Closed Bug 467914 Opened 16 years ago Closed 16 years ago

Crash [@ nsIFrame::GetOverflowRectRelativeToSelf] with clip-path and -moz-transform on MathML

Categories

(Core :: MathML, defect)

defect
Not set
critical

Tracking


RESOLVED FIXED

People

(Reporter: martijn.martijn, Assigned: roc)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos] null deref)

Crash Data

Attachments

(3 files)

Attached file testcase
See testcase, which crashes current trunk build on load.
http://crash-stats.mozilla.com/report/index/5c0a33de-da70-4e65-bb5b-f3a472081204?p=1
0 xul.dll nsIFrame::GetOverflowRectRelativeToSelf layout/generic/nsFrame.cpp:3946
1 xul.dll nsDisplaySVGEffects::nsDisplaySVGEffects layout/base/nsDisplayList.cpp:1323
2 xul.dll nsIFrame::BuildDisplayListForStackingContext layout/generic/nsFrame.cpp:1307
3 xul.dll nsIFrame::BuildDisplayListForChild layout/generic/nsFrame.cpp:1528
4 xul.dll nsBoxFrame::BuildDisplayListForChildren layout/xul/base/src/nsBoxFrame.cpp:1317
5 xul.dll nsBoxFrame::BuildDisplayList layout/xul/base/src/nsBoxFrame.cpp:1299
6 xul.dll BuildDisplayListWithOverflowClip layout/generic/nsFrame.cpp:1141
7 xul.dll nsIFrame::BuildDisplayListForChild layout/generic/nsFrame.cpp:1509
8 xul.dll nsBoxFrame::BuildDisplayListForChildren layout/xul/base/src/nsBoxFrame.cpp:1317
9 xul.dll nsRootBoxFrame::BuildDisplayList layout/xul/base/src/nsRootBoxFrame.cpp:250
10 xul.dll nsIFrame::BuildDisplayListForChild layout/generic/nsFrame.cpp:1511
11 xul.dll ViewportFrame::BuildDisplayList layout/generic/nsViewportFrame.cpp:109
12 xul.dll nsIFrame::BuildDisplayListForStackingContext layout/generic/nsFrame.cpp:1228
13 xul.dll PresShell::RenderDocument layout/base/nsPresShell.cpp:4986
14 xul.dll nsCanvasRenderingContext2D::DrawWindow content/canvas/src/nsCanvasRenderingContext2D.cpp:3400
15 xul.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
16 xul.dll XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:2013
17 xul.dll XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:2422
18 xul.dll XPC_WN_CallMethod js/src/xpconnect/src/xpcwrappednativejsops.cpp:1477
19 js3250.dll js_Invoke js/src/jsinterp.cpp:1313
20 js3250.dll js_Interpret js/src/jsinterp.cpp:5135
21 js3250.dll js_Invoke js/src/jsinterp.cpp:1331
22 xul.dll nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1610
23 xul.dll nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:563
24 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
25 xul.dll SharedStub xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
26 xul.dll nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1091
Flags: blocking1.9.1?
Looks like a null-dereference: GetProperty(nsGkAtoms::preEffectsBBoxProperty) is returning null, so we crash trying to copy-construct the null. The frame in question is an nsMathMLmunderFrame.
(It wouldn't surprise me if the cause is that the frame in question doesn't call FinishAndStoreOverflow during its reflow.)
Flags: blocking1.9.1? → wanted1.9.1+
Component: Layout → MathML
OS: Windows XP → All
QA Contact: layout → mathml
Hardware: PC → All
Summary: Crash [@ nsIFrame::GetOverflowRectRelativeToSelf] with clip-path, mathml and binding → Crash [@ nsIFrame::GetOverflowRectRelativeToSelf] with clip-path and -moz-transform on MathML
Flags: blocking1.9.2?
Blocks: 473278
No longer blocks: 473278
Whiteboard: [sg:dos] null deref
Flags: wanted1.9.2?
Assignee: nobody → roc
Flags: wanted1.9.2?
Flags: wanted1.9.2+
Flags: blocking1.9.2?
Attached patch fix
It doesn't seem wise to be vulnerable to a crash anytime a frame fails to call FinishAndStoreOverflow. In particular, error exits from Reflow could easily get us into this situation. So let's just tolerate the missing preEffectsBBox. Also, there's really no guarantee that there is a preEffectsBBox; it just so happens that the only current caller of GetOverflowRectRelativeToSelf is nsDisplaySVGEffects. So this fixes that bad assumption too.
Attachment #391275 - Flags: review?(dbaron)
Comment on attachment 391275 [details] [diff] [review] fix
I'd think failing to call FinishAndStoreOverflow at least deserves an NS_WARNING, though. r=dbaron with that
Attachment #391275 - Flags: review?(dbaron) → review+
We can't easily check for that here. There will be legitimate callers of GetOverflowRectRelativeToSelf that find there is no preEffectsBBox.
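The null-dereference analysis above and the "tolerate the missing preEffectsBBox" fix describe a general pattern: a frame property lookup that can legitimately return null must be checked before the result is copied. The following is an added C++ illustration of that pattern, not the patch on attachment 391275 and not Gecko's real nsIFrame/nsRect API. Frame, Rect, PropertyKey, the Reflow error path and the choice of fallback rect (the frame's own bounds at origin) are all stand-ins invented for this example.

```cpp
// Added illustration of the null-property pattern discussed in this bug.
// Frame, Rect, PropertyKey, Reflow and the fallback choice are stand-ins
// invented for this example, not Gecko's nsIFrame/nsRect API or the
// actual fix on attachment 391275.
#include <cstdint>
#include <map>
#include <memory>

struct Rect {
    int32_t x, y, width, height;
    bool operator==(const Rect& o) const {
        return x == o.x && y == o.y && width == o.width && height == o.height;
    }
};

enum class PropertyKey { PreEffectsBBox };

class Frame {
public:
    explicit Frame(Rect bounds) : mRect(bounds) {}

    // Reflow normally ends by storing the pre-effects bounding box
    // (the analogue of FinishAndStoreOverflow). An early error exit
    // skips that step, which is the situation this bug describes.
    bool Reflow(bool failEarly) {
        if (failEarly) {
            return false;  // error path: overflow is never stored
        }
        // Constructed overflow: children stick out 5 units on each side.
        FinishAndStoreOverflow(Rect{-5, -5, mRect.width + 10, mRect.height + 10});
        return true;
    }

    void FinishAndStoreOverflow(Rect overflow) {
        mProperties[PropertyKey::PreEffectsBBox] = std::make_unique<Rect>(overflow);
    }

    // Property lookup yields nullptr when nothing was stored, as the
    // comments above say nsIFrame::GetProperty does.
    const Rect* GetProperty(PropertyKey key) const {
        auto it = mProperties.find(key);
        return it == mProperties.end() ? nullptr : it->second.get();
    }

    // Before the fix the overflow rect was produced by copy-constructing
    // from the GetProperty result, which dereferences null on the error
    // path. The tolerant version checks first and falls back to the
    // frame's own bounds at origin (an assumed fallback), so a display
    // item built from this frame still gets a usable rect.
    Rect GetOverflowRectRelativeToSelf() const {
        if (const Rect* stored = GetProperty(PropertyKey::PreEffectsBBox)) {
            return *stored;
        }
        return Rect{0, 0, mRect.width, mRect.height};
    }

    bool HasPreEffectsBBox() const {
        return GetProperty(PropertyKey::PreEffectsBBox) != nullptr;
    }

private:
    Rect mRect;
    std::map<PropertyKey, std::unique_ptr<Rect>> mProperties;
};

// Two frames with constructed bounds: one whose reflow bailed out early
// and never stored overflow, one that finished normally.
inline bool FailedReflowStoredOverflow() {
    Frame f(Rect{10, 20, 100, 50});
    f.Reflow(true);
    return f.HasPreEffectsBBox();
}

inline Rect OverflowAfterFailedReflow() {
    Frame f(Rect{10, 20, 100, 50});
    f.Reflow(true);
    return f.GetOverflowRectRelativeToSelf();
}

inline Rect OverflowAfterNormalReflow() {
    Frame f(Rect{10, 20, 100, 50});
    f.Reflow(false);
    return f.GetOverflowRectRelativeToSelf();
}
```

The point of the example is the error path: the frame that bails out of Reflow has no stored property, and the tolerant accessor returns a well-defined rect instead of copy-constructing from null. Whether to also emit a warning at that point is the question raised in the review above; here the accessor stays silent, since the reply notes that some callers legitimately find no preEffectsBBox.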
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Crash Signature: [@ nsIFrame::GetOverflowRectRelativeToSelf]
