Bugzilla@Mozilla – Bug 467881
Crash [@ IsBindingAncestor] with frameset, iframe, {ib}
Last modified: 2009-04-26 23:34:29 PDT
Summon comment box
Created attachment 351325 [details] testcase (crashes Firefox when loaded) ###!!! ASSERTION: reflow roots should never split: 'status == NS_FRAME_COMPLETE', file /Users/jruderman/central/layout/base/nsPresShell.cpp, line 6347 ###!!! ASSERTION: frame not in line: 'line->Contains(aDeletedFrame)', file /Users/jruderman/central/layout/generic/nsBlockFrame.cpp, line 5385 Crash [@ IsBindingAncestor] trying to access memory at 0xdddddded.
Looks like we have destroyed frames in the frame tree. That's really bad. That second assertion is pretty much summing up why _that_ happens, and I bet the first one explains the second one. roc, this seems like something up your alley.
What's the reflow root in question?
ViewportFrame.
This bug shows up with a few different crash assertions and crash signatures, so it kinda gets in the way of fuzzing.
Crashes my Linux mozilla-central build, too, with the assertions mentioned in comment 0. Platform --> All/All
Setting a breakpoint on nsBlockFrame::SetOverflowLines (it split because it had overflow lines) shows that we have overflow lines because aState.mBottomEdge was 0 in nsBlockFrame::PlaceLine (when it should have been NS_UNCONSTRAINEDSIZE).
So I think the basic problem is something like this: * we often reflow the viewport with a constrained height, but we trust that its child scroll frame won't pass this further. * when we have a frameset, the viewport doesn't have a child scroll frame * we don't have anything to prevent mixing framesets with other things, or changing the structure at the top of the document when the frameset is gone (Need to investigate all these points in a little more detail, though.) What's happening here is that the constrained available height that we give the viewport is making its way all the way down the tree. There are probably two ways to fix this: * stop using constrained available heights * maintain the frame tree invariants We probably ought to do both.
Created attachment 358727 [details] [review] patch to stop using constrained heights for viewport reflow This seems to just work, although I need to do a good bit more testing.
Created attachment 358737 [details] [review] patch to stop using constrained heights for viewport reflow Needed a few additional changes to fix resizing.
This is a common fuzz blocker, raising the priority slightly (p2) to try to keep it in the release. Since it's mostly patched I hope I'm not overstepping here.
http://hg.mozilla.org/mozilla-central/rev/ea3adcdfa653
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/5ce32275362a
Comment on attachment 358737 [details] [review] patch to stop using constrained heights for viewport reflow Approved for 1.9.0.8, a=dveditz for release-drivers
I was sort of hoping we'd ship this in a 1.9.1 beta release to make sure it didn't break anything before we shipped it in a 1.9.0.* release, but I suppose we're probably ok based on nightly testing.
Checked in to CVS trunk for 1.9.0.8, 2009-02-22 19:21/22 -0800.
Verified on OS X and Windows with: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090310 Minefield/3.2a1pre ID:20090310044308 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090309 Shiretoko/3.1b4pre (.NET CLR 3.5.30729) ID:20090309034003
The testcase doesn't crash 1.9.0.7 on OS X or Windows XP. Does this require a debug build or does the testcase not work on 1.9.0?
(In reply to comment #17) > The testcase doesn't crash 1.9.0.7 on OS X or Windows XP. Does this require a > debug build or does the testcase not work on 1.9.0? I don't suppose someone could reply to this since I asked this almost two weeks ago? :-)
I don't know. You could see what happens in a 1.9.0.* debug build if you want (or try under valgrind). Hard to give more details without knowing what you're trying to do.
Al, the testcase crashes reliably in a debug build, where we mark deallocated memory with the 0xdddddddd pattern. In a non-debug build, it will randomly either crash or not crash or let someone run arbitrary code depending on the values that happen to be in the deallocated memory.
The testcase constantly crashes 01/30 Shiretoko builds on Windows and OS X. With the fix no more crashes happen with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3 (.NET CLR 3.5.30729) ID:20090305152042
Doesn't crash using Firefox 2.0.0.20.
verified fixed 1.9.0.9 using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.9pre) Gecko/2009040221 Firefox/3.0.9pre (debug build) + : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9pre) Gecko/2009040214 Minefield/3.0.9pre - no crash on testcase
Crashtest added: http://hg.mozilla.org/mozilla-central/rev/ea128fc02710