Closed Bug 283385 Opened 21 years ago Closed 21 years ago

Crash [@ nsBlockBandData::Init] using position:fixed on embed with unknown plugin

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta2

People

(Reporter: martijn.martijn, Assigned: bzbarsky)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(3 files, 2 obsolete files)

Testcase (crashes on load)
231 bytes, text/html
Details
Stack
4.77 KB, text/plain
Details
Tested and all
17.75 KB, patch
roc
: review+
roc
: superreview+
Details | Diff | Splinter Review
See upcoming testcase. talkback ID: 3894316 nsBlockBandData::Init [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsBlockBandData.cpp, line 70] nsBlockFrame::Reflow [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsBlockFrame.cpp, line 694] nsContainerFrame::ReflowChild [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 957] nsObjectFrame::HandleChild [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsObjectFrame.cpp, line 1473] nsObjectFrame::Reflow [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsObjectFrame.cpp, line 1074] nsAbsoluteContainingBlock::ReflowAbsoluteFrame [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp, line 689] nsAbsoluteContainingBlock::Reflow [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp, line 208] ViewportFrame::Reflow [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsViewportFrame.cpp, line 300] IncrementalReflow::Dispatch [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp, line 908] PresShell::ProcessReflowCommands [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp, line 6368] ReflowEvent::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp, line 6194] PL_HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/xpcom/threads/plevent.c, line 699] SHELL32.dll + 0x520c24 (0x778b0c24)
Severity: normal → critical
Summary: Crash [@ nsBlockBandData::Init] using position:fixed on embed with unknown plugin → Crash [@ nsBlockBandData::Init] using position:fixed on embed with unknown plugin
I don't crash with: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20050104 Firefox/1.0+ 7:58am I do crash with: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20050105 Firefox/1.0+ 8:11am http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-01-04+07%3A00%3A00&maxdate=2005-01-05+09%3A00%3A00&cvsroot=%2Fcvsroot There is a difference between Firefox and Mozilla here. In latest Firefox trunk builds, I crash directly with the testcase. In latest Mozilla trunk build, I have to do a reload and after that it usually crashes.
Keywords: regression
I would guess thats a followup of the pluginfinder landing from bug 244125
So the problem here is the following frame structure: Viewport Object Block The block doesn't have the space manager bit set, because it's inserted dynamically and GetFloatContainingBlock will fall back on mInitialContainingBlock if it doesn't find anything else. So in ConstructBlockFrame we don't set the space manager bit here... Then when we reflow we have a null space manager, and crash. The only reason this doesn't bite "normal" fixed-pos blocks is that they create a NS_NewAbsoluteItemWrapperFrame, which sets the SPACE_MGR and MARGIN_ROOT flags. Now in all this, I think the behavior of GetFloatContainingBlock is wrong. As things stand, mInitialContainingBlock can be a box, or a table, or an svg outer. Falling back to it as a containing block for floats is wrong, especially because it leads to different behavior between a full frame construct from the top (which only pushes actual block roots as the float containing block) and dynamic insertions (which use GetFloatContainingBlock).
Flags: blocking1.8b2?
OK, just fixing that does not help enough... The next problem is that GetFloatContainingBlock() assumes anything with BLOCK or LIST_ITEM display is a good float containing block. That's clearly not true in this case... The problem then is what we really want to look for here. Clearly frames of type block and area are ok. Probably need legend. And fieldset. And so forth... Perhaps we should have a virtual "IsFloatContainingBlock()" on nsIFrame? And only return true from block frames? That's the only way I see short of hardcoding a list of all possible frame types that floats could live inside.
Attached file Stack
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050227 Firefox/1.0+ The testcase crashes for me.
Ben, we know it crashes, why it crashes, and event what the right fix should probably be.... see bug comments.
(In reply to comment #5) > Perhaps we should have a virtual "IsFloatContainingBlock()" on nsIFrame? And > only return true from block frames? That's the only way I see short of > hardcoding a list of all possible frame types that floats could live inside. yeah
Blocks: 286111
Attached patch Patch (obsolete) — Splinter Review
Untested thus far... but should also fix the issues in bug 285165.
Blocks: 285165
Attached patch This should do it.... (obsolete) — Splinter Review
Attachment #177711 - Flags: superreview?(roc)
Attachment #177711 - Flags: review?(roc)
Note, even with that patch the testcase will crash when you _leave_ the page (that's bug 286004, as far as I can tell).
Comment on attachment 177711 [details] [diff] [review] This should do it.... Actually, this doesn't help, because the object hack doesn't even use the frame constructor...
Attachment #177711 - Flags: superreview?(roc)
Attachment #177711 - Flags: superreview-
Attachment #177711 - Flags: review?(roc)
Attachment #177711 - Flags: review-
Attached patch Tested and allSplinter Review
The nsObjectFrame change is the only change strictly necessary for this bug, I guess... but the rest of it really does need to happen too.
Attachment #177701 - Attachment is obsolete: true
Attachment #177711 - Attachment is obsolete: true
Attachment #177769 - Flags: superreview?(roc)
Attachment #177769 - Flags: review?(roc)
Attachment #177769 - Flags: superreview?(roc)
Attachment #177769 - Flags: superreview+
Attachment #177769 - Flags: review?(roc)
Attachment #177769 - Flags: review+
Assignee: nobody → bzbarsky
Fixed.
Status: NEW → RESOLVED
Closed: 21 years ago
OS: Windows XP → All
Hardware: PC → All
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.8beta2
Flags: blocking1.8b2?
*** Bug 304332 has been marked as a duplicate of this bug. ***
Crash Signature: [@ nsBlockBandData::Init]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: