Crash when float:left is applied to a p:first-letter [@ nsHTMLReflowState::Init]

RESOLVED FIXED in mozilla1.0.1

Status

()

Core
Layout
P2
critical
RESOLVED FIXED
16 years ago
4 years ago

People

(Reporter: Kevin Cook, Assigned: karnaze (gone))

Tracking

(4 keywords)

Trunk
mozilla1.0.1
x86
All
crash, regression, testcase, topcrash+
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [PATCH], crash signature, URL)

Attachments

(2 attachments)

(Reporter)

Description

16 years ago
Mozilla crashes at http://www.lynuxworks.com/products/lynxos/lynxos.php3.  The
CSS style named "dropcap", found in the style sheet synergy-v5.css, appears to
be teh cause of the crash, when it applies float:left to the p.first-letter
pseudo-element.

Comment 1

16 years ago
wfm with Build 2002052809 on Win XP Pro

Comment 2

16 years ago
URL crashes for me too, using trunk 2002053008 on win2k - TB6844196K
confirming
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, stackwanted

Comment 3

16 years ago
Created attachment 85688 [details]
testcase

reduced test case. seems first-letter and first-line styles are both need to
cause crash, although it doesn't matter what style is applied to first-line.
paragraph needs at least 2 letters.

Updated

16 years ago
Keywords: testcase

Comment 4

16 years ago
wfm win2k sp2, m1 rc3
Stephend, could you get the stack?  TB6844196K
nsHTMLReflowState::Init [nsHTMLReflowState.cpp, line 316]
nsHTMLReflowState::nsHTMLReflowState [nsHTMLReflowState.cpp, line 256]
nsFirstLetterFrame::Reflow [nsFirstLetterFrame.cpp, line 236]
nsBlockReflowContext::DoReflowBlock [nsBlockReflowContext.cpp, line 570]
nsBlockReflowContext::ReflowBlock [nsBlockReflowContext.cpp, line 348]
nsBlockFrame::ReflowFloater [nsBlockFrame.cpp, line 5286]
nsBlockReflowState::FlowAndPlaceFloater [nsBlockReflowState.cpp, line 879]
nsBlockReflowState::AddFloater [nsBlockReflowState.cpp, line 681]
nsLineLayout::ReflowFrame [nsLineLayout.cpp, line 1177]
nsInlineFrame::ReflowInlineFrame [nsInlineFrame.cpp, line 717]
nsInlineFrame::ReflowFrames [nsInlineFrame.cpp, line 522]
nsFirstLineFrame::Reflow [nsInlineFrame.cpp, line 1066]
nsLineLayout::ReflowFrame [nsLineLayout.cpp, line 1104]
nsBlockFrame::ReflowInlineFrame [nsBlockFrame.cpp, line 3775]
nsBlockFrame::DoReflowInlineFrames [nsBlockFrame.cpp, line 3601]
nsBlockFrame::DoReflowInlineFramesAuto [nsBlockFrame.cpp, line 3491]
nsBlockFrame::ReflowInlineFrames [nsBlockFrame.cpp, line 3436]
nsBlockFrame::ReflowLine [nsBlockFrame.cpp, line 2594]
nsBlockFrame::ReflowDirtyLines [nsBlockFrame.cpp, line 2238]
nsBlockFrame::Reflow [nsBlockFrame.cpp, line 947]
nsBlockReflowContext::DoReflowBlock [nsBlockReflowContext.cpp, line 570]
nsBlockReflowContext::ReflowBlock [nsBlockReflowContext.cpp, line 348]
nsBlockFrame::ReflowBlockFrame [nsBlockFrame.cpp, line 3197]
nsBlockFrame::ReflowLine [nsBlockFrame.cpp, line 2460]
nsBlockFrame::ReflowDirtyLines [nsBlockFrame.cpp, line 2238]
nsBlockFrame::Reflow [nsBlockFrame.cpp, line 947]
nsBlockReflowContext::DoReflowBlock [nsBlockReflowContext.cpp, line 570]
nsBlockReflowContext::ReflowBlock [nsBlockReflowContext.cpp, line 348]
nsBlockFrame::ReflowBlockFrame [nsBlockFrame.cpp, line 3197]
nsBlockFrame::ReflowLine [nsBlockFrame.cpp, line 2460]
nsBlockFrame::ReflowDirtyLines [nsBlockFrame.cpp, line 2238]
nsBlockFrame::Reflow [nsBlockFrame.cpp, line 947]
nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 806]
nsTableCellFrame::Reflow [nsTableCellFrame.cpp, line 946]
nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 806]
nsTableRowFrame::ReflowChildren [nsTableRowFrame.cpp, line 1040]
nsTableRowFrame::Reflow [nsTableRowFrame.cpp, line 1458]
nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 806]
nsTableRowGroupFrame::ReflowChildren [nsTableRowGroupFrame.cpp, line 447]
nsTableRowGroupFrame::Reflow [nsTableRowGroupFrame.cpp, line 1211]
nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 806]
nsTableFrame::ReflowChildren [nsTableFrame.cpp, line 3313]
nsTableFrame::Reflow [nsTableFrame.cpp, line 2007]
nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 806]
nsTableOuterFrame::OuterReflowChild [nsTableOuterFrame.cpp, line 1027]
nsTableOuterFrame::Reflow [nsTableOuterFrame.cpp, line 1612]
nsBlockReflowContext::DoReflowBlock [nsBlockReflowContext.cpp, line 570]
nsBlockReflowContext::ReflowBlock [nsBlockReflowContext.cpp, line 348]
nsBlockFrame::ReflowBlockFrame [nsBlockFrame.cpp, line 3197]
nsBlockFrame::ReflowLine [nsBlockFrame.cpp, line 2460]
nsBlockFrame::ReflowDirtyLines [nsBlockFrame.cpp, line 2238]
nsBlockFrame::Reflow [nsBlockFrame.cpp, line 947]
nsBlockReflowContext::DoReflowBlock [nsBlockReflowContext.cpp, line 570]
nsBlockReflowContext::ReflowBlock [nsBlockReflowContext.cpp, line 348]
nsBlockFrame::ReflowBlockFrame [nsBlockFrame.cpp, line 3197]
nsBlockFrame::ReflowLine [nsBlockFrame.cpp, line 2460]
nsBlockFrame::ReflowDirtyLines [nsBlockFrame.cpp, line 2238]
nsBlockFrame::Reflow [nsBlockFrame.cpp, line 947]
nsContainerFrame::ReflowChild [nsContainerFrame.cpp, line 806]
CanvasFrame::Reflow [nsHTMLFrame.cpp, line 566]
nsBoxToBlockAdaptor::Reflow [nsBoxToBlockAdaptor.cpp, line 886]
nsBoxToBlockAdaptor::DoLayout [nsBoxToBlockAdaptor.cpp, line 627]
nsBox::Layout [nsBox.cpp, line 1052]
nsScrollBoxFrame::DoLayout [nsScrollBoxFrame.cpp, line 394] 
Keywords: stackwanted
To layout....
Assignee: dbaron → attinasi
Component: Style System → Layout
QA Contact: ian → petersen

Updated

16 years ago
Summary: Crash when float:left is applied to a p:first-letter → Crash when float:left is applied to a p:first-letter [@ nsHTMLReflowState::Init]

Updated

16 years ago
QA Contact: petersen → moied

Updated

16 years ago
Priority: -- → P2

Comment 8

16 years ago
Adding topcrash+ keyword, this is a topcrasher on the MozillaTrunk and we have a
testcase.
Keywords: topcrash+

Comment 9

16 years ago
i'm unable to repro the crash with a debug trunk build from 6/1 under linux.  i
tried both test cases.

Comment 10

16 years ago
nominating. Added impact. 
Keywords: nsbeta1
Whiteboard: [ADT1 RTM]
-> Karnaze
Assignee: attinasi → karnaze

Comment 12

16 years ago
*** Bug 150216 has been marked as a duplicate of this bug. ***

Comment 13

16 years ago
regression occurred between 2002052808 and 2002052809 (trunk)
backing out bug 145305 fixes the crash
OS=>All
Keywords: regression
OS: Windows 98 → All

Comment 14

16 years ago
*** Bug 150459 has been marked as a duplicate of this bug. ***

Comment 15

16 years ago
*** Bug 150656 has been marked as a duplicate of this bug. ***

Comment 16

16 years ago
Bug 150656 showed that this crash also happens on Shaver's blog:

http://off.net/~shaver/diary/
(Assignee)

Updated

16 years ago
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.0.1
(Assignee)

Comment 17

16 years ago
Created attachment 87226 [details] [diff] [review]
patch to fix the bug
(Assignee)

Updated

16 years ago
Whiteboard: [ADT1 RTM] → [ADT1 RTM][PATCH]

Comment 18

16 years ago
*** Bug 150890 has been marked as a duplicate of this bug. ***
Any idea why you're ending up with an incomplete reflow status when the height
is unconstrained?  Shouldn't that never happen?
(Assignee)

Comment 20

16 years ago
I think the notion of an incomplete status and the naming of prev-in-flow and 
next-in-flow must have originated to handle spans (and the like) which didn't 
fit horizontally within a constrained space. And it appears that the concept was 
later applied to blocks and tables when they didn't fit vertically within a 
constrained space. But the two concepts seem different to me. In the 
horizontally incomplete case the span's continuation needs to go on the 
beginning of the next line, whereas in the vertically incomplete case, the 
table's continuation needs to go directly under its prev-in-flow (e.g. a 
continued floated table). 

Bug 145305 deals with splitting floaters, that are vertically incomplete. In the 
patch I attached here, I must only handle the vertically incomplete cases, 
because the first letter frame is horizontally incomplete, and it shouldn't be 
split. I also added code to not split first letters that are vertically 
incomplete because the effort is not worth the benefit (i.e the only case this 
would be necessary is if a first letter were larger than a page).  

So dbaron, yes it appears that the first letter frame is horizontally 
incomplete. 
It seems to me that the two concepts are pretty much the same, except one is
within an inline reflow context and the other within a block reflow context.  It
seems here that nsFirstLetterFrame is incorrect in propagating the status from
an inline reflow context into a block reflow context.

Comment 22

16 years ago
Karnaze say:

"This bug is a direct result of my patch to bug 145305 (floaters do not split
when printing). Consequently, I don't think the first letter frame is at fault.
As I tried to explain, I need to know when a floater is incomplete because of
vertical constraints, and the first letter frame was incomplete because of
horiziontal constraints. So, basically, I'm fixing the problems that I introduced."


Waterson say: "ok, sr=waterson"

Comment 23

16 years ago
*** Bug 150950 has been marked as a duplicate of this bug. ***

Comment 24

16 years ago
*** Bug 151510 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 25

16 years ago
The patch is in.
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED

Comment 26

16 years ago
*** Bug 152578 has been marked as a duplicate of this bug. ***

Comment 27

16 years ago
*** Bug 152948 has been marked as a duplicate of this bug. ***

Comment 28

16 years ago
*** Bug 154148 has been marked as a duplicate of this bug. ***

Comment 29

16 years ago
removing adt1 rtm since this was trunk only.
Whiteboard: [ADT1 RTM][PATCH] → [PATCH]
nsbeta1-. The crash does not affect the Moz1.0 branch because the fix for bug
145305 which causes this crash is not on the branch.

Comment 31

9 years ago
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/54417ebbaea2
Flags: in-testsuite+
Crash Signature: [@ nsHTMLReflowState::Init]
You need to log in before you can comment on or make changes to this bug.