Closed Bug 982166 Opened 10 years ago Closed 10 years ago

crash in nsIFrame::StyleVisibility() const

Categories: Core :: Layout: Block and Inline (defect)
Platform: All
OS: Android
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla30
Tracking Status
firefox28 --- unaffected
firefox29 --- unaffected
firefox30 - fixed
fennec 30+ ---

People

(Reporter: kbrosnan, Assigned: seth)

References

Details

(Keywords: crash, Whiteboard: [native-crash])

Crash Data

This bug was filed from the Socorro interface and is report bp-9fbd2907-647b-4517-8fb0-b7b322140310.
=============================================================

This crash spiked in nightly Firefox for Android recently.

0 	libxul.so 	nsIFrame::StyleVisibility() const 	obj-firefox/dist/include/nsStyleStructList.h
1 	libxul.so 	nsIFrame::GetWritingMode() const 	layout/generic/nsIFrame.h
2 	libxul.so 	nsHTMLReflowState::nsHTMLReflowState(nsPresContext*, nsIFrame*, nsRenderingContext*, nsSize const&, unsigned int) 	layout/generic/nsHTMLReflowState.h
3 	libxul.so 	nsTableFrame::FixupPositionedTableParts(nsPresContext*, nsHTMLReflowState const&) 	layout/tables/nsTableFrame.cpp
4 	libxul.so 	nsTableFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) 	layout/tables/nsTableFrame.cpp
5 	libxul.so 	nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) 	layout/generic/nsContainerFrame.cpp
6 	libxul.so 	nsTableOuterFrame::OuterDoReflowChild(nsPresContext*, nsIFrame*, nsHTMLReflowState const&, nsHTMLReflowMetrics&, unsigned int&) 	layout/tables/nsTableOuterFrame.cpp
7 	libxul.so 	nsTableOuterFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) 	layout/tables/nsTableOuterFrame.cpp
8 	libxul.so 	nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) 	layout/generic/nsBlockReflowContext.cpp
9 	libxul.so 	nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) 	layout/generic/nsBlockFrame.cpp
10 	libxul.so 	nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) 	layout/generic/nsBlockFrame.cpp
11 	libxul.so 	nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) 	layout/generic/nsBlockFrame.cpp
12 	libxul.so 	nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) 	layout/generic/nsBlockReflowContext.cpp
13 	libxul.so 	nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) 	layout/generic/nsBlockFrame.cpp
14 	libxul.so 	nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) 	layout/generic/nsBlockFrame.cpp
15 	libxul.so 	nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) 	layout/generic/nsBlockFrame.cpp
16 	libxul.so 	nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) 	layout/generic/nsBlockReflowContext.cpp
17 	libxul.so 	nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) 	layout/generic/nsBlockFrame.cpp
18 	libxul.so 	nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) 	layout/generic/nsBlockFrame.cpp
19 	libxul.so 	nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) 	layout/generic/nsBlockFrame.cpp
20 	libxul.so 	nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) 	layout/generic/nsBlockReflowContext.cpp
21 	libxul.so 	nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) 	layout/generic/nsBlockFrame.cpp
22 	libxul.so 	nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) 	layout/generic/nsBlockFrame.cpp
23 	libxul.so 	nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) 	layout/generic/nsBlockFrame.cpp
24 	libxul.so 	nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) 	layout/generic/nsBlockReflowContext.cpp
25 	libxul.so 	nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) 	layout/generic/nsBlockFrame.cpp
26 	libxul.so 	nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) 	layout/generic/nsBlockFrame.cpp
27 	libxul.so 	nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) 	layout/generic/nsBlockFrame.cpp
28 	libxul.so 	nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) 	layout/generic/nsBlockReflowContext.cpp
29 	libxul.so 	nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) 	layout/generic/nsBlockFrame.cpp
30 	libxul.so 	nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) 	layout/generic/nsBlockFrame.cpp
31 	libxul.so 	nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) 	layout/generic/nsBlockFrame.cpp
32 	libxul.so 	nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) 	layout/generic/nsBlockReflowContext.cpp
33 	libxul.so 	nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) 	layout/generic/nsBlockFrame.cpp
34 	libxul.so 	nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) 	layout/generic/nsBlockFrame.cpp
35 	libxul.so 	nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) 	layout/generic/nsBlockFrame.cpp
36 	libxul.so 	nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) 	layout/generic/nsBlockReflowContext.cpp
37 	libxul.so 	nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) 	layout/generic/nsBlockFrame.cpp
38 	libxul.so 	nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) 	layout/generic/nsBlockFrame.cpp
39 	libxul.so 	nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) 	layout/generic/nsBlockFrame.cpp
40 	libxul.so 	nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) 	layout/generic/nsBlockReflowContext.cpp
41 	libxul.so 	nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) 	layout/generic/nsBlockFrame.cpp
42 	libxul.so 	nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) 	layout/generic/nsBlockFrame.cpp
43 	libxul.so 	nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) 	layout/generic/nsBlockFrame.cpp
44 	libxul.so 	nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) 	layout/generic/nsContainerFrame.cpp
45 	libxul.so 	nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) 	layout/generic/nsCanvasFrame.cpp
46 	libxul.so 	nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) 	layout/generic/nsContainerFrame.cpp
47 	libxul.so 	nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) 	layout/generic/nsGfxScrollFrame.cpp
48 	libxul.so 	nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) 	layout/generic/nsGfxScrollFrame.cpp
49 	libxul.so 	nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) 	layout/generic/nsGfxScrollFrame.cpp
50 	libxul.so 	nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) 	layout/generic/nsContainerFrame.cpp
51 	libxul.so 	ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) 	layout/generic/nsViewportFrame.cpp
52 	libxul.so 	PresShell::DoReflow(nsIFrame*, bool) 	layout/base/nsPresShell.cpp
53 	libxul.so 	PresShell::ProcessReflowCommands(bool) 	layout/base/nsPresShell.cpp
54 	libxul.so 	PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) 	layout/base/nsPresShell.cpp
55 	libxul.so 	PresShell::FlushPendingNotifications(mozFlushType) 	layout/base/nsPresShell.cpp
56 	libxul.so 	nsDocument::FlushPendingNotifications(mozFlushType) 	content/base/src/nsDocument.cpp
57 	libxul.so 	mozilla::dom::Element::GetPrimaryFrame(mozFlushType) 	content/base/src/Element.cpp
58 	libxul.so 	mozilla::dom::Element::GetBoundingClientRect() 	content/base/src/Element.cpp
59 	libxul.so 	mozilla::dom::ElementBinding::getBoundingClientRect 	obj-firefox/dom/bindings/ElementBinding.cpp
60 	libxul.so 	mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) 	dom/bindings/BindingUtils.cpp
61 		@0x69139e3e
From the crash report:
> Crash Address 	0xf0dea837
which I think is a frame-poisoning address (per bug 507294 comment 28).

Assuming that's right, this should be hard to exploit, at least. (Not to minimize the suckiness of crashing)
The URLs are currently either wunderground or html5test. The crash is not device-specific or Android-API-specific.

http://html5test.com/
http://www.wunderground.com/US/CA/San_Francisco.html
http://beta.html5test.com/
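Triage check, added here as an example and not code from the bug or from Gecko: a small Python script that parses a Socorro-style report in the layout pasted above and flags whether the crash address lies in the frame-poison page, which is what makes a crash like this one a read through a freed (poisoned) frame rather than a controllable memory corruption. It assumes the 32-bit poison page is the one derived from Gecko's candidate base 0xF0DEAFFF rounded down to a 4 KiB page (0xF0DEA000-0xF0DEAFFF); if the poison-area reservation fell back to a different address on the crashing device, the address test is only a heuristic. The "first .cpp frame is the caller holding the stale pointer" rule and the second, near-null sample report are this example's own constructions.

```python
import re

PAGE_SIZE = 4096

# Assumption: Gecko's 32-bit candidate poison base (mfbt/Poison.cpp,
# ReservePoisonArea) was reserved successfully on the crashing device.  The
# reserved page is that value rounded down to a page boundary.
POISON_CANDIDATE_32 = 0xF0DEAFFF
POISON_PAGE_32 = POISON_CANDIDATE_32 & ~(PAGE_SIZE - 1)  # 0xF0DEA000

_ADDR_RE = re.compile(r"Crash Address\s+(0x[0-9a-fA-F]+)")


def in_poison_page(addr, page_base=POISON_PAGE_32, page_size=PAGE_SIZE):
    """True if addr lies in the frame-poison page, i.e. the crashing code read a
    field through a pointer to a frame that had already been freed and poisoned."""
    return page_base <= addr < page_base + page_size


def parse_frames(text):
    """Parse Socorro-style tab-separated frame lines: index, module, function, file.
    Lines whose first field is not a frame index (e.g. 'Crash Address') are skipped."""
    frames = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        while len(parts) < 4:  # frames without symbols have an empty file field
            parts.append("")
        frames.append({"index": int(parts[0]), "module": parts[1],
                       "function": parts[2], "file": parts[3]})
    return frames


def first_caller_frame(frames):
    """Heuristic (this example's, not the bug's): the top frames are inline
    accessors in headers where the poisoned pointer was finally dereferenced;
    the first frame in a .cpp file is the caller that held the stale pointer."""
    for f in frames:
        if f["file"].endswith(".cpp"):
            return f
    return None


def triage(report):
    """Return a dict with the crash address, whether it is a poison hit, a
    one-line verdict and the suspect caller frame."""
    m = _ADDR_RE.search(report)
    addr = int(m.group(1), 16) if m else None
    frames = parse_frames(report)
    poisoned = addr is not None and in_poison_page(addr)
    caller = first_caller_frame(frames)
    if poisoned:
        verdict = ("use of a freed frame caught by frame poisoning: deterministic "
                   "crash on a reserved, inaccessible page, hard to exploit as-is")
    else:
        verdict = "crash address not in the poison page; needs manual review"
    return {"crash_address": addr, "poisoned": poisoned, "verdict": verdict,
            "suspect_frame": caller["function"] if caller else None}


# Constructed sample in the Socorro layout; the crash address and the first
# four frames are the ones from this bug's report, the rest of the stack is
# omitted.
SAMPLE_REPORT = (
    "Crash Address \t0xf0dea837\n"
    "0 \tlibxul.so \tnsIFrame::StyleVisibility() const \tobj-firefox/dist/include/nsStyleStructList.h\n"
    "1 \tlibxul.so \tnsIFrame::GetWritingMode() const \tlayout/generic/nsIFrame.h\n"
    "2 \tlibxul.so \tnsHTMLReflowState::nsHTMLReflowState(nsPresContext*, nsIFrame*, "
    "nsRenderingContext*, nsSize const&, unsigned int) \tlayout/generic/nsHTMLReflowState.h\n"
    "3 \tlibxul.so \tnsTableFrame::FixupPositionedTableParts(nsPresContext*, "
    "nsHTMLReflowState const&) \tlayout/tables/nsTableFrame.cpp\n"
)

# Constructed negative case (hypothetical function and file): a near-null
# dereference is not a poison hit and gets no verdict from this check.
NULL_DEREF_REPORT = (
    "Crash Address \t0x00000008\n"
    "0 \tlibxul.so \tSomeFunction() \tsome/file.cpp\n"
)

if __name__ == "__main__":
    for report in (SAMPLE_REPORT, NULL_DEREF_REPORT):
        print(triage(report))
```

The check is deliberately conservative: a poison hit tells you the freed frame was read, not written, through a pointer the poisoning made invalid, so the report supports "caught use-after-free, not exploitable as-is", nothing stronger; an address outside the page says nothing either way and still needs a human look.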
Was this the bug that spiked and went away with the first landing of bug 63895, or was it something still present in the second landing?
(In reply to Kevin Brosnan [:kbrosnan] from comment #0)
> 3 	libxul.so 	nsTableFrame::FixupPositionedTableParts(nsPresContext*,
> nsHTMLReflowState const&) 	layout/tables/nsTableFrame.cpp

This function was introduced in https://hg.mozilla.org/integration/mozilla-inbound/rev/677d07d6cadb ; that's why I'm reasonably confident this is related.
Blocks: 63895
I don't see any crashes after 20140307030202, and loading the URLs and navigating the sites does not lead to a reproducible crash.
The question is whether it came back today, though...

Seth might know if this is something that was fixed in the new version of the patches.
Flags: needinfo?(seth)
Based on comment 5 and my own attempt to reproduce, I'm not seeing this and don't think we need to track it.
Fixed by backout (and relanding).
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Assignee: nobody → seth
Target Milestone: --- → mozilla30
tracking-fennec: ? → 30+
Flags: needinfo?(seth)