Closed Bug 317502 Opened 19 years ago Closed 19 years ago

Crash [@ nsIFrame::GetPosition() line 664]

Categories

(Core :: Layout, defect, P1)

Product:
Core
Component:
Layout
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: bc, Assigned: dbaron)

References

Details

(Keywords: crash, verified1.8.0.1, verified1.8.1, Whiteboard: [sg:nse][patch])

Crash Data

Attachments

(2 files)

testcase
412 bytes, application/xhtml+xml; charset=UTF-8
Details
patch
1.97 KB, patch
roc
: review+
roc
: superreview+
dveditz
: approval1.8.0.1+
dveditz
: approval1.8.1+
Details | Diff | Splinter Review 
the stack looks like bug 316504 which is probably a dupe of bug  253479
Whiteboard: [sg:investigate]
Flags: blocking1.8.0.1?
Depends on: 316504
So this bug is actually quite different.

What's happening here is that nsFileControlFrame::Reflow constructs an nsHTMLReflowState txtKidReflowState, that has the same frame as its parent (this doesn't make much sense, but I don't think this is the only place we do it).  This file control frame happens to be fixed-positioned.

Since the file control frame |IsContainingBlock()| is true, we initialize this inner reflow states mCBReflowState (in InitCBReflowState) to be the outer reflow state.

So in  so we go into the do-while loop near the end of nsHTMLReflowState::CalculateHypotheticalBox, which assumes that the mCBReflowState for a fixed positioned frame is the reflow state for the viewport frame, and we loop in that loop until we get to the top of the frame tree and then crash.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached file testcase 
"Simplified" testcase written based on what I saw in the debugger.
Blocks: 118509
No longer depends on: 316504
Attached patch patchSplinter Review 
This doesn't make the testcases in bug 118509 any worse (nor any better, unfortunately).
Assignee: nobody → dbaron
Status: NEW → ASSIGNED
Attachment #206353 - Flags: superreview?(roc)
Attachment #206353 - Flags: review?(roc)
Priority: -- → P1
Whiteboard: [sg:investigate] → [sg:investigate][patch]
Target Milestone: --- → mozilla1.9alpha
Attachment #206353 - Flags: superreview?(roc)
Attachment #206353 - Flags: superreview+
Attachment #206353 - Flags: review?(roc)
Attachment #206353 - Flags: review+
Checked in to trunk, 2005-12-20 19:31 -0800.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: blocking1.8.0.1? → blocking1.8.0.1+
Attachment #206353 - Flags: approval1.8.1?
Attachment #206353 - Flags: approval1.8.0.1?
Comment on attachment 206353 [details] [diff] [review]
patch

a=dveditz
Attachment #206353 - Flags: approval1.8.1?
Attachment #206353 - Flags: approval1.8.1+
Attachment #206353 - Flags: approval1.8.0.1?
Attachment #206353 - Flags: approval1.8.0.1+
Checked in to MOZILLA_1_8_BRANCH and MOZILLA_1_8_0_BRANCH.
Keywords: fixed1.8.0.1, fixed1.8.1
Keywords: fixed1.8.0.1verified1.8.0.1
no crash in 1.8.0.1, 1.8.1, 1.9a1 20060113 on windows. 

but in 1.9a1, clicking in the input area of the input file, automatically opens the file open dialog. this does not happen in the 1.8.x builds. 

Also, using tab to switch focus allows the input are of the input file to be focused in 1.8.x, but not trunk.
Keywords: fixed1.8.1verified1.8.1
Flags: testcase?
> but in 1.9a1, clicking in the input area of the input file, automatically opens
> the file open dialog. this does not happen in the 1.8.x builds. 

> Also, using tab to switch focus allows the input are of the input file to be
> focused in 1.8.x, but not trunk.

These changes were intentional (but somewhat controversial).  See bug 258875.
Flags: testcase? → testcase+
Whiteboard: [sg:investigate][patch] → [sg:nse][patch]
Group: security
Flags: in-testsuite+ → in-testsuite?
crash test landed
http://hg.mozilla.org/mozilla-central/rev/7806c9464087
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsIFrame::GetPosition() line 664]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: