Bug 490410 - Another Crash on testcase from 489647 with accessibility enabled in [@nsTextFrame::ClearTextRun()]
Status: VERIFIED FIXED
: [sg:dupe 472776]
: verified1.9.0.11
Product: Core
Classification: Components
Component: Layout
: 1.9.0 Branch
: x86 Linux
: -- normal
: ---
Assigned To: Nobody; OK to take it and work on it
: layout
: 472776
: CVE-2009-1313
Reported: 2009-04-27 23:13 PDT by Alexander Sack
Modified: 2009-06-11 14:50 PDT
dveditz: blocking1.9.0.11+
dveditz: wanted1.9.0.x+
samuel.sidler+old: wanted1.8.1.x-

Attachments
testcase, uses enhanced privileges (564 bytes, text/html)
2009-04-28 14:58 PDT, Martijn Wargers [:mw22] (QA - IRC nick: mw22)

Description Alexander Sack 2009-04-27 23:13:43 PDT
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042315
Firefox/3.0.10

Seems I can still make Firefox 3.0.10 crash by enabling accessibility in GNOME
on Ubuntu Jaunty, like:

1.  gconftool-2 --set --type=bool /desktop/gnome/interface/accessibility true
2.  ./firefox https://bugzilla.mozilla.org/attachment.cgi?id=374249

Sample Crash:
 
http://crash-stats.mozilla.com/report/index/34ac9c9a-9a6d-4ce6-b4e7-7ace62090427
Comment 1 jamie 2009-04-28 07:17:11 PDT
FYI for automated testing -- the above doesn't always crash immediately. E.g., I would use a file:/// URL and most of the time I would need to click 'Reload' to trigger the crash (though occasionally I wouldn't).
Comment 2 Daniel Holbert [:dholbert] 2009-04-28 07:33:02 PDT
FWIW, I couldn't reproduce this, after a minute or two of repeated reloading, using latest-mozilla1.9.0:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090426 Minefield/3.6a1pre
Comment 3 Samuel Sidler (old account; do not CC) 2009-04-28 10:16:22 PDT
Since bug 489647 was blocking, if we can reproduce this, it should block too.
Comment 4 Martijn Wargers [:mw22] (QA - IRC nick: mw22) 2009-04-28 14:58:54 PDT
Created attachment 374954
testcase, uses enhanced privileges

Just enabling accessibility is enough to get this crash, as was already said.
Comment 5 Martijn Wargers [:mw22] (QA - IRC nick: mw22) 2009-04-28 15:00:19 PDT
(In reply to comment #2)
> FWIW, I couldn't reproduce this, after a minute or two of repeated reloading,
> using latest-mozilla1.9.0:
> Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090426
> Minefield/3.6a1pre

Daniel, the build id you posted wasn't from a 1.9.0.x build, but from a trunk build, so I guess you tested with a trunk build and not with a 1.9.0.x build.
Comment 6 Daniel Holbert [:dholbert] 2009-04-28 16:21:35 PDT
Ah, good catch on that build ID... I'd swear I tested with a 1.9.0.x nightly on that machine, but maybe I forgot the "-no-remote" command-line arg or something.

In any case, I've downloaded a 1.9.0.x nightly on my laptop now, and I can definitely reproduce the bug here, both with the old bug's testcase (with accessibility enabled) and with Martijn's new automatic-accessibility-enabling testcase attached on this bug.

Sample crash report:
http://crash-stats.mozilla.com/report/index/acf72021-9bb1-49de-96d0-adefa2090428

Build ID:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11pre) Gecko/2009042804 GranParadiso/3.0.11pre
Comment 7 Daniel Holbert [:dholbert] 2009-04-28 16:34:28 PDT
In theory, we should be able to hit this crash with a mozilla-central build/nightly from just after bug 467150's patch landed, and then track down a fix range from there, to see what patch fixed this additional crash.
Comment 8 Daniel Holbert [:dholbert] 2009-04-28 17:40:19 PDT
(In reply to comment #7)
> In theory, we should be able to hit this crash with a mozilla-central
> build/nightly from just after bug 467150's patch landed

Cool -- I tried the mozilla-central nightly build from 2008/12/17 (right after bug 467150 landed), and it crashed on this bug's testcase, after reloading repeatedly for ~10 sec.

I tried the 2008/12/20 nightly (a few days later) to make sure the 12/17 one wasn't just particularly crashy, and the 12/20 build crashed on this bug's testcase, too.

Sadly, the crash report doesn't seem to have symbols available.
http://crash-stats.mozilla.com/report/index/c62340e5-896a-40d6-a3c5-a975a2090428
http://crash-stats.mozilla.com/report/index/b72d40c7-c4b2-45c3-8d20-7110b2090428

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20081217 Minefield/3.2a1pre
Comment 9 Daniel Holbert [:dholbert] 2009-04-28 21:37:28 PDT
I traced the crash to being fixed in mozilla-central between these nightlies:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090223 Minefield/3.2a1pre
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090224 Minefield/3.2a1pre

That yields this regression range:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b84ee6f45b08&tochange=69c86f3acc5a

That range includes the fix for bug 472776, which I think is the exact same as this bug -- it's a crash [@ UnhookTextRunFromFrames] and [@ ClearAllTextRunReferences], which exactly matches the stacks I've been getting from Martijn's testcase here, e.g.
http://crash-stats.mozilla.com/report/index/d005a5b3-613e-46ba-8fce-503602090428

So, I think this crash here is effectively a dupe of bug 472776.
Comment 10 Daniel Holbert [:dholbert] 2009-04-30 09:32:24 PDT
The patch in bug 472776 applies cleanly on 1.9.0.x (aside from 'crashtests.list') -- I tried it out, and it does indeed fix this crash.
Comment 11 Daniel Holbert [:dholbert] 2009-04-30 09:36:29 PDT
(Though FWIW, I haven't ever been able to reproduce the shutdown crash from bug 472776's testcase in a 1.9.0.x build.  That's not a huge deal, though -- it just means there are additional factors involved that caused that particular testcase to fail on mozilla-central.)
Comment 12 Daniel Holbert [:dholbert] 2009-05-02 16:58:50 PDT
The fix for bug 472776 just landed on 1.9.0.x, so this should now be fixed.
Comment 13 Al Billings [:abillings] 2009-05-11 14:39:49 PDT
I verified this on Ubuntu 8.10 with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11pre) Gecko/2009051104 GranParadiso/3.0.11pre. I also verified the crash with 1.9.0.10 on the same system. So this is fixed.
