comment 21•16 years ago
|
||
The testcase constantly crashes 01/30 Shiretoko builds on Windows and OS X. With the fix no more crashes happen with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3 (.NET CLR 3.5.30729) ID:20090305152042
Keywords: fixed1.9.1 → verified1.9.1
Comment 22•16 years ago
|
||
Doesn't crash using Firefox 2.0.0.20.
Flags: wanted1.8.1.x-
Whiteboard: [sg:critical?] common fuzz blocker → [sg:critical?] common fuzz blocker - post 1.8 branch
Comment 23•16 years ago
|
||
verified fixed 1.9.0.9 using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;
en-US; rv:1.9.0.9pre) Gecko/2009040221 Firefox/3.0.9pre (debug build) + : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9pre) Gecko/2009040214 Minefield/3.0.9pre - no crash on testcase
Keywords: fixed1.9.0.9 → verified1.9.0.9
Updated•16 years ago
|
Group: core-security
Reporter | ||
Comment 24•16 years ago
|
||
Crashtest added:
http://hg.mozilla.org/mozilla-central/rev/ea128fc02710
Flags: in-testsuite? → in-testsuite+
Updated•13 years ago
|
Crash Signature: [@ IsBindingAncestor]
Updated•6 years ago
|
Product: Core → Core Graveyard
Updated•6 years ago
|
Component: Layout: HTML Frames → Layout: Images
Product: Core Graveyard → Core
You need to log in
before you can comment on or make changes to this bug.
Description
•