Closed Bug 268157 Opened 20 years ago Closed 19 years ago

Crash [@ nsHTMLReflowState::ComputePadding ]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: robert.strong.bugs, Assigned: bzbarsky)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(7 files, 2 obsolete files)

Testcase (causes crash)
546 bytes, text/html
Details
Assertions before crash
473 bytes, text/plain
Details
Smaller testcase
420 bytes, text/html
Details
frame dump + stack
14.56 KB, text/html
Details
SplitToContainingBlock - "right case"
9.27 KB, text/html
Details
SplitToContainingBlock - "left case"
5.54 KB, text/html
Details
wallpaper
2.30 KB, patch
roc
: review+
roc
: superreview+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041106 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041106 The soon to be attached simplified testcase causes a crash @ nsHTMLReflowState::ComputePadding - TB1770634H. Reproducible: Always Steps to Reproduce: 1. Open testcase Actual Results: Crash Expected Results: No crash http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1770634H Stack Signature nsHTMLReflowState::ComputePadding 0e003fe8 Source File, Line No. c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsHTMLReflowState.cpp, line 2327 Besides the latest trunk this also crashes Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2
Attachment #164923 - Attachment description: Testcase → Testcase (causes crash)
Adding keywords crash and testcase
Keywords: crash, testcase
That first assert (about "unexpected flow") fires when |this| is a frame for the <del> element (in fact, it's the second in-flow frame for the <del>)... it has three kids that are text frames, and the last of these has a next-in-flow that's not in the child list of the <del>'s inline frame. I'll attach a testcase that's a little more minimal (<span> instead of <del>, removes some content, etc)... For some reason the first <object> and <div> pair is in fact necessary. At a guess, part of the issue here is that when the divs are processed because we replace the object we end up with an {ib} split, so we blow away things in WipeContainingBlock and somehow screw up when we reconstruct. I'm not really familiar enough with inline reflow to be able to say more than that.
Attached file Smaller testcase
Notes: 1) To get this to crash reliably, you want a debug build (so we 0xdddddddd out deleted stuff). 2) We don't call WipeContainingBlock, just SplitToContainingBlock(). I can totally see SplitToContainingBlock() failing to adjust the in-flow stuff correctly... The problem is that I don't know what the in-flow linking should look like in this case. Robert, David, is that documented somewhere?
Blocks: 285212
I don't crash or see any assetions when viewing the testcase using a debug build from 20050324. Perhaps the checkin for bug 263825 has fixed this?
I still crash quite nicely on the "smaller testcase" with a debug build from "Fri Mar 25 21:34:13 CST 2005"
Attached patch Spackle (obsolete) — Splinter Review
On the Mac, this crash appears to be due to attempt to use a null nsCOMPtr<nsIWidget> , in the function nsWindow::ResetInputState() at http://lxr.mozilla.org/seamonkey/source/widget/src/mac/nsWindow.cpp#2471 This patch guards against this. This file seems to have inconsistent brace and indenting - would a patch for this be accepted?
Attachment #181121 - Flags: review?
Ben, chances are the patch you posted isn't really a patch for this bug (which is cross-platform) or is a patch for a consequence without addressing the real issue... You may want to put it in a separate bug (and request review from one of the Mac widget owners).
I have opened Bug 291096 : I fear that I have wasted your time as the patch actually does nothing anyway (the code path is exercised by the testcase though). On my build using standard methods 2005-04-18, this crash is still in; but using recent debug builds, I do not get a crash - just my warning. I suspect that either there is a partial fix in, or Mac is less susceptible or I have a patch in my tree which hides the crash.
Blocks: 305386
Attachment #181121 - Attachment is obsolete: true
Attachment #181121 - Flags: review?
I started debugging bug 305386 which I'm pretty sure is the same underlying bug. The reason we crash is that someone pushes a frame that still has a next-in-flow with a different parent and then we pick those up during initial reflow and decide to set the parent pointer lazily: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/generic/nsInlineFrame.cpp&rev=3.241&root=/cvsroot&mark=366,367#334 -- but the comments here seems to indicate this is a bad situation: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/generic/nsInlineFrame.cpp&rev=3.241&root=/cvsroot&mark=501,509-517#471 Is it ok to "steal" those next-in-flows in PushFrames()? or should this not have happened in the first place, meaning something else is broken?
OS: Windows XP → All
Attached patch fix? (obsolete) — Splinter Review
I don't think this block makes sense. Removing it fixes the crashes and all the assertions disappear. This block was a fix for bug 32192, but that crash does not come back after removing this block, so maybe it was just a wallpaper and that the real bug that caused 32192 has since been fixed?
Why do you think that doesn't make sense? I can't think of a case --- even in an IB situation --- where this block should be asserting. Can you explain it in detail?
(In reply to comment #14) > Why do you think that doesn't make sense? Because the next-in-flow frame that we bluntly do SetParent() on here is still in some other frame's child list (mFrames). That's not a healthy situation as far as I know.
It should be in our child list, so this assertion: - NS_ASSERTION(mFrames.ContainsFrame(nextInFlow), "unexpected flow"); Should not be firing. Can you explain the situation that leads to it firing?
Attached file frame dump + stack
Here's a frame dump (at the start) in nsInlineFrame::PushFrames when the problem occurs. The last of the frames we are pushing has a next-in-flow with a different parent.
> Inline(span)(1)@0x86b8668 next=0x86f71c4 {0,0,0,0} [state=00008403] [content=0x86f24c0] [sc=0x86f682c]< This is still in the intial reflow for this frame? We shouldn't be getting into this state where we're doing an initial reflow on the frame while it already has a next-in-flow (because of text wrapping, it appears). And I believe that at the point of the dump, 0x86b8668 should have its next in flow set to 0x86f71c4.
Attachment #193383 - Attachment is obsolete: true
It is SplitToContainingBlock that has reset the next/prev-in-flow for the ancestors: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1114&root=/cvsroot&mark=13382-13386#13362 This is what leads to the "dangling" in-flow chains. The "right" case is triggered by bug 305386, the "left" by this bug. Note that for these traces I commented out the code block above so when the crashes occurs the red prev/next-in-flow links have been nulled out and that's the root cause for the crashes. I tried various way to repair the situation, and it is possible to make the crashes a harder to reproduce, but I failed to fix it completely. If someone can tell me what the prev/next-in-flow is supposed to look like after a split that would be much appreciated. The otherwise good documentation here: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1114&root=/cvsroot&mark=13180-13252#13180 does not mention them at all.
Attached patch wallpaperSplinter Review
This fixes all the crashes for me (and no assertions). I think it is wrong to null out the in-flow chain like this though, since it breaks text selection for example.
Comment on attachment 193524 [details] [diff] [review] wallpaper I think this worth taking as wallpaper until we know how to deal with this situation.
Attachment #193524 - Flags: superreview?(roc)
Attachment #193524 - Flags: review?(roc)
I believe Boris' work on handling broken plugins and images will fix this for real by eliminating SplitToContainingBlock (which is indescribably evil). This patch is hideous --- it leaves flow chains without a primary frame at the start --- but I suppose it's no more hideous than SplitToContaingBlock cutting up the flow chain.
Attachment #193524 - Flags: superreview?(roc)
Attachment #193524 - Flags: superreview+
Attachment #193524 - Flags: review?(roc)
Attachment #193524 - Flags: review+
I'm eliminating CantHandleReplacedElement, not SplitToContainingBlock, unfortunately.
But CantRenderReplacedElement is the only caller of SplitToContainingBlock (other than SplitToContainingBlock).
Isn't that just a matter of needing more callers? Right now we just flub inserting a block as a child of an inline, don't we? That is, I don't think we create an IB split in that case. I believe we have bugs on that...
I vote we kill SplitToContainingBlock and just reconstruct to the containing block in the that case.
OK. Sounds reasonable to me.
*** Bug 300585 has been marked as a duplicate of this bug. ***
Blocks: 316026
Fixed by checkin for bug 11011 (which removed SplitToContainingBlock).
Assignee: nobody → bzbarsky
Depends on: moz-broken
Target Milestone: --- → mozilla1.9alpha
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Verified FIXED on trunk using both testcases here on build 1.5a of SeaMonkey Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051207 Mozilla/1.0
Status: RESOLVED → VERIFIED
layout/base/crashtests/268157-1.html http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+
Crash Signature: [@ nsHTMLReflowState::ComputePadding ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: