Closed Bug 131008 Opened 22 years ago Closed 18 years ago

Crash with 1 line of XUL [@ nsHTMLContainerFrame::CreateViewForFrame ][@ nsIFrame::GetView ]

Categories

(Core :: Layout, defect, P4)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Milestone:
Future

People

(Reporter: mike, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files)

Minimal testcase
334 bytes, application/vnd.mozilla.xul+xml
Details
Mac OS X crash
10.13 KB, text/plain
Details 
... or maybe it isn't XUL. First off, this is almost certainly invalid markup,
but it gives me definite, 100% repeatable crashes on 0.9.9 Win98:

<?xml-stylesheet href="chrome://global/skin" type="text/css"?>

<window xmlns:html="http://www.w3.org/1999/xhtml"
	xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
	xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
	id="MainWindow"
	title="IWindow Test">
	

	<div style="width: 200px; height: 200px; background: lightblue; display:float;
position:absolute">abc</div>


</window>

Okay, there's almost certainly something wrong with that style, it's ages since
I did any CSS and I was never especially good at it anyway ;) Talkback IDs for
this one are:

TB4049014W
TB4049006H
email: mike@theoretic.com
Keywords: crash
Stack trace from talkback (both id's have identical stacks):

nsHTMLContainerFrame::CreateViewForFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLContainerFrame.cpp, line
555]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6103]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7107]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6963]
nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 12048]
nsCSSFrameConstructor::ConstructDocElementFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 3296]
nsCSSFrameConstructor::ContentInserted
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 8598]
StyleSetImpl::ContentInserted
[d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp, line 1452]
PresShell::InitialReflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 2633]
nsXULDocument::StartLayout
[d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp, line 4403]
nsXULDocument::ResumeWalk
[d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp, line 5945]
nsXULDocument::OnStreamComplete
[d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp, line 6162]
nsStreamLoader::OnStopRequest
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamLoader.cpp, line 163]
nsFileChannel::OnStopRequest
[d:\builds\seamonkey\mozilla\netwerk\protocol\file\src\nsFileChannel.cpp, line 483]
nsOnStopRequestEvent::HandleEvent
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsRequestObserverProxy.cpp, line 213]
PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 591]
PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c,
line 524]
_md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line
1072]
KERNEL32.DLL + 0x242e7 (0xbff942e7)
0x00648c16
Attached file Minimal testcase 
All that's needed is the "position:absolute"
Also crashing build 2002031221 on Linux.
OS -> All.
Keywords: testcase
OS: Windows 98 → All
Hardware: PC → All
Changing QA contact
QA Contact: petersen → moied
Priority: -- → P4
Target Milestone: --- → Future
still crashing using Linux build 20021128, same stack as comment 1.
Keywords: clean-report
Summary: Crash with 1 line of XUL → Crash with 1 line of XUL [@ nsHTMLContainerFrame::CreateViewForFrame ]
reassign
Assignee: attinasi → other
QA Contact: moied → ian
ran into this myself, nasty.
So the problem here is that nsCSSFrameConstructor::ConstructDocElementFrame only
pushes the root element as an absolute containing block if isBlockFrame is set.
 For XUL, it is _not_ set (it's not a blockframe).

The result is that we end up constructing an abs pos frame with a null parent
later on, and nsHTMLContainerFrame::CreateViewForFrame does not null-check the
result of GetParent().

It's not clear to me, frankly, how exactly a XUL box would go about being an
absolute containing block (I think I can see how it would have to act; we would
need a lot of work to get that working, though...).
(My crashes (TB23304148, TB23287311) on minimal testcase were with
nsIFrame::GetView signature, so adding it to summary)
Summary: Crash with 1 line of XUL [@ nsHTMLContainerFrame::CreateViewForFrame ] → Crash with 1 line of XUL [@ nsHTMLContainerFrame::CreateViewForFrame ][@ nsIFrame::GetView ]
Attached file Mac OS X crash 
same crash, but on Mac OS X 10.2.8

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7a) Gecko/20031223
Oh I see, that it's probably the same as bug 229263
Blocks: 229263
wfm winxp 2004111204
This is covered over on trunk by some null-checks that effectively disable
positioning in XUL....  Those really need to be removed, though.
Depends on: 137216
The Minimal testcase WFM using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060526 Minefield/3.0a1 ID:2006052604
The testcase is also wfm with:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060916
Minefield/3.0a1
Most likely fixed by bug 231776.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/54417ebbaea2
Flags: in-testsuite+
Crash Signature: [@ nsHTMLContainerFrame::CreateViewForFrame ] [@ nsIFrame::GetView ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: