Closed Bug 171334 Opened 22 years ago Closed 22 years ago

Unusual non-nested containing blocks causes crash in views [@ nsView::GetClippedRect]

Categories

(Core :: Layout, defect, P2)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: stephend, Assigned: roc)

References

(
URL
)

Details

(Keywords: crash, topcrash+)

Crash Data

Attachments

(3 files, 2 obsolete files)

simplified testcase
478 bytes, text/html
Details
insanity
485 bytes, text/html
Details
Views patch
17.07 KB, patch
roc
: review+
kinmoz
: superreview+
asa
: approval+
Details | Diff | Splinter Review
Build ID: 2002-09-27-08, Windows 2000. Summary / Steps to Reproduce: According to my Talkback stack, trying to view http://www.wheelhouse.com, crashes in: 1021 zParentChain->ConvertFromParentCoords(&ancestorX, &ancestorY); Robert, sorry to implicate you, but looks like you were last here ;-( Probably fallout from bug 168294. sView::GetClippedRect [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 1021] nsViewManager::UpdateView [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 1610] nsViewManager::UpdateView [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 1479] nsViewManager::SetViewContentTransparency [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 2899] nsHTMLContainerFrame::CreateViewForFrame [c:/builds/seamonkey/mozilla/layout/html/base/src/nsHTMLContainerFrame.cpp, line 667] nsCSSFrameConstructor::ConstructFrameByDisplayType [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 6382] nsCSSFrameConstructor::ConstructFrameInternal [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 7435] nsCSSFrameConstructor::ConstructFrame [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 7284] nsCSSFrameConstructor::ProcessChildren [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 12254] nsCSSFrameConstructor::ConstructTableCellFrame [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 2929] nsCSSFrameConstructor::TableProcessChild [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 3192] nsCSSFrameConstructor::TableProcessChildren [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 3087] nsCSSFrameConstructor::ConstructTableRowFrame [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 2773] nsCSSFrameConstructor::TableProcessChild [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 3178] nsCSSFrameConstructor::TableProcessChildren [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 3087] nsCSSFrameConstructor::ConstructTableRowGroupFrame [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 2664] nsCSSFrameConstructor::TableProcessChild [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 3172] nsCSSFrameConstructor::TableProcessChildren [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 3087] nsCSSFrameConstructor::ConstructTableFrame [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 2545] nsCSSFrameConstructor::ConstructFrameByDisplayType [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 6603] nsCSSFrameConstructor::ConstructFrameInternal [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 7435] nsCSSFrameConstructor::ConstructFrame [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 7284] nsCSSFrameConstructor::ProcessInlineChildren [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 13743] nsCSSFrameConstructor::ConstructInline [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 13519] nsCSSFrameConstructor::ConstructFrameByDisplayType [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 6476] nsCSSFrameConstructor::ConstructFrameInternal [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 7435] nsCSSFrameConstructor::ConstructFrame [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 7284] nsCSSFrameConstructor::ProcessBlockChildren [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 13438] nsCSSFrameConstructor::ConstructBlock [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 13387] nsCSSFrameConstructor::ConstructFrameByDisplayType [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 6545] nsCSSFrameConstructor::ConstructFrameInternal [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 7435] nsCSSFrameConstructor::ConstructFrame [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 7284] nsCSSFrameConstructor::ContentAppended [c:/builds/seamonkey/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 8537] StyleSetImpl::ContentAppended [c:/builds/seamonkey/mozilla/content/base/src/nsStyleSet.cpp, line 1527] PresShell::ContentAppended [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 5286] nsDocument::ContentAppended [c:/builds/seamonkey/mozilla/content/base/src/nsDocument.cpp, line 2113] nsHTMLDocument::ContentAppended [c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 1407] HTMLContentSink::NotifyAppend [c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 5271] SinkContext::FlushTags [c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 2228] HTMLContentSink::OpenHead [c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 3246] CNavDTD::OpenHead [c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp, line 3115] CNavDTD::AddHeadLeaf [c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp, line 3840] CNavDTD::HandleStartToken [c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp, line 1763] CNavDTD::HandleToken [c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp, line 913] CNavDTD::BuildModel [c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp, line 530] nsParser::BuildModel [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1890] nsParser::ResumeParse [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1754] nsParser::OnDataAvailable [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 2390] nsDocumentOpenInfo::OnDataAvailable [c:/builds/seamonkey/mozilla/uriloader/base/nsURILoader.cpp, line 246] nsHttpChannel::OnDataAvailable [c:/builds/seamonkey/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 3035] nsOnDataAvailableEvent::HandleEvent [c:/builds/seamonkey/mozilla/netwerk/base/src/nsStreamListenerProxy.cpp, line 204] PL_HandleEvent [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 647] PL_ProcessPendingEvents [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 580] _md_EventReceiverProc [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 1330] nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 472] main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1538] main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1886] WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1906] WinMainCRTStartup() KERNEL32.DLL + 0x1ca90 (0x77e9ca90) Additional Info: x86 Registers: EAX: 00000000 EBX: 02da7158 ECX: 00000000 EDX: 029419c8 ESI: 00000000 EDI: 00000000 ESP: 0012e548 EBP: 0012e56c EIP: 61381ede CF pf AF zf SF of IF df nt RF vm IOPL: 0 CS: 001b DS: 0023 SS: 0023 ES: 0023 FS: 0038 GS: 0000 Code Around the PC: 61381ede 2b792c sub edi,[ecx+0x2c] 61381ee1 8b7130 mov esi,[ecx+0x30] 61381ee4 8b4908 mov ecx,[ecx+0x8] 61381ee7 2975fc sub [ebp-0x4],esi 61381eea 3bcb cmp ecx,ebx 61381eec 75f0 jnz 61381ede 61381eee 897df8 mov [ebp-0x8],edi 61381ef1 8bda mov ebx,edx 61381ef3 85db test ebx,ebx 61381ef5 746c jz 61381f63 61381ef7 8b5358 mov edx,[ebx+0x58] 61381efa 33f6 xor esi,esi 61381efc 8bca mov ecx,edx
Yes, this is mine.
Status: NEW → ASSIGNED
QA Contact: petersen → amar
Priority: -- → P2
Attached file simplified testcase
This testcase demonstrates the bug. You may not be able to get it to crash, but it constructs the same invalid view hierarchy as at wheelhouse.com.
What appears to be happening is that the block-in-inline code is moving the outer TABLE frame to be a sibling of the relatively-positioned SPAN. However, the absolutely-positioned SPAN inside the TABLE still gets the relatively-positioned SPAN as its containing block. Thus the absolutely-positioned SPAN's containing block is NOT one of its ancestors, which screws up views (and probably other things).
OK ... so here's more analysis: The table is align="left", so it gets style "float:left". This triggers the code if (isFloating) { geometricParent = aState.mFloatedItems.containingBlock; } in nsCSSFrameConstructor::ConstructFrameByDisplayType. The problem is that now we have set the table's geometric parent to the containing block for floaters (which is the BODY, I think), but the frame construction state has a different idea of what the containing block for absolutes should be --- in this case, a child block of the floater containing block. So it seems we should reset aState.mAbsoluteItems.containingBlock inside the above "if (isFloating)".
Attached file insanity
This insane testcase shows how ugly things can get. There is no proper nesting of containing blocks in CSS2.1.
Here's what has to be done: -- We have to create a view for each float, so we can record in the view what the "zParent" (aka content parent) view is for the float. This should also fix a bug we undoubtedly have where floats inside relatively-positioned elements aren't put into the right z-index stacking context. -- We have to modify nsCSSFrameConstructor so that the contentParent frame is passed everywhere, including into TABLE construction, where it can be handed to nsHTMLContainerFrame::CreateViewForFrame. -- We have to modify the view system to not rely on the assumption that a view's containing parent view is an containing ancestor of (or equal to) the view's content parent view. (It is, however, a content ancestor of the view's content parent view.)
I will do the last step first (remove the view system's invalid assumption about containing block containment), which will fix the crasher and make these examples work. Then I'll do the other two steps in a separate patch.
Summary: Crash in [@ nsView::GetClippedRect] at http://www.wheelhouse.com → Unusual non-nested containing blocks causes crash in views
Attached patch Proposed patch (obsolete) — Splinter Review
This needs a bit more testing. In particular it's hard to see if the new logic in nsView.cpp is working, because there are other bugs which make absolutely positioned content inside relatives not display.
Attached patch comprehensive fix (obsolete) — Splinter Review
This patch fixes the bug completely. The 'insanity' testcase now works 100% correctly! (OK, some assertions in layout fire, but the result is correct.) The patch does a few things: -- Get rid of nsView "compositor flags" and change the only use of them to something much simpler -- The main point: remove the assumption in views that the geometric parent of a view is a geometric ancestor of the view's content parent. This accounts for the changes in CreateDisplayList and nsView::GetClippedRect. The main idea is to not reparent during CreateDisplayList but to do all reparenting in one pass over the entire tree at the end. We also modify an optimization that's unsafe in the presence of arbitrary reparenting. This is what actually fixes the crasher. -- To actually test this properly and make sure that reparenting was working in evil cases like the 'insanity' test, I had to fix a longstanding bug involving relatively positioned elements with absolutely positioned children. It turned out to be simply a matter of turning back on some code that was turned off two and a half years ago... This fix should fix a lot of bugs reported against relative positioning.
Attachment #101508 - Attachment is obsolete: true
My last comment is not quite true. As you can see, to fix the problems with relative positioning, I had to change a call to SyncFrameViewAfterReflow to PositionFrameView. The SyncFrameViewAfterReflow call was passing in "null" for the overflowarea, basically chopping off any overflow.
Note that we don't need to call SyncFrameViewAfterReflow because it only sizes and positions the view, and the size has already been set by a call to ResizeView when the inline frame was reflowed.
r=karnaze for the changes to nsBlockFrame and nsInlineFrame. I think the patch I'm working on for splitting abs pos frames does the same thing to nsInlineFrame, and it sounds like this patch will help that effort in other ways. I'm not as familar with the change to nsBlockFrame, but comment #11 sounds like a reasonable explanation.
Comment on attachment 101658 [details] [diff] [review] comprehensive fix r=kmcclusk@netscape.com for view module changes
Attachment #101658 - Flags: review+
*** Bug 173062 has been marked as a duplicate of this bug. ***
topcrash on the the Trunk && testcase -> topcrash+. (Just a formality for the automation.)
Keywords: topcrash+
Summary: Unusual non-nested containing blocks causes crash in views → Unusual non-nested containing blocks causes crash in views [@ nsView::GetClippedRect]
kin found a problem in the patch. I'll post another patch soon.
To simplify things I have decided to split the patch into two orthogonal pieces: a views patch which fixes the crasher here, and a layout patch which fixes the views-on-inlines issues. I will attach the layout patch to 131475. The patches are independent.
Attached patch Views patchSplinter Review
This is just the changes to the view system. Alone, they fix the crasher.
Attachment #101658 - Attachment is obsolete: true
Comment on attachment 102411 [details] [diff] [review] Views patch carrying forward r=kmcclusk
Attachment #102411 - Flags: review+
Comment on attachment 102411 [details] [diff] [review] Views patch sr=kin@netscape.com ==== Make sure the lines in your new comments are less than 80 chars. ==== Can you put some returns between the NS_VIEW_FLAG_* defines in nsView.h. so that they are a bit easier to read? ==== I must admit that this was a bit confusing to me (how can something be totally opaque and transparent) until you explained the use of the NS_VIEW_FLAG_TRANSPARENT flag to me. Perhaps the comment for this flag in nsView.h should mention how it is used? - mVFlags = 0; + mVFlags = NS_VIEW_FLAG_TRANSPARENT; mOpacity = 1.0f;
Attachment #102411 - Flags: superreview+
*** Bug 173787 has been marked as a duplicate of this bug. ***
Comment on attachment 102411 [details] [diff] [review] Views patch a=asa for checkin to 1.2beta (on behalf of drivers)
Attachment #102411 - Flags: approval+
fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Reproduced using FizzillaCFM/2002100308. Setting All/All.
OS: Windows 2000 → All
Hardware: PC → All
WFM on Windows NT with build 2002101108
Verified FIXED with trunk 2002-10-13-08 builds on RedHat 8.0, Windows 2000 and Mac OS X 10.1.5
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsView::GetClippedRect]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: