Bug 762494 - crash in nsLineBox::IndexOf
Status: Closed, RESOLVED DUPLICATE of bug 789719
Opened 13 years ago, closed 13 years ago
Categories: Core :: Layout, defect
People: Reporter: davidb, Unassigned
Keywords: crash, regression, reproducible; Whiteboard: [sg:dupe 789719]
Crash Data
This bug was filed from the Socorro interface and is
report bp-16f2123b-a0e8-4152-923e-b78972120606 .
=============================================================
Comment 1•13 years ago
Looks a lot like bug 702897 but with SVG on the stack. A similar fix may be required here.
Any URLs or STR?
Comment 2•13 years ago
I can easily reproduce this crash:
1) Navigate to https://stat.ripe.net/195.250.56.0/24#object-browser
2) Click on any "Show all" link (for example "Show all" in Organization box).
I've sent some crash reports:
https://crash-stats.mozilla.com/report/index/bp-79641183-21e5-4d22-ba24-ef6b22120808
https://crash-stats.mozilla.com/report/index/bp-e2583c02-784d-47a1-9759-036e92120808
https://crash-stats.mozilla.com/report/index/bp-b3cf5fb0-3017-45f9-aade-967d82120808
https://crash-stats.mozilla.com/report/index/bp-b2a0d09a-e12f-4493-9234-5714d2120808
Keywords: regression, reproducible
CR on Win 7:
https://crash-stats.mozilla.com/report/index/90ac2c96-8e12-4eaf-99ca-095132120826
Mozregression range:
m-c
good=2012-07-20
bad=2012-07-21
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3a05d298599e&tochange=446b788ab99d
The changeset is pretty huge but a good suspected bug should be:
Mats Palmgren — Bug 774794 - Make the aLineList param for MarkLineDirty mandatory; make nsBlockInFlowLineIterator have a valid mLineList for its mLine. r=roc
Maybe a null pointer allocated.
Blocks: 774794
Crash Signature: [@ nsLineBox::IndexOf] → [@ nsLineBox::IndexOf] [@ nsBlockInFlowLineIterator::nsBlockInFlowLineIterator(nsBlockFrame*, nsIFrame*, bool*) ]
Version: unspecified → 17 Branch
The weird thing is that this current bug report was filed before the patch from bug 774794 landed. So maybe there is a mix between 2 different bugs with a similar crash signature.
Comment 5•13 years ago
I can reproduce: bp-b16e1858-d97c-4fb5-8d07-0a2ad2120908.
OS: Mac OS X → All
Updated•13 years ago
Keywords: testcase-wanted
tracking-firefox17: --- → ?
tracking-firefox18: --- → ?
Updated•13 years ago
Comment 7•13 years ago
How can this be reproduced?
Comment 8•13 years ago
Comment 9•13 years ago
OK, I can reproduce this. A very short investigation shows that the next sibling for the frame at hand is a garbage value:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
nsIFrame::GetNextSibling (this=0x7ffffffff0dea7ff) at nsIFrame.h:1106
warning: Source file is more recent than executable.
1106 // A special alias for kPrincipalList that do not request reflow.
(gdb) bt 20
#0 nsIFrame::GetNextSibling (this=0x7ffffffff0dea7ff) at nsIFrame.h:1106
#1 0x0000000101737554 in nsLineBox::IndexOf (this=0x152bda848, aFrame=0x151a338c0)
at /Users/ehsanakhgari/moz/inbound/layout/generic/nsLineBox.cpp:293
#2 0x00000001016b9a3a in nsLineBox::Contains (this=0x152bda848, aFrame=0x151a338c0) at nsLineBox.h:514
#3 0x00000001016b3b22 in nsBlockInFlowLineIterator::nsBlockInFlowLineIterator (this=0x7fff5fbe7b08, aFrame=0x152013700, aFindFrame=0x151a338c0,
aFoundValidLine=0x7fff5fbe7b2f) at /Users/ehsanakhgari/moz/inbound/layout/generic/nsBlockFrame.cpp:5259
#4 0x00000001016b38bd in nsBlockInFlowLineIterator::nsBlockInFlowLineIterator (this=0x7fff5fbe7b08, aFrame=0x152013700, aFindFrame=0x151a338c0,
aFoundValidLine=0x7fff5fbe7b2f) at /Users/ehsanakhgari/moz/inbound/layout/generic/nsBlockFrame.cpp:5295
#5 0x00000001016b6e06 in nsBlockFrame::ChildIsDirty (this=0x152013700, aChild=0x151a338c0)
at /Users/ehsanakhgari/moz/inbound/layout/generic/nsBlockFrame.cpp:6504
#6 0x000000010163563b in PresShell::FrameNeedsReflow (this=0x115aabcf0, aFrame=0x155aec420, aIntrinsicDirty=nsIPresShell::eResize, aBitToAdd=4096)
at /Users/ehsanakhgari/moz/inbound/layout/base/nsPresShell.cpp:2612
#7 0x0000000102631e2c in nsSVGUtils::ScheduleReflowSVG (aFrame=0x157958a28) at /Users/ehsanakhgari/moz/inbound/layout/svg/base/src/nsSVGUtils.cpp:790
#8 0x0000000102631eac in nsSVGUtils::InvalidateAndScheduleReflowSVG (aFrame=0x157958a28)
at /Users/ehsanakhgari/moz/inbound/layout/svg/base/src/nsSVGUtils.cpp:804
#9 0x00000001025fb83f in nsSVGMarkerProperty::DoUpdate (this=0x151b3a7f0) at /Users/ehsanakhgari/moz/inbound/layout/svg/base/src/nsSVGEffects.cpp:281
#10 0x00000001025fb3aa in nsSVGRenderingObserver::InvalidateViaReferencedElement (this=0x151b3a7f0)
at /Users/ehsanakhgari/moz/inbound/layout/svg/base/src/nsSVGEffects.cpp:164
#11 0x00000001025fc61b in nsSVGRenderingObserverList::InvalidateAll (this=0x157398790)
at /Users/ehsanakhgari/moz/inbound/layout/svg/base/src/nsSVGEffects.cpp:544
#12 0x00000001025fc816 in nsSVGEffects::InvalidateDirectRenderingObservers (aElement=0x15792e680)
at /Users/ehsanakhgari/moz/inbound/layout/svg/base/src/nsSVGEffects.cpp:643
#13 0x00000001025fc878 in nsSVGEffects::InvalidateDirectRenderingObservers (aFrame=0x157959630)
at /Users/ehsanakhgari/moz/inbound/layout/svg/base/src/nsSVGEffects.cpp:652
#14 0x00000001016d46f2 in nsFrame::DestroyFrom (this=0x157959630, aDestructRoot=0x118de33d8)
at /Users/ehsanakhgari/moz/inbound/layout/generic/nsFrame.cpp:592
#15 0x0000000101768cd4 in nsSplittableFrame::DestroyFrom (this=0x157959630, aDestructRoot=0x118de33d8)
at /Users/ehsanakhgari/moz/inbound/layout/generic/nsSplittableFrame.cpp:43
#16 0x00000001016c8918 in nsContainerFrame::DestroyFrom (this=0x157959630, aDestructRoot=0x118de33d8)
at /Users/ehsanakhgari/moz/inbound/layout/generic/nsContainerFrame.cpp:237
#17 0x00000001016f7dba in nsFrameList::DestroyFramesFrom (this=0x155aec700, aDestructRoot=0x118de33d8)
at /Users/ehsanakhgari/moz/inbound/layout/generic/nsFrameList.cpp:61
#18 0x00000001016c8841 in nsContainerFrame::DestroyFrom (this=0x155aec6a0, aDestructRoot=0x118de33d8)
at /Users/ehsanakhgari/moz/inbound/layout/generic/nsContainerFrame.cpp:217
#19 0x00000001016f7dba in nsFrameList::DestroyFramesFrom (this=0x155aec5e8, aDestructRoot=0x118de33d8)
---Type <return> to continue, or q <return> to quit---up
at /Users/ehsanakhgari/moz/inbound/layout/generic/nsFrameList.cpp:61
(More stack frames follow...)
(gdb) up
#1 0x0000000101737554 in nsLineBox::IndexOf (this=0x152bda848, aFrame=0x151a338c0)
at /Users/ehsanakhgari/moz/inbound/layout/generic/nsLineBox.cpp:293
293 frame = frame->GetNextSibling();
(gdb) list
288 nsIFrame* frame = mFirstChild;
289 for (i = 0; i < n; i++) {
290 if (frame == aFrame) {
291 return i;
292 }
293 frame = frame->GetNextSibling();
294 }
295 return -1;
296 }
297
(gdb) p frame
$1 = (Cannot access memory at address 0x7ffffffff0dea7ff
(gdb) p *frame
Cannot access memory at address 0x7ffffffff0dea7ff
(gdb) p mFirstChild
$2 = (nsIFrame *) 0x152bda668
(gdb) p i
$3 = 1
(gdb) p n
$4 = 2
(gdb) p mFirstChild->GetNextSibling()
$5 = (Cannot access memory at address 0x7ffffffff0dea7ff
Now, David, why do you think I own this bug? :-)
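The gdb session above shows the loop in nsLineBox::IndexOf trusting both the cached child count (n = 2) and the sibling links, and faulting at i = 1 because mFirstChild's next pointer is already garbage. The block below is an added example, not Gecko code: it models that walk with hypothetical Frame/LineBox types, shows the same unchecked loop shape beside a checked variant that fails closed on a NULL, poisoned or already-destroyed child, and reproduces the i = 1, n = 2 state by destroying the first child while the line still references it. The poison pattern and the state tag are constructed for the example and are not Gecko's own scheme.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical frame state tag: a destroyed frame keeps a recognisable marker. */
typedef enum { FRAME_LIVE = 0x4C495645, FRAME_DEAD = 0x44454144 } FrameState;

/* Stand-in for nsIFrame: a node in an intrusive singly linked sibling list. */
typedef struct Frame {
    FrameState state;
    struct Frame *next_sibling;
    int id;
} Frame;

/* Stand-in for nsLineBox: first child plus the child count used as the loop bound. */
typedef struct {
    Frame *first_child;
    int child_count;
} LineBox;

/* Constructed poison pattern: a link still carrying this value was left behind by a
 * destroyed frame. An unchecked dereference of it faults deterministically instead of
 * silently reading memory the allocator may already have reused. */
#define POISON_LINK ((Frame *)(uintptr_t)0x5a5a5a5a5a5a5a5aULL)

/* Same shape as the listing at nsLineBox.cpp:288-296: trusts the count and the links. */
int index_of_unchecked(const LineBox *line, const Frame *target) {
    const Frame *frame = line->first_child;
    for (int i = 0; i < line->child_count; i++) {
        if (frame == target) return i;
        frame = frame->next_sibling;   /* this is the dereference that crashes on garbage */
    }
    return -1;
}

/* Hardened walk: stops at NULL (count longer than the list), refuses to dereference a
 * poisoned link, and reports a child whose state says it was already destroyed.
 * Returns the index, or -1; *stale is set when the list itself is corrupt. */
int index_of_checked(const LineBox *line, const Frame *target, int *stale) {
    const Frame *frame = line->first_child;
    *stale = 0;
    for (int i = 0; i < line->child_count; i++) {
        if (frame == NULL) break;
        if (frame == POISON_LINK || frame->state != FRAME_LIVE) {
            *stale = 1;
            return -1;
        }
        if (frame == target) return i;
        frame = frame->next_sibling;
    }
    return -1;
}

/* Destroying a frame poisons its fields. With a quarantining debug allocator the memory
 * stays mapped long enough for a later stale read to see the pattern. The bug modelled
 * here is a caller that destroys a child without removing it from the line. */
void frame_destroy(Frame *f) {
    f->state = FRAME_DEAD;
    f->next_sibling = POISON_LINK;
}

/* Healthy two-child line: both walks agree that the second child is at index 1. */
int demo_healthy_index(void) {
    Frame b = {FRAME_LIVE, NULL, 2};
    Frame a = {FRAME_LIVE, &b, 1};
    LineBox line = { &a, 2 };
    int stale;
    int checked = index_of_checked(&line, &b, &stale);
    int unchecked = index_of_unchecked(&line, &b);
    return (checked == unchecked && !stale) ? checked : -1;
}

/* Rebuilds the state seen in the gdb session: n = 2, then the first child is destroyed
 * while the line still points at it. The checked walk reports the stale list instead
 * of following the poisoned link at i = 1. Returns 1 when the corruption is detected. */
int demo_stale_first_child(void) {
    static Frame a, b;
    b = (Frame){FRAME_LIVE, NULL, 2};
    a = (Frame){FRAME_LIVE, &b, 1};
    LineBox line = { &a, 2 };
    int stale;
    if (index_of_checked(&line, &b, &stale) != 1 || stale) return -1;  /* sanity: list is good */
    frame_destroy(&a);                                                   /* the modelled mistake */
    int idx = index_of_checked(&line, &b, &stale);
    return (idx == -1 && stale) ? 1 : 0;
}
```

In the stale scenario the unchecked loop would read a's poisoned next pointer at i = 0 and dereference it at i = 1, which is the same position the crash stack shows; the checked loop stops one step earlier because the child it is standing on no longer claims to be live. In a release build the practical mitigation is on the destroy side (unlink before destroy, or mark the line dirty through the owning block), and the checks here are the debug-build net that turns a silent stale read into a reported corruption.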
Comment 10•13 years ago
Looks like the same underlying problem as in bug 789719.
Ehsan, does the patch in that bug fix the crash?
Group: core-security
Comment 12•13 years ago
moved tracking over to bug 789719
tracking-firefox17: + → ---
tracking-firefox18: + → ---
Updated•13 years ago
Whiteboard: [sg:dupe 789719]
Updated•11 years ago
Group: core-security
Updated•10 years ago
Keywords: testcase-wanted