Closed Bug 2245 Opened 26 years ago Closed 26 years ago

Viewer crashes when I try to load this page

Categories

(Core Graveyard :: Viewer App, defect, P2)

x86
Windows NT
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: emashian, Assigned: buster)


I have the link htpp://www.infoworld.com/ in a
simple web page on my local drive. Clicking on
this link crashes the viewer.
[Please note related bug #2159, "[PP] macweek, infoworld crashes Mac Viewer (same
root, but can't decompose further)".]
Here is a simple test case that duplicates the crash (for
www.infoworld.com). (Nightly build Jan 5 99 Win95 non-debug).

All tags and attributes in the test case are required in order to duplicate the
crash with the exception of 1) TABLE BORDER, and 2) IMG WIDTH and HEIGHT
(although removing these gives a little different flavor to the crash -- the
table is briefly displayed, without the IMG, and then it crashes).  Note that
the FONT tag, while required, does not have any attributes yet, if you remove
the FONT tag, the crash is avoided.

   ------------------------------
<html><head></head><body>
<table border="1">
  <tr>
    <td width="170">
      Whatever ...
    </td>
    <td>
      <img src="http://www.infoworld.com/pageone/hedrgifs/weektop.gif"
           width=400 height=27 align=left>
      <font><br clear=all>Click for previous days' news</font>
    </td>
  </tr>
</table>
</body></html>
   ------------------------------
Assignee: rickg → troy
Troy -- this smells like a space manager bug, and hey, here's a neat stack trace
to illuminate the problem:

nsBlockBandData::ComputeAvailSpaceRect() line 186 + 18 bytes
nsBlockBandData::GetAvailableSpace(int 285) line 92
nsBlockBandData::ClearFloaters(int 285, unsigned char 3) line 276
nsBlockReflowState::ClearFloaters(int 285, unsigned char 3) line 3929 + 31 bytes
nsBaseIBFrame::PlaceLine(nsBlockReflowState & {...}, nsLineBox * 0x00962160, int
& 0) line 2692
nsBaseIBFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x00962160,
int & 0) line 1659 + 20 bytes
nsBaseIBFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 1303 + 26 bytes
nsBaseIBFrame::Reflow(nsBaseIBFrame * const 0x00961b24, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 778 + 25 bytes
nsInlineReflow::ReflowFrame(int 1, nsHTMLReflowMetrics & {...}, unsigned int &
0) line 447
nsInlineReflow::ReflowFrame(nsIFrame * 0x00961b20, int 1, unsigned int & 0) line
269 + 20 bytes
nsBaseIBFrame::ReflowInlineFrame(nsBlockReflowState & {...}, nsLineBox *
0x00962260, nsIFrame * 0x00961b20, int & 1, int & 1) line 2264 + 31 bytes
nsBaseIBFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x00962260,
int & 1) line 1616 + 28 bytes
nsBaseIBFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 1303 + 26 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 4889
nsBaseIBFrame::Reflow(nsBaseIBFrame * const 0x00961cb4, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 778 + 25 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x00961cb4, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 4515 + 25 bytes
nsAreaFrame::Reflow(nsAreaFrame * const 0x00961cb4, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 351 + 25 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x00961cb0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 395 + 28 bytes
nsTableCellFrame::Reflow(nsTableCellFrame * const 0x00961be4, nsIPresContext &
{...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned
int & 0) line 426
nsContainerFrame::ReflowChild(nsIFrame * 0x00961be0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 395 + 28 bytes
nsTableRowFrame::ResizeReflow(nsTableRowFrame * const 0x00961590, nsIPresContext
& {...}, nsHTMLReflowMetrics & {...}, RowReflowState & {...}, unsigned int & 0)
line 596 + 37 bytes
nsTableRowFrame::Reflow(nsTableRowFrame * const 0x00961594, nsIPresContext &
{...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned
int & 0) line 1412 + 35 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x00961590, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 395 + 28 bytes
nsTableRowGroupFrame::ReflowMappedChildren(nsTableRowGroupFrame * const
0x00961470, nsIPresContext & {...}, nsHTMLReflowMetrics & {...},
RowGroupReflowState & {...}, unsigned int & 0, nsTableRowFrame * 0x00000000,
nsReflowReason eReflowReason_Resize, int 1) line 355 + 34 bytes
nsTableRowGroupFrame::Reflow(nsTableRowGroupFrame * const 0x00961474,
nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState &
{...}, unsigned int & 0) line 965 + 39 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x00961470, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 395 + 28 bytes
nsTableFrame::ReflowMappedChildren(nsTableFrame * const 0x00961100,
nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, InnerTableReflowState &
{...}, unsigned int & 0) line 3273 + 31 bytes
nsTableFrame::ResizeReflowPass2(nsTableFrame * const 0x00961100, nsIPresContext
& {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned
int & 0) line 2608 + 31 bytes
nsTableFrame::Reflow(nsTableFrame * const 0x00961104, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 2424 + 35 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x00961100, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 395 + 28 bytes
nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x00960eb4, nsIPresContext &
{...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned
int & 0) line 990 + 37 bytes
nsBlockReflowContext::ReflowBlock(nsIFrame * 0x00960eb0, const nsRect & {x=0 y=0
width=8700 height=1073741824}, int 1, unsigned int & 0) line 153 + 39 bytes
nsBaseIBFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineBox *
0x00962b50, int & 1) line 2114 + 41 bytes
nsBaseIBFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x00962b50,
int & 1) line 1574 + 20 bytes
nsBaseIBFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 1303 + 26 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 4889
nsBaseIBFrame::Reflow(nsBaseIBFrame * const 0x00960594, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int &
1240656) line 778 + 25 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x00960594, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int &
1240656) line 4515 + 25 bytes
nsBlockReflowContext::ReflowBlock(nsIFrame * 0x00960590, const nsRect & {x=0 y=0
width=8940 height=1073741824}, int 1, unsigned int & 1240656) line 153 + 39
bytes
nsBaseIBFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineBox *
0x009606f0, int & 1) line 2114 + 41 bytes
nsBaseIBFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x009606f0,
int & 1) line 1574 + 20 bytes
nsBaseIBFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 1303 + 26 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 4889
nsBaseIBFrame::Reflow(nsBaseIBFrame * const 0x009602a4, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 778 + 25 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x009602a4, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 4515 + 25 bytes
nsAreaFrame::Reflow(nsAreaFrame * const 0x009602a4, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 351 + 25 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x009602a0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 395 + 28 bytes
nsScrollFrame::Reflow(nsScrollFrame * const 0x009403b4, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 328
nsContainerFrame::ReflowChild(nsIFrame * 0x009403b0, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 395 + 28 bytes
RootFrame::Reflow(RootFrame * const 0x0095f494, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 199
nsHTMLReflowCommand::Dispatch(nsHTMLReflowCommand * const 0x00962910,
nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsSize & {width=9180
height=4320}, nsIRenderingContext & {...}) line 167
PresShell::ProcessReflowCommands(PresShell * const 0x0095d9b0) line 868
PresShell::ExitReflowLock(PresShell * const 0x0095d9b0) line 526
PresShell::ContentAppended(PresShell * const 0x0095d9b8, nsIDocument *
0x00932870, nsIContent * 0x0095f42c, int 0) line 1021
nsDocument::ContentAppended(nsDocument * const 0x00932870, nsIContent *
0x0095f42c, int 0) line 909
nsHTMLDocument::ContentAppended(nsHTMLDocument * const 0x00932870, nsIContent *
0x0095f42c, int 0) line 464
HTMLContentSink::WillInterrupt(HTMLContentSink * const 0x00935270) line 1445
CNavDTD::WillInterruptParse(CNavDTD * const 0x0095dd50) line 2489 + 18 bytes
nsParser::ResumeParse(nsIDTD * 0x00000000) line 661
nsParser::OnDataAvailable(nsParser * const 0x00935204, nsIURL * 0x00937880,
nsIInputStream * 0x00938ea0, unsigned int 344) line 878 + 17 bytes
nsDocumentBindInfo::OnDataAvailable(nsDocumentBindInfo * const 0x00937850,
nsIURL * 0x00937880, nsIInputStream * 0x00938ea0, unsigned int 344) line 1601 +
24 bytes
OnDataAvailableProxyEvent::HandleEvent(OnDataAvailableProxyEvent * const
0x00938140) line 616
StreamListenerProxyEvent::HandlePLEvent(PLEvent * 0x00938144) line 455 + 12
bytes
PL_HandleEvent(PLEvent * 0x00938144) line 395 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x008f9410) line 357 + 9 bytes
_md_EventReceiverProc(void * 0x01b50310, unsigned int 49336, unsigned int 0,
long 9409552) line 675 + 9 bytes
USER32! 77e71250()
Status: NEW → ASSIGNED
What's happening is that the call to the space manager's GetBandData() function
returns a 'count' of 0 trapezoids and ComputeAvailSpaceRect() doesn't check for
that case.

The reason a 'count' of 0 trapezoids is returned is because GetAvailableSpace()
passes in a max-size of {0, 405}, and so there are no trapezoids in the empty
space.
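
The failure mode described in the comment above, reduced to a small model (an added example, not the Mozilla source): `Trapezoid`, `Rect`, `get_band_data` and the two `avail_rect_*` functions are hypothetical stand-ins, and the band values are constructed. It shows why a zero-width query yields a count of 0 and how a single guard turns the out-of-bounds read into an empty rect.

```cpp
#include <algorithm>
#include <cstdio>
#include <vector>

// Simplified stand-ins for illustration, not the Gecko types.
struct Trapezoid { int x, width; bool available; };
struct Rect { int x, y, width, height; };

// Model of a GetBandData()-style query: return the trapezoids that fall
// inside a band maxWidth wide. A zero-width query legitimately returns none.
std::vector<Trapezoid> get_band_data(const std::vector<Trapezoid>& band, int maxWidth) {
    std::vector<Trapezoid> out;
    for (const Trapezoid& t : band)
        if (t.x < maxWidth)
            out.push_back({t.x, std::min(t.width, maxWidth - t.x), t.available});
    return out;
}

// Unchecked pattern: assumes count >= 1. With an empty result, traps[0] is a
// read past the end of the array (undefined behaviour). Shown for contrast;
// it is only ever called here with a non-empty result.
Rect avail_rect_unchecked(const std::vector<Trapezoid>& traps, int y, int h) {
    const Trapezoid* pick = &traps[0];
    for (const Trapezoid& t : traps)
        if (t.available) { pick = &t; break; }
    return {pick->x, y, pick->available ? pick->width : 0, h};
}

// Checked form: a count of 0 means "no space in this band" and maps to an
// empty rect before any element is touched.
Rect avail_rect_checked(const std::vector<Trapezoid>& traps, int y, int h) {
    if (traps.empty()) return {0, y, 0, h};
    return avail_rect_unchecked(traps, y, h);
}

int main() {
    // Constructed band: a 400-wide left floater, then 500 units of free space.
    std::vector<Trapezoid> band = {{0, 400, false}, {400, 500, true}};
    Rect ok = avail_rect_checked(get_band_data(band, 900), 285, 405);
    Rect empty = avail_rect_checked(get_band_data(band, 0), 285, 405);
    std::printf("normal: x=%d w=%d  zero-width query: w=%d\n", ok.x, ok.width, empty.width);
    return 0;
}
```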
*** Bug 2289 has been marked as a duplicate of this bug. ***
*** Bug 2159 has been marked as a duplicate of this bug. ***
Assignee: troy → kipp
Status: ASSIGNED → NEW
Kipp, this is all complicated by the fact that the block/inline code hasn't
switched over to using the new HTML reflow state "computed" values.

What seems to be happening is that during the reflow of the inline (see
nsInlineReflow::ReflowFrame() in the stack trace), we end up with an
"availableWidth" of 0 for the inline frame. That's because "mFrameAvailSize" has
a size of {0, 405}.

I don't know why that's happening and I don't have enough knowledge of how
block/inline reflow works.

Switching block/inline over to using the new computed values is something we
need to do anyway.
*** Bug 2492 has been marked as a duplicate of this bug. ***
Setting all current Open/Normal to M4.
This crash is no longer occurring for Win95 non-debug builds.

                    | www.infoworld.com  |  test case (above) |
  ------------------+--------------------+--------------------+
  Jan 29 win95 opt  |     CRASHES        |     CRASHES        |
  Feb 02 win95 opt  |       OK           |       OK           |
  Feb 03 win95 opt  |       OK           |       OK           |
  ------------------+--------------------+--------------------+
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Marking resolved with 2/3 builds. Thanks.
Product: Core → Core Graveyard