Closed Bug 19494 Opened 25 years ago Closed 25 years ago

CRASH on page with missing glyphs, form, floats...

Categories

(Core :: Layout, defect, P1)

Product:
Core
Component:
Layout
Platform:
x86
Windows 98
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: ian, Assigned: buster)

References

(
URL
)

Details

(Whiteboard: fix in hand)

Attachments

(1 file)

patch
2.49 KB, patch
Details | Diff | Splinter Review
This page: http://www.bath.ac.uk/%7Epy8ieh/internet/eviltests/glyphs.html ...crashes Viewer and Mozilla on Windows 98 with the 1999111909 build. I haven't yet narrowed this down. I'll try to do it tomorrow. This is the "worst case scenario" test page used for bug 6585.
Blocks: 6585
Whiteboard: (py8ieh:will narrow down)
Assignee: troy → kipp
Something whacky in the block code and its handling of floaters nsBlockBandData::ComputeAvailSpaceRect() line 151 + 18 bytes nsBlockBandData::ClearFloaters(int 6393, unsigned char 3) line 253 nsBlockReflowState::ClearFloaters(int 6393, unsigned char 3) line 5306 + 28 bytes nsBlockReflowState::ClearPastFloaters(unsigned char 3) line 829 nsBlockReflowState::RecoverStateFrom(nsLineBox * 0x0261c750, int 1, int 0, nsRect * 0x0012e6d0) line 942 + 17 bytes nsBlockFrame::RecoverStateFrom(nsBlockReflowState & {...}, nsLineBox * 0x0261c750, int 0, nsRect * 0x0012e6d0) line 2287 nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2462 nsBlockFrame::Reflow(nsBlockFrame * const 0x024fd4e0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1490 + 15 bytes nsBlockReflowContext::ReflowBlock(nsIFrame * 0x024fd4e0, const nsRect & {...}, int 1, int 0, int 1, nsMargin & {...}, unsigned int & 0) line 259 + 45 bytes nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineBox * 0x024fd608, int * 0x0012efc0) line 3256 + 59 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x024fd608, int * 0x0012efc0, int 1) line 2622 + 20 bytes nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2433 + 27 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x024fc3d8, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1490 + 15 bytes nsAreaFrame::Reflow(nsAreaFrame * const 0x024fc3d8, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 289 + 25 bytes nsContainerFrame::ReflowChild(nsIFrame * 0x024fc3d8, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 637 + 31 bytes RootFrame::Reflow(RootFrame * const 0x02533fc8, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 334 nsContainerFrame::ReflowChild(nsIFrame * 0x02533fc8, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 1, unsigned int & 0) line 637 + 31 bytes nsScrollFrame::Reflow(nsScrollFrame * const 0x0256e9a0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 624 nsContainerFrame::ReflowChild(nsIFrame * 0x0256e9a0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 637 + 31 bytes ViewportFrame::Reflow(ViewportFrame * const 0x02533ee0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 527 nsHTMLReflowCommand::Dispatch(nsHTMLReflowCommand * const 0x02600a80, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsSize & {...}, nsIRenderingContext & {...}) line 145 PresShell::ProcessReflowCommands(PresShell * const 0x025a4958) line 1650 PresShell::ExitReflowLock(PresShell * const 0x025a4958, int 1, int 1) line 709 PresShell::ContentAppended(PresShell * const 0x025a4960, nsIDocument * 0x01f0ec20, nsIContent * 0x0256119c, int 16) line 2100 nsDocument::ContentAppended(nsDocument * const 0x01f0ec20, nsIContent * 0x0256119c, int 16) line 1515 nsHTMLDocument::ContentAppended(nsHTMLDocument * const 0x01f0ec20, nsIContent * 0x0256119c, int 16) line 1041
The testcase for bug 17567 is also reproducibly crashing the browser before it displays. The latest comment on bug 6585 seem apropos here... if the "We need to write some more code" is in the midst of being addressed... The same sort of crashing/hanging problem has come and gone more than once for testcases for different sections of the HTML 4 Character entities DTDs http://bugzilla.mozilla.org/showattachment.cgi?attach_id=2617 (working now). At the time that bug 17958 was filed, ⟩ and ⟨ were the only culprits causing crashes there, and the ISO 8859-1 characters caused a hang, but a week earlier they weren't, and several other entities in other sections were. I wish I knew of something better than binary search for this...
No glyphs required to crash viewer -- here is a simplified test case: http://www.bath.ac.uk/%7Epy8ieh/internet/projects/mozilla/clear-crash.html The SELECT element, a long line of floaters and 'clear' all seem to be required to cause the crash. During simplification, some of the tests just hung instead of crashing, but I could not see a particular pattern.
Updating to default Layout Assignee...kipp no longer with us :-(
Why are you re-reassing layout bugs? Do NOT touch layout bugs. The bugs are assigned to Kipp so they can stay neatly organized until we have a new owner for the block/inline code.
mass moving all Kipp's pre-beta bugs to M15. Nisheeth and I will prioritize these and selectively move high-priority bugs into M13 and M14.
Target Milestone: M15 → M14
crashes moved up to M14
Priority: P3 → P1
Assignee: kipp → buster
Whiteboard: (py8ieh:will narrow down) → fix in hand
the problem was nsBlockBandData::ClearFloaters() bypassed the code that manages the mTrapezoids data structure relative to mCount and mSize. I fixed this by factoring out the management code into nsBlockBandData::GetBandData(), calling GetBandData() from ClearFloaters(), adding a bunch of assertions to catch this condition should it ever arise again, and adding a comment that nsBlockBandData should never call mSpaceManager->GetBandData() directly, only through nsBlockBandData::GetBandData().
Attached patch patchSplinter Review
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
if some other object (the space mgr) computed mCount to be more than twice the size of the current count, we immediately bump up the size to that count.  If more are needed later, the next call will give us twice this number anyway.
Status: RESOLVED → VERIFIED
With the latest build (200010308), the crash is not occuring when loading this url.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: