Closed Bug 472668 Opened 11 years ago Closed 11 years ago

Crash [@ nsFrame::GetBoxAscent] with binding, observes and DOMAttrModified

Categories

Core :: XUL, defect, P3, critical
Platform: x86, Windows XP
Tracking

Status: VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: smaug)

References

Details

(5 keywords, Whiteboard: [sg:critical?] fixed by 468211)

Crash Data

Attachments

(3 files, 2 obsolete files)

- 266 bytes, text/xml
- 405 bytes, application/vnd.mozilla.xul+xml
- 601 bytes, application/zip
See upcoming testcase, which crashes current trunk build.
It also crashes Firefox 3, so marking security sensitive for now.
It doesn't crash Firefox 2, I can look for a regression range, if wanted.

http://crash-stats.mozilla.com/report/index/4d1fdf06-c323-4d3c-baeb-f3cf12090108?p=1
0  xul.dll  nsFrame::GetBoxAscent  layout/generic/nsFrame.cpp:6352
1  xul.dll  nsSprocketLayout::GetAscent  layout/xul/base/src/nsSprocketLayout.cpp:1525
2  xul.dll  nsStyleContext::GetStyleVisibility  layout/style/nsStyleStructList.h:103
Attached file testcase (obsolete)
Flags: wanted1.8.1.x-
###!!! ASSERTION: element not in the document: 'doc', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsChildIterator.cpp, line 62
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsFrameManager.cpp, line 850
frame: Block(div)(-1) (0xad3c62b0) style: 0xad3b8ca8 {}
Has parent context:  style: 0xad3b8834 {}
Should be null

WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10983
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsFrameManager.cpp, line 850
frame: Block(div)(-1) (0xad3c62b0) style: 0xad3b8ca8 {}
Has parent context:  style: 0xad3b8834 {}
Should be null

WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10983
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsFrameManager.cpp, line 850
frame: Block(div)(-1) (0xad3c62b0) style: 0xad3b8ca8 {}
Has parent context:  style: 0xad3b8834 {}
Should be null
Perhaps this is related to bug 468211?
Flags: blocking1.9.1?
The output in comment 2 makes it look very related.
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P3
Whiteboard: [sg:critical?]
This does still crash, although bug 468211 doesn't
(In reply to comment #5)
> This does still crash, although bug 468211 doesn't
I was wrong, bug 468211 does still crash.
Assignee: nobody → Olli.Pettay
Status: NEW → ASSIGNED
Component: Layout → XUL
QA Contact: layout → xptoolkit.widgets
the patch for Bug 468211 fixes this one too.
Flags: wanted1.9.1+
Flags: blocking1.9.1-
Flags: blocking1.9.1+
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Keywords: fixed1.9.1
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090201 Minefield/3.2a1pre (.NET CLR 3.5.30729)
Status: RESOLVED → VERIFIED
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.7?
Flags: blocking1.9.0.7? → blocking1.9.0.8?
Attached file testcase v2 (obsolete)
updated testcase for bugzilla's new attachment names
Attachment #355971 - Attachment is obsolete: true
Attached file testcase v3
Sorry, uploaded the original again
Attachment #364790 - Attachment is obsolete: true
I cannot get the testcase to run correctly from bugzilla due to whatever redirecting magic we're doing. Despite directly referencing the pseudo sub-domain correctly I get a non-same-origin security warning:

Security Error: Content at https://bug472668.bugzilla.mozilla.org/attachment.cgi?id=355970 may not load data from https://bugzilla.mozilla.org/attachment.cgi?id=355970.

The binding can't access itself? (note it's the same attachment number)

As a local file I don't get a crash either. Martijn: can you still repro this problem in 1.9.0.x? I do get some of the same assertions:

###!!! ASSERTION: killing mutation events: 'nsContentUtils::IsSafeToRunScript()', file ../../../dist/include/content/nsContentUtils.h, line 1446
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file ../../dist/include/layout/nsPresContext.h, line 971
###!!! ASSERTION: element not in the document: 'doc', file /Users/daniel/dev/ff3/mozilla/layout/base/nsChildIterator.cpp, line 62
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/daniel/dev/ff3/mozilla/layout/base/nsFrameManager.cpp, line 834
frame: Block(div)(-1) (0x1ef37e78) style: 0x1ef37abc {}
Has parent context:  style: 0x1ef37700 {}
Should be null

WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /Users/daniel/dev/ff3/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11238
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/daniel/dev/ff3/mozilla/layout/base/nsFrameManager.cpp, line 834
frame: Block(div)(-1) (0x1ef37e78) style: 0x1ef37abc {}
Has parent context:  style: 0x1ef37700 {}
Should be null

WARNING: NS_ENSURE_TRUE(aContent->GetDocument()) failed: file /Users/daniel/dev/ff3/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11238
###!!! ASSERTION: Have parent context and shouldn't: 'Error', file /Users/daniel/dev/ff3/mozilla/layout/base/nsFrameManager.cpp, line 834
frame: Block(div)(-1) (0x1ef37e78) style: 0x1ef37abc {}
Has parent context:  style: 0x1ef37700 {}
Should be null

###!!! ASSERTION: style context has old rule node: 'n == mRuleTree', file /Users/daniel/dev/ff3/mozilla/layout/style/nsStyleSet.cpp, line 159
###!!! ASSERTION: old rule tree still referenced: 'Not Reached', file /Users/daniel/dev/ff3/mozilla/layout/style/nsStyleSet.cpp, line 936
--DOMWINDOW == 17 (0x194609ec) [serial = 84] [outer = 0x174b1da0] [url = file:///Users/Daniel/dev/test/bug472668.xul]
Martijn, can we get a new test case for this?
Whiteboard: [sg:critical?] → [sg:critical?] Need answer to comment 11 from Martijn
Attached file zipped up testcase
This one crashes (in builds prior to the fix) when opening the tt.xul file.

Fwiw, because of bugzilla's current brokenness, I've stopped trying to get testcases that crash online, when the crash depends on multiple files. Instead, I'm now just attaching the zipped up testcase.
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090208 Shiretoko/3.1b3pre (.NET CLR 3.5.30729)

I noticed that it crashed in a 1.9.1 build from 2009-01-19.

Oddly enough, it didn't seem to crash in a Firefox 3.0.7 build.
Whiteboard: [sg:critical?] Need answer to comment 11 from Martijn → [sg:critical?]
(In reply to comment #7)
> the patch for Bug 468211 fixes this one too.
Flags: blocking1.9.0.8? → blocking1.9.0.9?
Whiteboard: [sg:critical?] → [sg:critical?] fixed by 468211
Flags: blocking1.9.0.10? → blocking1.9.0.10+
Flags: blocking1.9.0.10+ → blocking1.9.0.11+
fixed in bug 445177
Keywords: fixed1.9.0.12
Keywords: fixed1.9.0.12
The assertions are fixed now in 1.9.0.12. I can't reliably reproduce the crash on 1.9.0.x.
Keywords: fixed1.9.0.12
Marking verified1.9.0.12. I can't reproduce the crash either.
Group: core-security
Crash Signature: [@ nsFrame::GetBoxAscent]