Closed
Bug 253479
Opened 20 years ago
Closed 19 years ago
position:fixed elements in XUL document crash/hang browser [@nsHTMLReflowState::CalculateHypotheticalBox]
Categories
(Core :: Layout: Positioned, defect)
Core
Layout: Positioned
Tracking
()
RESOLVED
FIXED
People
(Reporter: mnyromyr, Assigned: dbaron)
References
Details
(5 keywords, Whiteboard: [patch])
Crash Data
Attachments
(3 files)
|
202 bytes,
application/vnd.mozilla.xul+xml
|
Details | |
|
144 bytes,
application/vnd.mozilla.xul+xml
|
Details | |
|
10.10 KB,
patch
|
roc
:
review+
roc
:
superreview+
benjamin
:
approval-branch-1.8.1+
dveditz
:
approval1.8.0.7+
|
Details | Diff | Splinter Review |
Opening this XUL file suffices to crash or hang Mozilla (see attchment):
<?xml version="1.0"?>
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<x style="position:fixed;"/>
</window>
It got even "crashier" in this form:
<?xml version="1.0"?>
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
xmlns:html="http://www.w3.org/1999/xhtml"
>
<html:div style="position:fixed;"/>
</window>
Either Mozilla crashes directly or it claims to be still loading, but does not
finish. Exiting closes open windows, but Mozilla still keeps running and has to
be |kill|ed by hand resp. TaskManager.
Mozilla 1.8a2 nightlies (2004-07-28, 2004-04-14) and 1.7 releases crash most of
the time (an open sidebar seems to "help" crashing, but isn't necessary), 1.6
and 1.4.1 and even Firefox 0.9.1 hang and have to shot.
I wasn't able to trigger Talkback with anything newer than 1.7de-AT (Talkback
incident is TB435422G).
|
Reporter | |
Comment 1•20 years ago
|
||
|
|
Reporter | |
Comment 2•20 years ago
|
||
|
|
Reporter | |
Updated•20 years ago
|
Component: Browser-General → Layout
Summary: Non-XUL-Elements with position:fixed crash/hang browser → Non-XUL-Elements with position:fixed crash/hang browser [@nsHTMLReflowState::CalculateHypotheticalBox]
|
||
Comment 3•20 years ago
|
||
The crash happens because aBlockFrame is null in CalculateHypotheticalBox().
That happens because there is in fact no block or area frame that's an ancestor
of the placeholder...
Assignee: general → nobody
Component: Layout → Layout: R & A Pos
OS: Windows 2000 → All
QA Contact: general → core.layout.r-and-a-pos
Hardware: PC → All
|
|
||
Comment 4•20 years ago
|
||
I believe the following HTML also demonstrates this crash without using XUL
<ACRONYM STYLE="position:fixed; display:table;"></ACRONYM>
Perhaps the summary should be updated to show that this doesn't just affect XUL
if this is in fact the same cause for the crash?
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1585669K
|
|
||
Comment 5•20 years ago
|
||
The table crash is bug 231776, which this bug is marked dependent on. They are
in fact different bugs; it's quite possible to fix one without fixing the other.
|
||
Comment 6•19 years ago
|
||
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20050928
Firefox/1.6a1
Both testcases in this bug still crash with the same signature.
Keywords: testcase
|
|
||
Comment 7•19 years ago
|
||
Automated testing hits this crash often (mozqa:rs, see bug 306939).
Blocks: randomstyles
|
||
Comment 8•19 years ago
|
||
Adding topcrash keyword to get this on the radar. blcary's automation is indeed
hitting this crash a lot, so let's use that data to figure out what's going on
and hopefully get a fix on the Trunk.
Flags: blocking1.9a1?
Keywords: topcrash
|
|
||
Comment 9•19 years ago
|
||
We know exactly what's happening in this bug -- fixed position is not supported
in XUL.
Note that similar stacks could happen for various other reasons, none related to
this bug.
|
Assignee | |
Updated•19 years ago
|
Assignee: nobody → dbaron
|
|
Assignee | |
Comment 10•19 years ago
|
||
This isn't that hard to make not crash, and actually display the content and what's likely to be at least a somewhat reasonable place. GetNearestContainingBlock is only used for passing stuff to CalculateHypotheticalBox, so I just needed to make it handle non-block frames.
Attachment #206324 -
Flags: superreview?(roc)
Attachment #206324 -
Flags: review?(roc)
Attachment #206324 -
Flags: approval1.8.1?
|
|
Assignee | |
Updated•19 years ago
|
Whiteboard: [patch]
|
|
Assignee | |
Comment 11•19 years ago
|
||
(Note that the other possibility here is to use 0 rather than the placeholder's offset. I almost prefer that since it's much easier to define in specifications, although less compatible with the current spec.)
|
|
Assignee | |
Updated•19 years ago
|
Summary: Non-XUL-Elements with position:fixed crash/hang browser [@nsHTMLReflowState::CalculateHypotheticalBox] → position:fixed elements in XUL document crash/hang browser [@nsHTMLReflowState::CalculateHypotheticalBox]
|
|
Assignee | |
Comment 12•19 years ago
|
||
*** Bug 316504 has been marked as a duplicate of this bug. ***
No longer blocks: 316504
Attachment #206324 -
Flags: superreview?(roc)
Attachment #206324 -
Flags: superreview+
Attachment #206324 -
Flags: review?(roc)
Attachment #206324 -
Flags: review+
|
|
Assignee | |
Comment 13•19 years ago
|
||
Checked in to trunk, 2005-12-20 19:30 -0800.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
||
Comment 14•19 years ago
|
||
Comment on attachment 206324 [details] [diff] [review]
patch
marking branch-1.8.1+ for dbaron who requested the approval.
Attachment #206324 -
Flags: approval1.8.1? → branch-1.8.1+
|
||
Comment 16•19 years ago
|
||
*** Bug 284228 has been marked as a duplicate of this bug. ***
|
||
Updated•18 years ago
|
Flags: blocking1.9a1?
|
|
||
Comment 17•18 years ago
|
||
Maybe the patch is safe enough for the 1.8.0.6 branch? It doesn't seem to have caused any regressions at least for the 6 months it is on trunk and 1.8.1 branch.
Flags: blocking1.8.0.6?
|
||
Updated•18 years ago
|
Attachment #206324 -
Flags: approval1.8.0.7?
|
|
||
Updated•18 years ago
|
Flags: blocking1.8.0.7? → blocking1.8.0.7+
|
|
||
Comment 18•18 years ago
|
||
Comment on attachment 206324 [details] [diff] [review]
patch
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #206324 -
Flags: approval1.8.0.7? → approval1.8.0.7+
|
|
Assignee | |
Comment 19•18 years ago
|
||
Checked in to MOZILLA_1_8_0_BRANCH (merged patch from MOZILLA_1_8_BRANCH).
Keywords: fixed1.8.0.7
|
|
||
Comment 20•18 years ago
|
||
v.fixed on 1.8.1 and 1.8.0 branches with 8/24 nightly builds, no crashes with XUL files.
|
||
Comment 21•16 years ago
|
||
content/xul/content/crashtests/253479-1.xul
content/xul/content/crashtests/253479-2.xul
http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+
|
||
Updated•13 years ago
|
Crash Signature: [@nsHTMLReflowState::CalculateHypotheticalBox]
You need to log in
before you can comment on or make changes to this bug.
Description
•