477775 - Crash with iExploder test 2203 [@ nsComputedDOMStyle::GetWidth]

Status: VERIFIED FIXED

(Core :: Layout, defect, P2)

Description

[Mats Palmgren (inactive)]

Attachment: Testcase

Crash with iExploder test 2203 [@ nsComputedDOMStyle::GetWidth]
bp-4c74fadc-f5ec-448a-8431-90d0e2090210

@0x0	
nsComputedDOMStyle::GetWidth	layout/style/nsComputedDOMStyle.cpp:2888
nsComputedDOMStyle::GetPropertyCSSValue	layout/style/nsComputedDOMStyle.cpp:366
nsComputedDOMStyle::GetPropertyValue	layout/style/nsComputedDOMStyle.cpp:300
nsComputedDOMStyle::GetPropertyValue	layout/style/nsComputedDOMStyle.cpp:244
CSS2PropertiesTearoff::GetWidth	layout/style/nsCSSPropList.h:543
NS_InvokeByIndex_P	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
XPCWrappedNative::CallMethod	js/src/xpconnect/src/xpcwrappednative.cpp:2424
XPC_WN_GetterSetter	js/src/xpconnect/src/xpcprivate.h:2298
js_Invoke	js/src/jsinterp.cpp:1316
js_InternalInvoke	js/src/jsinterp.cpp:1392
JS_CallFunctionValue	js/src/jsapi.cpp:5299
XPCWrapper::GetOrSetNativeProperty	js/src/xpconnect/src/XPCWrapper.cpp:717
XPC_NW_GetOrSetProperty	js/src/xpconnect/src/XPCNativeWrapper.cpp:597
js_NativeGet	js/src/jsobj.cpp:3853
js_GetPropertyHelper	js/src/jsobj.cpp:4023
js_Interpret	js/src/jsinterp.cpp:4297
js_Invoke	js/src/jsinterp.cpp:1334
nsXPCWrappedJSClass::CallMethod	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1606
nsXPCWrappedJS::CallMethod	js/src/xpconnect/src/xpcwrappedjs.cpp:561
PrepareAndDispatch	xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
PrepareAndDispatch	
nsEventListenerManager::HandleEventSubType	content/events/src/nsEventListenerManager.cpp:1079
nsEventListenerManager::HandleEvent	content/events/src/nsEventListenerManager.cpp:1176
nsEventTargetChainItem::HandleEvent	content/events/src/nsEventDispatcher.cpp:227
nsEventTargetChainItem::HandleEventTargetChain	content/events/src/nsEventDispatcher.cpp:291
nsEventDispatcher::Dispatch	content/events/src/nsEventDispatcher.cpp:508
DocumentViewerImpl::LoadComplete	layout/base/nsDocumentViewer.cpp:997
nsDocShell::EndPageLoad	docshell/base/nsDocShell.cpp:5243
nsWebShell::EndPageLoad	docshell/base/nsWebShell.cpp:1015
nsDocShell::OnStateChange	docshell/base/nsDocShell.cpp:5139
nsDocLoader::FireOnStateChange	uriloader/base/nsDocLoader.cpp:1235
nsDocLoader::doStopDocumentLoad	uriloader/base/nsDocLoader.cpp:858
nsDocLoader::DocLoaderIsEmpty	uriloader/base/nsDocLoader.cpp:763
nsDocLoader::OnStopRequest	uriloader/base/nsDocLoader.cpp:679
nsLoadGroup::RemoveRequest	netwerk/base/src/nsLoadGroup.cpp:688
nsDocument::DoUnblockOnload	content/base/src/nsDocument.cpp:7080
nsDocument::DispatchContentLoadedEvents	content/base/src/nsDocument.cpp:3983
nsRunnableMethod<nsDocument>::Run	nsThreadUtils.h:264
nsThread::ProcessNextEvent	xpcom/threads/nsThread.cpp:510
NS_ProcessPendingEvents_P	nsThreadUtils.cpp:180
nsBaseAppShell::NativeEventCallback	widget/src/xpwidgets/nsBaseAppShell.cpp:121
nsAppShell::ProcessGeckoEvents	widget/src/cocoa/nsAppShell.mm:381
CoreFoundation@0x735f4	
CoreFoundation@0x73cd7	
HIToolbox@0x302bf	
HIToolbox@0x300d8	
HIToolbox@0x2ff4c	
AppKit@0x40d7c	
AppKit@0x4062f	
AppKit@0x3966a	
nsAppShell::Run	widget/src/cocoa/nsAppShell.mm:700
nsAppStartup::Run	toolkit/components/startup/src/nsAppStartup.cpp:192
XRE_main	toolkit/xre/nsAppRunner.cpp:3216
main	browser/app/nsBrowserApp.cpp:156

Comment 1

[Mats Palmgren (inactive)]

Attachment: stack from a Linux debug build

Comment 2

[Jesse Ruderman]

I'll try to make a reduced testcase.

The crash looks a lot like the one in bug 473410.

Comment 3

[Jesse Ruderman]

Attachment: slightly reduced testcase

Lithium was not able to remove much, despite the heterogeneity of the testcase.  Weird!

Comment 4

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Does the patch in bug 454276 fix this?

Comment 5

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Both testcases work for me in a 64-bit Linux debug build and both 32-bit and 64-bit Linux nightlies.

Comment 6

[Robert O'Callahan (:roc) (email my personal email if necessary)]

I don't crash on Mac debug either.

Jesse, what's your configuration these days?

Comment 8

[Olli Pettay [:smaug][bugs@pettay.fi]]

I can reproduce the crash (64bit linux / debug), and the patch for bug 454276
does fix it.

Comment 9

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Any chance you could check that the new "alternative patch" (attachment 363493 [details] [diff] [review]) there also fixes it?

Comment 10

[Mats Palmgren (inactive)]

Yes, the new "alternative patch" fixes it.

Comment 11

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Fixed by checkin of bug 454276.

Comment 12

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Fixed for 1.9.0.8 by checkin to CVS trunk of bug 454276, 2009-03-08 12:16 -0700.

Comment 13

[Al Billings [:abillings - ex-MoCo]]

This requires debug builds to repro the crash? I've tried it on OS X and Linux non-debug and get no crash with the testcase 2.

Comment 14

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

I could never reproduce the crash, and I was using debug builds.

Comment 15

[Carsten Book [:Tomcat]]

verified fixed 1.9.0.9 using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;
en-US; rv:1.9.0.9pre) Gecko/2009040221 Firefox/3.0.9pre (debug build) + : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9pre) Gecko/2009040214 Minefield/3.0.9pre - no crash on testcases

Comment 16

[Jesse Ruderman]

in-testsuite- because we were never able to make a reduced testcase.

Comment 17

[Aakash Desai [:aakashd]]

verified FIXED on builds: 
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090421 Minefield/3.6a1pre ID:20090421032809

and

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090421 Shiretoko/3.5b4pre ID:20090421030848