Beginning on October 25th, 2016, Persona will no longer be an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 223064 - browser crashes or locks up when visiting (position: absolute div inside <a>) [@ nsHTMLReflowState::CalculateHypotheticalBox ]
: browser crashes or locks up when visiting (position: absolute ...
: crash, regression, testcase, topcrash
Product: Core
Classification: Components
Component: Layout: Block and Inline (show other bugs)
: Trunk
: x86 All
: -- critical (vote)
: ---
Assigned To: Mats Palmgren (:mats)
: Hixie (not reading bugmail)
: Jet Villegas (:jet)
: 223070 223171 (view as bug list)
Depends on:
  Show dependency treegraph
Reported: 2003-10-21 02:21 PDT by Pavel
Modified: 2009-02-11 01:16 PST (History)
10 users (show)
jruderman: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Stack trace (7.77 KB, text/plain)
2003-10-21 05:10 PDT, Piotr Wajnberg
no flags Details
testcase (247 bytes, text/html)
2003-10-21 17:49 PDT, Jason Barnabe (np)
no flags Details
Patch rev. 1 (2.47 KB, patch)
2003-10-21 19:54 PDT, Mats Palmgren (:mats)
bzbarsky: review+
bzbarsky: superreview+
Details | Diff | Splinter Review

Description Pavel 2003-10-21 02:21:12 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6a) Gecko/20031020
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6a) Gecko/20031020

Whenever I load mozilla either crashes or locks-up. If it
locks-up browser is still responsive, but clicking on any link does nothing and
new windows  can not be opened. It happens with todays build (2003102004) and
the site was working fine few days ago.

Reproducible: Always

Steps to Reproduce:
1. Visit

Actual Results:  
Browser crashes or locks up

Expected Results:  
Load the page.

Talkback ID: TB24607740Y
Comment 1 Guenter Huerkamp 2003-10-21 03:47:29 PDT
crash for me to on XPProf.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031020
Comment 2 Piotr Wajnberg 2003-10-21 04:35:00 PDT
Linux version also crashes:

Starting program: /home/petevine/MozillaFirebird/MozillaFirebird-bin
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...[New Thread 1024 (LWP 25719)]
Type Manifest File: /home/petevine/MozillaFirebird/components/xpti.dat
nsNativeComponentLoader: autoregistering begins.
nsNativeComponentLoader: autoregistering succeeded
nNCL: registering deferred (0)
[New Thread 2049 (LWP 25721)]
[New Thread 1026 (LWP 25722)]
GFX: dpi=90 t2p=0,0625 p2t=16 depth=24
[New Thread 2051 (LWP 25726)]
[New Thread 3076 (LWP 25728)]
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file nsChromeRegistry.cpp,
line 3190
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file nsChromeRegistry.cpp,
line 3190
Note: verifyreflow is disabled
Note: styleverifytree is disabled
Note: frameverifytree is disabled
[New Thread 4101 (LWP 25729)]
[New Thread 5126 (LWP 25730)]
CSS Error ( :126.103): Expected
color but found 'none'.  Error in parsing value for property 'background-color'.
 Declaration dropped.
JavaScript error:;cat=vnunet_home;page=home;pos=top;sz=468x60;tile=1;ptile=1;ord=807138944?
line 1: illegal character

WARNING: Couldn't add reflow command, so splitting.
WARNING: Couldn't add reflow command, so splitting.
WARNING: Couldn't add reflow command, so splitting.
###!!! ASSERTION: Must reach our placeholder before end of list!: 'firstFrame',
file nsHTMLReflowState.cpp, line 870
Break: at file nsHTMLReflowState.cpp, line 870

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 25719)]
0x410f6344 in nsHTMLReflowState::CalculateHypotheticalBox(nsIPresContext*,
nsIFrame*, nsIFrame*, nsMargin&, nsIFrame*, nsHypotheticalBox&) ()
   from /home/petevine/MozillaFirebird/components/
Comment 3 Olivier Cahagne 2003-10-21 04:58:23 PDT
No dupes found, marking NEW.
Can you attach full stack (using 'backtrace' when in GDB and Mozilla has
crashed) via "create a new attachment" ?
Comment 4 Joseph Wright 2003-10-21 05:06:45 PDT
Seems to be okay with 1.5 (Win2k)
Comment 5 Piotr Wajnberg 2003-10-21 05:10:03 PDT
Created attachment 133754 [details]
Stack trace

Here's the stack trace you requested. BTW, only gtk2 version is affected.
Comment 6 Hermann Schwab 2003-10-21 08:24:03 PDT
I just had a crash using Trunk BuildID 2003102004.
DocWatson came up, but there was no talkback in the sea.exe-package.

Stack summary of DocWatson was showing 37 calls to GKLAYOUT.DLL and one call to
XPCOM, no others.

WFM Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.5) Gecko/20031007
WFM Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

Didn´t find Flash on this page.
Comment 7 Charles Fenwick 2003-10-21 08:44:24 PDT
Checked this out on recent nightlies on WIN XP...
20031017 : no crash
20031018 and later: crash
Comment 8 Olivier Cahagne 2003-10-21 08:49:46 PDT
Charles, great info, can you even reduce more by mentioning the build ID (like
"2003101705") in the title bar ?
Comment 9 Charles Fenwick 2003-10-21 09:01:00 PDT
Oliver: 2003101704 and 2003101804

Looking at CVS checkins, BZ touched 
mozilla/ layout/ html/ base/ src/ nsHTMLReflowState.cpp 
a few times during that time period.
Comment 10 Hermann Schwab 2003-10-21 09:15:42 PDT
TB24618351G Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031019
Comment 11 Hermann Schwab 2003-10-21 09:39:17 PDT
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031018 BuildID 2003101804

TB24618983G crash on loading URL
TB24618895X crash on loading local copy of URL saved with BuildID 2003101704

tested Build ID2003101704 only once, to save the page, no crash
all later builds are crashing, some don´t have talkback, though I selected
complete install (SEA.EXE).

Comment 12 Jason Barnabe (np) 2003-10-21 17:49:54 PDT
Created attachment 133800 [details]

This javascript causes the crash:

document.writeln("<A><DIV STYLE=\"position:absolute;\">" + "</DIV></A>");
Comment 13 David Baron :dbaron: ⌚️UTC-7 (busy until November 7) 2003-10-21 19:07:39 PDT
bz, see comments in bug 223017 isolating this to recent nsHTMLReflowState.cpp
Comment 14 Mats Palmgren (:mats) 2003-10-21 19:26:50 PDT
*** Bug 223171 has been marked as a duplicate of this bug. ***
Comment 15 Mats Palmgren (:mats) 2003-10-21 19:40:16 PDT
Rolling back nsHTMLReflowState.cpp to -r1.174 makes the crash disappear so the
culprit is the checkin for bug 94468.
I think the real problem is in the frame splitting code in
nsCSSFrameConstructor.cpp though, it has a lot of concerned comments [1] about
not handling abs.pos. blocks (and floats) correctly.  I think this could lead to
the situation where the placeholder has a different parent than the block where
the frame is on the abs.pos. list.  (So the assertion on line 870 triggers and
we will dereference null on line 872).

[1] e.g. read XXX_kin comments in AdjustOutOfFlowFrameParentPtrs()
Comment 16 Mats Palmgren (:mats) 2003-10-21 19:54:04 PDT
Created attachment 133807 [details] [diff] [review]
Patch rev. 1

This fixes the crash without regressing bug 94468.
Comment 17 Boris Zbarsky [:bz] (still a bit busy) 2003-10-22 00:02:13 PDT
To Mats.
Comment 18 Boris Zbarsky [:bz] (still a bit busy) 2003-10-22 00:03:08 PDT
Comment on attachment 133807 [details] [diff] [review]
Patch rev. 1

r+sr=bzbarsky.	This even leads to correct positioning of positioned
blocks-inside-inlines, since they have to start a new line normally and since
the placeholder remains in the first line.
Comment 19 Boris Zbarsky [:bz] (still a bit busy) 2003-10-22 00:04:03 PDT
I just checked this in, and the tree was even still open for 1.6a.  ;)

Mats, thanks a ton for debugging this and for the patch!
Comment 20 Piotr Wajnberg 2003-10-22 04:17:16 PDT
*** Bug 223070 has been marked as a duplicate of this bug. ***
Comment 21 Olivier Cahagne 2003-10-22 06:13:50 PDT
I just wanted to comment that this bug report is impressive in the way it features:
 - crash report with an URL and Talkback ID,
 - fix in less than 24hr,
 - reduced testcase,
 - stacks and verification on multiple OS,
 - regression window,
 - debugging explanation in comment 15,
 - and, of course, the patch, from someone else than where the regression came from,
 - teamwork: all of these were provided by different people,

PS: Sorry for the spam, let's not start a discussion here, I simply wanted to
express my happy feelings on bugzilla today :)
Comment 22 Jesse Ruderman 2009-02-11 01:16:12 PST
Crashtest added as part of

Note You need to log in before you can comment on or make changes to this bug.