Closed
Bug 291702
Opened 20 years ago
Closed 18 years ago
Crash if a XUL page contains flex summing up to zero - Integer divide by 0 [@ nsSprocketLayout::ComputeChildSizes ]
Categories
(Core :: Layout, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: sergiu, Assigned: martijn.martijn)
References
()
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(4 files, 3 obsolete files)
|
420 bytes,
application/vnd.mozilla.xul+xml
|
Details | |
|
471 bytes,
application/vnd.mozilla.xul+xml
|
Details | |
|
943 bytes,
patch
|
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
|
5.59 KB,
application/vnd.mozilla.xul+xml
|
Details |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
If a XUL page has two element, one with flex="n" and the other with flex="-n",
the browser crashes.
<window title="Negative flex bug"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<button label="Button" flex="2"/>
<label value="This is a label" flex="-2"/>
</window>
Reproducible: Always
Steps to Reproduce:
1. Write a simple XUL with two elements.
2. Set flex="1" for the first element.
3. Set flex="-1" for the second element.
4. Open the XUL file.
Actual Results:
The browser crashes.
Expected Results:
The browser doesn't crash.
If my view on the free space distribution algorithm isn't wrong, then a division
by 0 exception occurs, because the sum of all flex values is 0.
I didn't try it, but I think that any flex values that sum to a total of 0
causes this problem.
|
Reporter | |
Comment 1•20 years ago
|
||
I've tested it with more elements, and I was right. If the flex attributes give
a total of 0, then there is a crash.
<window title="Negative flex bug #2"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<button label="Button" flex="2"/>
<label value="This is a label" flex="1"/>
<label value="This is the second label" flex="-2"/>
<label value="This is another label" flex="-1"/>
</window>
|
||
Comment 2•20 years ago
|
||
I could reproduce the problem on Gentoo Linux: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050413 Firefox/1.0.2 I'll confirm this bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
||
Comment 3•20 years ago
|
||
|
Assignee | |
Comment 4•20 years ago
|
||
Also happens with current trunk build.
Assignee: firefox → nobody
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
Version: unspecified → Trunk
|
||
Comment 5•20 years ago
|
||
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050423 Talkback TB5323330E As there are over 3100 reports waiting to be processed, I assume it will take about 7 hours till this one gets ready: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB5323330E
|
|
Reporter | |
Updated•20 years ago
|
|
|
||
Comment 6•20 years ago
|
||
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB5323330E Trigger Reason Integer divide by zero 1256 // ----- look at our min and max limits make sure we aren't too small or too big ----- 1257 evaughan 1.12 if (!computedBoxSizes->valid) { 1258 jaggernaut 1.26 PRInt32 newSize = pref + sizeRemaining*flex/spacerConstantsRemaining; //NSToCoordRound(float((sizeRemaining*flex)/spacerConstantsRemaining)); Source File, Line No. c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 1258 Stack Trace nsSprocketLayout::ComputeChildSizes [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 1258] nsSprocketLayout::Layout [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 279] nsBoxFrame::DoLayout [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1104] nsBoxFrame::DoLayout [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1104] nsRootBoxFrame::Reflow [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsRootBoxFrame.cpp, line 227] nsContainerFrame::ReflowChild [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/generic/nsContainerFrame.cpp, line 887] ViewportFrame::Reflow [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/generic/nsViewportFrame.cpp, line 240] PresShell::InitialReflow [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp, line 2851] nsXULDocument::StartLayout [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/document/src/nsXULDocument.cpp, line 2157] nsXULDocument::ResumeWalk [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/document/src/nsXULDocument.cpp, line 3176] nsXULDocument::EndLoad [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/document/src/nsXULDocument.cpp, line 742] XULContentSinkImpl::DidBuildModel [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/document/src/nsXULContentSink.cpp, line 407]
|
|
||
Comment 7•20 years ago
|
||
In this function the sum is made and used to divide, so crashing if it sums to zero. http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/xul/base/src/nsSprocketLayout.cpp&mark=1258&rev=#1162 1162 void 1163 evaughan 1.2 nsSprocketLayout::ComputeChildSizes(nsIBox* aBox, 1211 jaggernaut 1.26 spacerConstantsRemaining += boxSizes->flex; 1258 jaggernaut 1.26 PRInt32 newSize = pref + sizeRemaining*flex/spacerConstantsRemaining; //NSToCoordRound(float((sizeRemaining*flex)/spacerConstantsRemaining));
Summary: Crash if a XUL page contains two elements with opposite flex values (i.e. -1 and 1) → Crash if a XUL page contains flex summing up to zero - Integer divide by 0
|
||
Updated•20 years ago
|
|
||
Comment 8•20 years ago
|
||
Hmm, the testcase seems to wfm with Seamonkey 2005042309 on Mac OS 10.3.9.
|
|
Assignee | |
Comment 9•19 years ago
|
||
This fixes the crash for me. Not sure if this is the correct way.
Attachment #219857 -
Flags: review?(neil)
|
||
Comment 10•19 years ago
|
||
Comment on attachment 219857 [details] [diff] [review] patch I guess it's a start, but what if you have four boxes with flex="1073741824"?
Attachment #219857 -
Flags: review?(neil) → review+
|
|
Assignee | |
Comment 11•19 years ago
|
||
(In reply to comment #10) > (From update of attachment 219857 [details] [diff] [review] [edit]) > I guess it's a start, but what if you have four boxes with flex="1073741824"? Hmm, yes, that still crashes with the patch.
|
|
Assignee | |
Comment 12•19 years ago
|
||
This patch would also fix the crash in testcase2.
Attachment #220162 -
Flags: review?(neil)
|
|
||
Comment 13•19 years ago
|
||
Comment on attachment 220162 [details] [diff] [review] patch2 I'm not going to argue about your choice of constants as you're going to need layout review anyway.
Attachment #220162 -
Flags: review?(neil) → review+
|
|
Assignee | |
Updated•19 years ago
|
Attachment #220162 -
Flags: superreview?(bzbarsky)
|
||
Comment 14•19 years ago
|
||
Comment on attachment 220162 [details] [diff] [review] patch2 So why the 16-bit limitation here? And why to FFFE?
|
|
Assignee | |
Updated•19 years ago
|
Attachment #220162 -
Flags: superreview?(bzbarsky)
|
|
Assignee | |
Comment 15•19 years ago
|
||
I should use nscoord_MAX, right? This works right, Mozilla doesn't crash with it, although the testcase acts funny with the patch.
Attachment #219857 -
Attachment is obsolete: true
Attachment #220162 -
Attachment is obsolete: true
Attachment #220663 -
Flags: superreview?(bzbarsky)
|
|
||
Comment 16•19 years ago
|
||
Comment on attachment 220663 [details] [diff] [review] patch3 I'm still not sure what the check against nscoord_MAX is doing.... sr=bzbarsky, but what we should _really_ do, imo is: 1) Not parse negative flex values in CSS (use ParsePositiveVariant instead of ParseVariant). 2) Not allow negative values from attributes. 3) Deal with some of flexes overflow somehow (perhaps the nscoord_MAX check here does that?)
|
|
||
Updated•19 years ago
|
Attachment #220663 -
Flags: superreview?(bzbarsky) → superreview+
|
|
Assignee | |
Comment 17•18 years ago
|
||
Some extra tests, I've done. With patch3, Mozilla doesn't crash.
|
|
Assignee | |
Comment 18•18 years ago
|
||
Sorry, these tests make actually more sense.
Attachment #230416 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•18 years ago
|
Assignee: neil → martijn.martijn
|
|
Assignee | |
Comment 19•18 years ago
|
||
Checking in nsBox.cpp; /cvsroot/mozilla/layout/xul/base/src/nsBox.cpp,v <-- nsBox.cpp new revision: 1.117; previous revision: 1.116 done Checked into trunk, I'll file a follow-up bug on Boris' comments in comment 16.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 20•18 years ago
|
||
I've filed bug 345709 as a follow-up.
Crash is Verified FIXED using build 2006-07-27-09 of SeaMonkey trunk under Windows XP.
Status: RESOLVED → VERIFIED
|
||
Comment 22•16 years ago
|
||
layout/xul/base/src/crashtests/291702-1.xul layout/xul/base/src/crashtests/291702-2.xul layout/xul/base/src/crashtests/291702-3.xul http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+
|
||
Updated•13 years ago
|
Crash Signature: [@ nsSprocketLayout::ComputeChildSizes ]
You need to log in
before you can comment on or make changes to this bug.
Description
•