Closed
Bug 11633
Opened 25 years ago
Closed 25 years ago
[Crash] Removing absolute positioned table via DOM causes crash
Categories
(Core :: DOM: Core & HTML, defect, P1)
Tracking
()
VERIFIED
FIXED
M11
People
(Reporter: hhedberg, Assigned: troy)
References
()
Details
(Whiteboard: [TESTCASE] removing abs pos table causes crash)
Attachments
(1 file)
|
551 bytes,
text/html
|
Details |
If document includes absolute positioned table (or maybe something other absoulete positioned elements) and this table or it's ancestor are being removed by removeChild or replaceChild etc. application crashes. No matter if the table is in html or made dynamically. The only thing that seems to affect is absolute positioning CSS2 style attribute. Steps to reproduce: 1) View http://www.iki.fi/hhedberg/bugzilla/removecrash.html or code included. 2) Click header labeled "Press here to crash!". Code tries to remove table from document, but crashes when removeChild is executed. Occurs on both viewer and apprunner at least on Linux, build 1999081001 and M8. ----8<---- <html> <head> <title>Bug</title> <script language="JavaScript"> function clickListener(e) { node = document.getElementById( "crashtable" ); node.parentNode.removeChild( node ); } function setup() { document.getElementById( "crashbutton" ).onclick = clickListener; } </script> </head> <body onload="setup()"> <h1 id="crashbutton">Click here to crash!</h1> <table id="crashtable" style="position:absolute"> <tr> <td>Table cell </td> </tr> </table> </body> </html>
|
||
Comment 1•25 years ago
|
||
|
|
||
Updated•25 years ago
|
Summary: Removing absolute positioned table via DOM causes crash → [Crash] Removing absolute positioned table via DOM causes crash
Whiteboard: [TESTCASE] removing abs pos table causes crash
|
|
||
Comment 2•25 years ago
|
||
Tried this out on Win98 19980816 nightly build. Crash.
In a debug build (from sometime last week, I think), I see the following assertions when I load the (most recent) testcase: Assertion: "no placeholder frame" (nsnull != placeholderFrame) at file nsHTMLReflowState.cpp, line 408 Note: verifyreflow is disabled Assertion: "no placeholder frame" (nsnull != placeholderFrame) at file nsHTMLReflowState.cpp, line 408 Assertion: "no placeholder frame" (nsnull != placeholderFrame) at file nsHTMLReflowState.cpp, line 408 and the following when I click the 'crash' button. Assertion: "no placeholder frame" (nsnull != placeholderFrame) at file nsHTMLReflowState.cpp, line 408 Assertion: "no placeholder frame" (nsnull != placeholderFrame) at file nsHTMLReflowState.cpp, line 408 Assertion: "can't find deleted frame in lines" (nsnull != line) at file nsBlockFrame.cpp, line 4325 Assertion: "bad prevSibling" (tmp == aDeletedFrame) at file nsBlockFrame.cpp, line 4329 Assertion: "whoops, continuation without a parent" (nsnull != flow) at file nsBlockFrame.cpp, line 4430
Crashes are all M11/P1/critical.
|
||
Updated•25 years ago
|
Assignee: vidur → karnaze
|
|
||
Comment 5•25 years ago
|
||
Handing over to karnaze to take a look, though the stack for the eventual crash
seems block layout related:
nsBlockFrame::DoRemoveFrame(nsIPresContext * 0x017e90a0, nsIFrame * 0x01790210)
line 4714 + 3 bytes
nsBlockFrame::RemoveFrame(nsBlockFrame * const 0x01781510, nsIPresContext &
{...}, nsIPresShell & {...}, nsIAtom * 0x00000000, nsIFrame * 0x01790210) line
4550 + 16 bytes
nsAreaFrame::RemoveFrame(nsAreaFrame * const 0x01781510, nsIPresContext & {...},
nsIPresShell & {...}, nsIAtom * 0x00000000, nsIFrame * 0x01790210) line 179 + 25
bytes
FrameManager::RemoveFrame(FrameManager * const 0x01777660, nsIPresContext &
{...}, nsIPresShell & {...}, nsIFrame * 0x01781510, nsIAtom * 0x00000000,
nsIFrame * 0x01790210) line 381
nsCSSFrameConstructor::ContentRemoved(nsCSSFrameConstructor * const 0x01777b40,
nsIPresContext * 0x017e90a0, nsIContent * 0x0177905c, nsIContent * 0x0178323c,
int 3) line 6133 + 61 bytes
StyleSetImpl::ContentRemoved(StyleSetImpl * const 0x01777be0, nsIPresContext *
0x017e90a0, nsIContent * 0x0177905c, nsIContent * 0x0178323c, int 3) line 907
PresShell::ContentRemoved(PresShell * const 0x01777a38, nsIDocument *
0x017e3970, nsIContent * 0x0177905c, nsIContent * 0x0178323c, int 3) line 1746 +
50 bytes
nsDocument::ContentRemoved(nsDocument * const 0x017e3970, nsIContent *
0x0177905c, nsIContent * 0x0178323c, int 3) line 1652
nsHTMLDocument::ContentRemoved(nsHTMLDocument * const 0x017e3970, nsIContent *
0x0177905c, nsIContent * 0x0178323c, int 3) line 1071
nsGenericHTMLContainerElement::RemoveChildAt(int 3, int 1) line 2844
nsGenericHTMLContainerElement::RemoveChild(nsIDOMNode * 0x01783230, nsIDOMNode *
* 0x0012ebb0) line 2647 + 14 bytes
nsHTMLBodyElement::RemoveChild(nsHTMLBodyElement * const 0x01779050, nsIDOMNode
* 0x01783230, nsIDOMNode * * 0x0012ebb0) line 170 + 22 bytes
NodeRemoveChild(JSContext * 0x015e2360, JSObject * 0x00e297d0, unsigned int 1,
long * 0x00d86fe4, long * 0x0012ec6c) line 561 + 25 bytes
...
|
||
Updated•25 years ago
|
Assignee: karnaze → troy
|
|
||
Comment 6•25 years ago
|
||
Troy, I'm getting the following crash on loading the page. If the table code
needs to do something special when it is absolutely positioned, please let me
know.
nsDebug::Assertion(const char * 0x018633ec, const char * 0x018633d0, const char
* 0x01863398, int 439) line 181 + 13 bytes
nsHTMLReflowState::InitAbsoluteConstraints(nsIPresContext & {...}, const
nsHTMLReflowState * 0x0012f3d0, int 9120, int 1073741824) line 439 + 32 bytes
nsHTMLReflowState::InitConstraints(nsIPresContext & {...}, int 9120, int
1073741824) line 1102
nsHTMLReflowState::Init(nsIPresContext & {...}, int -1, int -1) line 177
nsHTMLReflowState::nsHTMLReflowState(nsIPresContext & {...}, const
nsHTMLReflowState & {...}, nsIFrame * 0x01b10530, const nsSize & {width=9120
height=1073741824}) line 134
nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x01b16034, nsIPresContext &
{...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned
int & 0) line 898
nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame * 0x01afded0,
nsIPresContext & {...}, const nsHTMLReflowState & {...}, int -1, int -1,
nsIFrame * 0x01b16030, int 0, unsigned int & 0) line 276 + 34 bytes
nsAbsoluteContainingBlock::Reflow(nsIFrame * 0x01afded0, nsIPresContext & {...},
const nsHTMLReflowState & {...}, int -1, int -1) line 146
nsAreaFrame::Reflow(nsAreaFrame * const 0x01afded4, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 450 + 34 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x01afded0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 372 + 28 bytes
RootFrame::Reflow(RootFrame * const 0x01afc044, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 330
There are a couple of problems here. The first problem is that you seem to be giving both the outer table frame and the inner table frame the same style contexts That's bad and it means that the inner table frame style suggests that it is also absolutely positioned. That's why we hit the assert. I will add some code to the HTML reflow state logic so it checks to make sure the frame has the NS_FRAME_OUT_OF_FLOW bit set. If not, it will assume the frame was not actually moved out of the flow You really need to fix this problem
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
|
||
Updated•25 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 8•25 years ago
|
||
verified
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•