Closed Bug 291520 Opened 19 years ago Closed 19 years ago

Crash [@ nsFrameList::DestroyFrames] with evil testcase using float:right and display:table-caption

Categories

(Core :: Layout: Tables, defect)

Product:
Core
Component:
Layout: Tables
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: bernd_mozilla)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(4 files)

Testcase
361 bytes, text/html
Details
Possible patch
13.41 KB, patch
Details | Diff | Splinter Review
Test some stuff
13.41 KB, text/html
Details
alternative crash fix
1.59 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
asa
: approval1.8b2+
Details | Diff | Splinter Review 
The upcoming testcase crashes Mozilla when hovering over the text.
Also happens in Mozilla1.7, so no recent regression.

Talkback ID: TB5285309E

nsFrameList::DestroyFrames 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsFrameList.cpp,
line 131]
nsTableOuterFrame::RemoveFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/tables/nsTableOuterFrame.cpp,
line 284]
nsCSSFrameConstructor::ContentRemoved 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 9793]
nsCSSFrameConstructor::RecreateFramesForContent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 11599]
nsCSSFrameConstructor::RestyleElement 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 10181]
nsCSSFrameConstructor::ProcessOneRestyle 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 13553]
nsCSSFrameConstructor::ProcessPendingRestyles 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 13601]
nsCSSFrameConstructor::RestyleEvent::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 13654]
SHELL32.dll + 0x520c24 (0x778b0c24)
Attached file Testcase 

    
    

    
  
Oops, almost forgot to CC you Bernd, which I promised I would do.

    
    

    
  
The reason this crashes, in general, is that floats get pretty confused when
inside a table-caption.  The reason is that the table-caption is a nsBlockFrame,
but doesn't push itself as the float containing block before processing
children.  As a result, thanks to the wonders of BuildFloatList, we end up with
frames on multiple frame lists at once, etc.

So the short-term fix is to push the float containing block here too.

A better fix is to maybe use ConstructBlock here (note that I think passing in
the table creator as we do in ConstructTableCaptionFrame is wrong, so that's not
an obstacle to using ConstructBlock).  That would also have the quite salutary
(imo) effect of making overflow, columns, etc work on table captions.  It
_would_ mean that tables can't assume the thing on the caption list is an
nsTableCaptionFrame, though...  But I don't see any casts in the code to that
concrete class, so that may be ok.

Finally, I still think that we should move all float-containing-block pushing
down into ProcessChildren() itself (conditioned on IsFloatContainingBlock())....
Blocks: 282173

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Possible patchSplinter Review
      

    


  
This fixes the crash for me (and some other asserts too, in the testcase I'm
about to attach).

        Attachment #181719 -
        Flags: superreview?(roc)

        Attachment #181719 -
        Flags: review?(bernd_mozilla)

    
    

    
  

      
      
      
      

        Attached file
          
        Test some stuff
      

    


  
I still get:

###!!! ASSERTION: We have to create a continuation, but the block doesn't want
us to reflow it?: 'aStatus & NS_FRAME_REFLOW_NEXTINFLOW', file
/home/bzbarsky/mozilla/xlib/mozilla/layout/generic/nsColumnSetFrame.cpp, line
519

with this testcase, but that may be due to me misusing column styles?  But the
assert about not being able to find a placeholder is gone and the abs pos text
is in the right place...

    
    

    
  
Note that with that patch we _will_ end up with a column-set frame constructed
by ConstructCaptionFrame as needed, which may confuse our
ContentAppended/ContentInserted logic...  bernd, you know that code best; will it?

Also notice that this still doesn't handle scrolling for captions....

    
    

    
  


  
I think the root of this bug is rather that the caption is not correctly marked
as a float containing block. I don't see how attachment 181719 [details] [diff] [review] addresses this
problem. <rant>I thought yesterday evening, hey you can code this tomorrow
morning, get out of bed, code it, test it and there is allready a patch
attached to the bug. Life can be brutal</rant>

    
    

    
  
s/I don't see how/It seems to me that we do to much with this patch, especially
now that I think I killed nearly all these small caption crashes/

    
    

    
  
> I think the root of this bug is rather that the caption is not correctly marked
> as a float containing block.

That's true.  Using ConstructBlock() to construct it would solve this problem
(because ConstructBlock() does the right thing), as well as fixing various other
issues with captions... The problem, as I said, is that it may put, say, a
column set frame in the caption list.  But since we need columns in captions
anyway, we need to make that work.

I guess I'd be ok with the limited change to ConstructTableCaptionFrame for now
and a followup bug filed to use ConstructBlock for captions.

    
    

    
  
Boris your testcase seems to be a patch rather than html

    
    

    
  
<sigh>... so it is.  And I no longer have the original file I was trying to
attach...   Briefly, the following _should_ work on captions but do not:

overflow:scroll
position:relative (becoming an abs pos containing block)
columns
being a float containing block

Your patch fixes #4.  My patch fixes #2, part of #3, and #4.  But yes, it's a
lot more invasive.  Perhaps better as 1.9 material.

    
    

    
  
Comment on attachment 181732 [details] [diff] [review]
alternative crash fix

lets take the small ride now and do the heavy lifting in  1.9

        Attachment #181732 -
        Flags: superreview?(bzbarsky)

        Attachment #181732 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 181719 [details] [diff] [review]
Possible patch

this will go into the followup bug

        Attachment #181719 -
        Flags: superreview?(roc)

        Attachment #181719 -
        Flags: review?(bernd_mozilla)

    
    

    
  
Comment on attachment 181732 [details] [diff] [review]
alternative crash fix

>Index: nsCSSFrameConstructor.cpp

>+  HaveSpecialBlockStyle(aContent, aStyleContext,
>+                          &haveFirstLetterStyle, &haveFirstLineStyle);

Fix the indent.

        Attachment #181732 -
        Flags: superreview?(bzbarsky)

        Attachment #181732 -
        Flags: superreview+

        Attachment #181732 -
        Flags: review?(bzbarsky)

        Attachment #181732 -
        Flags: review+

    
  
Assignee: nobody → bernd_mozilla

    
  
Status: NEW → ASSIGNED

    
    

    
  
Comment on attachment 181732 [details] [diff] [review]
alternative crash fix

The patch is medium risk, we postponed the heavy lifting towards 1.9. I
rtest'ed the patch.

        Attachment #181732 -
        Flags: approval1.8b2?

    
    

    
  
I filed bug 291854 on the "Finally" part of comment 3.

    
    

    
  
Comment on attachment 181732 [details] [diff] [review]
alternative crash fix

a=asa

        Attachment #181732 -
        Flags: approval1.8b2? → approval1.8b2+

    
    

    
  
fix checked in, the followup for the bigger solution is bug 282173
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
  
Status: RESOLVED → VERIFIED

    
    

    
  
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050429
Firefox/1.0+ 0251PDT

Testcase 1 behaviour has changed , it does not crash , but doesn't work good either.

this "regressed" beween the 20050428 16:58PDT build and 20050429 0251PDT build
which fits the checkin time

(I haven't got any other builds to get a more accurate time)


    
    

    
  
> but doesn't work good either.

Meaning what, exactly?

> this "regressed" beween the 20050428 16:58PDT build and 20050429 0251PDT build

Meaning what?  Before that, you couldn't even tell what the testcase looked
like, could you?  Since it crashed?

Bernd, bug 282173 isn't really a followup to this bug.  That bug covers float
issues, which are already fixed.  We need a followup on having captions be
blocks like any other block, with support for columns, absolute positioning,
etc...  I can file one if you don't have time; just let me know.

    
    

    
  
(In reply to comment #20)
> > but doesn't work good either.
> 
> Meaning what, exactly?
I don't know if it is supposed to wrap every word

    
    

    
  
Boris: for you I have always time, just ask :-) (There will be always a tomorrow
when I need help on irc). I will file one.
The wrapping of the caption is incr. reflow bug what happens is that the caption
thinks that it has a table with width 0 below it (so it tries to go to the
minimum width. We had  this in the other caption crashers too. I am not certain
that we dont allready have a bug on it. Peter if you dont find one, file one it
should be something

<table><caption> foo bar baz</caption> document.body.offsetHeight</table>

mabee it needs another empty row group after the layout breakpoint. The code for
it is in nsTableOuterFrame.cpp if you like to fix it.

    
    

    
  
(In reply to comment #22)
> The wrapping of the caption is incr. reflow bug what happens is that the caption
> thinks that it has a table with width 0 below it (so it tries to go to the
> minimum width. We had  this in the other caption crashers too. I am not certain
> that we dont allready have a bug on it. Peter if you dont find one, file one it
> should be something
> 
> <table><caption> foo bar baz</caption> document.body.offsetHeight</table>
> 
> mabee it needs another empty row group after the layout breakpoint. The code for
> it is in nsTableOuterFrame.cpp if you like to fix it.
The CSS goes well beyond what I know about what it supposed to do and why Bernd.
If a dupe bug was filed in technical terms i wouldn't even recognise it if I'd
be staring at it.



    
    

    
  
Note to self: bug 292756 is the followup bernd filed.
Crash Signature: [@ nsFrameList::DestroyFrames]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: