Closed Bug 469432 Opened 16 years ago Closed 15 years ago

Crash [@ nsStyleContext::~nsStyleContext] on reload with menuitem, select, tooltip and mathml

Categories

(Core :: Layout, defect, P3)

x86
Windows XP
defect

Tracking


RESOLVED WORKSFORME

People

(Reporter: martijn.martijn, Assigned: dbaron)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(1 file)

291 bytes, application/xhtml+xml
Details
Attached file testcase
See testcase, which crashes current trunk build and Firefox 3 (so marking security sensitive for now) on reload.
It doesn't crash Firefox 2, I can look for a regression range, if wanted.

http://crash-stats.mozilla.com/report/index/122ea824-3d00-474a-a383-d1cc42081212?p=1
0  	xul.dll  	nsStyleContext::~nsStyleContext  	layout/style/nsStyleContext.cpp:100
1 	xul.dll 	nsStyleContext::Destroy 	layout/style/nsStyleContext.cpp:932
2 	xul.dll 	UndisplayedNode::~UndisplayedNode 	layout/base/nsFrameManager.cpp:214
3 	xul.dll 	UndisplayedNode::~UndisplayedNode 	layout/base/nsFrameManager.cpp:211
4 	xul.dll 	RemoveUndisplayedEntry 	layout/base/nsFrameManager.cpp:1848
5 	plds4.dll 	PL_HashTableEnumerateEntries 	nsprpub/lib/ds/plhash.c:432
6 	xul.dll 	nsFrameManagerBase::UndisplayedMap::Clear 	layout/base/nsFrameManager.cpp:1857
7 	xul.dll 	nsFrameManagerBase::UndisplayedMap::~UndisplayedMap 	layout/base/nsFrameManager.cpp:1729
8 	xul.dll 	nsFrameManager::Destroy 	layout/base/nsFrameManager.cpp:297
9 	xul.dll 	PresShell::Destroy 	layout/base/nsPresShell.cpp:1709
10 	xul.dll 	DocumentViewerImpl::Destroy 	layout/base/nsDocumentViewer.cpp:1527
11 	xul.dll 	DocumentViewerImpl::Show 	layout/base/nsDocumentViewer.cpp:1834
12 	xul.dll 	nsPresContext::EnsureVisible 	layout/base/nsPresContext.cpp:1528
13 	xul.dll 	PresShell::UnsuppressAndInvalidate 	layout/base/nsPresShell.cpp:4323
14 	xul.dll 	PresShell::UnsuppressPainting 	layout/base/nsPresShell.cpp:4371
15 	xul.dll 	DocumentViewerImpl::LoadComplete 	layout/base/nsDocumentViewer.cpp:1022
16 	xul.dll 	nsDocShell::EndPageLoad 	docshell/base/nsDocShell.cpp:5184
17 	xul.dll 	nsWebShell::EndPageLoad 	docshell/base/nsWebShell.cpp:1015
18 	xul.dll 	nsDocShell::OnStateChange 	docshell/base/nsDocShell.cpp:5080
19 	xul.dll 	nsDocLoader::FireOnStateChange 	uriloader/base/nsDocLoader.cpp:1235
20 	xul.dll 	nsDocLoader::doStopDocumentLoad 	uriloader/base/nsDocLoader.cpp:858
21 	xul.dll 	nsDocLoader::DocLoaderIsEmpty 	uriloader/base/nsDocLoader.cpp:763
22 	xul.dll 	nsDocLoader::OnStopRequest 	uriloader/base/nsDocLoader.cpp:679
23 	xul.dll 	nsLoadGroup::RemoveRequest 	netwerk/base/src/nsLoadGroup.cpp:688
24 	xul.dll 	nsDocument::DoUnblockOnload 	content/base/src/nsDocument.cpp:7016
25 	xul.dll 	nsDocument::UnblockOnload 	content/base/src/nsDocument.cpp:6963
26 	xul.dll 	nsDocument::DispatchContentLoadedEvents 	content/base/src/nsDocument.cpp:3945
27 	xul.dll 	nsRunnableMethod<nsJSChannel>::Run 	obj-firefox/dist/include/xpcom/nsThreadUtils.h:264
28 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
29 	xul.dll 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:227
30 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
31 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:192
32 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3283
33 	firefox.exe 	NS_internal_main 	browser/app/nsBrowserApp.cpp:156
34 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:87
35 	firefox.exe 	__tmainCRTStartup 	obj-firefox/memory/jemalloc/src/crtexe.c:591
36 	kernel32.dll 	BaseProcessStart
Flags: blocking1.9.1?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P3
This could be a fun one to dig into
Assignee: nobody → zweinberg
The crash is on this line:

  presContext->PresShell()->StyleSet()->
    NotifyStyleContextDestroyed(presContext, this);

so that looks like a classic use-after-free problem (as we're in the middle of destroying the pres shell when that happens) but I can't reproduce the crash on Linux even under valgrind.  Will try Windows later today.
But we destroy the frame manager before destroying the style set or clearing out the pres context's back pointer.  (nsPresShell's destructor is pretty carefully ordered; it could use some better comments.)
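Added example, not code from this bug or from the Mozilla tree: a small C++ model of the lifetime dependency the two comments above are reasoning about. A style context's destructor reaches the style set through `presContext->PresShell()->StyleSet()`, so whether that call is safe depends entirely on the order in which the pres shell tears down its frame manager, its style set and the pres context's back pointer. All names here (`TeardownTrace`, `Teardown`, `GetStyleSet`, `Shutdown`, `RunTeardown`) are hypothetical and only mirror the shape of the real classes; "dead" is an explicit flag rather than freed memory so the three orderings can be compared without undefined behaviour.

```cpp
#include <cassert>
#include <memory>
#include <vector>

// Which member the (hypothetical) PresShell::Destroy tears down first.
enum class Teardown { FrameManagerFirst, StyleSetFirst, BackPointerFirst };

// Observations recorded during teardown, so the outcome can be asserted on.
struct TeardownTrace {
    int notifiedLive = 0;  // notifications that reached a live style set
    int notifiedDead = 0;  // notifications into a torn-down style set (the use-after-free case)
    int unreleased = 0;    // contexts the style set was never told about (the silent-leak case)
};

class StyleSet {
public:
    explicit StyleSet(TeardownTrace& t) : mTrace(t) {}
    void AddRef() { ++mOutstanding; }
    void NotifyStyleContextDestroyed() {
        // In the real engine this touches the style set's rule tree; if the set
        // is already gone that is freed memory. Here it is only a flag.
        if (!mAlive) { ++mTrace.notifiedDead; return; }
        --mOutstanding;
        ++mTrace.notifiedLive;
    }
    void Shutdown() { mAlive = false; mTrace.unreleased = mOutstanding; }
private:
    TeardownTrace& mTrace;
    int mOutstanding = 0;
    bool mAlive = true;
};

class PresShell;
struct PresContext { PresShell* mShell = nullptr; };  // back pointer cleared on teardown

class StyleContext {
public:
    explicit StyleContext(PresContext* pc);
    ~StyleContext();
private:
    PresContext* mPresContext;
};

class FrameManager {
public:
    void AddUndisplayed(PresContext* pc) { mUndisplayed.push_back(std::make_unique<StyleContext>(pc)); }
    void Destroy() { mUndisplayed.clear(); }  // destroys the contexts, which notify the style set
private:
    std::vector<std::unique_ptr<StyleContext>> mUndisplayed;
};

class PresShell {
public:
    explicit PresShell(TeardownTrace& t) : mStyleSet(t) { mPresContext.mShell = this; }
    StyleSet* GetStyleSet() { return &mStyleSet; }
    void AddUndisplayed() { mFrameManager.AddUndisplayed(&mPresContext); }
    void Destroy(Teardown order) {
        switch (order) {
        case Teardown::FrameManagerFirst:  // the ordering the comment above describes: safe
            mFrameManager.Destroy(); mStyleSet.Shutdown(); mPresContext.mShell = nullptr; break;
        case Teardown::StyleSetFirst:      // contexts call into a dead style set
            mStyleSet.Shutdown(); mFrameManager.Destroy(); mPresContext.mShell = nullptr; break;
        case Teardown::BackPointerFirst:   // no crash, but every notification is silently dropped
            mPresContext.mShell = nullptr; mFrameManager.Destroy(); mStyleSet.Shutdown(); break;
        }
    }
private:
    StyleSet mStyleSet;
    FrameManager mFrameManager;  // declared after mStyleSet, so destroyed before it by default
    PresContext mPresContext;
};

StyleContext::StyleContext(PresContext* pc) : mPresContext(pc) {
    mPresContext->mShell->GetStyleSet()->AddRef();
}

StyleContext::~StyleContext() {
    // A null check only helps when the back pointer was actually cleared; it
    // cannot detect a pointer that is still set but targets a torn-down object.
    if (mPresContext->mShell)
        mPresContext->mShell->GetStyleSet()->NotifyStyleContextDestroyed();
}

// Builds a shell with three undisplayed contexts and tears it down in the given order.
TeardownTrace RunTeardown(Teardown order) {
    TeardownTrace trace;
    {
        PresShell shell(trace);
        for (int i = 0; i < 3; ++i) shell.AddUndisplayed();
        shell.Destroy(order);
    }
    return trace;
}
```

The point of the third ordering is that clearing the back pointer first makes the crash disappear without fixing anything: the style set simply stops hearing about contexts that still referenced its rule tree, which is the kind of accounting drift the "old rule tree still referenced" assertions later in this bug are there to catch.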
The crash does reproduce on Windows XP in my virtual machine.  I'm not sure yet exactly where it's going off the rails.
*@!#!#(&()@#&%@*(#%_!@$&!(@$&*!_%$!(#%&+

The crash disappears with optimization disabled.
I'm sorry, I'm going to have to give this one back.  My Windows environment is just too slow (two hours for an unoptimized build) and I'm too unfamiliar with the ins and outs of this compiler to fix this bug efficiently.
Assignee: zweinberg → nobody
Dbaron, can you take this?
I'm happy to, since the crash is fixed by the patch in bug 475128.  (There's still another underlying problem shown by the testcase, though, since it still shows the assertions one would expect from a crash fixed by that patch.  That said, the underlying problem in question may well be a duplicate of bug 474377.)
Assignee: nobody → dbaron
Depends on: 474377, 475128
Flags: wanted1.9.1+
Flags: blocking1.9.1-
Flags: blocking1.9.1+
For searching purposes, the assertions currently triggered by this testcase:

###!!! ASSERTION: style context has old rule node: 'n == mRuleTree', file /Users/jruderman/central/layout/style/nsStyleSet.cpp, line 181

###!!! ASSERTION: old rule tree still referenced: 'Not Reached', file /Users/jruderman/central/layout/style/nsStyleSet.cpp, line 947
WFM, no assertions at all now.  I'll add a crashtest.

The crash (and security problem) were fixed by bug 475128 on all active branches, so I'm making this bug public.
Group: core-security
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ nsStyleContext::~nsStyleContext]