Closed Bug 265371 Opened 20 years ago Closed 20 years ago

Crash when ISINDEX is used with position: fixed [@ nsBlockBandData::Init]

Categories

(Core :: Layout, defect, P3)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8alpha5

People

(Reporter: thomas+mozilla, Assigned: bzbarsky)

References

(
URL
)

Details

(Keywords: crash, fixed-aviary1.0, fixed1.7.5)

Crash Data

Attachments

(2 files)

ISINDEX position relative crash testcase
175 bytes, text/html
Details
Fix
894 bytes, patch
roc
: review+
roc
: superreview+
asa
: approval-aviary+
mkaply
: approval1.7.5+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5 (KHTML, like Gecko) Safari/125.9
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a5) Gecko/20041020

I was using iExploder - http://toadstool.se/software/iexploder/ - to do some QA work on FireFox, and 
this was the first crash it found. The test case is simple:

<isindex style="position: fixed; ">

This happens in FireFox and Mozilla nightly trunk builds from 2004-10-20, both Linux and Mac OS X.




Reproducible: Always
Steps to Reproduce:
1. Visit http://toadstool.se/software/iexploder/iexploder.cgi?test=18149&lookup=1
2. Wait

Actual Results:  
It Crashed


Expected Results:  
Probably nothing

Stacktrace:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000004

Thread 0 Crashed:
0   libgklayout.dylib   	0x0200edb4 nsBlockBandData::Init(nsSpaceManager*, nsSize const&) + 0x8
1   libgklayout.dylib   	0x02018bd0 nsBlockReflowState::
nsBlockReflowState[unified](nsHTMLReflowState const&, nsPresContext*, nsBlockFrame*, 
nsHTMLReflowMetrics const&, int) + 0x240
2   libgklayout.dylib   	0x0200fb18 nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, 
nsHTMLReflowState const&, unsigned&) + 0x1e8
3   libgklayout.dylib   	0x02088700 nsIsIndexFrame::Reflow(nsPresContext*, 
nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned&) + 0x20
4   libgklayout.dylib   	0x0200e388 nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, 
nsPresContext*, nsHTMLReflowState const&, int, int, nsIFrame*, nsReflowReason, unsigned&) + 0x190
5   libgklayout.dylib   	0x0200e0d0 nsAbsoluteContainingBlock::IncrementalReflow(nsIFrame*, 
nsPresContext*, nsHTMLReflowState const&, int, int, int&) + 0xec
6   libgklayout.dylib   	0x02068da4 ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, 
nsHTMLReflowState const&, unsigned&) + 0x250
7   libgklayout.dylib   	0x0204f2cc IncrementalReflow::Dispatch(nsPresContext*, 
nsHTMLReflowMetrics&, nsSize const&, nsIRenderingContext&) + 0x11c
8   libgklayout.dylib   	0x020593ac PresShell::ProcessReflowCommands(int) + 0x208
9   libgklayout.dylib   	0x023572f0 0x2008000 + 0x34f2f0
10  libxpcom.dylib      	0x0032def8 PL_HandleEvent + 0x24
11  libxpcom.dylib      	0x0032de1c PL_ProcessPendingEvents + 0x80
12  libxpcom.dylib      	0x0032e300 _md_EventReceiverProc + 0x74
Crash:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000004

Thread 0 Crashed:
0   libgklayout.dylib   	0x0200edb4 nsBlockBandData::Init(nsSpaceManager*, nsSize const&) + 0x8
1   libgklayout.dylib   	0x02018bd0 nsBlockReflowState::
nsBlockReflowState[unified](nsHTMLReflowState const&, nsPresContext*, nsBlockFrame*, 
nsHTMLReflowMetrics const&, int) + 0x240
2   libgklayout.dylib   	0x0200fb18 nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, 
nsHTMLReflowState const&, unsigned&) + 0x1e8
3   libgklayout.dylib   	0x02088700 nsIsIndexFrame::Reflow(nsPresContext*, 
nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned&) + 0x20
4   libgklayout.dylib   	0x0200e388 nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, 
nsPresContext*, nsHTMLReflowState const&, int, int, nsIFrame*, nsReflowReason, unsigned&) + 0x190
5   libgklayout.dylib   	0x0200e0d0 nsAbsoluteContainingBlock::IncrementalReflow(nsIFrame*, 
nsPresContext*, nsHTMLReflowState const&, int, int, int&) + 0xec
6   libgklayout.dylib   	0x02068da4 ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, 
nsHTMLReflowState const&, unsigned&) + 0x250
7   libgklayout.dylib   	0x0204f2cc IncrementalReflow::Dispatch(nsPresContext*, 
nsHTMLReflowMetrics&, nsSize const&, nsIRenderingContext&) + 0x11c
8   libgklayout.dylib   	0x020593ac PresShell::ProcessReflowCommands(int) + 0x208
9   libgklayout.dylib   	0x023572f0 0x2008000 + 0x34f2f0
10  libxpcom.dylib      	0x0032def8 PL_HandleEvent + 0x24
11  libxpcom.dylib      	0x0032de1c PL_ProcessPendingEvents + 0x80
12  libxpcom.dylib      	0x0032e300 _md_EventReceiverProc + 0x74
13  com.apple.HIToolbox 	0x927d1fc8 DispatchEventToHandlers + 0x150
Warning: clicking on this attachment will crash Mozilla and FireFox
confirming with win2k build 20041018
Assignee: general → nobody
Status: UNCONFIRMED → NEW
Component: Browser-General → Layout
Ever confirmed: true
Keywords: crash
QA Contact: general → core.layout
could be related to bug 200347 (fixed a long time ago)
Attached patch FixSplinter Review 

    
    

    
  
Comment on attachment 163024 [details] [diff] [review]
Fix

isindex should just always have a space manager...

        Attachment #163024 -
        Flags: superreview?(roc)

        Attachment #163024 -
        Flags: review?(roc)

    
  
Summary: Crash when ISINDEX is used with position: fixed → Crash when ISINDEX is used with position: fixed [@ nsBlockBandData::Init]

        Attachment #163024 -
        Flags: superreview?(roc)

        Attachment #163024 -
        Flags: superreview+

        Attachment #163024 -
        Flags: review?(roc)

        Attachment #163024 -
        Flags: review+

    
  
Assignee: nobody → bzbarsky
Priority: -- → P3
Target Milestone: --- → mozilla1.8alpha5

    
    

    
  
Comment on attachment 163024 [details] [diff] [review]
Fix

This crash fix is pretty straightforward; probably worth taking on the
branches.

        Attachment #163024 -
        Flags: approval1.7.x?

        Attachment #163024 -
        Flags: approval-aviary?

    
    

    
  
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 163024 [details] [diff] [review]
Fix

a=mkaply for 1.7.

Sent a note to aviary for aviary approval.

I think we need this for aviary. For some reason, this crash completely
corrupted my Mozilla when it happened.

        Attachment #163024 -
        Flags: approval1.7.x? → approval1.7.x+

    
    

    
  
Comment on attachment 163024 [details] [diff] [review]
Fix

a=asa for aviary checkin.

        Attachment #163024 -
        Flags: approval-aviary? → approval-aviary+

    
    

    
  
Fixed on branches.
Keywords: fixed-aviary1.0, 
          
            fixed1.7.x

    
    

    
  
vrfy'd fixed on linux and mac using 200411030x-0.11 bits. don't crash when
visiting either the URL in comment 0 or the testcase.
Status: RESOLVED → VERIFIED

    
  
Blocks: iexploder
Crash Signature: [@ nsBlockBandData::Init]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: