Closed Bug 265371 Opened 18 years ago Closed 18 years ago

Crash when ISINDEX is used with position: fixed [@ nsBlockBandData::Init]

Product/Component: Core :: Layout (defect, P3)
Status: VERIFIED FIXED
Target Milestone: mozilla1.8alpha5
Reporter: thomas+mozilla
Assigned: bzbarsky
Keywords: crash, fixed-aviary1.0, fixed1.7.5
Attachments: 2 files
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5 (KHTML, like Gecko) Safari/125.9
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a5) Gecko/20041020

I was using iExploder - http://toadstool.se/software/iexploder/ - to do some QA work on FireFox, and 
this was the first crash it found. The test case is simple:

<isindex style="position: fixed; ">

This happens in FireFox and Mozilla nightly trunk builds from 2004-10-20, both Linux and Mac OS X.




Reproducible: Always
Steps to Reproduce:
1. Visit http://toadstool.se/software/iexploder/iexploder.cgi?test=18149&lookup=1
2. Wait

Actual Results:  
It Crashed


Expected Results:  
Probably nothing

Crash:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000004

Thread 0 Crashed:
0   libgklayout.dylib   	0x0200edb4 nsBlockBandData::Init(nsSpaceManager*, nsSize const&) + 0x8
1   libgklayout.dylib   	0x02018bd0 nsBlockReflowState::
nsBlockReflowState[unified](nsHTMLReflowState const&, nsPresContext*, nsBlockFrame*, 
nsHTMLReflowMetrics const&, int) + 0x240
2   libgklayout.dylib   	0x0200fb18 nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, 
nsHTMLReflowState const&, unsigned&) + 0x1e8
3   libgklayout.dylib   	0x02088700 nsIsIndexFrame::Reflow(nsPresContext*, 
nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned&) + 0x20
4   libgklayout.dylib   	0x0200e388 nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, 
nsPresContext*, nsHTMLReflowState const&, int, int, nsIFrame*, nsReflowReason, unsigned&) + 0x190
5   libgklayout.dylib   	0x0200e0d0 nsAbsoluteContainingBlock::IncrementalReflow(nsIFrame*, 
nsPresContext*, nsHTMLReflowState const&, int, int, int&) + 0xec
6   libgklayout.dylib   	0x02068da4 ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, 
nsHTMLReflowState const&, unsigned&) + 0x250
7   libgklayout.dylib   	0x0204f2cc IncrementalReflow::Dispatch(nsPresContext*, 
nsHTMLReflowMetrics&, nsSize const&, nsIRenderingContext&) + 0x11c
8   libgklayout.dylib   	0x020593ac PresShell::ProcessReflowCommands(int) + 0x208
9   libgklayout.dylib   	0x023572f0 0x2008000 + 0x34f2f0
10  libxpcom.dylib      	0x0032def8 PL_HandleEvent + 0x24
11  libxpcom.dylib      	0x0032de1c PL_ProcessPendingEvents + 0x80
12  libxpcom.dylib      	0x0032e300 _md_EventReceiverProc + 0x74
13  com.apple.HIToolbox 	0x927d1fc8 DispatchEventToHandlers + 0x150
Warning: clicking on this attachment will crash Mozilla and FireFox
confirming with win2k build 20041018
Assignee: general → nobody
Status: UNCONFIRMED → NEW
Component: Browser-General → Layout
Ever confirmed: true
Keywords: crash
QA Contact: general → core.layout
could be related to bug 200347 (fixed a long time ago)
Attached patch: Fix
Comment on attachment 163024
Fix

isindex should just always have a space manager...
Attachment #163024 - Flags: superreview?(roc)
Attachment #163024 - Flags: review?(roc)
Summary: Crash when ISINDEX is used with position: fixed → Crash when ISINDEX is used with position: fixed [@ nsBlockBandData::Init]
Attachment #163024 - Flags: superreview?(roc) → superreview+
Attachment #163024 - Flags: review?(roc) → review+
Assignee: nobody → bzbarsky
Priority: -- → P3
Target Milestone: --- → mozilla1.8alpha5
Comment on attachment 163024
Fix

This crash fix is pretty straightforward; probably worth taking on the
branches.
Attachment #163024 - Flags: approval1.7.x?
Attachment #163024 - Flags: approval-aviary?
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment on attachment 163024
Fix

a=mkaply for 1.7.

Sent a note to aviary for aviary approval.

I think we need this for aviary. For some reason, this crash completely
corrupted my Mozilla when it happened.
Attachment #163024 - Flags: approval1.7.x? → approval1.7.x+
Comment on attachment 163024
Fix

a=asa for aviary checkin.
Attachment #163024 - Flags: approval-aviary? → approval-aviary+
Fixed on branches.
vrfy'd fixed on linux and mac using 200411030x-0.11 bits. don't crash when
visiting either the URL in comment 0 or the testcase.
Status: RESOLVED → VERIFIED
Blocks: iexploder
Crash Signature: [@ nsBlockBandData::Init]
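
Added example (not part of the original bug report or of Mozilla's tooling): a small triage parser for the Mac OS X crash log format quoted above. It rejoins line-wrapped frames, derives the `[@ ...]` signature from the top frame, and flags the fault at 0x00000004 as a near-NULL access, which is consistent with a small-offset read through a NULL pointer. The sample text, the function names and the one-page threshold are assumptions made for this example.

```python
import re

# Constructed sample: the first frames of the crash log quoted in this bug,
# including the line-wrapped frames 1 and 2.
SAMPLE = """\
Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000004

Thread 0 Crashed:
0   libgklayout.dylib   \t0x0200edb4 nsBlockBandData::Init(nsSpaceManager*, nsSize const&) + 0x8
1   libgklayout.dylib   \t0x02018bd0 nsBlockReflowState::
nsBlockReflowState[unified](nsHTMLReflowState const&, nsPresContext*, nsBlockFrame*, 
nsHTMLReflowMetrics const&, int) + 0x240
2   libgklayout.dylib   \t0x0200fb18 nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, 
nsHTMLReflowState const&, unsigned&) + 0x1e8
"""

FRAME = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.*)$")
FAULT = re.compile(r"^Codes:\s+(\S+)\s+\(0x[0-9a-fA-F]+\)\s+at\s+(0x[0-9a-fA-F]+)")
NULL_PAGE = 0x1000  # assumption: faults below one page count as NULL-based

def parse_crash(text):
    """Return (fault_code, fault_addr, frames); frames are (index, module, symbol)."""
    code, addr, frames, in_thread = None, None, [], False
    for line in text.splitlines():
        m = FAULT.match(line)
        if m:
            code, addr = m.group(1), int(m.group(2), 16)
        elif line.startswith("Thread") and line.rstrip().endswith("Crashed:"):
            in_thread = True
        elif in_thread and (f := FRAME.match(line)):
            frames.append([int(f.group(1)), f.group(2), f.group(4).strip()])
        elif in_thread and frames and line.strip():
            frames[-1][2] += line.strip()  # continuation of a wrapped frame
    return code, addr, [tuple(f) for f in frames]

def function_name(symbol):
    """Strip the argument list and the '+ 0xNN' offset from a demangled symbol."""
    return re.sub(r"\s*\+\s*0x[0-9a-fA-F]+$", "", symbol).split("(", 1)[0]

def triage(text):
    code, addr, frames = parse_crash(text)
    top = function_name(frames[0][2]) if frames else None
    return {
        "signature": "[@ %s]" % top if top else None,
        "fault": code,
        "near_null": addr is not None and addr < NULL_PAGE,
        "frames": len(frames),
    }
```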