Closed Bug 291520 Opened 20 years ago Closed 20 years ago

Crash [@ nsFrameList::DestroyFrames] with evil testcase using float:right and display:table-caption

Categories

(Core :: Layout: Tables, defect)

Product:
Core
Component:
Layout: Tables
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: bernd_mozilla)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(4 files)

Testcase
361 bytes, text/html
Details
Possible patch
13.41 KB, patch
Details | Diff | Splinter Review
Test some stuff
13.41 KB, text/html
Details
alternative crash fix
1.59 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
asa
: approval1.8b2+
Details | Diff | Splinter Review
The upcoming testcase crashes Mozilla when hovering over the text. Also happens in Mozilla1.7, so no recent regression. Talkback ID: TB5285309E nsFrameList::DestroyFrames [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsFrameList.cpp, line 131] nsTableOuterFrame::RemoveFrame [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/tables/nsTableOuterFrame.cpp, line 284] nsCSSFrameConstructor::ContentRemoved [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9793] nsCSSFrameConstructor::RecreateFramesForContent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11599] nsCSSFrameConstructor::RestyleElement [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10181] nsCSSFrameConstructor::ProcessOneRestyle [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13553] nsCSSFrameConstructor::ProcessPendingRestyles [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13601] nsCSSFrameConstructor::RestyleEvent::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13654] SHELL32.dll + 0x520c24 (0x778b0c24)
Attached file Testcase
Oops, almost forgot to CC you Bernd, which I promised I would do.
The reason this crashes, in general, is that floats get pretty confused when inside a table-caption. The reason is that the table-caption is a nsBlockFrame, but doesn't push itself as the float containing block before processing children. As a result, thanks to the wonders of BuildFloatList, we end up with frames on multiple frame lists at once, etc. So the short-term fix is to push the float containing block here too. A better fix is to maybe use ConstructBlock here (note that I think passing in the table creator as we do in ConstructTableCaptionFrame is wrong, so that's not an obstacle to using ConstructBlock). That would also have the quite salutary (imo) effect of making overflow, columns, etc work on table captions. It _would_ mean that tables can't assume the thing on the caption list is an nsTableCaptionFrame, though... But I don't see any casts in the code to that concrete class, so that may be ok. Finally, I still think that we should move all float-containing-block pushing down into ProcessChildren() itself (conditioned on IsFloatContainingBlock())....
Blocks: 282173
Attached patch Possible patchSplinter Review
This fixes the crash for me (and some other asserts too, in the testcase I'm about to attach).
Attachment #181719 - Flags: superreview?(roc)
Attachment #181719 - Flags: review?(bernd_mozilla)
Attached file Test some stuff
I still get: ###!!! ASSERTION: We have to create a continuation, but the block doesn't want us to reflow it?: 'aStatus & NS_FRAME_REFLOW_NEXTINFLOW', file /home/bzbarsky/mozilla/xlib/mozilla/layout/generic/nsColumnSetFrame.cpp, line 519 with this testcase, but that may be due to me misusing column styles? But the assert about not being able to find a placeholder is gone and the abs pos text is in the right place...
Note that with that patch we _will_ end up with a column-set frame constructed by ConstructCaptionFrame as needed, which may confuse our ContentAppended/ContentInserted logic... bernd, you know that code best; will it? Also notice that this still doesn't handle scrolling for captions....
I think the root of this bug is rather that the caption is not correctly marked as a float containing block. I don't see how attachment 181719 [details] [diff] [review] addresses this problem. <rant>I thought yesterday evening, hey you can code this tomorrow morning, get out of bed, code it, test it and there is allready a patch attached to the bug. Life can be brutal</rant>
s/I don't see how/It seems to me that we do to much with this patch, especially now that I think I killed nearly all these small caption crashes/
> I think the root of this bug is rather that the caption is not correctly marked > as a float containing block. That's true. Using ConstructBlock() to construct it would solve this problem (because ConstructBlock() does the right thing), as well as fixing various other issues with captions... The problem, as I said, is that it may put, say, a column set frame in the caption list. But since we need columns in captions anyway, we need to make that work. I guess I'd be ok with the limited change to ConstructTableCaptionFrame for now and a followup bug filed to use ConstructBlock for captions.
Boris your testcase seems to be a patch rather than html
<sigh>... so it is. And I no longer have the original file I was trying to attach... Briefly, the following _should_ work on captions but do not: overflow:scroll position:relative (becoming an abs pos containing block) columns being a float containing block Your patch fixes #4. My patch fixes #2, part of #3, and #4. But yes, it's a lot more invasive. Perhaps better as 1.9 material.
Comment on attachment 181732 [details] [diff] [review] alternative crash fix lets take the small ride now and do the heavy lifting in 1.9
Attachment #181732 - Flags: superreview?(bzbarsky)
Attachment #181732 - Flags: review?(bzbarsky)
Comment on attachment 181719 [details] [diff] [review] Possible patch this will go into the followup bug
Attachment #181719 - Flags: superreview?(roc)
Attachment #181719 - Flags: review?(bernd_mozilla)
Comment on attachment 181732 [details] [diff] [review] alternative crash fix >Index: nsCSSFrameConstructor.cpp >+ HaveSpecialBlockStyle(aContent, aStyleContext, >+ &haveFirstLetterStyle, &haveFirstLineStyle); Fix the indent.
Attachment #181732 - Flags: superreview?(bzbarsky)
Attachment #181732 - Flags: superreview+
Attachment #181732 - Flags: review?(bzbarsky)
Attachment #181732 - Flags: review+
Assignee: nobody → bernd_mozilla
Status: NEW → ASSIGNED
Comment on attachment 181732 [details] [diff] [review] alternative crash fix The patch is medium risk, we postponed the heavy lifting towards 1.9. I rtest'ed the patch.
Attachment #181732 - Flags: approval1.8b2?
I filed bug 291854 on the "Finally" part of comment 3.
Comment on attachment 181732 [details] [diff] [review] alternative crash fix a=asa
Attachment #181732 - Flags: approval1.8b2? → approval1.8b2+
fix checked in, the followup for the bigger solution is bug 282173
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050429 Firefox/1.0+ 0251PDT Testcase 1 behaviour has changed , it does not crash , but doesn't work good either. this "regressed" beween the 20050428 16:58PDT build and 20050429 0251PDT build which fits the checkin time (I haven't got any other builds to get a more accurate time)
> but doesn't work good either. Meaning what, exactly? > this "regressed" beween the 20050428 16:58PDT build and 20050429 0251PDT build Meaning what? Before that, you couldn't even tell what the testcase looked like, could you? Since it crashed? Bernd, bug 282173 isn't really a followup to this bug. That bug covers float issues, which are already fixed. We need a followup on having captions be blocks like any other block, with support for columns, absolute positioning, etc... I can file one if you don't have time; just let me know.
(In reply to comment #20) > > but doesn't work good either. > > Meaning what, exactly? I don't know if it is supposed to wrap every word
Boris: for you I have always time, just ask :-) (There will be always a tomorrow when I need help on irc). I will file one. The wrapping of the caption is incr. reflow bug what happens is that the caption thinks that it has a table with width 0 below it (so it tries to go to the minimum width. We had this in the other caption crashers too. I am not certain that we dont allready have a bug on it. Peter if you dont find one, file one it should be something <table><caption> foo bar baz</caption> document.body.offsetHeight</table> mabee it needs another empty row group after the layout breakpoint. The code for it is in nsTableOuterFrame.cpp if you like to fix it.
(In reply to comment #22) > The wrapping of the caption is incr. reflow bug what happens is that the caption > thinks that it has a table with width 0 below it (so it tries to go to the > minimum width. We had this in the other caption crashers too. I am not certain > that we dont allready have a bug on it. Peter if you dont find one, file one it > should be something > > <table><caption> foo bar baz</caption> document.body.offsetHeight</table> > > mabee it needs another empty row group after the layout breakpoint. The code for > it is in nsTableOuterFrame.cpp if you like to fix it. The CSS goes well beyond what I know about what it supposed to do and why Bernd. If a dupe bug was filed in technical terms i wouldn't even recognise it if I'd be staring at it.
Note to self: bug 292756 is the followup bernd filed.
Crash Signature: [@ nsFrameList::DestroyFrames]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: