Closed
Bug 696175
Opened 13 years ago
Closed 13 years ago
Crash [@ nsLineBox::CachedIsEmpty] with inline acting as an absolute containing block
Categories
(Core :: Layout, defect, P1)
VERIFIED
FIXED
mozilla10
Tracking | Status | |
---|---|---|
firefox10 | - | --- |
People
(Reporter: jruderman, Assigned: bzbarsky)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, testcase, Whiteboard: [qa!])
Crash Data
Attachments
(4 files)
Opt stack: bp-42918735-b72d-489c-9a40-3b5742111020
Comment 1•13 years ago (Reporter)
Comment 2•13 years ago
The nsLineBox here has been deleted. The dtor stack is:

```
Breakpoint 8, nsLineBox::~nsLineBox (this=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:86
86 MOZ_COUNT_DTOR(nsLineBox);
#0 nsLineBox::~nsLineBox (this=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:86
#1 0x000000010165c6d5 in nsLineBox::~nsLineBox (this=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:85
#2 0x000000010165c90c in nsLineBox::Destroy (this=0x108035f70, aPresShell=0x12098f540) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:116
#3 0x00000001015e3a3a in nsBlockReflowState::FreeLineBox (this=0x7fff5fbf0398, aLine=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockReflowState.cpp:163
#4 0x00000001015d2ca8 in nsBlockFrame::PullFrameFrom (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine=0x108035aa0, aFromContainer=0x108034ee8, aFromOverflowLine=false, aFromLine={mCurrent = 0x108035f70, mListLink = 0x108034f60}) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:2668
#5 0x00000001015d2541 in nsBlockFrame::PullFrame (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:2561
#6 0x00000001015d46aa in nsBlockFrame::DoReflowInlineFrames (this=0x108034ee8, aState=@0x7fff5fbf0398, aLineLayout=@0x7fff5fbef238, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aFloatAvailableSpace=@0x7fff5fbef360, aAvailableSpaceHeight=@0x7fff5fbef358, aFloatStateBeforeLine=0x7fff5fbef330, aKeepReflowGoing=0x7fff5fbefdfb, aLineReflowStatus=0x7fff5fbef35c, aAllowPullUp=true) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3625
#7 0x00000001015d21e4 in nsBlockFrame::ReflowInlineFrames (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aKeepReflowGoing=0x7fff5fbefdfb) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3449
#8 0x00000001015cf8d5 in nsBlockFrame::ReflowLine (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aKeepReflowGoing=0x7fff5fbefdfb) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:2536
#9 0x00000001015cb3e6 in nsBlockFrame::ReflowDirtyLines (this=0x108034ee8, aState=@0x7fff5fbf0398) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:1962
```

Crash stack is:

```
#0 0x000000010165d49e in nsLineBox::IsEmpty (this=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:274
#1 0x000000010165d580 in nsLineBox::CachedIsEmpty (this=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:295
#2 0x000000010164425f in nsHTMLReflowState::CalculateHypotheticalBox (this=0x7fff5fbee068, aPresContext=0x120954a00, aPlaceholderFrame=0x108035a40, aContainingBlock=0x108034ee8, aBlockLeftContentEdge=0, aBlockContentWidth=480, cbrs=0x7fff5fbee9e8, aHypotheticalBox=@0x7fff5fbed928, aFrameType=0x10015e310) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:957
#3 0x0000000101644a61 in nsHTMLReflowState::InitAbsoluteConstraints (this=0x7fff5fbee068, aPresContext=0x120954a00, cbrs=0x7fff5fbee9e8, containingBlockWidth=0, containingBlockHeight=960, aFrameType=0x10015e310) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:1125
#4 0x0000000101642fab in nsHTMLReflowState::InitConstraints (this=0x7fff5fbee068, aPresContext=0x120954a00, aContainingBlockWidth=0, aContainingBlockHeight=960, aBorder=0x0, aPadding=0x0, aFrameType=0x10015e310) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:1812
#5 0x00000001016413c1 in nsHTMLReflowState::Init (this=0x7fff5fbee068, aPresContext=0x120954a00, aContainingBlockWidth=0, aContainingBlockHeight=960, aBorder=0x0, aPadding=0x0) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:289
#6 0x000000010164188c in nsHTMLReflowState::nsHTMLReflowState (this=0x7fff5fbee068, aPresContext=0x120954a00, aParentReflowState=@0x7fff5fbee9e8, aFrame=0x108035900, aAvailableSpace=@0x7fff5fbee060, aContainingBlockWidth=0, aContainingBlockHeight=960, aInit=true) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:179
#7 0x00000001016414c3 in nsHTMLReflowState::nsHTMLReflowState (this=0x7fff5fbee068, aPresContext=0x120954a00, aParentReflowState=@0x7fff5fbee9e8, aFrame=0x108035900, aAvailableSpace=@0x7fff5fbee060, aContainingBlockWidth=0, aContainingBlockHeight=960, aInit=true) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:137
#8 0x00000001015c30d0 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame (this=0x136507db0, aDelegatingFrame=0x108035810, aPresContext=0x120954a00, aReflowState=@0x7fff5fbee9e8, aContainingBlockWidth=0, aContainingBlockHeight=960, aConstrainHeight=true, aKidFrame=0x108035900, aStatus=@0x7fff5fbee468, aOverflowAreas=0x7fff5fbee9bc) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsAbsoluteContainingBlock.cpp:422
#9 0x00000001015c24bf in nsAbsoluteContainingBlock::Reflow (this=0x136507db0, aDelegatingFrame=0x108035810, aPresContext=0x120954a00, aReflowState=@0x7fff5fbee9e8, aReflowStatus=@0x7fff5fbeed7c, aContainingBlockWidth=0, aContainingBlockHeight=960, aConstrainHeight=true, aCBWidthChanged=true, aCBHeightChanged=true, aOverflowAreas=0x7fff5fbee9bc) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsAbsoluteContainingBlock.cpp:155
#10 0x0000000101605f9b in nsFrame::ReflowAbsoluteFrames (this=0x108035810, aPresContext=0x120954a00, aDesiredSize=@0x7fff5fbee990, aReflowState=@0x7fff5fbee9e8, aStatus=@0x7fff5fbeed7c) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsFrame.cpp:3899
#11 0x0000000101659156 in nsInlineFrame::Reflow (this=0x108035810, aPresContext=0x120954a00, aMetrics=@0x7fff5fbee990, aReflowState=@0x7fff5fbee9e8, aStatus=@0x7fff5fbeed7c) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsInlineFrame.cpp:417
#12 0x00000001016618ef in nsLineLayout::ReflowFrame (this=0x7fff5fbef238, aFrame=0x108035810, aReflowStatus=@0x7fff5fbeed7c, aMetrics=0x0, aPushedFrame=@0x7fff5fbeed7b) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineLayout.cpp:860
#13 0x00000001015d50b1 in nsBlockFrame::ReflowInlineFrame (this=0x108034ee8, aState=@0x7fff5fbf0398, aLineLayout=@0x7fff5fbef238, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aFrame=0x108035810, aLineReflowStatus=0x7fff5fbef0e8) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3801
#14 0x00000001015d4747 in nsBlockFrame::DoReflowInlineFrames (this=0x108034ee8, aState=@0x7fff5fbf0398, aLineLayout=@0x7fff5fbef238, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aFloatAvailableSpace=@0x7fff5fbef360, aAvailableSpaceHeight=@0x7fff5fbef358, aFloatStateBeforeLine=0x7fff5fbef330, aKeepReflowGoing=0x7fff5fbefdfb, aLineReflowStatus=0x7fff5fbef35c, aAllowPullUp=true) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3632
#15 0x00000001015d21e4 in nsBlockFrame::ReflowInlineFrames (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aKeepReflowGoing=0x7fff5fbefdfb) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3449
#16 0x00000001015cf8d5 in nsBlockFrame::ReflowLine (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aKeepReflowGoing=0x7fff5fbefdfb) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:2536
#17 0x00000001015cb3e6 in nsBlockFrame::ReflowDirtyLines (this=0x108034ee8, aState=@0x7fff5fbf0398) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:1962
#18 0x00000001015c856b in nsBlockFrame::Reflow (this=0x108034ee8, aPresContext=0x120954a00, aMetrics=@0x7fff5fbf0e40, aReflowState=@0x7fff5fbf0b90, aStatus=@0x7fff5fbf0b74) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:1051
#19 0x00000001015e2cfb in nsBlockReflowContext::ReflowBlock (this=0x7fff5fbf0e10, aSpace=@0x7fff5fbf0c88, aApplyTopMargin=false, aPrevMargin=@0x7fff5fbf1f78, aClearance=0, aIsAdjacentWithTop=true, aLine=0x108035ae0, aFrameRS=@0x7fff5fbf0b90, aFrameReflowStatus=@0x7fff5fbf0b74, aState=@0x7fff5fbf1eb8) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockReflowContext.cpp:294
#20 0x00000001015d0e16 in nsBlockFrame::ReflowBlockFrame (this=0x108034dc0, aState=@0x7fff5fbf1eb8, aLine={mCurrent = 0x108035ae0, mListLink = 0x108034e38}, aKeepReflowGoing=0x7fff5fbf191b) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3173
#21 0x00000001015cf4e6 in nsBlockFrame::ReflowLine (this=0x108034dc0, aState=@0x7fff5fbf1eb8, aLine={mCurrent = 0x108035ae0, mListLink = 0x108034e38}, aKeepReflowGoing=0x7fff5fbf191b) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:2480
#22 0x00000001015cb3e6 in nsBlockFrame::ReflowDirtyLines (this=0x108034dc0, aState=@0x7fff5fbf1eb8) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:1962
#23 0x00000001015c856b in nsBlockFrame::Reflow (this=0x108034dc0, aPresContext=0x120954a00, aMetrics=@0x7fff5fbf2960, aReflowState=@0x7fff5fbf26b0, aStatus=@0x7fff5fbf2694) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:1051
#24 0x00000001015e2cfb in nsBlockReflowContext::ReflowBlock (this=0x7fff5fbf2930, aSpace=@0x7fff5fbf27a8, aApplyTopMargin=true, aPrevMargin=@0x7fff5fbf3a98, aClearance=0, aIsAdjacentWithTop=true, aLine=0x108034e60, aFrameRS=@0x7fff5fbf26b0, aFrameReflowStatus=@0x7fff5fbf2694, aState=@0x7fff5fbf39d8) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockReflowContext.cpp:294
```

They diverge at nsBlockFrame::DoReflowInlineFrames (frame 6/14 respectively). The placeholder frame (PresContext->PresShell()->FrameManager()->GetPlaceholderFrameFor) for frame 0x108035900, is still holding a pointer to the same line box as was destroyed via PullFrame. Anyone know more about the lifetimes of these objects?
Comment 3•13 years ago (Assignee)
Line box lifetime is "as long as there is stuff on the line"...
Comment 4•13 years ago
Sorry, I meant in particular, why we're deleting the line box, when a pointer to it is still held by the placeholder frame.
Comment 5•13 years ago (Assignee)
Hmm. Is this the mCachedLineBox pointer? That working correctly is predicated on the placeholder always being reflowed before the nsAbsoluteContainingBlock::ReflowAbsoluteFrame for its out-of-flow; nsPlaceholderFrame::Reflow updates mCachedLineBox. Sounds like that's failing for some reason. Do you want to debug that, or want me to?
Comment 6•13 years ago
It is indeed. It might be easier for you to debug it if you know this code. I'll give it a shot if you're busy though.
Comment 7•13 years ago (Assignee)
OK. So in this case the transformed inline is the absolute containing block. And it has the placeholder on its overflow list when the abs pos element is being reflowed! There's actually an XXX comment about that in CalculateHypotheticalBox:

```
// XXXbz the placeholder is not fully reflowed yet if our containing block is
// relatively positioned...
```

When I added mCachedLineBox, I'd thought that in that code aContainingBlock was actually the CSS containing block. But it's not. It's the containing block of the _placeholder_, which in this case is the nsBlockFrame.

roc, do you think we can just go through the "no line box" case for an inline parent? Or should I try to reinstate the slow block iterator path for that case?
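The failure mode worked out in comments 2 to 7, a cached line reference that is refreshed only at reflow and outlives the line it names, modelled as an added example that is not part of the bug thread and is not Gecko code. A generation-checked handle stands in for the raw pointer, and a stale handle falls back to a scan of the lines; `Block`, `LineRef`, `Placeholder`, `HypotheticalBoxLine` and `RunScenario` are hypothetical names.

```cpp
// Added illustration with hypothetical names; this is a model, not Gecko code.
#include <cstdint>
#include <utility>
#include <vector>

struct LineRef { uint32_t slot, gen; };  // checked handle instead of a raw line pointer
struct Line { uint32_t gen = 1; bool live = true; std::vector<int> frames; };
class Block {
  std::vector<Line> lines_;
 public:
  LineRef AddLine(std::vector<int> frames) {
    Line l; l.frames = std::move(frames); lines_.push_back(std::move(l));
    return LineRef{uint32_t(lines_.size() - 1), 1};
  }
  // Pull every frame of `from` onto `to`, then free the emptied line.
  void PullAll(LineRef to, LineRef from) {
    Line &src = lines_[from.slot], &dst = lines_[to.slot];
    dst.frames.insert(dst.frames.end(), src.frames.begin(), src.frames.end());
    src.frames.clear(); src.live = false; ++src.gen;  // old handles are now stale
  }
  // nullptr when the handle's line was freed since the handle was taken.
  const Line* Resolve(LineRef r) const {
    const Line* l = r.slot < lines_.size() ? &lines_[r.slot] : nullptr;
    return (l && l->live && l->gen == r.gen) ? l : nullptr;
  }
  bool FindLineOf(int frame, LineRef* out) const {  // slow path: scan the lines
    for (uint32_t i = 0; i < lines_.size(); ++i)
      for (int f : lines_[i].frames)  // freed lines hold no frames
        if (f == frame) { *out = LineRef{i, lines_[i].gen}; return true; }
    return false;
  }
};
struct Placeholder {
  int frameId; LineRef cached;  // cache refreshed only by Reflow()
  void Reflow(const Block& b) { b.FindLineOf(frameId, &cached); }
};
enum class Path { Cached, SlowScan, NoLine };
// Consumer trusts the cache only while it still resolves, else rescans.
Path HypotheticalBoxLine(const Block& b, Placeholder& p) {
  if (b.Resolve(p.cached)) return Path::Cached;
  return b.FindLineOf(p.frameId, &p.cached) ? Path::SlowScan : Path::NoLine;
}
// Constructed scenario: placeholder 7's line is freed by a pull before its next reflow.
Path RunScenario() {
  Block b; LineRef a = b.AddLine({1}), l2 = b.AddLine({7});
  Placeholder ph{7, {0, 0}}; ph.Reflow(b);
  b.PullAll(a, l2);
  return HypotheticalBoxLine(b, ph);
}
```

`RunScenario()` returns `Path::SlowScan`: the handle cached at the last reflow no longer resolves once the pull has freed its line, so the lookup rescans instead of reading freed state.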
Updated•13 years ago (Assignee)
Priority: -- → P1
Comment 8•13 years ago (Assignee)
Updated•13 years ago (Assignee)
Summary: Crash [@ nsLineBox::CachedIsEmpty] with scale3d transform → Crash [@ nsLineBox::CachedIsEmpty] with inline acting as an absolute containing block
(In reply to Boris Zbarsky (:bz) from comment #7)
> roc, do you think we can just go through the "no line box" case for an
> inline parent?

That would break auto positioning of abs-pos children of inlines, would it not?

> Or should I try to reinstate the slow block iterator path
> for that case?

Seems to me the best thing to do would be to fix layout of abs-pos elements whose container is a rel-pos inline. Although it's not clear how that should actually work in general ... consider an inline that breaks across a page, for example, with an abs-pos child with left:0, bottom:0. Which page should it be on? left:0, top:auto, where the placeholder ends up on the second page, is also interesting.
Our layout of this testcase is wrong too. We really need to change abs-pos layout so that the abs-pos children are not positioned until we've reflowed the last continuation for the container element. That would give us the problem of not having the right overflow areas calculated when the non-last-continuations finish Reflow(). But we can probably fix those up reusing the work in bug 524925.
Comment 12•13 years ago (Assignee)
> That would break auto positioning of abs-pos children of inlines, would it not?

Well... "break" in that it would use the placeholder position instead of the line box extents. How much do those differ in practice?

> But we can probably fix those up reusing the work in bug 524925.

Yes. Once that lands I'd sort of like to move to a model where we do all the abs pos reflow off a post-reflow callback or equivalent, once all the in-flow stuff is done. That would fix a bunch of bugs we have with rel pos inlines as containing blocks.

For Firefox 10, that's not happening. The options there are to back out bug 641341 on Aurora after the branchpoint or one of the options from comment 7. I'm tempted to restore the slow path for the rel-pos inline case, myself.
Comment 13•13 years ago (Assignee)
OK, talked to roc; I'm going to back bug 641341 out until we can do it right....
Comment 14•13 years ago (Assignee)
Backout done:
http://hg.mozilla.org/integration/mozilla-inbound/rev/5b3aeb566a97
http://hg.mozilla.org/integration/mozilla-inbound/rev/81583c38f47e
Comment 15•13 years ago
https://hg.mozilla.org/mozilla-central/rev/5b3aeb566a97
https://hg.mozilla.org/mozilla-central/rev/81583c38f47e

Boris, should this bug be resolved after the backout?
Comment 16•13 years ago (Assignee)
Yes. Thanks for merging that!
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 17•13 years ago
Verified as fixed with the first attached test case on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a1) Gecko/20111117
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0a2) Gecko/20111116 Firefox/10.0a2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0) Gecko/20100101 Firefox/9.0

Verified as fixed with the last two attached test cases on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0a2) Gecko/20111114 Firefox/10.0a2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0a1) Gecko/20111115 Firefox/11.0a1
Status: RESOLVED → VERIFIED
Component: Layout → Keyboard: Navigation
Whiteboard: [qa!]
Comment 18•13 years ago
sorry, changed the component by mistake...
Component: Keyboard: Navigation → Layout
Updated•13 years ago
Target Milestone: --- → mozilla10