Closed Bug 489675 Opened 15 years ago Closed 15 years ago

Crash [@ nsAbsoluteContainingBlock::RemoveFrame] with tooltip, -moz-column-count and position: absolute

Categories

(Core :: Layout, defect)

x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: martijn.martijn, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:critical?])

Crash Data

Attachments

(2 files)

Attached file testcase
See testcase, which crashes current trunk build after 100ms.

http://crash-stats.mozilla.com/report/index/009a6950-e8ea-4a14-81a8-886342090422?p=1
0  	xul.dll  	nsAbsoluteContainingBlock::RemoveFrame  	 layout/generic/nsAbsoluteContainingBlock.cpp:116
1 	xul.dll 	ViewportFrame::RemoveFrame 	layout/generic/nsViewportFrame.cpp:156
2 	xul.dll 	nsFrameManager::RemoveFrame 	layout/base/nsFrameManager.cpp:714
3 	xul.dll 	xul.dll@0x39f20a
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Attached file testcase2
Ok, this one still crashes with this stacktrace.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Flags: blocking1.9.2?
For me, on mozilla-central and Mac, testcase2 crashes [@ GetChildListNameFor] dereferencing 0xdddddddd. This is the same crash as in bug 468563, which also involves -moz-column and position:absolute.
Group: core-security
Depends on: 468563
Whiteboard: [sg:critical?]
Status: REOPENED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
No longer depends on: 468563
On the Mac, I get this stack:
http://crash-stats.mozilla.com/report/index/c85bce9e-7cc3-4b1b-8c77-98b4a2090806?p=1
0  	XUL  	nsAbsoluteContainingBlock::RemoveFrame  	 layout/generic/nsIFrame.h:1178
1 	XUL 	ViewportFrame::RemoveFrame 	layout/generic/nsViewportFrame.cpp:157
2 	XUL 	nsFrameManager::RemoveFrame 	layout/base/nsFrameManager.cpp:717
3 	XUL 	DeletingFrameSubtree 	layout/base/nsCSSFrameConstructor.cpp:7040
4 	XUL 	nsCSSFrameConstructor::ContentRemoved 	layout/base/nsCSSFrameConstructor.cpp:7271
5 	XUL 	PresShell::ContentRemoved 	layout/base/nsPresShell.cpp:5076
6 	XUL 	nsNodeUtils::ContentRemoved 	content/base/src/nsNodeUtils.cpp:179
7 	XUL 	nsGenericElement::doRemoveChildAt 	content/base/src/nsGenericElement.cpp:3320
8 	XUL 	nsDocument::RemoveChildAt 	content/base/src/nsDocument.cpp:3251
9 	XUL 	nsGenericElement::doRemoveChild 	content/base/src/nsGenericElement.cpp:3966
10 	XUL 	nsDocument::RemoveChild 	content/base/src/nsDocument.cpp:5501
11 	XUL 	nsIDOMNode_RemoveChild 	dom_quickstubs.cpp:4193
12 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:5197
13 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1379
14 	libmozjs.dylib 	js_InternalInvoke 	js/src/jsinterp.cpp:1451
15 	libmozjs.dylib 	JS_CallFunctionValue 	js/src/jsapi.cpp:5176
16 	XUL 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:2097
17 	XUL 	nsGlobalWindow::RunTimeout 	dom/base/nsGlobalWindow.cpp:7935
18 	XUL 	nsGlobalWindow::TimerCallback 	dom/base/nsGlobalWindow.cpp:8269
19 	XUL 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:427
20 	XUL 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:519
21 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:527
22 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:180
23 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/src/xpwidgets/nsBaseAppShell.cpp:121
24 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/src/cocoa/nsAppShell.mm:413
25 	CoreFoundation 	CFRunLoopRunSpecific 	
26 	CoreFoundation 	CFRunLoopRunInMode 	
27 	HIToolbox 	RunCurrentEventLoopInMode 	
28 	HIToolbox 	ReceiveNextEventCommon 

...which is different from the [@ GetChildListNameFor] crash. So I'm reopening this bug for now and adding a dependency on bug 468563.
Status: RESOLVED → REOPENED
Depends on: 468563
Resolution: DUPLICATE → ---
Hey roc, can we get someone to take a look at this one?
Looks like a virtual call on a deleted frame, should be covered by frame poisoning. Martijn, can you confirm that on trunk we crash with a dereference of 0xF0DEA7FF?
I'm getting this crash stacktrace with current trunk build on the 2nd testcase:
http://crash-stats.mozilla.com/report/index/52074d40-4567-4420-ae3b-6b2912091012
0  	XUL  	nsFrameManager::RemoveFrame  	 layout/base/nsFrameManager.cpp:736
1 	XUL 	DeletingFrameSubtree 	layout/base/nsCSSFrameConstructor.cpp:7048
2 	XUL 	nsCSSFrameConstructor::ContentRemoved 	layout/base/nsCSSFrameConstructor.cpp:7276
3 	XUL 	PresShell::ContentRemoved 	layout/base/nsPresShell.cpp:5083
4 	XUL 	nsNodeUtils::ContentRemoved 	content/base/src/nsNodeUtils.cpp:181
5 	XUL 	nsGenericElement::doRemoveChildAt 	content/base/src/nsGenericElement.cpp:3393
6 	XUL 	nsDocument::RemoveChildAt 	content/base/src/nsDocument.cpp:3319
7 	XUL 	nsGenericElement::doRemoveChild 	content/base/src/nsGenericElement.cpp:4039
8 	XUL 	nsDocument::RemoveChild 	content/base/src/nsDocument.cpp:5571
9 	XUL 	nsIDOMNode_RemoveChild 	dom_quickstubs.cpp:4427
10 	libmozjs.dylib 	js_Interpret 	js/src/jsops.cpp:2269
11 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1373
12 	libmozjs.dylib 	js_InternalInvoke 	js/src/jsinterp.cpp:1428
13 	libmozjs.dylib 	JS_CallFunctionValue 	js/src/jsapi.cpp:5096
14 	XUL 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:2092
15 	XUL 	nsGlobalWindow::RunTimeout 	dom/base/nsGlobalWindow.cpp:8032
16 	XUL 	nsGlobalWindow::TimerCallback 	dom/base/nsGlobalWindow.cpp:8366
17 	XUL 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:427
18 	XUL 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:519
19 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:527
20 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:180
21 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/src/xpwidgets/nsBaseAppShell.cpp:121
22 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/src/cocoa/nsAppShell.mm:417
WFM on trunk (mozilla-central, Mac). I bet this got fixed along with bug 468563.
Status: REOPENED → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ nsAbsoluteContainingBlock::RemoveFrame]
Group: core-security → core-security-release
Group: core-security-release