Last Comment Bug 253479 - position:fixed elements in XUL document crash/hang browser [@nsHTMLReflowState::CalculateHypotheticalBox]
: position:fixed elements in XUL document crash/hang browser [@nsHTMLReflowStat...
Status: RESOLVED FIXED
[patch]
: crash, testcase, topcrash, verified1.8.0.7, verified1.8.1
Product: Core
Classification: Components
Component: Layout: R & A Pos (show other bugs)
: Trunk
: All All
: -- critical with 1 vote (vote)
: ---
Assigned To: David Baron :dbaron: ⌚️UTC-10
:
: Jet Villegas (:jet)
Mentors:
: 284228 316504 (view as bug list)
Depends on: 231776
Blocks: randomstyles 284228 316608 320699 344061
  Show dependency treegraph
 
Reported: 2004-07-28 17:46 PDT by Karsten Düsterloh
Modified: 2011-06-13 10:01 PDT (History)
13 users (show)
dveditz: blocking1.8.0.7+
bob: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Crashing XUL file with html:div (202 bytes, application/vnd.mozilla.xul+xml)
2004-07-28 17:48 PDT, Karsten Düsterloh
no flags Details
Crashing XUL file with x element (144 bytes, application/vnd.mozilla.xul+xml)
2004-07-28 17:49 PDT, Karsten Düsterloh
no flags Details
patch (10.10 KB, patch)
2005-12-19 13:42 PST, David Baron :dbaron: ⌚️UTC-10
roc: review+
roc: superreview+
benjamin: approval‑branch‑1.8.1+
dveditz: approval1.8.0.7+
Details | Diff | Splinter Review

Description Karsten Düsterloh 2004-07-28 17:46:51 PDT
Opening this XUL file suffices to crash or hang Mozilla (see attchment):

<?xml version="1.0"?>
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <x style="position:fixed;"/>
</window>

It got even "crashier" in this form:

<?xml version="1.0"?>
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
        xmlns:html="http://www.w3.org/1999/xhtml"
>
<html:div style="position:fixed;"/>
</window>

Either Mozilla crashes directly or it claims to be still loading, but does not
finish. Exiting closes open windows, but Mozilla still keeps running and has to
be |kill|ed by hand resp. TaskManager.

Mozilla 1.8a2 nightlies (2004-07-28, 2004-04-14) and 1.7 releases crash most of
the time (an open sidebar seems to "help" crashing, but isn't necessary), 1.6
and 1.4.1 and even Firefox 0.9.1 hang and have to shot.

I wasn't able to trigger Talkback with anything newer than 1.7de-AT (Talkback
incident is TB435422G).
Comment 1 Karsten Düsterloh 2004-07-28 17:48:09 PDT
Created attachment 154607 [details]
Crashing XUL file with html:div
Comment 2 Karsten Düsterloh 2004-07-28 17:49:12 PDT
Created attachment 154608 [details]
Crashing XUL file with x element
Comment 3 Boris Zbarsky [:bz] (still a bit busy) 2004-07-28 18:29:09 PDT
The crash happens because aBlockFrame is null in CalculateHypotheticalBox(). 
That happens because there is in fact no block or area frame that's an ancestor
of the placeholder...
Comment 4 Robert Strong [:rstrong] (use needinfo to contact me) 2004-10-28 17:41:09 PDT
I believe the following HTML also demonstrates this crash without using XUL
<ACRONYM STYLE="position:fixed; display:table;"></ACRONYM>

Perhaps the summary should be updated to show that this doesn't just affect XUL
if this is in fact the same cause for the crash?
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1585669K
Comment 5 Boris Zbarsky [:bz] (still a bit busy) 2004-10-28 17:52:54 PDT
The table crash is bug 231776, which this bug is marked dependent on.  They are
in fact different bugs; it's quite possible to fix one without fixing the other.
Comment 6 Jesse Ruderman 2005-09-30 15:23:06 PDT
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20050928
Firefox/1.6a1

Both testcases in this bug still crash with the same signature.
Comment 7 Jesse Ruderman 2005-10-19 20:20:58 PDT
Automated testing hits this crash often (mozqa:rs, see bug 306939).
Comment 8 Jay Patel [:jay] 2005-10-20 16:32:28 PDT
Adding topcrash keyword to get this on the radar.  blcary's automation is indeed
hitting this crash a lot, so let's use that data to figure out what's going on
and hopefully get a fix on the Trunk.
Comment 9 Boris Zbarsky [:bz] (still a bit busy) 2005-10-20 16:46:23 PDT
We know exactly what's happening in this bug -- fixed position is not supported
in XUL.

Note that similar stacks could happen for various other reasons, none related to
this bug.
Comment 10 David Baron :dbaron: ⌚️UTC-10 2005-12-19 13:42:22 PST
Created attachment 206324 [details] [diff] [review]
patch

This isn't that hard to make not crash, and actually display the content and what's likely to be at least a somewhat reasonable place.  GetNearestContainingBlock is only used for passing stuff to CalculateHypotheticalBox, so I just needed to make it handle non-block frames.
Comment 11 David Baron :dbaron: ⌚️UTC-10 2005-12-19 13:44:21 PST
(Note that the other possibility here is to use 0 rather than the placeholder's offset.  I almost prefer that since it's much easier to define in specifications, although less compatible with the current spec.)
Comment 12 David Baron :dbaron: ⌚️UTC-10 2005-12-19 13:59:42 PST
*** Bug 316504 has been marked as a duplicate of this bug. ***
Comment 13 David Baron :dbaron: ⌚️UTC-10 2005-12-20 19:33:34 PST
Checked in to trunk, 2005-12-20 19:30 -0800.
Comment 14 Benjamin Smedberg [:bsmedberg] 2006-01-30 11:11:13 PST
Comment on attachment 206324 [details] [diff] [review]
patch

marking branch-1.8.1+ for dbaron who requested the approval.
Comment 15 Boris Zbarsky [:bz] (still a bit busy) 2006-02-12 14:26:37 PST
Fixed on 1.8.1 branch
Comment 16 timeless 2006-03-19 20:36:04 PST
*** Bug 284228 has been marked as a duplicate of this bug. ***
Comment 17 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-07-13 15:12:02 PDT
Maybe the patch is safe enough for the 1.8.0.6 branch? It doesn't seem to have caused any regressions at least for the 6 months it is on trunk and 1.8.1 branch.
Comment 18 Daniel Veditz [:dveditz] 2006-08-10 11:10:48 PDT
Comment on attachment 206324 [details] [diff] [review]
patch

approved for 1.8.0 branch, a=dveditz for drivers
Comment 19 David Baron :dbaron: ⌚️UTC-10 2006-08-15 13:45:44 PDT
Checked in to MOZILLA_1_8_0_BRANCH (merged patch from MOZILLA_1_8_BRANCH).
Comment 20 Jay Patel [:jay] 2006-08-24 14:33:36 PDT
v.fixed on 1.8.1 and 1.8.0 branches with 8/24 nightly builds, no crashes with XUL files.
Comment 21 Bob Clary [:bc:] 2009-05-09 10:43:12 PDT
content/xul/content/crashtests/253479-1.xul
content/xul/content/crashtests/253479-2.xul
http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3

Note You need to log in before you can comment on or make changes to this bug.