Bug 702897 - crash nsLineBox::IndexOf
Status: RESOLVED FIXED
Keywords: crash, regression
Product: Core
Classification: Components
Component: Layout
Version: Trunk
Platform: All All
Importance: -- critical with 1 vote
Target Milestone: mozilla11
Assigned To: Scott Johnson (:jwir3)
Mentors:
http://www.humans-enabled.com/2009/12...
Duplicates: 702998
Depends on:
Blocks: 666446
Reported: 2011-11-16 00:15 PST by Chris Jones [:cjones] inactive; ni?/f?/r? if you need me
Modified: 2012-02-01 13:57 PST (History)
CC: 9 users
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
b702897 - Restore destruct functionality (996 bytes, patch)
2011-11-18 23:45 PST, Scott Johnson (:jwir3)
roc: review+

Description Chris Jones [:cjones] inactive; ni?/f?/r? if you need me 2011-11-16 00:15:59 PST
This bug was filed from the Socorro interface and is report bp-77464faf-df98-4a05-9457-3b50f2111116.
============================================================= 

STR
 (1) Load URL.  Crash.

This reproduced for me 2/2 and then I didn't want to try anymore ;).
Comment 1 Chris Jones [:cjones] inactive; ni?/f?/r? if you need me 2011-11-16 00:17:32 PST
(The crash is a null pointer deref, so not marking s-s.)
Comment 2 Alice0775 White 2011-11-16 04:32:05 PST
This site also crashes on Windows 7, but the crash signature is not the same.

bp-e7c5222c-0528-41da-b83c-0fe252111116
[@ nsBlockInFlowLineIterator::nsBlockInFlowLineIterator(nsBlockFrame*, nsIFrame*, bool*)]

Regression window(m-c)
Works:
http://hg.mozilla.org/mozilla-central/rev/c60535115ea1
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0a1) Gecko/20111110 Firefox/11.0a1 ID:20111110031403
Crashes:
http://hg.mozilla.org/mozilla-central/rev/9ce43912891b
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0a1) Gecko/20111110 Firefox/11.0a1 ID:20111110024128
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c60535115ea1&tochange=9ce43912891b


Regression window(m-i)
Works:
http://hg.mozilla.org/integration/mozilla-inbound/rev/f7ea68d2d546
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0a1) Gecko/20111109 Firefox/11.0a1 ID:20111109132229
Crashes:
http://hg.mozilla.org/integration/mozilla-inbound/rev/aef0684ac019
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0a1) Gecko/20111109 Firefox/11.0a1 ID:20111109142329
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f7ea68d2d546&tochange=aef0684ac019
Suspected: Bug 666446
Comment 3 Chris Jones [:cjones] inactive; ni?/f?/r? if you need me 2011-11-16 08:59:32 PST
Thanks!
Comment 4 Scoobidiver (away) 2011-11-16 11:43:58 PST
*** Bug 702998 has been marked as a duplicate of this bug. ***
Comment 5 Robert Kaiser 2011-11-16 11:54:22 PST
Crashes with the nsLineBox::IndexOf(nsIFrame*) signature seem to have been around since at least 3.6.x judging from https://crash-stats.mozilla.com/report/list?signature=nsLineBox%3A%3AIndexOf%28nsIFrame*%29 but they have been rising on 11.0a1 trunk in yesterday's data.
Comment 6 Daniel Holbert [:dholbert] 2011-11-16 13:39:22 PST
Looks indeed like a regression from bug 666446, especially given the m-i regression range from comment 2.

The stack in comment 0's crash report has frame-destruction code calling into image code, which calls into more layout code (which possibly assumes our frames _aren't_ being destroyed, and triggers the crash as a result).

(Also: I reproduced this on the first attempt, using Nightly on Ubuntu Linux 11.10)
Comment 7 Scott Johnson (:jwir3) 2011-11-18 23:45:46 PST
Created attachment 575631 [details] [diff] [review]
b702897 - Restore destruct functionality

I just restored the order of the mFrame = nsnull call in order to prevent a dangling pointer, which is causing this crash. I'm working on a crashtest, but the site's pretty complicated and I can't get it to reliably reproduce yet with a simple test case. 

Also, have an awesome birthday party, Roc!
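The ordering problem comment 7 describes, modelled as an added example (not the patch on this bug and not Gecko's real classes; `Frame`, `LineBox`, `ImageLoader`, `OnStopRequest` and `SimulateTeardown` are stand-in names): a loader holds a raw pointer to its frame, tearing the loader down fires a stop notification that re-enters layout through that pointer, and clearing the pointer only after the notification lets the callback run against a frame that is already being destroyed. The model counts such callbacks instead of dereferencing freed or null memory.

```cpp
#include <cstddef>
#include <vector>

// Simplified stand-ins for the frame / image-loader objects in the stack on
// this bug. Assumed names for illustration, not Gecko's real classes.

struct Frame;

struct LineBox {
    std::vector<Frame*> frames;
    // Position of `f` in this line, or -1 when absent. Only compares
    // pointers; the danger is in callers that reach IndexOf through a frame
    // that has already been unlinked from its line.
    int IndexOf(const Frame* f) const {
        for (size_t i = 0; i < frames.size(); ++i)
            if (frames[i] == f) return static_cast<int>(i);
        return -1;
    }
};

struct Frame {
    LineBox* line = nullptr;   // null once the frame has been unlinked
    bool destroying = false;   // set when destruction begins
};

struct ImageLoader {
    Frame* mFrame = nullptr;
    int unsafeCallbacks = 0;   // callbacks that reached a frame mid-destruction

    // Stop notification: in the real stack this is where image code calls
    // back into layout using mFrame (see comments 6 and 9).
    void OnStopRequest() {
        if (!mFrame) return;   // pointer already cleared: nothing to touch
        if (mFrame->destroying || !mFrame->line) {
            // Real code would dereference a null or dangling line here and
            // crash; the model records the unsafe access instead.
            ++unsafeCallbacks;
            return;
        }
        (void)mFrame->line->IndexOf(mFrame);
    }

    // Cancelling a request delivers the stop notification synchronously.
    void CancelRequest() { OnStopRequest(); }

    // Regressed order: cancel (which notifies) before clearing the pointer.
    void DestroyBuggy() { CancelRequest(); mFrame = nullptr; }

    // Restored order: clear mFrame first so the notification sees null.
    void DestroyFixed() { mFrame = nullptr; CancelRequest(); }
};

// Drives one frame teardown and returns how many callbacks touched the dying
// frame: 1 with the regressed order, 0 with the restored order.
int SimulateTeardown(bool fixedOrder) {
    LineBox line;
    Frame frame;
    frame.line = &line;
    line.frames.push_back(&frame);

    ImageLoader loader;
    loader.mFrame = &frame;

    // Frame destruction begins: the frame is unlinked from its line, then its
    // loader is torn down as part of the destructor.
    frame.destroying = true;
    line.frames.clear();
    frame.line = nullptr;
    if (fixedOrder) loader.DestroyFixed(); else loader.DestroyBuggy();
    return loader.unsafeCallbacks;
}
```

`SimulateTeardown(false)` reproduces the unsafe re-entry the regressed ordering allows; `SimulateTeardown(true)` shows that moving the `mFrame = nullptr` assignment ahead of the cancel, which is what the attached patch restores, makes the callback a no-op. The same check applies to any observer or listener that keeps a raw pointer to an object whose destructor can trigger the observer's own callbacks.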
Comment 8 Thomas Ahlblom 2011-11-20 15:07:06 PST
Mozilla/5.0 (X11; Linux x86_64; rv:11.0a1) Gecko/20111120 Firefox/11.0a1

I get the same Crash Signature if I visit this URL with a new, clean profile:
http://ridingpython.blogspot.com/2011/11/aws-sns-how-to-send-out-messages-to-e.html

bp-14075859-041f-4436-8075-ff9cc2111120
Comment 9 Daniel Holbert [:dholbert] 2011-11-20 15:16:18 PST
Yup, that looks like an instance of this bug.  Crash is within nsImageLoader::OnStopRequest, and the animation is the same, and the page source looks similar.

That site & the original URL here must be built with the same toolkit or something.
Comment 10 Scoobidiver (away) 2011-11-21 00:16:26 PST
It seems the patch hasn't landed yet in m-c.
Comment 11 Robert Kaiser 2011-11-21 05:19:07 PST
(In reply to Scoobidiver from comment #10)
> It seems the patch hasn't landed yet in m-c.

That's also why it isn't marked fixed yet.
Comment 12 Scott Johnson (:jwir3) 2011-11-21 10:10:54 PST
(In reply to Scoobidiver from comment #10)
> It seems the patch hasn't landed yet in m-c.

Yes, I was working on a crashtest to verify that this doesn't happen in the future, but the site's toolkit is taking too long for me to understand what's going on. So, I'll push this patch in a few minutes and write another bug to create a crashtest.
Comment 13 Scott Johnson (:jwir3) 2011-11-21 10:57:50 PST
Pushed to inbound:

https://hg.mozilla.org/integration/mozilla-inbound/rev/380444ff2108
Comment 14 Ed Morley [:emorley] 2011-11-21 19:09:56 PST
https://hg.mozilla.org/mozilla-central/rev/380444ff2108
