Closed Bug 191246 Opened 22 years ago Closed 21 years ago

[FIX]Crash [@ nsObjectFrame::GetDesiredSize] when object is fixed pos

Categories

(Core :: Layout: Positioned, defect, P1)

Product:
Core
Component:
Layout: Positioned
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.4beta

People

(Reporter: bzbarsky, Assigned: bzbarsky)

References

(
URL
)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(2 files, 2 obsolete files)

testcase
162 bytes, text/html
Details
Version 1.1
27.57 KB, patch
peterlubczynski-bugs
: review+
roc
: superreview+
Details | Diff | Splinter Review 
STEPS TO REPRODUCE: Click the link in the "url" field

ACTUAL RESULTS: crash

EXPECTED RESULT: act like a browser instead of wimping out

PROBLEM: Bug 131065 introduced the following code in nsObjectFrame::GetDesiredSize:

904     else {// unconstrained percent case
905       nsCOMPtr<nsIAtom>  fType;
906       const nsHTMLReflowState* cbrs = aReflowState.parentReflowState;
907       nsIFrame* f = cbrs->parentReflowState->frame;
908       f->GetFrameType(getter_AddRefs(fType));

This code has one little problem -- it's missing some major null-checking,
starting with the fact that for fixed-positioned frames there _is_ no parent
reflow state (this coule be construed as a bug in the viewport frame, but read
on).  If there were, you're getting the _grandparent_ too and not checking it.
jerry, please let me know asap if you won't have time to fix this, ok?  Thank you.
Flags: blocking1.3b?
Oh, and the code that does

936         else NS_ASSERTION(containingBlockRS, "no containing block");

is 1)  Silly (just use NS_ERROR) and 2) Wrong (since that's a perfectly valid
situation to be in).

Finally, I can't shake the feeling that when you do

const nsHTMLReflowState* containingBlockRS = aReflowState.parentReflowState;

you mean mCBReflowState, not parentReflowState (and that should save you all
that manual state-chain walking too, since it's all rolled into
mCBReflowState)... but I can't figure out what "problem" this code is trying to
solve (some documentation as to _why_ you're doing as opposed to _what_ you're
doing would have been mighty nice here)...
Attached file testcase 

    
    

    
  
I am tempted to back out bug 131065 and reopen it for a real fix, since the
patch that landed just seems incredibly bogus to me.  Anyone have any better
suggestions?

    
    

    
  
This crasher is pretty low in the talkback data. I don't think we should hold
1.3b for this. That's not to say we wouldn't take a fix if we had one.
Flags: blocking1.3b? → blocking1.3b-

    
    

    
  
assign it to me.
Assignee: position → jerry.tan

    
    

    
  
bz, add a null check maybe easy,
but I dont know what is the size of the object if its position is fixed,
and with percent height.
Status: NEW → ASSIGNED

    
    

    
  
Shouldn't the layout engine be dealing with all this on a generic basis? Why on
earth does the <object> element need to know about any of this? Calculating
one's width from a percentage is a hugely complicated problem (think inlines,
run-in, etc) and you can't just take your parent or grandparent to work it out.

    
    

    
  
Ian is right.  The mComputedHeight in the reflow state should not be
unconstrained, imo, if the height is a percentage value for a fixed-pos element.
 It should be that percentage of the viewport, which is its containing block.

Which brings me to the question... why is this code ignoring the
mComputedHeight/mComputedWidth in the reflow state???  Is there a reason the
reflow state is not useful in this case?  nsImageFrame seems to do just fine
with using it....  And I suspect if you just used them when they are not
unconstrained things would work just fine.

Let's fix this correctly, ok?  Just a null-check is _not_ the right fix.

Again, what is this code trying to do?  Can someone explain that in words?  What
is the problem we are trying to solve, at least?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch for it (obsolete)
        — Splinter Review
      

    


  
Let's explain bug 131065 's history 
  It is a regresstion caused by 106602
  Here is some code from its patch.
   ...
    if (NS_UNCONSTRAINEDSIZE != aReflowState.availableHeight)
      aMetrics.height = NSToCoordRound (factor * aReflowState.availableHeight);

    else // unconstrained percent case
      aMetrics.height = (NS_UNCONSTRAINEDSIZE == aReflowState.mComputedHeight)
? 0 : aReflowState.mComputedHeight;
  }
 
it works well in some case.

but it ignor some other case, 
you can see http://bugzilla.mozilla.org/show_bug.cgi?id=131065#c75

so bug 131065 exists.

after reading bz's comments, I notice that I make a mistake,
I can use aReflowState.mComputedHeight, if it is not zero.

    
    

    
  
mComputedHeight should already have the factor and all that stuff in it.  You
shouldn't have to be doing any of that "check my own style" stuff at all....

That, and as I said you want to walk the containing block reflow state chain,
not the parentReflowState chain, no?

    
    

    
  
See bug 131065 comment 91 and bug 131065 comment 92.

Basically, the patch in bug 131065 completely broke sizing of percentage-sized
<object> elements, even in standards mode.

The cause, I suspect, is once again the lack of use of the mComputedHeight/Width.

Jerry, can you possibly get a patch for this working in time for 1.3?  If not,
do we want to back out bug 131065?  It seems to me that the cure is worse than
the disease, unless I'm missing something major here.
Flags: blocking1.3?

    
    

    
  
We're not seeing this in topcrash data. Does this break real-world sites. If
this is a regression for september then this made it into at least one major
release and still hasn't generated lots of dupes or topcrash data. 
I thikn we'd take a safe fix for a crash but we're not going to hold the release
for this. 
Flags: blocking1.3? → blocking1.3-

    
    

    
  
> Does this break real-world sites.

Yes.  This crash was initially noted on a real-world site (forget the fact that
it breaks layout on real-world sites).

Could someone involved in the initial fix please give me an evaluation of how
many sites would break if we backed out bug 131065?
QA Contact: ian → nobody

    
    

    
  
Jerry says he has no plans to work on this.... I'll try to get to it sometime....
Assignee: jerry.tan → bzbarsky
Status: ASSIGNED → NEW
Priority: -- → P1
Target Milestone: --- → mozilla1.4beta

    
  
Blocks: 196280

    
    

    
  
jkeiser, this is the bug you were interested in....

I've put some testcases in
http://web.mit.edu/bzbarsky/www/testcases/object-layout/ -- the actual testcases
are in the four subdirs; the toplevel dir just has some template files and a
script to generate the testcases.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Proposed patch (obsolete)
        — Splinter Review
      

    


  
This fixes this crash, the sizing issues raised in bug 131065, the
sizing/placement issues in bug 196280.	It doesn't seem to break anything too
badly, except the case of %-height plugins in standards mode in auto-height
parents (they get 0 height).  Which I'd be happy to fix if someone can come up
with a reasonable way to get the intrinsic size of a plugin (hint, hint; can we
add this to the plugin API??)

        Attachment #113942 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 119538 [details] [diff] [review]
Proposed patch

Peter, David, would you review?

David, this is largely your patch from bug 131065 (I still don't understand why
it did not get used!), but I made the case when we have a child frame a little
more predictable (should reflow like the <object> frame isn't there, more or
less).

        Attachment #119538 -
        Flags: superreview?(dbaron)

        Attachment #119538 -
        Flags: review?(peterl)

    
    

    
  
Oh, this fixes some other sizing issues too (eg look at the iframe/image
testcases in a current nightly on the various table testcases....)

    
  
Summary: Crash [@ nsObjectFrame::GetDesiredSize] when object is fixed pos → [FIX]Crash [@ nsObjectFrame::GetDesiredSize] when object is fixed pos

    
    

    
  
Why can't %-height plugins in standards mode be treated like auto-height plugins?

    
    

    
  
They are.  Auto-height plugins get 0 height (both before my patch and after it).
 See
http://web.mit.edu/bzbarsky/www/testcases/object-layout/object-layout-flash-with-width/simpleUnconstrained.html
for the testcase.

I suppose we could just make up a random height for auto-height plugins... Or we
could fix the plugin API to allow asking the plugin for its preferred size.

    
    

    
  
Comment on attachment 119538 [details] [diff] [review]
Proposed patch

I want to make a few tweaks here....

        Attachment #119538 -
        Flags: superreview?(dbaron)

        Attachment #119538 -
        Flags: review?(peterl)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Version 1.1Splinter Review
      

    


  
Better comments, more cleanup, better HandleChild code...

        Attachment #119538 -
        Attachment is obsolete: true

    
  

        Attachment #119582 -
        Flags: superreview?(dbaron)

        Attachment #119582 -
        Flags: review?(peterl)

    
    

    
  
Comment on attachment 119582 [details] [diff] [review]
Version 1.1

Note, the nsIWidget include needs to move from the cpp to the header....

    
  

        Attachment #119582 -
        Flags: superreview?(dbaron) → superreview?(roc+moz)

    
    

    
  
Looks good basically, but one question: if we can't get an intrinsic size,
wouldn't it make more sense to use the EMBED_DEF default size instead of "0"?
For Web authors, at least, the former lets you know that the plugin is there
even if it has the wrong size ... somewhat less confusing than just failing to
appear.

    
    

    
  
I considered doing that...  If Peter is OK with it, I'll do it, sure. The only
danger is things sizing "too big", and since it seems that IE gives some sort of
default size to things, I'm not sure how much of a danger that is....



    
    

    
  
I'm pulling a tree now and I'll need to run through a few sites to test the patch.

See bug 70976 about intrinsic sizing for plugins. The old XPCOM Plugin API
provided a method called SetWindowSize that was never implemented in
nsPluginInstancePeer.cpp.

Also, would it be possible for the default size to be specified in CSS?



    
    

    
  
We can specify the default size in CSS, but the author can always override
it to "auto" in the author style sheet.  So we need the fallback in
the C++ anyway....

    
    

    
  
I don't think we can specify a default size in CSS just for plugins, right? It
would apply to all OBJECTs including images and IFRAMEs. So we probably don't
want to do that.

    
    

    
  
Yeah, that too.

    
    

    
  
Comment on attachment 119582 [details] [diff] [review]
Version 1.1

r=peterl

        Attachment #119582 -
        Flags: review?(peterl) → review+

    
    

    
  
Comment on attachment 119582 [details] [diff] [review]
Version 1.1

oh...I think nsObjectFrame.h needs a #include "nsIWidget.h" now that it's a
COMPtr, seems that accessible depends on it.

    
    

    
  
Yes, see comment 24.  ;)

    
    

    
  
Comment on attachment 119582 [details] [diff] [review]
Version 1.1

roc, I think I'd like to go with this for now and find someone with IE to test
before I try to do a default size for <object>....

That said, Peter and I have been talking about trying to get real intrinsic
sizing working.

Anyway, let me know please if you really want default nonzero size as part of
this patch....

        Attachment #119582 -
        Flags: superreview?(roc+moz) → superreview+

    
    

    
  
Checked in.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED

    
    

    
  
This fixing lead to regression, see:
http://www.mozilla.org/quality/browser/front-end/testcases/oji/test7.html

the x% height don't work.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
That was done on purpose.  Per spec, those percent heights should do absolutely
nothing in this case.  If you feel that we must absolutely have a quirk for this
in quirks mode (we already have some quirks for the common case of 100% height
<applet>/<object> in a table cell), please file a separate bug requesting such a
quirk.  But I'd need to see sites that actually break due to lack of said quirk...

In general, please file new bugs for regressions (and comment in the bug that
caused the regression, but do not reopen it).
Status: REOPENED → RESOLVED
Closed: 21 years ago21 years ago
Resolution: --- → FIXED

    
  
Blocks: 211530
Crash Signature: [@ nsObjectFrame::GetDesiredSize]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: