Closed Bug 316026 Opened 19 years ago Closed 19 years ago

Crash [@ nsHTMLReflowState::ComputePadding] with evil testcase, using button and display:table; position:absolute;

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files)

testcase
441 bytes, text/html
Details
testcase2
325 bytes, text/html
Details
See upcoming testcase. Talkback ID: TB11712918Z nsHTMLReflowState::ComputePadding [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLReflowState.cpp, line 2444] nsHTMLReflowState::InitConstraints [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLReflowState.cpp, line 1763] nsHTMLReflowState::Init [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLReflowState.cpp, line 342] nsHTMLReflowState::nsHTMLReflowState [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLReflowState.cpp, line 315] nsAbsoluteContainingBlock::ReflowAbsoluteFrame [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp, line 521] nsAbsoluteContainingBlock::Reflow [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp, line 208] nsBlockFrame::Reflow [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsBlockFrame.cpp, line 1073] nsContainerFrame::ReflowChild [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 891] CanvasFrame::Reflow [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLFrame.cpp, line 525] nsContainerFrame::ReflowChild [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 891] nsHTMLScrollFrame::ReflowScrolledFrame [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsGfxScrollFrame.cpp, line 521] nsHTMLScrollFrame::ReflowContents [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsGfxScrollFrame.cpp, line 584] nsHTMLScrollFrame::Reflow [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsGfxScrollFrame.cpp, line 781] nsContainerFrame::ReflowChild [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 891] ViewportFrame::Reflow [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsViewportFrame.cpp, line 230] IncrementalReflow::Dispatch [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 859] PresShell::ProcessReflowCommands [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6483] PresShell::WillPaint [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6143] Might be dupe, but the other similar bugs didn't crash for me for the testcases.
Attached file testcase
tables and abs. pos. its a known love affair :-(, bug 10209 comes into mind and of course bug 175590.
buttons do evil things with style contexts I thought that I added a comment it to bug 56746. void 203 nsHTMLButtonControlFrame::ReParentFrameList(nsFrameManager* aFrameManager, 204 nsIFrame* aFrameList) 205 { 206 // get the new parent context from the first child: that is the 207 // frame that the subsequent children will be made children of 208 nsStyleContext* newParentContext = mFrames.FirstChild()->GetStyleContext(); 209 210 // Set the parent for each of the child frames 211 for (nsIFrame* frame = aFrameList; frame; frame = frame->GetNextSibling()) { 212 frame->SetParent(mFrames.FirstChild()); 213 // now reparent the contexts for the reparented frame too 214 aFrameManager->ReParentStyleContext(frame, newParentContext); 215 } 216 217 // Set NS_FRAME_HAS_CHILD_WITH_VIEW on the area frame if needed, bug 276236. 218 mFrames.FirstChild()->AddStateBits(GetStateBits() & NS_FRAME_HAS_CHILD_WITH_VIEW); 219 } but obviously not, this is reminder for me, this code does evil things with the outer-inner table vodoo.
Depends on: 51767
I can't seem to reproduce this in a current trunk build....
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20051206 Firefox/1.6a1 Same as bz, and I'm too lazy to track which patch fixed this.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
I will anyway proceed with the button cleanup which also fixes this bug and only needs rtesting + review.
Please do! They need it desperately.
I crash again with a 2005-12-15 trunk build on windows. Talkback ID: TB13024467W (which gives the same backtrace) Remember, you need to hover over the text from top to bottom to get the crash.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Flags: blocking1.9a1?
Blocks: ajax-demolisher
Attached file testcase2
Seperate testcase, which I minimised from a different file. I think it is basically this bug.
This seems to be fixed by the patch for bug 322348
Depends on: 322348
This doesn't crash anymore in the 2006-01-13 build, so fixed by bug 51767.
Status: REOPENED → RESOLVED
Closed: 19 years ago19 years ago
Resolution: --- → FIXED
Verified FIXED using both testcases with SeaMonkey 1.5a;Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060116 Mozilla/1.0
Status: RESOLVED → VERIFIED
Flags: blocking1.9a1?
Crash Signature: [@ nsHTMLReflowState::ComputePadding]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: