Closed Bug 472668 Opened 16 years ago Closed 16 years ago

Crash [@ nsFrame::GetBoxAscent] with binding, observes and DOMAttrModified

Categories

(Core :: XUL, defect, P3)

Product:
Core
Component:
XUL
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: smaug)

References

Details

(5 keywords, Whiteboard: [sg:critical?] fixed by 468211)

Crash Data

Attachments

(3 files, 2 obsolete files)

binding needed for testcase
266 bytes, text/xml
Details
testcase v3
405 bytes, application/vnd.mozilla.xul+xml
Details
zipped up testcase
601 bytes, application/zip
Details
See upcoming testcase, which crashes current trunk build. It also crashes Firefox 3, so marking security sensitive for now. It doesn't crash Firefox 2, I can look for a regression range, if wanted. http://crash-stats.mozilla.com/report/index/4d1fdf06-c323-4d3c-baeb-f3cf12090108?p=1 0 xul.dll nsFrame::GetBoxAscent layout/generic/nsFrame.cpp:6352 1 xul.dll nsSprocketLayout::GetAscent layout/xul/base/src/nsSprocketLayout.cpp:1525 2 xul.dll nsStyleContext::GetStyleVisibility layout/style/nsStyleStructList.h:103
Attached file testcase (obsolete) —
Flags: wanted1.8.1.x-
###!!! ASSERTION: element not in the document: 'doc', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsChildIterator.cpp, line 62 ###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsFrameManager.cpp, line 850 frame: Block(div)(-1) (0xad3c62b0) style: 0xad3b8ca8 {} Has parent context: style: 0xad3b8834 {} Should be null WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10983 ###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsFrameManager.cpp, line 850 frame: Block(div)(-1) (0xad3c62b0) style: 0xad3b8ca8 {} Has parent context: style: 0xad3b8834 {} Should be null WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10983 ###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsFrameManager.cpp, line 850 frame: Block(div)(-1) (0xad3c62b0) style: 0xad3b8ca8 {} Has parent context: style: 0xad3b8834 {} Should be null
Perhaps this is related to bug 468211?
Flags: blocking1.9.1?
The output in comment 2 makes it look very related.
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P3
Whiteboard: [sg:critical?]
This does still crash, although bug 468211 doesn't
(In reply to comment #5) > This does still crash, although bug 468211 doesn't I was wrong, bug 468211 does still crash.
Assignee: nobody → Olli.Pettay
Status: NEW → ASSIGNED
Component: Layout → XUL
QA Contact: layout → xptoolkit.widgets
the patch for Bug 468211 fixes this one too.
Flags: wanted1.9.1+
Flags: blocking1.9.1-
Flags: blocking1.9.1+
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Keywords: fixed1.9.1
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090201 Minefield/3.2a1pre (.NET CLR 3.5.30729)
Status: RESOLVED → VERIFIED
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.7?
Flags: blocking1.9.0.7? → blocking1.9.0.8?
Attached file testcase v2 (obsolete) —
updated testcase for bugzilla's new attachment names
Attachment #355971 - Attachment is obsolete: true
Attached file testcase v3
Sorry, uploaded the original again
Attachment #364790 - Attachment is obsolete: true
I cannot get the testcase to run correctly from bugzilla due to whatever redirecting magic we're doing. Despite directly referencing the pseudo sub-domain correctly I get a non-same-origin security warning: Security Error: Content at https://bug472668.bugzilla.mozilla.org/attachment.cgi?id=355970 may not load data from https://bugzilla.mozilla.org/attachment.cgi?id=355970. The binding can't access itself? (note it's the same attachment number) As a local file I don't get a crash either. Martijn: can you still repro this problem in 1.9.0.x? I do get some of the same assertions: ###!!! ASSERTION: killing mutation events: 'nsContentUtils::IsSafeToRunScript()', file ../../../dist/include/content/nsContentUtils.h, line 1446 WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file ../../dist/include/layout/nsPresContext.h, line 971 ###!!! ASSERTION: element not in the document: 'doc', file /Users/daniel/dev/ff3/mozilla/layout/base/nsChildIterator.cpp, line 62 ###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/daniel/dev/ff3/mozilla/layout/base/nsFrameManager.cpp, line 834 frame: Block(div)(-1) (0x1ef37e78) style: 0x1ef37abc {} Has parent context: style: 0x1ef37700 {} Should be null WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /Users/daniel/dev/ff3/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11238 ###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/daniel/dev/ff3/mozilla/layout/base/nsFrameManager.cpp, line 834 frame: Block(div)(-1) (0x1ef37e78) style: 0x1ef37abc {} Has parent context: style: 0x1ef37700 {} Should be null WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /Users/daniel/dev/ff3/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11238 ###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/daniel/dev/ff3/mozilla/layout/base/nsFrameManager.cpp, line 834 frame: Block(div)(-1) (0x1ef37e78) style: 0x1ef37abc {} Has parent context: style: 0x1ef37700 {} Should be null ###!!! ASSERTION: style context has old rule node: 'n == mRuleTree', file /Users/daniel/dev/ff3/mozilla/layout/style/nsStyleSet.cpp, line 159 ###!!! ASSERTION: old rule tree still referenced: 'Not Reached', file /Users/daniel/dev/ff3/mozilla/layout/style/nsStyleSet.cpp, line 936 --DOMWINDOW == 17 (0x194609ec) [serial = 84] [outer = 0x174b1da0] [url = file:///Users/Daniel/dev/test/bug472668.xul]
Martijn, can we get a new test case for this?
Whiteboard: [sg:critical?] → [sg:critical?] Need answer to comment 11 from Martijn
Attached file zipped up testcase
This one crashes (in builds prior to the fix) when opening the tt.xul file. Fwiw, because of bugzilla's current brokenness, I've stopped trying to get testcases that crash online, when the crash depends on multiple files. Instead, I'm now just attaching the zipped up testcase.
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090208 Shiretoko/3.1b3pre (.NET CLR 3.5.30729) I noticed that it crashed in a 1.9.1 build from 2009-01-19. Oddly enough, it didn't seem to crash in a Firefox3.0.7 build.
Keywords: fixed1.9.1verified1.9.1
Whiteboard: [sg:critical?] Need answer to comment 11 from Martijn → [sg:critical?]
(In reply to comment #7) > the patch for Bug 468211 fixes this one too.
Flags: blocking1.9.0.8? → blocking1.9.0.9?
Whiteboard: [sg:critical?] → [sg:critical?] fixed by 468211
Flags: blocking1.9.0.10? → blocking1.9.0.10+
Flags: blocking1.9.0.10+ → blocking1.9.0.11+
fixed in bug 445177
Keywords: fixed1.9.0.12
Keywords: fixed1.9.0.12
The assertions are fixed now in 1.9.0.12. I can't reliably reproduce the crash on 1.9.0.x
Keywords: fixed1.9.0.12
Marking verified1.9.0.12. I can't reproduce the crash either.
Keywords: fixed1.9.0.12verified1.9.0.12
Group: core-security
Crash Signature: [@ nsFrame::GetBoxAscent]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: