Closed
Bug 189751
Opened 22 years ago
Closed 20 years ago
mozilla crashes when rendering <input type="browse"> nested inside a table
Categories
(Core :: Layout: Tables, defect, P2)
Tracking
()
RESOLVED
FIXED
Future
People
(Reporter: isomer, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [patch])
Attachments
(2 files, 1 obsolete file)
86 bytes,
text/html
|
Details | |
1.72 KB,
patch
|
john
:
review+
roc
:
superreview+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021126 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021126 code below will crash mozilla: <form method="post"> <table><tr><td><input type="browse"></td></tr></table> </form> put it in a webpage somewhere, goto that page with mozilla, note that mozilla is no longer running. Swear, Curse. Reproducible: Always Steps to Reproduce: Expected Results: Something other than a crash, I dunno what <input type="browse"> is supposed to do, but presumably not crash.
Comment 1•22 years ago
|
||
Comment 2•22 years ago
|
||
Confirming on XP.
Assignee: form-submission → form
Status: UNCONFIRMED → NEW
Component: Form Submission → Layout: Form Controls
Ever confirmed: true
Keywords: crash
OS: Linux → All
QA Contact: vladimire → tpreston
Comment 3•22 years ago
|
||
This is a tables bug: #0 nsTableFrame::IsBorderCollapse (this=0x0) at /home/bzbarsky/mozilla/xlib/mozilla/layout/html/table/src/nsTableFrame.h:1088 #1 0x40f08652 in nsTableOuterFrame::InitChildReflowState (this=0x87cded4, aPresContext=@0x86cbca0, aReflowState=@0xbfffc818) at /home/bzbarsky/mozilla/xlib/mozilla/layout/html/table/src/nsTableOuterFrame.cpp:483 #2 0x40f08752 in nsTableOuterFrame::GetMarginPadding (this=0x87cded4, aPresContext=0x86cbca0, aOuterRS=@0xbfffcc04, aChildFrame=0x0, aAvailWidth=13636, aMargin=@0xbfffc90c, aMarginNoAuto=@0xbfffc9ec, aPadding=@0xbfffca0c) at /home/bzbarsky/mozilla/xlib/mozilla/layout/html/table/src/nsTableOuterFrame.cpp:513 #3 0x40f08cac in nsTableOuterFrame::GetInnerTableAvailWidth (this=0x87cded4, aPresContext=0x86cbca0, aInnerTable=0x0, aOuterRS=@0xbfffcc04, aCaptionWidth=0xbfffc990, aInnerMargin=@0xbfffc9ec, aInnerPadding=@0xbfffca0c) at /home/bzbarsky/mozilla/xlib/mozilla/layout/html/table/src/nsTableOuterFrame.cpp:731 #4 0x40f0b931 in nsTableOuterFrame::Reflow (this=0x87cded4, aPresContext=0x86cbca0, aDesiredSize=@0xbfffcdc8, aOuterRS=@0xbfffcc04, aStatus=@0xbfffcbf4) at /home/bzbarsky/mozilla/xlib/mozilla/layout/html/table/src/nsTableOuterFrame.cpp:1984 #5 0x40e2f518 in nsBlockReflowContext::ReflowBlock (this=0xbfffcd84, aSpace=@0xbfffccbc, aApplyTopMargin=0, aPrevBottomMargin=@0xbfffd28c, aIsAdjacentWithTop=1, aComputedOffsets=@0xbfffcccc, aFrameRS=@0xbfffcc04, aFrameReflowStatus=@0xbfffcbf4) at /home/bzbarsky/mozilla/xlib/mozilla/layout/html/base/src/nsBlockReflowContext.cpp:546 #6 0x40e2821c in nsBlockFrame::ReflowBlockFrame (this=0x87cdc94, aState=@0xbfffd224, aLine={mCurrent = 0x87ce91c, mListLink = 0x87cdcd0}, aKeepReflowGoing=0xbfffcf48) at /home/bzbarsky/mozilla/xlib/mozilla/layout/html/base/src/nsBlockFrame.cpp:3330 #7 0x40e26cef in nsBlockFrame::ReflowLine (this=0x87cdc94, aState=@0xbfffd224, aLine= {mCurrent = 0x87ce91c, mListLink = 0x87cdcd0}, aKeepReflowGoing=0xbfffcf48, aDamageDirtyArea=0) (gdb) frame 0 #0 nsTableFrame::IsBorderCollapse (this=0x0) at /home/bzbarsky/mozilla/xlib/mozilla/layout/html/table/src/nsTableFrame.h:1088 1088 return (PRBool)mBits.mIsBorderCollapse; (gdb) p this $4 = (nsTableFrame *) 0x0 (gdb) frame 1 #1 0x40f08652 in nsTableOuterFrame::InitChildReflowState (this=0x87cded4, aPresContext=@0x86cbca0, aReflowState=@0xbfffc818) at /home/bzbarsky/mozilla/xlib/mozilla/layout/html/table/src/nsTableOuterFrame.cpp:483 483 if ((aReflowState.frame == mInnerTableFrame) && (mInnerTableFrame->IsBorderCollapse())) { (gdb) p mInnerTableFrame $5 = (nsTableFrame *) 0x0
Assignee: form → table
Component: Layout: Form Controls → Layout: Tables
QA Contact: tpreston → amar
>I dunno what <input type="browse"> is supposed to do, but presumably not crash.
nsCSSFrameConstructor.cpp also does not know what to do with that and asserts.
this patch only protects the reflow from a failing frame construction, in a next step two things should happen a) the input frames should be fixed b) the table frame construction should be changed with respect to the handling of the return values, in this case only the input should be not rendered and not the whole table marked as invalid.
Attachment #112312 -
Attachment is obsolete: true
Attachment #112538 -
Flags: review?(jkeiser)
Comment 7•22 years ago
|
||
Comment on attachment 112538 [details] [diff] [review] patch revised this might look nicer if you did NS_ENSURE_TRUE(!mFrames.IsEmpty() && mInnerTableFrame, NS_ERROR_FAILURE); though you don't have to--you'd lose the (IMO useless) "incomplete children" comment. r=jkeiser, your call whether you want to do that.
Attachment #112538 -
Flags: review?(jkeiser) → review+
Comment on attachment 112538 [details] [diff] [review] patch revised David, could you please sr if you think we should take this into 1.3b.?
Attachment #112538 -
Flags: superreview?(dbaron)
Updated•22 years ago
|
Priority: -- → P2
Whiteboard: [patch]
Target Milestone: --- → Future
Comment 10•22 years ago
|
||
Um.. how about also removing that browse stuff?
Comment 11•22 years ago
|
||
I dont undertstand what you mean. Could you be a little bit more verbose. Do you mean that the frame construction should not verify the return values? I am somehow reluctant to fiddle with frame construction in a freeze phase. The patch is wallpaper, but my intention was to work on it in 1.4.
Comment 12•22 years ago
|
||
What I meant is that NS_FORM_BROWSE should be removed and any places that use it fixed to not do that. It does not correspond to anything useful. Not for 1.3, of course....
+ // At this point, we must have an inner table frame, and we might have a caption + // due to the logic at nsCSSFrameConstructor::ConstructTableFrame we can end + // here without inner table frame This should be // At this point, we need an inner table frame, and we might have a caption. // Due to the logic in nsCSSFrameConstructor::ConstructTableFrame, we can end // here without an inner table frame. right??
Comment 14•21 years ago
|
||
Robert, yes this is better, I am very gratefull for every language correction. English is not my first language.
Sure, no problem. Your English is a whole lot better than my German :-).
Comment on attachment 112538 [details] [diff] [review] patch revised with the wording change, sr=roc+moz
Attachment #112538 -
Flags: superreview?(dbaron) → superreview+
Comment 17•21 years ago
|
||
patch checked in, now there are two task remaining: 1.) make table frame construction less vulnerable to bad frames, they should simply remove the offending frames but return success for their own task and not propagate endless the error condition. I will do this. 2.) remove the offending frames at all: <input type="browse"> should be simply ignored, I would like to leave that for John.
Comment 18•21 years ago
|
||
On winXP today's trunk build, the testcase attachment 112088 [details] does not crash the
browser
Keywords: testcase
Comment 19•20 years ago
|
||
Bug 242873 filed on the removal. Do we want a separate bug on the frame construction?
Comment 20•20 years ago
|
||
>Do we want a separate bug on the frame construction?
not really, what would that bug be? "Write nice code in frame constructor" ;-).
The only sensible bug would be "table frame construction should try to handle
NS_FAILED(rv) at the lowest possible level" But I dont see any gain from such a
bug report, if somebody would like to rewrite the frame construction code she/he
will do that anyway.
Comment 21•20 years ago
|
||
Yeah, the bug there would be "handle failed rv in frame construction in a sane way".... We should probably spin that off and mark this fixed.
Comment 22•20 years ago
|
||
The frame construction changes discussed happened in bug 237760. Marking this fixed.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment 23•15 years ago
|
||
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/afc662d52ab1
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•