Closed Bug 478527 Opened 17 years ago Closed 16 years ago

Crash [@ BuildTextRunsScanner::ScanFrame] with ireflow, word-wrap:break-word

Categories

(Core :: Layout, defect, P2)

x86
macOS
defect

Tracking

RESOLVED FIXED
Tracking Status
status1.9.2 --- beta1-fixed
status1.9.1 --- unaffected

People

(Reporter: jruderman, Unassigned)

Details

(5 keywords, Whiteboard: [sg:critical])

Attachments

(2 files)

Steps to reproduce:
1. Apply the ireflow patch (bug 67752 comment 56).
2. Set the following environment variables:
   export GECKO_REFLOW_INTERRUPT_MODE=counter
   export GECKO_REFLOW_INTERRUPT_CHECKS_TO_SKIP=1
   export GECKO_REFLOW_INTERRUPT_FREQUENCY=1
3. Load the testcase
4. Wait a few seconds

Result:
###!!! ASSERTION: Could not find frame to remove!: 'NS_SUCCEEDED(rv)', file /Users/jruderman/central/layout/generic/nsContainerFrame.cpp, line 230
WARNING: Scanning overflow inline frames is something we should avoid: '!result.mOverflowFrameToScan', file /Users/jruderman/central/layout/generic/nsTextFrameThebes.cpp, line 868
Crash [@ BuildTextRunsScanner::ScanFrame]
I saw this crash once in a way that was very much not a null deref.
Group: core-security
Whiteboard: [sg:critical]
Flags: wanted1.9.1.x?
Flags: wanted1.9.0.x?
Isn't this an ireflow issue? How does this affect 1.9.0 (and 1.9.1, if it doesn't end up landing, which so far seems to be the case)?
Imo it doesn't.
Attached file testcase2
This testcase seems to crash with the same stacktrace. It regressed between 2009-05-05 and 2009-05-07, so also a regression from bug 67752, probably. You need to have the dom.disable_window_move_resize pref set to true, to see the crash happening. Also, selecting some text, moving the mouse over the document may speed up the crash from happening.
http://crash-stats.mozilla.com/report/index/0e9524f4-6f99-4afc-95ff-a502a2090629?p=1
0 xul.dll BuildTextRunsScanner::ScanFrame layout/generic/nsTextFrameThebes.cpp:1360
1 xul.dll BuildTextRunsScanner::ScanFrame layout/generic/nsTextFrameThebes.cpp:1407
2 xul.dll BuildTextRuns layout/generic/nsTextFrameThebes.cpp:1122
3 xul.dll nsTextFrame::EnsureTextRun layout/generic/nsTextFrameThebes.cpp:2001
4 xul.dll nsTextFrame::Reflow layout/generic/nsTextFrameThebes.cpp:6100
5 xul.dll nsLineLayout::ReflowFrame layout/generic/nsLineLayout.cpp:844
6 xul.dll nsInlineFrame::ReflowInlineFrame layout/generic/nsInlineFrame.cpp:636
7 xul.dll nsInlineFrame::ReflowFrames layout/generic/nsInlineFrame.cpp:501
8 xul.dll nsInlineFrame::Reflow layout/generic/nsInlineFrame.cpp:385
9 xul.dll nsLineLayout::ReflowFrame layout/generic/nsLineLayout.cpp:844
10 xul.dll nsBlockFrame::ReflowInlineFrame layout/generic/nsBlockFrame.cpp:3712
11 xul.dll nsBlockFrame::DoReflowInlineFrames layout/generic/nsBlockFrame.cpp:3528
12 xul.dll nsBlockFrame::ReflowInlineFrames layout/generic/nsBlockFrame.cpp:3378
13 xul.dll nsBlockFrame::ReflowLine layout/generic/nsBlockFrame.cpp:2422
14 xul.dll nsBlockFrame::ReflowDirtyLines layout/generic/nsBlockFrame.cpp:1919
15 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:958
16 xul.dll nsContainerFrame::ReflowChild layout/generic/nsContainerFrame.cpp:825
17 xul.dll CanvasFrame::Reflow layout/generic/nsHTMLFrame.cpp:654
18 @0x33cc17f
Depends on: 505482
Hmm. So I can't reproduce a crash with the testcase in comment 0. I _can_ reproduce it with Martijn's testcase, though not reliably. On the testcase in comment 0, if I open view-source I can also reproduce an assertion. I've filed bug 505482 on that. I strongly suspect that this assertion indicates exactly what's going on in this bug.
Flags: blocking1.9.2?
Should be fixed by checkin for bug 505482. Removing the branch "wanted?" nominations, since this is ireflow-specific.
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: wanted1.9.1.x?
Flags: wanted1.9.0.x?
Resolution: --- → FIXED
Oh, not sure how to write a sane test for this....
Flags: in-testsuite?
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
Keywords: regression
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
Mass change: adding fixed1.9.2 keyword (This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2
Verified fixed on the 1.9.2 branch using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2b2pre) Gecko/20091027 Namoroka/3.6b2pre. I tried both test cases - no crashes. Also tested on Win XP equivalent build.
Keywords: verified1.9.2
Group: core-security
Flags: in-testsuite? → in-testsuite-
Crash Signature: [@ BuildTextRunsScanner::ScanFrame]