Closed Bug 317682 Opened 16 years ago Closed 16 years ago

Crash with evil testcase using display:table and dd with position:relative; float:right

Categories

(Core :: Layout, defect)

x86
Windows XP
defect
Not set
critical

VERIFIED FIXED
mozilla1.8.1beta1

People

(Reporter: martijn.martijn, Assigned: dbaron)

References

(Depends on 1 open bug)

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

(cc-ing bernd, maybe this has something to do with tables)

See upcoming testcase, it crashes for me when hovering over the text.
It seems like a regression, it doesn't crash in 2005-04-29 build, but it crashes in 2005-04-30 build:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-04-28+23%3A00%3A00&maxdate=2005-04-30+08%3A00%3A00&cvsroot=%2Fcvsroot
Maybe regression from bug 290377?

Talkback ID: TB12208000Q
Attached file testcase
looks like the testcase has already enough issues on load

###!!! ASSERTION: huh?: 'pfd->mFrame == aFrame', file d:/moz_src/mozilla/layout/generic/nsLineLayout.cpp, line 521
###!!! ASSERTION: huh?: 'pfd->mFrame == aFrame', file d:/moz_src/mozilla/layout/generic/nsLineLayout.cpp, line 521
###!!! ASSERTION: huh?: 'pfd->mFrame == aFrame', file d:/moz_src/mozilla/layout/generic/nsLineLayout.cpp, line 521
WARNING: aFrame is already associated with a region, file d:/moz_src/mozilla/layout/generic/nsSpaceManager.cpp, line 814
###!!! ASSERTION: bad float placement: 'NS_SUCCEEDED(rv)', file d:/moz_src/mozilla/layout/generic/nsBlockReflowState.cpp, line 1005
WARNING: aFrame is already associated with a region, file d:/moz_src/mozilla/layout/generic/nsSpaceManager.cpp, line 814
###!!! ASSERTION: bad float placement: 'NS_SUCCEEDED(rv)', file d:/moz_src/mozilla/layout/generic/nsBlockReflowState.cpp, line 1005
###!!! ASSERTION: leak: 'mSpansAllocated == mSpansFreed', file d:/moz_src/mozilla/layout/generic/nsLineLayout.cpp, line 355
###!!! ASSERTION: leak: 'mFramesAllocated == mFramesFreed', file d:/moz_src/mozilla/layout/generic/nsLineLayout.cpp, line 356
###!!! ASSERTION: Creating a circular frame list, this is very bad.: 'this != aNextSibling', file d:/moz_src/mozilla/layout/generic/nsIFrame.h, line 695
###!!! ASSERTION: Creating a circular frame list, this is very bad.: 'this != aNextSibling', file d:/moz_src/mozilla/layout/generic/nsIFrame.h, line 695
I have filed two bugs with similar assertions: bug 316318 and bug 317278
this should never happen .. even if the code that makes it crash is poorly done, no offense martijn ;-) j/k
Flags: blocking1.8.1?
I really have no idea what's going on here...  Anyone familiar with line layout want to take a look at the pfd asserts?  I suspect those are the key...
Depends on: 316318, 317278
Flags: blocking1.9a1+
Blocks: 317855
I think the core issue is bug 222194, we don't create an anonymous block around the inline frame and as a consequence we reflow the inline without creating a line object.
Depends on: 222194
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20051206 Firefox/1.6a1

I don't crash anymore with a build that has the fix for bug 317855 checked in. I do still get the assertions, though.
stephend, does that mean you crash with current trunk on this testcase?
(In reply to comment #9)
> stephend, does that mean you crash with current trunk on this testcase?

Yes, I should have been more explicit.  Build 2005-12-09-09 on Windows XP, SeaMonkey trunk gave that stack.
Huh.  I get lots of asserts on Linux, but no crash....
the assertions got fixed by bug 307992, wfm, Stephen could you test with a build that incorporates David's checkin from 2005-12-15 15:08?
bernd: the testcase is now working fine (no crash) with trunk SeaMonkey 1.5a; Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051216 Mozilla/1.0
marking as fixed 
Status: NEW → RESOLVED
Closed: 16 years ago
Depends on: 307992
Resolution: --- → FIXED
Verified; see comment 13.
Status: RESOLVED → VERIFIED
Flags: blocking1.8.1? → blocking1.8.1+
Assignee: nobody → dbaron
dbaron, is this OK to take for branch?
Target Milestone: --- → mozilla1.8.1beta1
Clearing blocking flag since this is covered in other bugs.
Flags: blocking1.8.1+