Crash [@ nsBlockBandData::Init] with MathML testcase using position:fixed

VERIFIED FIXED

Status

()

Core
MathML
--
critical
VERIFIED FIXED
12 years ago
12 years ago

People

(Reporter: Martijn Wargers (dead), Assigned: rbs)

Tracking

({crash, testcase})

Trunk
x86
Windows XP
crash, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)

547 bytes, application/xhtml+xml
Details
(Reporter)

Description

12 years ago
See upcoming testcase. When hovering over the text, Mozilla crashes.
Also happens in Mozilla1.7, so no recent regression.
Not sure if this is MathML at all, so cc-ing Boris.

Talkback ID: TB11284484E

nsBlockBandData::Init  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsBlockBandData.cpp, line 70]
nsBlockFrame::Reflow  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsBlockFrame.cpp, line 784]
nsMathMLmathBlockFrame::Reflow  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/mathml/base/src/nsMathMLContainerFrame.h, line 358]
nsAbsoluteContainingBlock::ReflowAbsoluteFrame  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp, line 674]
nsAbsoluteContainingBlock::IncrementalReflow  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp, line 387]
ViewportFrame::Reflow  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsViewportFrame.cpp, line 299]
IncrementalReflow::Dispatch  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 860]
PresShell::ProcessReflowCommands  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6506]
ReflowEvent::HandleEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6331]
PL_HandleEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/xpcom/threads/plevent.c, line 689]
SHELL32.dll + 0x520c24 (0x778b0c24)
(Reporter)

Comment 1

12 years ago
Created attachment 201421 [details]
testcase
Yeah, this is MathML.  The block it constructs for <math> doesn't have a space manager, and since it's fixed-pos neither do any ancestors, so we crash.  It should probably either have a space manager if there are no ancestor blocks (which is what CSS blocks do) or always have a space manager (which is what some other block-like things we have do).  Which one we want depends on whether floats should "leak out" of a <math> element or not.
(Assignee)

Comment 3

12 years ago
Fixed by the patch of bug 307826.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Verified FIXED SeaMonkey 1.1a;Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051105 Mozilla/1.0 (I installed the fonts from http://www.mozilla.org/projects/mathml/fonts/)

No crash.
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsBlockBandData::Init]
You need to log in before you can comment on or make changes to this bug.