Crash [@ nsLineBreaker::AppendText] with mathml, margin and popup

RESOLVED WORKSFORME

Status

Core
Layout
--
critical
RESOLVED WORKSFORME
8 years ago
6 years ago

People

(Reporter: Martijn Wargers (dead), Unassigned)

Tracking

(Blocks: 1 bug, {crash, testcase})

Trunk
x86
Windows 7
crash, testcase

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)

680 bytes, application/mathml+xml
(Reporter)

Description

8 years ago
Created attachment 432849 [details]
testcase

See testcase, which crashes in current trunk build.

http://crash-stats.mozilla.com/report/index/02082b1e-9ddf-43c7-8f12-fa9e22100316
0  	xul.dll  	_chkstk  	 chkstk.asm:99
1 	xul.dll 	nsLineBreaker::AppendText 	content/base/src/nsLineBreaker.cpp:268
2 	xul.dll 	gfxFont::RunMetrics::CombineWith 	gfx/thebes/src/gfxFont.cpp:805
3 		@0x1 	
4 		@0x80000009
(Reporter)

Updated

8 years ago
Attachment #432849 - Attachment mime type: application/octet-stream → text/mathml
(Reporter)

Updated

8 years ago
Attachment #432849 - Attachment mime type: text/mathml → application/mathml+xml
On Linux, I'm seeing a hang rather than a crash.

Comment 2

8 years ago
1.9.3 10.5 ppc analyzing minidump gives:

Operating system: Mac OS X 10.5.8 9L34 CPU: ppc 2 CPUs

Crash reason:  EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash address: 0xffffffffbf7ffff0

Thread 0 (crashed)
 0  XUL!nsTArray_base::IsAutoArray() [nsTArray.h : 147 + 0x4]
   srr0 = 0x03af1114    r1 = 0xbf800020

1.9.3 10.5 x86 gdb gives:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0xbf7fffdc
0x03892a87 in nsTArray_base::GetAutoArrayBuffer (this=0xbf8001a0) at nsTArray.h:159
159	    Header* GetAutoArrayBuffer() {

with a huge number of

#28086 0x03bf1f9a in PresShell::DidDoReflow (this=0x1b4d2f10, aInterruptible=1) at /work/mozilla/builds/1.9.3/mozilla/layout/base/nsPresShell.cpp:7080
#28087 0x03c057d1 in PresShell::ProcessReflowCommands (this=0x1b4d2f10, aInterruptible=1) at /work/mozilla/builds/1.9.3/mozilla/layout/base/nsPresShell.cpp:7343

looks like it recursed to death and ate the stack.
Blocks: 532972
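
Added example (not part of the bug report and not Mozilla code): a triage helper that checks the two signals comment 2 relies on, a deep repeating frame cycle and a fault just below the stack pointer, which together point to stack exhaustion rather than memory corruption. The backtrace is constructed and repeats only the two frames the comment quotes; the helper names, the 100-repeat threshold, the one-page window and the 32-bit downward-growing stack are assumptions.

```python
import re

# gdb frame line: "#N  [0xADDR in ]Function (args) at file:line"
FRAME_RE = re.compile(r"^#\d+\s+(?:0x[0-9a-fA-F]+ in )?([\w:~]+)", re.M)

def parse_frames(backtrace):
    """Function names in frame order, innermost first."""
    return FRAME_RE.findall(backtrace)

def longest_cycle(names, max_period=8):
    """(cycle, repeats) for the periodic run of frames covering the most stack."""
    best = ([], 0)
    for p in range(1, max_period + 1):
        run = 0  # consecutive i with names[i] == names[i + p]
        for i in range(len(names) - p):
            run = run + 1 if names[i] == names[i + p] else 0
            repeats = run // p + 1
            if repeats >= 2 and repeats * p > len(best[0]) * best[1]:
                start = i + 1 - run
                best = (names[start:start + p], repeats)
    return best

def triage(backtrace, fault_addr, stack_ptr, min_repeats=100, window=0x1000):
    """Flag a crash as stack exhaustion: deep repeating cycle plus a fault
    within `window` bytes below the stack pointer (assumed thresholds)."""
    names = parse_frames(backtrace)
    cycle, repeats = longest_cycle(names)
    gap = stack_ptr - (fault_addr & 0xFFFFFFFF)  # undo 64-bit sign extension
    near_sp = 0 <= gap <= window
    return {"frames": len(names), "cycle": cycle, "repeats": repeats,
            "fault_near_sp": near_sp,
            "stack_exhaustion": repeats >= min_repeats and near_sp}

def sample_backtrace(depth=2000):
    """Constructed trace shaped like the frames quoted in comment 2."""
    lines = ["#0  0x03892a87 in nsTArray_base::GetAutoArrayBuffer (this=0xbf8001a0) at nsTArray.h:159"]
    for n in range(1, depth, 2):
        lines.append(f"#{n} 0x03bf1f9a in PresShell::DidDoReflow (...) at nsPresShell.cpp:7080")
        lines.append(f"#{n + 1} 0x03c057d1 in PresShell::ProcessReflowCommands (...) at nsPresShell.cpp:7343")
    lines.append(f"#{depth + 1} 0x00001000 in main () at constructed.c:1")
    return "\n".join(lines)

if __name__ == "__main__":
    # Fault address and r1 are the ppc minidump values quoted in comment 2.
    print(triage(sample_backtrace(), 0xffffffffbf7ffff0, 0xbf800020))
```
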
(Assignee)

Updated

7 years ago
Crash Signature: [@ nsLineBreaker::AppendText]

Comment 3

6 years ago
Martijn, I can't reproduce on Beta/11, Aurora/12, Nightly/13. wfm ?
(Reporter)

Comment 4

6 years ago
Let's mark it wfm then.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME