Crash [@ nsFrame::GetBoxAscent] with binding, observes and DOMAttrModified

VERIFIED FIXED

Status

Product: Core
Component: XUL
Priority: P3
Severity: critical
Status: VERIFIED FIXED
Reported: 8 years ago
Modified: 6 years ago

People

(Reporter: Martijn Wargers (dead), Assigned: smaug)

Tracking

(5 keywords)

Version: Trunk
Platform: x86, Windows XP
Keywords: crash, regression, testcase, verified1.9.0.12, verified1.9.1
Bug Flags:
blocking1.9.1 -
wanted1.9.1 +
blocking1.9.0.12 +
wanted1.9.0.x +
wanted1.8.1.x -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] fixed by 468211, crash signature)

Attachments

(3 attachments, 2 obsolete attachments)

266 bytes, text/xml
405 bytes, application/vnd.mozilla.xul+xml
601 bytes, application/zip
(Reporter)

Description

8 years ago
Created attachment 355970 [details]
binding needed for testcase

See upcoming testcase, which crashes current trunk build.
It also crashes Firefox 3, so marking security sensitive for now.
It doesn't crash Firefox 2, I can look for a regression range, if wanted.

http://crash-stats.mozilla.com/report/index/4d1fdf06-c323-4d3c-baeb-f3cf12090108?p=1
0  xul.dll  nsFrame::GetBoxAscent  layout/generic/nsFrame.cpp:6352
1  xul.dll  nsSprocketLayout::GetAscent  layout/xul/base/src/nsSprocketLayout.cpp:1525
2  xul.dll  nsStyleContext::GetStyleVisibility  layout/style/nsStyleStructList.h:103
(Reporter)

Comment 1

8 years ago
Created attachment 355971 [details]
testcase
Flags: wanted1.8.1.x-
(Assignee)

Comment 2

8 years ago
###!!! ASSERTION: element not in the document: 'doc', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsChildIterator.cpp, line 62
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsFrameManager.cpp, line 850
frame: Block(div)(-1) (0xad3c62b0) style: 0xad3b8ca8 {}
Has parent context:  style: 0xad3b8834 {}
Should be null

WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10983
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsFrameManager.cpp, line 850
frame: Block(div)(-1) (0xad3c62b0) style: 0xad3b8ca8 {}
Has parent context:  style: 0xad3b8834 {}
Should be null

WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10983
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsFrameManager.cpp, line 850
frame: Block(div)(-1) (0xad3c62b0) style: 0xad3b8ca8 {}
Has parent context:  style: 0xad3b8834 {}
Should be null
(Reporter)

Comment 3

8 years ago
Perhaps this is related to bug 468211?
Flags: blocking1.9.1?
The output in comment 2 makes it look very related.
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P3
Whiteboard: [sg:critical?]
Depends on: 468211
(Assignee)

Comment 5

8 years ago
This does still crash, although bug 468211 doesn't
(Assignee)

Comment 6

8 years ago
(In reply to comment #5)
> This does still crash, although bug 468211 doesn't
I was wrong, bug 468211 does still crash.
(Assignee)

Updated

8 years ago
Assignee: nobody → Olli.Pettay
(Assignee)

Updated

8 years ago
Status: NEW → ASSIGNED
(Assignee)

Updated

8 years ago
Component: Layout → XUL
QA Contact: layout → xptoolkit.widgets
(Assignee)

Comment 7

8 years ago
The patch for bug 468211 fixes this one too.
Flags: wanted1.9.1+
Flags: blocking1.9.1-
Flags: blocking1.9.1+
(Assignee)

Updated

8 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Assignee)

Updated

8 years ago
Keywords: fixed1.9.1
(Reporter)

Comment 8

8 years ago
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090201 Minefield/3.2a1pre (.NET CLR 3.5.30729)
Status: RESOLVED → VERIFIED
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.7?
Flags: blocking1.9.0.7? → blocking1.9.0.8?
Created attachment 364790 [details]
testcase v2

updated testcase for bugzilla's new attachment names
Attachment #355971 - Attachment is obsolete: true
Created attachment 364791 [details]
testcase v3

Sorry, uploaded the original again
Attachment #364790 - Attachment is obsolete: true
I cannot get the testcase to run correctly from bugzilla due to whatever redirecting magic we're doing. Despite directly referencing the pseudo sub-domain correctly I get a non-same-origin security warning:

Security Error: Content at https://bug472668.bugzilla.mozilla.org/attachment.cgi?id=355970 may not load data from https://bugzilla.mozilla.org/attachment.cgi?id=355970.

The binding can't access itself? (note it's the same attachment number)

As a local file I don't get a crash either. Martijn: can you still repro this problem in 1.9.0.x? I do get some of the same assertions:

###!!! ASSERTION: killing mutation events: 'nsContentUtils::IsSafeToRunScript()', file ../../../dist/include/content/nsContentUtils.h, line 1446
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file ../../dist/include/layout/nsPresContext.h, line 971
###!!! ASSERTION: element not in the document: 'doc', file /Users/daniel/dev/ff3/mozilla/layout/base/nsChildIterator.cpp, line 62
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/daniel/dev/ff3/mozilla/layout/base/nsFrameManager.cpp, line 834
frame: Block(div)(-1) (0x1ef37e78) style: 0x1ef37abc {}
Has parent context:  style: 0x1ef37700 {}
Should be null

WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /Users/daniel/dev/ff3/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11238
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/daniel/dev/ff3/mozilla/layout/base/nsFrameManager.cpp, line 834
frame: Block(div)(-1) (0x1ef37e78) style: 0x1ef37abc {}
Has parent context:  style: 0x1ef37700 {}
Should be null

WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /Users/daniel/dev/ff3/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11238
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/daniel/dev/ff3/mozilla/layout/base/nsFrameManager.cpp, line 834
frame: Block(div)(-1) (0x1ef37e78) style: 0x1ef37abc {}
Has parent context:  style: 0x1ef37700 {}
Should be null

###!!! ASSERTION: style context has old rule node: 'n == mRuleTree', file /Users/daniel/dev/ff3/mozilla/layout/style/nsStyleSet.cpp, line 159
###!!! ASSERTION: old rule tree still referenced: 'Not Reached', file /Users/daniel/dev/ff3/mozilla/layout/style/nsStyleSet.cpp, line 936
--DOMWINDOW == 17 (0x194609ec) [serial = 84] [outer = 0x174b1da0] [url = file:///Users/Daniel/dev/test/bug472668.xul]
Martijn, can we get a new test case for this?
Whiteboard: [sg:critical?] → [sg:critical?] Need answer to comment 11 from Martijn
(Reporter)

Comment 13

8 years ago
Created attachment 367035 [details]
zipped up testcase

This one crashes (in builds prior to the fix) when opening the tt.xul file.

Fwiw, because of bugzilla's current brokenness, I've stopped trying to get testcases that crash online, when the crash depends on multiple files. Instead, I'm now just attaching the zipped up testcase.
(Reporter)

Comment 14

8 years ago
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090208 Shiretoko/3.1b3pre (.NET CLR 3.5.30729)

I noticed that it crashed in a 1.9.1 build from 2009-01-19.

Oddly enough, it didn't seem to crash in a Firefox 3.0.7 build.
Keywords: fixed1.9.1 → verified1.9.1
Whiteboard: [sg:critical?] Need answer to comment 11 from Martijn → [sg:critical?]
(In reply to comment #7)
> the patch for Bug 468211 fixes this one too.
Flags: blocking1.9.0.8? → blocking1.9.0.9?
Whiteboard: [sg:critical?] → [sg:critical?] fixed by 468211
Flags: blocking1.9.0.10? → blocking1.9.0.10+
Flags: blocking1.9.0.10+ → blocking1.9.0.11+
(Assignee)

Comment 16

8 years ago
fixed in bug 445177
Keywords: fixed1.9.0.12
(Assignee)

Updated

8 years ago
Keywords: fixed1.9.0.12
(Assignee)

Comment 17

8 years ago
The assertions are fixed now in 1.9.0.12. I can't reliably reproduce the crash on 1.9.0.x.
Keywords: fixed1.9.0.12
Marking verified1.9.0.12. I can't reproduce the crash either.
Keywords: fixed1.9.0.12 → verified1.9.0.12
Group: core-security
Crash Signature: [@ nsFrame::GetBoxAscent]