Closed Bug 32447 Opened 24 years ago Closed 24 years ago

CRASH: FORM inside TABLE with STYLE="position: absolute;"

Categories

(Core :: DOM: HTML Parser, defect, P3)

Product:
Core
Component:
DOM: HTML Parser
Type:
defect

Tracking

()

Status:
VERIFIED WORKSFORME

People

(Reporter: andre, Assigned: troy)

References

(
URL
)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

testcase
106 bytes, text/html
Details 
build: 2000-03-19-05	
os: win2000
reproduceable: always

load http://rk-online.itbnet.de/stage/ then click on "systemlösungen",
mozilla will crash (appeared in all other builds before too)
the team has absolutely nothing to do with "süstemlösungen". bugs should be 
reported in english language.
think the last comment was stupid, because the bug was posted in english
language - the fact that the language is german should not allow mozilla to
crash, or do you think that mozilla should only work on english websites?
i don´t think so, in fact i could write an email to the site owner to change the
link in "systemsolutions", but that won´t prevent mozilla from crashing


Confirmed on Linux build 2000.03.19.09.  The crash happens in
http://rk-online.itbnet.de/stage/systemloesungen/index.php3. Looks like a parser
problem.  Here's a simplified testcase:

<TABLE STYLE="position: absolute;">
<FORM>
<TR>
<TD> Test
</TR>
</TABLE>
</FORM>

-> rickg
Assignee: cbegle → rickg
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: Browser-General → Parser
Ever confirmed: true
Keywords: crash, testcase
OS: Windows NT → All
QA Contact: asadotzler → janc
Hardware: PC → All
Summary: crasher, on clicking "systemlösungen" → Crash in absolutely positioned TABLE with FORM and missing </TD>
Attached file testcase 

    
    

    
  
The language of the web page is, as alangho@itbnet.de says, irrelevant.

Confirmed on W95 20000317 (close enough).

The problem occurs if you have a <FORM> inside a table (this occurs on the 
original page, although the </FORM> is outside the table), and the table has 
STYLE="position: absolute;". I have no idea how the two are linked! I am fairly 
sure FORM inside TABLE is illegal, but it shouldn't crash the browser.

Test case attached. Trying component HTMLTables, but I wouldn't be surprised if 
they bounce it to Forms...

Gerv
Assignee: rickg → karnaze
Severity: critical → normal
Component: Parser → HTMLTables
Keywords: crash
OS: All → Windows NT
QA Contact: janc → chrisd
Hardware: All → PC
Summary: Crash in absolutely positioned TABLE with FORM and missing </TD> → CRASH: FORM inside TABLE with STYLE="position: absolute;"

    
    

    
  
Oops! Mid-air collision! I can't believe we both did the same test case work at 
exactly the same time...

I won't bother to attach mine, as zach@math has attached his. If you disagree 
with any of the reassignments, other field changes I made, feel free to 
fiddle...

Gerv

    
    

    
  
Since TABLE, FORM and style attribute seem to interact here, I think this is one
for rickg.
Assignee: karnaze → rickg
Severity: normal → critical
Component: HTMLTables → Parser
Keywords: crash
OS: Windows NT → All
QA Contact: chrisd → janc
Hardware: PC → All

    
    

    
  
Could be a reflow bug.  Here is the trace.

nsBlockReflowState::~nsBlockReflowState() line 694 + 29 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x00f2e304, nsIPresContext * 
0x02adfa70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 1745 + 20 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x00f2e304, nsIPresContext * 
0x02adfa70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, 
int 0, unsigned int 0, unsigned int & 0) line 646 + 31 bytes
nsTableFrame::ResizeReflowPass1(nsTableFrame * const 0x00f2e298, nsIPresContext 
* 0x02adfa70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0, nsTableRowGroupFrame * 0x00000000, nsReflowReason 
eReflowReason_Initial, int 1) line 1720
nsTableFrame::Reflow(nsTableFrame * const 0x00f2e298, nsIPresContext * 
0x02adfa70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 1545 + 39 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x00f2e298, nsIPresContext * 
0x02adfa70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, 
int 0, unsigned int 0, unsigned int & 0) line 646 + 31 bytes
nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x00f2e244, nsIPresContext * 
0x02adfa70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 1003 + 43 bytes
nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame * 0x00f2e0e8, 
nsIPresContext * 0x02adfa70, const nsHTMLReflowState & {...}, int -1, int -1, 
nsIFrame * 0x00f2e244, int 1, unsigned int & 0) line 403 + 37 bytes
nsAbsoluteContainingBlock::Reflow(nsIFrame * 0x00f2e0e8, nsIPresContext * 
0x02adfa70, const nsHTMLReflowState & {...}, int -1, int -1, nsRect & {...}) 
line 209
nsAreaFrame::Reflow(nsAreaFrame * const 0x00f2e0e8, nsIPresContext * 0x02adfa70, 
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) 
line 287 + 44 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x00f2e0e8, nsIPresContext * 
0x02adfa70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, 
int 0, unsigned int 0, unsigned int & 0) line 646 + 31 bytes
RootFrame::Reflow(RootFrame * const 0x0209d564, nsIPresContext * 0x02adfa70, 
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) 
line 331
nsContainerFrame::ReflowChild(nsIFrame * 0x0209d564, nsIPresContext * 
0x02adfa70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, 
int 0, unsigned int 1, unsigned int & 0) line 646 + 31 bytes
nsScrollPortFrame::Reflow(nsScrollPortFrame * const 0x0209d5ec, nsIPresContext * 
0x02adfa70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 480
nsContainerFrame::ReflowChild(nsIFrame * 0x0209d5ec, nsIPresContext * 
0x02adfa70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, 
int 0, unsigned int 3, unsigned int & 0) line 646 + 31 bytes
nsGfxScrollFrameInner::ReflowFrame(nsIPresContext * 0x02adfa70, 
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0, 
nsIFrame * 0x0209d5ec, const nsSize & {...}, const nsSize & {...}, int & 0, 
nsIFrame * & 0x00000000) line 1361
nsGfxScrollFrameInner::ReflowScrollArea(nsIPresContext * 0x02adfa70, 
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0, 
nsIFrame * & 0x00000000) line 1428
nsGfxScrollFrame::Reflow(nsGfxScrollFrame * const 0x0209d5a0, nsIPresContext * 
0x02adfa70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 582
nsContainerFrame::ReflowChild(nsIFrame * 0x0209d5a0, nsIPresContext * 
0x02adfa70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, 
int 0, unsigned int 0, unsigned int & 0) line 646 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x0209d528, nsIPresContext * 
0x02adfa70, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, 
unsigned int & 0) line 531
nsHTMLReflowCommand::Dispatch(nsHTMLReflowCommand * const 0x02b22410, 
nsIPresContext * 0x02adfa70, nsHTMLReflowMetrics & {...}, const nsSize & {...}, 
nsIRenderingContext & {...}) line 145
PresShell::ProcessReflowCommands(PresShell * const 0x028a80f0, int 0) line 2054
PresShell::ExitReflowLock(PresShell * const 0x028a80f0, int 1) line 909
PresShell::ContentAppended(PresShell * const 0x028a80f8, nsIDocument * 
0x02b02640, nsIContent * 0x028d4cfc, int 0) line 2626
nsDocument::ContentAppended(nsDocument * const 0x02b02640, nsIContent * 
0x028d4cfc, int 0) line 1590
nsHTMLDocument::ContentAppended(nsHTMLDocument * const 0x02b02640, nsIContent * 
0x028d4cfc, int 0) line 1133
HTMLContentSink::NotifyAppend(nsIContent * 0x028d4cfc, int 0) line 3978
SinkContext::FlushTags(int 1) line 1920
HTMLContentSink::CloseBody(HTMLContentSink * const 0x02623830, const 
nsIParserNode & {...}) line 2711
CNavDTD::CloseBody(const nsIParserNode * 0x028d0f00) line 2679 + 31 bytes
CNavDTD::CloseContainer(const nsIParserNode * 0x028d0f00, nsHTMLTag 
eHTMLTag_body, int 0) line 2993 + 12 bytes
CNavDTD::CloseContainersTo(int 1, nsHTMLTag eHTMLTag_body, int 0) line 3050 + 20 
bytes
CNavDTD::CloseContaine

Probably belongs to nisheeth or buster.  Reassigning to nisheeth for further 
analysis.
Assignee: rickg → nisheeth

    
    

    
  
The table element has a form element as its first child.  When the table frame 
reflows its children, the form frame (which is a block frame) asserts that there 
is no space manager.

This problem only shows up when the table is absolutely positioned because, for 
that case, no space manager is created and set on the reflow state before the 
table is reflowed.

I've talked this over with Troy and he's asked me to give this over to him...
Assignee: nisheeth → troy

    
    

    
  
changed original page, new url has bug too

URL: http://rk-online.itbnet.de/stage/http://rk-online.itbnet.de/stage/best...

    
    

    
  
b: 2000-04-03-08
os: win2000
is this one fixed right now? it worked for me

Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → WORKSFORME

    
    

    
  
WFM as well on Linux 2000.04.03.15. and 2000.04.04.09. 

    
    

    
  
verified per reporter comments
Status: RESOLVED → VERIFIED

    
    

    
  
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/5a6def05ccbc
Flags: in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: