Closed Bug 331679 Opened 18 years ago Closed 18 years ago

Crash involving ::-moz-table-row-group, overflow, position, and opacity [@ nsIView::GetOffsetTo]

Component: Core :: Layout: Tables (defect)
Platform: PowerPC / macOS
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Reporter: jruderman
Assignee: bernd_mozilla
Whiteboard: [sg:critical] (4 keywords)
Attachments: 5 files

[sg:critical] because before I reduced the testcase, I got crashes with random addresses on top.  The only reduced testcases I managed to make were for nondeterministic null dereferences, so I will retest with the original file once this is fixed.

Stack signatures (functions on top of the stack) included:

[@ nsIView::GetOffsetTo] 
[@ nsCSSFrameConstructor::BeginBuildingScrollFrame] -- with random at top 
[@ nsCSSFrameConstructor::ContentInserted] 
[@ nsHTMLContainerFrame::CreateViewForFrame] 
[@ IncrementalReflow::AddCommand] 
[@ nsHTMLReflowState::InitConstraints]
Usually crashes after about 10 reloads.
Whiteboard: [sg:critical]
###!!! ASSERTION: unexpected second call to SetInitialChildList: 'Not Reached',
file d:/moz_src/mozilla/layout/generic/nsContainerFrame.cpp, line 108

This happens on the scroll frame around the rowgroup, which is an abs. containing block.
So what's GetAbsoluteContainingBlock returning here, and why?
Depends on: 330909
Flags: blocking1.9a1?
rowgroup pseudos are the parent frames at pseudoFrames.mRowGroup.mFrame. If however we build a scrollframe for the rowgroup, we have the scrollframe there and then we put the row on the childlist of the.... scrollframe already occupied by the rowgroupframe. (The typical case of: NOBODY expects the Spanish Inquisition!)
No longer depends on: 330909
Attached patch: patch
This code has been wrong since it was written; the typical effect is that we lose the rowframe and all its children. Then it's only a question of what you stuffed inside this row to determine where we crash. Abs. pos with opacity seems nice; the abs. pos animated gif should work too. I guess we need to get this, once it has baked, back to branches.
Attachment #219269 - Flags: superreview?(bzbarsky)
Attachment #219269 - Flags: review?(bzbarsky)
Attachment #219269 - Flags: superreview?(bzbarsky)
Attachment #219269 - Flags: superreview+
Attachment #219269 - Flags: review?(bzbarsky)
Attachment #219269 - Flags: review+
fix checked in, open for some stress tests by Jesse 
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: nobody → bernd_mozilla
Status: REOPENED → NEW
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Depends on: 336291
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.5? → blocking1.8.0.5+
Attachment #219269 - Flags: approval-branch-1.8.1?(roc)
Attachment #219269 - Flags: approval-branch-1.8.1?(roc) → approval-branch-1.8.1+
Comment on attachment 219269 [details] [diff] [review]
patch

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #219269 - Flags: approval1.8.0.5+
fix checked in into branches
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US;
rv:1.8.0.5) Gecko/20060626 Firefox/1.5.0.5, no crash with testcase.
(In reply to comment #0)
> [sg:critical] because before I reduced the testcase, I got crashes with random
> addresses on top.  The only reduced testcases I managed to make were for
> nondeterministic null dereferences, so I will retest with the original file
> once this is fixed.

Jesse: Do you still have the original testcase, and if so did this really fix it?

asac: I don't think anyone tested this on the 1.7 branch.
I think I tested the original testcase (and various intermediate testcases) shortly after this was fixed and didn't hit any more crashes.  I think the more recent fix for bug 331883 affects how Gecko thinks about this testcase.
Attached patch: 1.0.x patch
https://bugzilla.mozilla.org/attachment.cgi?id=216197
ff2b2 no crash windows, linux, macppc

https://bugzilla.mozilla.org/attachment.cgi?id=216414&action=view
ff2b2 windows, linux, macppc no crash; windows, linux no assert

https://bugzilla.mozilla.org/attachment.cgi?id=219177
ff2b2 windows, linux, macppc; windows, linux no assert
verified fixed 1.8
Flags: blocking1.9a1?
Group: security
Flags: in-testsuite?
Crashtests checked in.
Flags: in-testsuite? → in-testsuite+
The crashtests trigger CSS errors because bug 331883 has been fixed -- web pages cannot reference these internal pseudo-elements at all.
Crash Signature: [@ nsIView::GetOffsetTo]