Closed Bug 478527 Opened 11 years ago Closed 11 years ago

Crash [@ BuildTextRunsScanner::ScanFrame] with ireflow, word-wrap:break-word

Categories

(Core :: Layout, defect, P2, critical)

x86
macOS
defect

Tracking

RESOLVED FIXED
Tracking Status
status1.9.2 --- beta1-fixed
status1.9.1 --- unaffected

People

(Reporter: jruderman, Unassigned)

References

(Blocks 2 open bugs)

Details

(5 keywords, Whiteboard: [sg:critical])

Crash Data

Attachments

(2 files)

Steps to reproduce:
1. Apply the ireflow patch (bug 67752 comment 56).
2. Set the following environment variables:
  export GECKO_REFLOW_INTERRUPT_MODE=counter
  export GECKO_REFLOW_INTERRUPT_CHECKS_TO_SKIP=1
  export GECKO_REFLOW_INTERRUPT_FREQUENCY=1
3. Load the testcase
4. Wait a few seconds

Result:

###!!! ASSERTION: Could not find frame to remove!: 'NS_SUCCEEDED(rv)', file /Users/jruderman/central/layout/generic/nsContainerFrame.cpp, line 230

WARNING: Scanning overflow inline frames is something we should avoid: '!result.mOverflowFrameToScan', file /Users/jruderman/central/layout/generic/nsTextFrameThebes.cpp, line 868

Crash [@ BuildTextRunsScanner::ScanFrame]
I saw this crash once in a way that was very much not a null deref.
Group: core-security
Whiteboard: [sg:critical]
Flags: wanted1.9.1.x?
Flags: wanted1.9.0.x?
Isn't this an ireflow issue? How does this affect 1.9.0 (and 1.9.1, if it doesn't end up landing, which so far seems to be the case)?
Imo it doesn't.
Attached file testcase2
This testcase seems to crash with the same stacktrace. It regressed between 2009-05-05 and 2009-05-07, so also a regression from bug 67752, probably.
You need to have the dom.disable_window_move_resize pref set to true, to see the crash happening. Also, selecting some text, moving the mouse over the document may speed up the crash from happening.

http://crash-stats.mozilla.com/report/index/0e9524f4-6f99-4afc-95ff-a502a2090629?p=1
0   xul.dll   BuildTextRunsScanner::ScanFrame     layout/generic/nsTextFrameThebes.cpp:1360
1   xul.dll   BuildTextRunsScanner::ScanFrame     layout/generic/nsTextFrameThebes.cpp:1407
2   xul.dll   BuildTextRuns                       layout/generic/nsTextFrameThebes.cpp:1122
3   xul.dll   nsTextFrame::EnsureTextRun          layout/generic/nsTextFrameThebes.cpp:2001
4   xul.dll   nsTextFrame::Reflow                 layout/generic/nsTextFrameThebes.cpp:6100
5   xul.dll   nsLineLayout::ReflowFrame           layout/generic/nsLineLayout.cpp:844
6   xul.dll   nsInlineFrame::ReflowInlineFrame    layout/generic/nsInlineFrame.cpp:636
7   xul.dll   nsInlineFrame::ReflowFrames         layout/generic/nsInlineFrame.cpp:501
8   xul.dll   nsInlineFrame::Reflow               layout/generic/nsInlineFrame.cpp:385
9   xul.dll   nsLineLayout::ReflowFrame           layout/generic/nsLineLayout.cpp:844
10  xul.dll   nsBlockFrame::ReflowInlineFrame     layout/generic/nsBlockFrame.cpp:3712
11  xul.dll   nsBlockFrame::DoReflowInlineFrames  layout/generic/nsBlockFrame.cpp:3528
12  xul.dll   nsBlockFrame::ReflowInlineFrames    layout/generic/nsBlockFrame.cpp:3378
13  xul.dll   nsBlockFrame::ReflowLine            layout/generic/nsBlockFrame.cpp:2422
14  xul.dll   nsBlockFrame::ReflowDirtyLines      layout/generic/nsBlockFrame.cpp:1919
15  xul.dll   nsBlockFrame::Reflow                layout/generic/nsBlockFrame.cpp:958
16  xul.dll   nsContainerFrame::ReflowChild       layout/generic/nsContainerFrame.cpp:825
17  xul.dll   CanvasFrame::Reflow                 layout/generic/nsHTMLFrame.cpp:654
18            @0x33cc17f
Hmm.  So I can't reproduce a crash with the testcase in comment 0.

I _can_ reproduce it with Martijn's testcase, though not reliably.

On the testcase in comment 0, if I open view-source I can also reproduce an assertion.  I've filed bug 505482 on that.  I strongly suspect that this assertion indicates exactly what's going on in this bug.
Flags: blocking1.9.2?
Should be fixed by checkin for bug 505482.

Removing the branch "wanted?" nominations, since this is ireflow-specific.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: wanted1.9.1.x?
Flags: wanted1.9.0.x?
Resolution: --- → FIXED
Oh, not sure how to write a sane test for this...
Flags: in-testsuite?
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
Keywords: regression
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
Mass change: adding fixed1.9.2 keyword

(This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2
Verified fixed on the 1.9.2 branch using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2b2pre) Gecko/20091027 Namoroka/3.6b2pre. I tried both test cases - no crashes. Also tested on Win XP equivalent build.
Keywords: verified1.9.2
Group: core-security
Flags: in-testsuite? → in-testsuite-
Crash Signature: [@ BuildTextRunsScanner::ScanFrame]