Closed Bug 266222 Opened 20 years ago Closed 20 years ago

Crash or Hang [@ nsCSSFrameConstructor::CreatePlaceholderFrameFor ]

Categories

(Core :: CSS Parsing and Computation, defect)

x86
All
defect
Not set
critical

VERIFIED FIXED

People

(Reporter: robert.strong.bugs, Assigned: dbaron)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041025
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041025

The soon to be attached simplified testcase causes a crash or hang @ nsCSSFrameConstructor::CreatePlaceholderFrameFor. When opening the testcase locally by opening the associated html file it causes a crash. When viewing over the net with the application open it causes a hang. TB1541413Z is from viewing it locally.

Reproducible: Always

Steps to Reproduce:
1. Either open the testcase directly or save it locally and open it
2.
3.

Actual Results:
If opened locally a hard crash occurs. If viewed directly from the testcase link a hang occurs and it is impossible to navigate away from the url. The process will have to then be killed.

Expected Results:
No crash or hang

http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1541413Z
Stack Signature nsCSSFrameConstructor::CreatePlaceholderFrameFor 192b6067
Source File, Line No. c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 4281

Note: This also affects the latest Firefox branch though I didn't send a talkback for it.

Testcase contains the following:
<HTML>
<HEAD>
</HEAD>
<BODY>
<NOFRAMES STYLE="DISPLAY:BLOCK; float:left; overflow:inherit;"></NOFRAMES>
</BODY>
</HTML>
Adding keywords crash and testcase
Keywords: crash, testcase
Attached file stacktrace
bz's fix for bug 263406 changed the stack a bit and added more assertions (the first one occurred before bug 263406):

###!!! ASSERTION: Style system did not apply CSS2.1 section 9.7 fixups: '!(aDisplay->IsFloating() || aDisplay->IsAbsolutelyPositioned()) || aDisplay->IsBlockLevel()', file nsCSSFrameConstructor.cpp, line 6401
###!!! ASSERTION: How did we get here?: 'Not Reached', file nsCSSFrameConstructor.cpp, line 6774
###!!! ASSERTION: Things that could be out-of-flow need to handle adding to the frame list themselves: '!aDisplay->IsAbsolutelyPositioned() && !aDisplay->IsFloating()', file nsCSSFrameConstructor.cpp, line 6784
style system
Assignee: general → dbaron
Component: Browser-General → Style System (CSS)
OS: Windows XP → All
QA Contact: general → ian
Boris might know what to do with it.
See discussion in bug 240129. I bet the problem here is that the style in the page overrides html.css, so we get past the display:none check ConstructFrameInternal does and get into ConstructHTMLFrame, where the code mutates the style context to be display:none... then we get into the ConstructFrameByDisplayType code, fall into the notreached case in the switch because it's display:none, which we expect to have been handled already, and then crash when we try to work with the null pointer because we never created the frame. The "right" fix, in my mind, is outlined in bug 240129. Someone wanna do it? If not, I guess I can...
Depends on: 240129
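The check-then-mutate ordering described in the comment above, reduced to a small C++ model. This is an added example, not Gecko code and not the fix from bug 240129; every type and function name is a hypothetical stand-in, and forcing display:none for <noframes> is an assumption drawn from the testcase.

```cpp
// Simplified model of the flow described above. Every type and function
// name here is a hypothetical stand-in, not Gecko code.
#include <cstdio>
#include <memory>

enum class Display { None, Block };
enum class Outcome { Built, SkippedNone, NotReached };
struct Style { Display display; bool floating; };
struct Frame { Display display; };
struct Result { Outcome outcome; std::unique_ptr<Frame> frame; };

// Element-specific step that rewrites the computed style; in this model
// it forces display:none for <noframes> (assumption from the testcase).
void element_fixup(Style& s, bool is_noframes) { if (is_noframes) s.display = Display::None; }

// Display-type dispatch: assumes display:none was filtered out earlier.
Result construct_by_display(const Style& s) {
    switch (s.display) {
        case Display::Block:
            return {Outcome::Built, std::make_unique<Frame>(Frame{s.display})};
        case Display::None:
            break;  // the "Not Reached" case: no frame gets created
    }
    return {Outcome::NotReached, nullptr};
}

// Ordering from the comment: check display:none, then mutate the style.
Result construct_check_first(Style s, bool is_noframes) {
    if (s.display == Display::None) return {Outcome::SkippedNone, nullptr};
    element_fixup(s, is_noframes);  // the earlier check is now stale
    return construct_by_display(s);
}

// Defensive ordering: finish every style mutation, then check once.
Result construct_check_last(Style s, bool is_noframes) {
    element_fixup(s, is_noframes);
    if (s.display == Display::None) return {Outcome::SkippedNone, nullptr};
    return construct_by_display(s);
}

// True when the float's placeholder step would be handed a null frame.
bool placeholder_gets_null(const Result& r, const Style& s) {
    return s.floating && r.outcome != Outcome::SkippedNone && !r.frame;
}
int main() {
    Style t{Display::Block, true};  // constructed: display:block; float:left
    std::printf("check-first null: %d\n", placeholder_gets_null(construct_check_first(t, true), t));
    std::printf("check-last null: %d\n", placeholder_gets_null(construct_check_last(t, true), t));
}
```

In the check-first ordering the author style passes the early test, the fixup then sets display:none, and the dispatch falls through without a frame; in the check-last ordering the same input is skipped cleanly.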
Fixed with the checkin for bug 240129 and verified with a beast build.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Verified FIXED with the testcase at https://bugzilla.mozilla.org/attachment.cgi?id=163509 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050304
Status: RESOLVED → VERIFIED
layout/base/crashtests/266222-1.html http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+
Crash Signature: [@ nsCSSFrameConstructor::CreatePlaceholderFrameFor ]