Bug 472668 - Crash [@ nsFrame::GetBoxAscent] with binding, observes and DOMAttrModified
Status: VERIFIED FIXED
[sg:critical?] fixed by 468211
Keywords: crash, regression, testcase, verified1.9.0.12, verified1.9.1
Product: Core
Classification: Components
Component: XUL
Version: Trunk
Platform: x86 Windows XP
Importance: P3 critical
Target Milestone: ---
Assigned To: Olli Pettay [:smaug] (pto-ish for couple of days)
: Neil Deakin
Mentors:
Depends on: 468211
Blocks:
Reported: 2009-01-08 06:44 PST by Martijn Wargers [:mwargers]
Modified: 2011-06-13 10:01 PDT
roc: blocking1.9.1-
roc: wanted1.9.1+
dveditz: blocking1.9.0.12+
dveditz: wanted1.9.0.x+
samuel.sidler+old: wanted1.8.1.x-
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
binding needed for testcase (266 bytes, text/xml)
2009-01-08 06:44 PST, Martijn Wargers [:mwargers]
testcase (394 bytes, application/vnd.mozilla.xul+xml)
2009-01-08 06:45 PST, Martijn Wargers [:mwargers]
testcase v2 (394 bytes, application/vnd.mozilla.xul+xml)
2009-03-01 10:05 PST, Daniel Veditz [:dveditz]
testcase v3 (405 bytes, application/vnd.mozilla.xul+xml)
2009-03-01 10:06 PST, Daniel Veditz [:dveditz]
zipped up testcase (601 bytes, application/zip)
2009-03-12 06:46 PDT, Martijn Wargers [:mwargers]

Description Martijn Wargers [:mwargers] 2009-01-08 06:44:42 PST
Created attachment 355970
binding needed for testcase

See upcoming testcase, which crashes current trunk build.
It also crashes Firefox 3, so marking security sensitive for now.
It doesn't crash Firefox 2, I can look for a regression range, if wanted.

http://crash-stats.mozilla.com/report/index/4d1fdf06-c323-4d3c-baeb-f3cf12090108?p=1
0	xul.dll	nsFrame::GetBoxAscent	layout/generic/nsFrame.cpp:6352
1	xul.dll	nsSprocketLayout::GetAscent	layout/xul/base/src/nsSprocketLayout.cpp:1525
2	xul.dll	nsStyleContext::GetStyleVisibility	layout/style/nsStyleStructList.h:103
Comment 1 Martijn Wargers [:mwargers] 2009-01-08 06:45:21 PST
Created attachment 355971
testcase
Comment 2 Olli Pettay [:smaug] (pto-ish for couple of days) 2009-01-08 08:47:55 PST
###!!! ASSERTION: element not in the document: 'doc', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsChildIterator.cpp, line 62
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsFrameManager.cpp, line 850
frame: Block(div)(-1) (0xad3c62b0) style: 0xad3b8ca8 {}
Has parent context:  style: 0xad3b8834 {}
Should be null

WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10983
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsFrameManager.cpp, line 850
frame: Block(div)(-1) (0xad3c62b0) style: 0xad3b8ca8 {}
Has parent context:  style: 0xad3b8834 {}
Should be null

WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10983
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsFrameManager.cpp, line 850
frame: Block(div)(-1) (0xad3c62b0) style: 0xad3b8ca8 {}
Has parent context:  style: 0xad3b8834 {}
Should be null
Comment 3 Martijn Wargers [:mwargers] 2009-01-09 01:53:35 PST
Perhaps this is related to bug 468211?
Comment 4 David Baron :dbaron: ⌚️UTC-8 2009-01-20 11:20:07 PST
The output in comment 2 makes it look very related.
Comment 5 Olli Pettay [:smaug] (pto-ish for couple of days) 2009-01-26 01:45:59 PST
This does still crash, although bug 468211 doesn't.
Comment 6 Olli Pettay [:smaug] (pto-ish for couple of days) 2009-01-26 01:51:53 PST
(In reply to comment #5)
> This does still crash, although bug 468211 doesn't
I was wrong, bug 468211 does still crash.
Comment 7 Olli Pettay [:smaug] (pto-ish for couple of days) 2009-01-29 02:25:43 PST
The patch for bug 468211 fixes this one too.
Comment 8 Martijn Wargers [:mwargers] 2009-02-01 08:14:31 PST
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090201 Minefield/3.2a1pre (.NET CLR 3.5.30729)
Comment 9 Daniel Veditz [:dveditz] 2009-03-01 10:05:06 PST
Created attachment 364790
testcase v2

Updated testcase for Bugzilla's new attachment names.
Comment 10 Daniel Veditz [:dveditz] 2009-03-01 10:06:17 PST
Created attachment 364791
testcase v3

Sorry, uploaded the original again.
Comment 11 Daniel Veditz [:dveditz] 2009-03-01 10:27:36 PST
I cannot get the testcase to run correctly from bugzilla due to whatever redirecting magic we're doing. Despite directly referencing the pseudo sub-domain correctly I get a non-same-origin security warning:

Security Error: Content at https://bug472668.bugzilla.mozilla.org/attachment.cgi?id=355970 may not load data from https://bugzilla.mozilla.org/attachment.cgi?id=355970.

The binding can't access itself? (note it's the same attachment number)

As a local file I don't get a crash either. Martijn: can you still repro this problem in 1.9.0.x? I do get some of the same assertions:

###!!! ASSERTION: killing mutation events: 'nsContentUtils::IsSafeToRunScript()', file ../../../dist/include/content/nsContentUtils.h, line 1446
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file ../../dist/include/layout/nsPresContext.h, line 971
###!!! ASSERTION: element not in the document: 'doc', file /Users/daniel/dev/ff3/mozilla/layout/base/nsChildIterator.cpp, line 62
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/daniel/dev/ff3/mozilla/layout/base/nsFrameManager.cpp, line 834
frame: Block(div)(-1) (0x1ef37e78) style: 0x1ef37abc {}
Has parent context:  style: 0x1ef37700 {}
Should be null

WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /Users/daniel/dev/ff3/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11238
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/daniel/dev/ff3/mozilla/layout/base/nsFrameManager.cpp, line 834
frame: Block(div)(-1) (0x1ef37e78) style: 0x1ef37abc {}
Has parent context:  style: 0x1ef37700 {}
Should be null

WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /Users/daniel/dev/ff3/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11238
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/daniel/dev/ff3/mozilla/layout/base/nsFrameManager.cpp, line 834
frame: Block(div)(-1) (0x1ef37e78) style: 0x1ef37abc {}
Has parent context:  style: 0x1ef37700 {}
Should be null

###!!! ASSERTION: style context has old rule node: 'n == mRuleTree', file /Users/daniel/dev/ff3/mozilla/layout/style/nsStyleSet.cpp, line 159
###!!! ASSERTION: old rule tree still referenced: 'Not Reached', file /Users/daniel/dev/ff3/mozilla/layout/style/nsStyleSet.cpp, line 936
--DOMWINDOW == 17 (0x194609ec) [serial = 84] [outer = 0x174b1da0] [url = file:///Users/Daniel/dev/test/bug472668.xul]
Comment 12 Al Billings [:abillings] 2009-03-06 11:16:03 PST
Martijn, can we get a new test case for this?
Comment 13 Martijn Wargers [:mwargers] 2009-03-12 06:46:21 PDT
Created attachment 367035
zipped up testcase

This one crashes (in builds prior to the fix) when opening the tt.xul file.

Fwiw, because of bugzilla's current brokenness, I've stopped trying to get testcases that crash online, when the crash depends on multiple files. Instead, I'm now just attaching the zipped up testcase.
Comment 14 Martijn Wargers [:mwargers] 2009-03-12 06:47:31 PDT
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090208 Shiretoko/3.1b3pre (.NET CLR 3.5.30729)

I noticed that it crashed in a 1.9.1 build from 2009-01-19.

Oddly enough, it didn't seem to crash in a Firefox 3.0.7 build.
Comment 15 Daniel Veditz [:dveditz] 2009-03-16 14:20:20 PDT
(In reply to comment #7)
> the patch for Bug 468211 fixes this one too.
Comment 16 Olli Pettay [:smaug] (pto-ish for couple of days) 2009-06-14 08:14:03 PDT
Fixed in bug 445177.
Comment 17 Olli Pettay [:smaug] (pto-ish for couple of days) 2009-06-15 00:41:31 PDT
The assertions are fixed now in 1.9.0.12. I can't reliably reproduce the crash on 1.9.0.x.
Comment 18 Al Billings [:abillings] 2009-06-30 16:53:59 PDT
Marking verified1.9.0.12. I can't reproduce the crash either.