Closed
Bug 145171
Opened 22 years ago
Closed 22 years ago
Layout crash on loading http://gdargaud.net/Photo/index.html#Sygma [@IsPercentageAwareChild]
Categories
(Core :: Layout, defect, P2)
Tracking
()
RESOLVED
WORKSFORME
Future
People
(Reporter: yaneti, Assigned: waterson)
References
()
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(3 files, 1 obsolete file)
|
711 bytes,
text/html
|
Details | |
|
5.58 KB,
patch
|
Details | Diff | Splinter Review | |
|
189 bytes,
text/html
|
Details |
from galeon bug http://bugzilla.gnome.org/show_bug.cgi?id=82018 Go to http://gdargaud.net/Photo/index.html#Sygma Mozilla 1.0rc2 (20020513) crashes with: #0 0x40e3fabf in IsPercentageAwareChild () from /usr/lib/mozilla/components/libgklayout.so #1 0x40e42ccf in nsBlockFrame::ReflowInlineFrame () from /usr/lib/mozilla/components/libgklayout.so #2 0x40e42bff in nsBlockFrame::DoReflowInlineFrames () from /usr/lib/mozilla/components/libgklayout.so #3 0x40e42997 in nsBlockFrame::DoReflowInlineFramesAuto () from /usr/lib/mozilla/components/libgklayout.so #4 0x40e4283c in nsBlockFrame::ReflowInlineFrames () from /usr/lib/mozilla/components/libgklayout.so #5 0x40e413c8 in nsBlockFrame::ReflowLine () from /usr/lib/mozilla/components/libgklayout.so #6 0x40e40b96 in nsBlockFrame::ReflowDirtyLines () from /usr/lib/mozilla/components/libgklayout.so #7 0x40e3f640 in nsBlockFrame::Reflow () from /usr/lib/mozilla/components/libgklayout.so #8 0x40e4c41b in nsContainerFrame::ReflowChild () from /usr/lib/mozilla/components/libgklayout.so #9 0x40eaa351 in nsFieldSetFrame::Reflow () from /usr/lib/mozilla/components/libgklayout.so #10 0x40e46a1a in nsBlockReflowContext::DoReflowBlock () from /usr/lib/mozilla/components/libgklayout.so #11 0x40e46576 in nsBlockReflowContext::ReflowBlock () from /usr/lib/mozilla/components/libgklayout.so #12 0x40e421a1 in nsBlockFrame::ReflowBlockFrame () from /usr/lib/mozilla/components/libgklayout.so #13 0x40e4101b in nsBlockFrame::ReflowLine () from /usr/lib/mozilla/components/libgklayout.so #14 0x40e40b96 in nsBlockFrame::ReflowDirtyLines () from /usr/lib/mozilla/components/libgklayout.so #15 0x40e3f640 in nsBlockFrame::Reflow () from /usr/lib/mozilla/components/libgklayout.so #16 0x40e4c41b in nsContainerFrame::ReflowChild () .......
|
||
Comment 2•22 years ago
|
||
confirmed with Linux CVS from 20020517 debug build complains as follows: ###!!! ASSERTION: bad geometric parent: 'mFrames.ContainsFrame(aChild)', file nsContainerFrame.cpp, line 922 Break: at file nsContainerFrame.cpp, line 922 ###!!! ASSERTION: failed to remove frame: 'result', file nsContainerFrame.cpp, line 960 Break: at file nsContainerFrame.cpp, line 960 ###!!! ASSERTION: No style context found!: 'mStyleContext', file ../../../../dist/include/layout/nsIFrame.h, line 564 Break: at file ../../../../dist/include/layout/nsIFrame.h, line 564 severity critical, crash keyword.
|
|
||
Comment 3•22 years ago
|
||
|
|
||
Comment 4•22 years ago
|
||
The crash started occurring due to the innocuous checkin for bug 139989. Note that the image extends out of the fieldset. That started occurring between 2002012911 and 2002013108, due to bug 120958. Unfortunately, backing that patch out of current CVS doesn't fix the crash.
|
Assignee | |
Comment 5•22 years ago
|
||
I'm unable to reproduce this with a current trunk build. Is this still a problem?
|
|
Assignee | |
Comment 6•22 years ago
|
||
Okay, I take that back. Just reproduced. Looking...
Assignee: attinasi → waterson
Priority: -- → P2
Target Milestone: --- → mozilla1.0.1
|
|
Assignee | |
Comment 7•22 years ago
|
||
Something funky going on here around the time we get that first assertion. The
child (Inline(a)(3)@0x87242f4) thinks its parent is the fieldset frame, not the
fieldset's content frame:
FieldSet(fieldset)(1)@0x8723838 [parent=0x871e858] next=0x8724414
{38,0,1543,4721} [state=00800005] [content=0x871fed0] [sc=0x8723708]<
Area(fieldset)(1)@0x872388c [parent=0x8723838] {0,0,1159,4275}
[state=0090000d] sc=0x8723908(i=6,b=0)<
line 0x87243e8: count=2 state=inline,clean,prevmarginclean,not
impacted,wrapped,nobr[0x2020] mew=1159 {0,0,874,266} ca={0,0,6836,4275} <
Placeholder(img)(1)@0x8724138 [parent=0x8723838] {0,209,0,0}
[state=00000004] outOfFlowFrame=Frame(img)(1)@0x8723ff4
Text(2)@0x872419c [parent=0x8723838][0,9,F] next=0x873b200
next-in-flow=0x873b200 {0,0,874,266} [state=20000024] sc=0x8724168<
"over the "
>
> floaters <
placeholder@0x8724138 Frame(img)(1) cl region={1136,0,5700,4275}
combinedArea={0,0,5700,4275}
>
line 0x873b248: count=1
state=inline,clean,prevmarginclean,impacted,wrapped,nobr[0x1028] {0,266,665,266} <
Text(2)@0x873b200 [parent=0x872388c][9,7,F] next=0x873b274
prev-in-flow=0x872419c next-in-flow=0x873b274 {0,266,665,266} [state=20000024]
sc=0x8724168<
"years, "
>
>
line 0x873b2bc: count=1
state=inline,clean,prevmarginclean,impacted,wrapped,nobr[0x1028] {0,532,684,266} <
Text(2)@0x873b274 [parent=0x872388c][16,7,F] next=0x873b2e8
prev-in-flow=0x873b200 next-in-flow=0x873b2e8 {0,532,684,266} [state=20000024]
sc=0x8724168<
"mainly "
>
>
line 0x873b330: count=1
state=inline,clean,prevmarginclean,impacted,wrapped,nobr[0x1028] {0,798,912,266} <
Text(2)@0x873b2e8 [parent=0x872388c][23,10,F] next=0x873b35c
prev-in-flow=0x873b274 next-in-flow=0x873b35c {0,798,912,266} [state=20000024]
sc=0x8724168<
"featuring "
>
>
line 0x873b3a4: count=2 state=inline,dirty,prevmarginclean,not impacted,not
wrapped,nobr[0x2001] {0,1064,1159,266} <
Text(2)@0x873b35c [parent=0x872388c][33,33,T] next=0x87242f4
prev-in-flow=0x873b2e8 {0,1064,3496,266} [state=40000024] sc=0x8724168<
"Antarctica, mountain climbing or "
>
Inline(a)(3)@0x87242f4 [parent=0x8723838] next=0x873b52c
next-in-flow=0x873b52c {0,1862,1444,266} [state=00000004] [content=0x87200d8]
[sc=0x8724264]<
Text(0)@0x8724360 [parent=0x87242f4][0,14,T] {0,0,1444,266}
[state=40000024] sc=0x872432c<
"other pictures"
>
>
>
line 0x873b564: count=2 state=inline,dirty,prevmargindirty,impacted,not
wrapped,nobr[0x200b] {0,2128,893,266} <
Inline(a)(3)@0x873b52c [parent=0x8723838] next=0x87243a4
prev-in-flow=0x87242f4 {0,2128,836,266} [state=00000004] [content=0x87200d8]
[sc=0x8724264]<>
Text(4)@0x87243a4 [parent=0x8723838][0,12,T] {836,2128,57,266}
[state=74000024] sc=0x8724168<
".\n "
>
>
Floater-list<
Frame(img)(1)@0x8723ff4 [parent=0x8723838] {1136,0,5700,4275}
[state=00000124] [content=0x8720d08] [src=http://gdargaud.net/300/AdelieBlueSky.jpg]
>
>
>
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 8•22 years ago
|
||
The fieldset frame overrides the frame manipulation code to append, insert, and replace frames into its child `content frame'. The problem is that it doesn't fix the new frames' parent pointers before doing so. This patch does the fixup, and adds an assertion in the block code to ensure that we can catch this sort of problem earlier.
|
|
Assignee | |
Comment 9•22 years ago
|
||
rods, could you r=? dbaron, you too? alex: do you know of any other fieldset bugs like this? (I thought that I'd seen a few...)
Comment on attachment 84956 [details] [diff] [review] fix r=dbaron. Presumably there aren't any issues with views, are there? (mContentFrame presumably doesn't have a view. Should that be an NS_ASSERTION?)
Attachment #84956 -
Flags: review+
|
|
Assignee | |
Comment 11•22 years ago
|
||
cc'ing kin for sr=?
|
|
Assignee | |
Comment 12•22 years ago
|
||
Oops, my assertion trips over the {ib} code.
dbaron, although I don't _think_ that views would be an issue in this specific
case, it might be nice to consolidate this logic. For example, the {ib} code
does a bunch of junk like this.
Let me run with this patch for a few more days to see what other assertions I
hit.
Attachment #84956 -
Attachment is obsolete: true
|
||
Comment 13•22 years ago
|
||
nop, i don't know any (important) fieldset bugs right now although i recall there was something sometime ago, hmmm. (sorry for the late response) maybe attinasi's in-box has some (there must be some :-)
Target Milestone: mozilla1.0.1 → mozilla1.1beta
|
|
Assignee | |
Updated•22 years ago
|
Target Milestone: mozilla1.1beta → Future
|
||
Comment 14•22 years ago
|
||
*** Bug 175724 has been marked as a duplicate of this bug. ***
|
||
Comment 15•22 years ago
|
||
My post (Bug 175724) has been marked as a duplicate of this one, so I post here instead. I have made a very small HTML file that makes my browser crash: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <STYLE> <!-- H2:first-letter { float: left; font-size: 0% } --> </STYLE> </HEAD> <BODY> <H2>Crash</H2> </BODY> </HTML> If font-size: 0% is changed to ex. 10% the browser doesent crach. Unfortunately OpenOffice.org generates HTML with this H2:first-letter { float: left; font-size: 0% } I hope this helps.
|
|
||
Comment 16•22 years ago
|
||
|
||
Comment 17•22 years ago
|
||
WFM on 21/23 Linux Trunk build. With 6/11/02 Trunk build on Linux, I crash using the testcase Jacob added in #6.
Keywords: testcase
|
|
||
Comment 18•22 years ago
|
||
worksforme with URL and testcases from comment 3 and comment 16 using linux trunk 20030106
|
||
Comment 19•22 years ago
|
||
Marking so.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → WORKSFORME
|
||
Updated•13 years ago
|
Crash Signature: [@IsPercentageAwareChild]
You need to log in
before you can comment on or make changes to this bug.
Description
•