Crash [@ gfxTextRun::`vector deleting destructor'][@ nsTextFrame::ClearTextRun] with first-letter, float: left and display: table-cell

VERIFIED FIXED in mozilla1.9.2a1

Status

()

Core
Layout
P2
critical
VERIFIED FIXED
10 years ago
7 years ago

People

(Reporter: Martijn Wargers (zombie), Assigned: roc)

Tracking

(6 keywords)

Trunk
mozilla1.9.2a1
crash, regression, testcase, topcrash, verified1.9.0.12, verified1.9.1
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.9.1 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(4 attachments)

(Reporter)

Description

10 years ago
Created attachment 351936 [details]
testcase

See testcase, which crashes current trunk build after 100ms. It doesn't crash in a 2008-12-02 build, it does crash in a 2008-12-03 build:
http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2008-12-02+04%3A00%3A00&enddate=2008-12-03+06%3A00%3A00

I think a regression from bug 466763.

http://crash-stats.mozilla.com/report/index/c02eb4db-7afa-4841-a909-cfe612081208?p=1
0  	xul.dll  	gfxTextRun::`vector deleting destructor'  	
1 	xul.dll 	nsTextFrame::ClearTextRun 	layout/generic/nsTextFrameThebes.cpp:3593
2 	xul.dll 	nsContinuingTextFrame::Destroy 	layout/generic/nsTextFrameThebes.cpp:3392
Flags: blocking1.9.2?

Comment 1

10 years ago
Crashes dereferencing c0000007 for me :(
(Reporter)

Updated

10 years ago
Flags: blocking1.9.1?
Summary: Crash [@ nsTextFrame::ClearTextRun] with first-letter, float: left and display: table-cell → Crash [@ gfxTextRun::`vector deleting destructor'][@ nsTextFrame::ClearTextRun] with first-letter, float: left and display: table-cell
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Assignee: nobody → roc
Works for me on Mac trunk debug.
(Reporter)

Comment 3

10 years ago
Still crashes here, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090204 Minefield/3.2a1pre (.NET CLR 3.5.30729)
It might possibly be fixed by the patch in bug 472776. If not, I guess I'll have to crank up a Windows build :-(.
(Reporter)

Updated

10 years ago
Depends on: 472776
Can someone retest this for me in a nightly build that includes the fix for bug 472776?
(Reporter)

Comment 7

9 years ago
The testcase still crashes using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090224 Minefield/3.2a1pre (.NET CLR 3.5.30729)
this site also crashing in similiar manner I think: 
http://www.daniweb.com/blogs/entry4041.html

http://crash-stats.mozilla.com/report/index/628cfa48-445a-402a-94f2-044ea2090225?p=1

Today's nightly - Vista HP SP1
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20090225 Minefield/3.2a1pre Firefox/3.0.4 ID:20090225033705

Comment 9

9 years ago
Created attachment 364332 [details]
stack

I got the stack when re-loading http://www.daniweb.com/blogs/entry4041.html
Just a guess, do we perhaps set wrong flags to textrun?
No.

What happened here was that in the patch in bug 466763 we started calling RemoveFromFlow on the second frame in the continuation chain for a text node, and then destroying that second frame, repeatedly until there's no second frame in the chain. That can cause a problem when the second frame is at the start of a textrun. When we destroy the frame we also destroy the textrun, and we iterate through the frame's next-continuations to clear out their references to the textrun. Problem is we've already called RemoveFromFlow on the frame so its old next-continuations don't get traversed, and end up holding dangling references to the textrun.
Created attachment 368829 [details] [diff] [review]
fix
[Checkin: Comment 18]

This fixes the bug by just avoiding calling RemoveFromFlow here. Just removing the frames in reverse order, starting with the last continuation, is fine.

The only remaining callers to RemoveFromFlow are in nsContinuingTextFrame::Destroy, after we've cleaned out the textrun, and in nsSplittableFrame::Destroy. So those should be fine. I've made a note that you should only be calling RemoveFromFlow in a frame's Destroy method. Actually the only reason it's not inlined into nsSplittableFrame::Destroy is that nsContinuingTextFrame is not a subclass of nsSplittableFrame --- and it's the only splittable frame that isn't a subclass of nsSplittableFrame.

In this patch I'm also removing BreakFromPrevInFlow since there are no callers and we don't want to add any.
Attachment #368829 - Flags: review?(dbaron)
Whiteboard: [needs review]
(I tested this on latest-trunk mozilla-central nightly build on WinXP SP3)

0:000> !exploitable
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - User Mode Write AV near NULL starting at xul!gfxTextRun::`vector deleting destructor'+0x1c (Hash=0x6f767310.0x7a710162)

User mode write access violations that are near NULL are probably exploitable.

Comment 14

9 years ago
Why do you think write AVs near NULL are probably exploitable?  I've been treating them like any other null deref.
I'd also like to know why that tool thinks "writes near NULL" are probably exploitable.

In this case, the bug is not actually limited to a NULL dereference, although I think it's non-exploitable for other reasons.
(In reply to comment #14)
> Why do you think write AVs near NULL are probably exploitable?  I've been
> treating them like any other null deref.

!exploitable thinks they're probably exploitable, I have no idea why.
(Reporter)

Updated

9 years ago
Blocks: 484375
Comment on attachment 368829 [details] [diff] [review]
fix
[Checkin: Comment 18]

Should we null out the next-continuation pointer on textFrame at the end of this exercise to avoid leaving a dangling pointer for a bit, or does something already here do that?

r=dbaron.  Sorry for the delay.
Attachment #368829 - Flags: review?(dbaron) → review+
+      aFrameManager->RemoveFrame(frameToDeleteParent, nsnull, frameToDelete);

This ends up call nsContinuingTextFrame::Destroy on frameToDelete, which calls nsSplittableFrame::RemoveFromFlow on it, which will set frameToDelete's prev-in-flow's next-continuation pointer to null (since frameToDelete is the last in flow and has no next-continuation of its own). So there won't be a dangling frame pointer at any time.

Pushed: http://hg.mozilla.org/mozilla-central/rev/b53856abc749
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Flags: blocking1.9.2? → in-testsuite+
Resolution: --- → FIXED
Whiteboard: [needs review] → [needs 191 landing]
Hmm, the Windows XP unittest box just failed with a similar stack. Caused by (or failed to be fixed by) this bug?

Full log: http://tinyurl.com/c7srwr

Thread 0 (crashed)
 0  xul.dll!nsTArray<gfxTextRun::GlyphRun>::~nsTArray<gfxTextRun::GlyphRun>() [nsTArray.h:07599e2b0941 : 267 + 0x5]
    eip = 0x101c2cdb   esp = 0x0012e11c   ebp = 0x0012e174   ebx = 0x0b159501
    esi = 0x0b159540   edi = 0x0b6b2080   eax = 0x00000000   ecx = 0x0b159540
    edx = 0x8e05000c   efl = 0x00010202
 1  xul.dll!gfxTextRun::~gfxTextRun() [gfxFont.cpp:07599e2b0941 : 1412 + 0xf]
    eip = 0x1062e548   esp = 0x0012e124   ebp = 0x0012e174
 2  xul.dll!gfxTextRun::`vector deleting destructor'(unsigned int) + 0x35
    eip = 0x101bb866   esp = 0x0012e12c   ebp = 0x0012e174
 3  xul.dll!nsTextFrame::ClearTextRun() [nsTextFrameThebes.cpp:07599e2b0941 : 3772 + 0x7]
    eip = 0x1026fc28   esp = 0x0012e138   ebp = 0x0012e174   ebx = 0x0b159530
Verified fixed on trunk with Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20090422 Minefield/3.6a1pre

Seems like we forgot to check it into 1.9.1. Adding keyword...
Status: RESOLVED → VERIFIED
Keywords: checkin-needed
Target Milestone: --- → mozilla1.9.2a1
Attachment #368829 - Attachment description: fix → fix [Checkin: Comment 18 & 22]
Comment on attachment 368829 [details] [diff] [review]
fix
[Checkin: Comment 18]


http://hg.mozilla.org/releases/mozilla-1.9.1/rev/1f9c68abedcf

After fixing context for
{
patching file layout/base/crashtests/crashtests.list
Hunk #1 FAILED at 182
1 out of 1 hunks FAILED
patching file layout/generic/nsSplittableFrame.cpp
Hunk #1 FAILED at 223
1 out of 1 hunks FAILED
patching file layout/generic/nsSplittableFrame.h
Hunk #1 FAILED at 93
1 out of 1 hunks FAILED
}
Keywords: checkin-needed → fixed1.9.1
Whiteboard: [needs 191 landing] → [fixed1.9.1b5]
Comment on attachment 368829 [details] [diff] [review]
fix
[Checkin: Comment 18]


Backout:
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/9f1036d0c19b

It looks like there are still other callers:
http://mxr.mozilla.org/mozilla1.9.1/search?string=BreakFromPrevFlow&case=on
:-<
Attachment #368829 - Attachment description: fix [Checkin: Comment 18 & 22] → fix [Checkin: Comment 18]
Keywords: fixed1.9.1
Whiteboard: [fixed1.9.1b5] → [needs 1.9.1 landing: needs 1.9.1 patch!]
Is this still blocking the 1.9.1 / 3.5 release? I can't see it in the list of All Blockers or Layout blockers on https://wiki.mozilla.org/Platform/1.9.1
Reopening for branch fix.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
(Thanks for the heads-up Luke)
Blocks: 493287
Oh, this is easy, we don't need to land the nsSplittableFrame changes on branch, just the rest of the patch.
Whiteboard: [needs 1.9.1 landing: needs 1.9.1 patch!] → [needs 191 landing]
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/0904c429bd5b
Status: REOPENED → RESOLVED
Last Resolved: 9 years ago9 years ago
Keywords: fixed1.9.1
Resolution: --- → FIXED
Whiteboard: [needs 191 landing]
Verified fixed on trunk and 1.9.1 with:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090522 Minefield/3.6a1pre ID:20090522032716

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090521 Shiretoko/3.5pre ID:20090521135222
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
OS: Windows XP → All
Hardware: x86 → All
Created attachment 382854 [details] [diff] [review]
fix, backported to 1.9.0.x (based on 1.9.1 checkin)

Here's this bug's fix, backported to 1.9.0.x.  I just applied the 1.9.1 changeset (0904c429bd5b), so this doesn't include the changes to nsSplittableFrame, but those aren't needed, per comment 28.  (they just remove an obsolete method, I think)  My only modification was to fix bitrot in crashtests.list.
Attachment #382854 - Flags: approval1.9.0.12?
Removing stale dependency on bug 472776 -- this dependency was tentatively added on 2009/02/05, as a result of comment 4 (where roc suggested that bug 472776's patch might fix this bug), but comment 7 shows that the dependency was incorrect.
No longer depends on: 472776
Attachment #382854 - Flags: approval1.9.0.12? → approval1.9.0.12+
Comment on attachment 382854 [details] [diff] [review]
fix, backported to 1.9.0.x (based on 1.9.1 checkin)

Approved for 1.9.0.12, a=dveditz for release-drivers
Patch landed on CVS trunk:

Checking in layout/base/nsCSSFrameConstructor.cpp;
/cvsroot/mozilla/layout/base/nsCSSFrameConstructor.cpp,v  <--  nsCSSFrameConstructor.cpp
new revision: 1.1485; previous revision: 1.1484
done
RCS file: /cvsroot/mozilla/layout/base/crashtests/468491-1.html,v
done
Checking in layout/base/crashtests/468491-1.html;
/cvsroot/mozilla/layout/base/crashtests/468491-1.html,v  <--  468491-1.html
initial revision: 1.1
done
Checking in layout/base/crashtests/crashtests.list;
/cvsroot/mozilla/layout/base/crashtests/crashtests.list,v  <--  crashtests.list
new revision: 1.101; previous revision: 1.100
done
Keywords: fixed1.9.0.12
Attached testcase does not crash 1.9.0.11 (nor the post-fix 1.9.0.12pre builds).
(In reply to comment #37)
> Attached testcase does not crash 1.9.0.11 (nor the post-fix 1.9.0.12pre
> builds).

That's expected. I landed the patch that causes this regression and the patch that fixes it back-to-back, so as not to expose our 1.9.0.x nightly users to this bug.

So, this was only broken on 1.9.0.x for a few minutes -- between revision 1.100 and 1.101 of layout/base/crashtests/crashtests.list:
http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/layout/base/crashtests/crashtests.list&rev=HEAD&mark=1.101,1.100

If you'd like, you should be able to reproduce this bug by checking out a build from 2009-06-12 at 12:30 PDT.
Thanks, Dan. I'll mark this as verified for 1.9.0.12 then.
Keywords: fixed1.9.0.12 → verified1.9.0.12
Crash Signature: [@ gfxTextRun::`vector deleting destructor'] [@ nsTextFrame::ClearTextRun]
You need to log in before you can comment on or make changes to this bug.