Closed Bug 325222 Opened 19 years ago Closed 18 years ago

[FIX]Crash with evil xul/mathml testcase, involving mi display: block and eq [@ nsLineLayout::ReflowFrame]

Categories

(Core :: MathML, defect, P2)

Product:
Core
Component:
MathML
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: martijn.martijn, Assigned: bzbarsky)

References

Details

(4 keywords)

Crash Data

Attachments

(2 files, 1 obsolete file)

testcase (hangs/crashes on load)
331 bytes, application/vnd.mozilla.xul+xml
Details
Do what blocks do
1.60 KB, patch
roc
: review+
roc
: superreview+
dveditz
: approval1.8.0.8+
mtschrep
: approval1.8.1+
Details | Diff | Splinter Review
See upcoming testcase, which makes Mozilla hang/crash on load. It happens also in Mozilla1.7, so no recent regression
Talkback ID TB14549442K: nsLineLayout::ReflowFrame [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsLineLayout.cpp, line 981] nsMathMLContainerFrame::ReflowForeignChild [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/mathml/base/src/nsMathMLContainerFrame.cpp, line 1027] nsMathMLContainerFrame::ReflowChild [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/mathml/base/src/nsMathMLContainerFrame.cpp, line 1005] nsMathMLTokenFrame::Reflow [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/mathml/base/src/nsMathMLTokenFrame.cpp, line 181] nsFrame::BoxReflow [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsFrame.cpp, line 6013] nsFrame::RefreshSizeCache [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsFrame.cpp, line 5513] nsFrame::GetAscent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsFrame.cpp, line 5721] nsSprocketLayout::GetAscent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 1564] nsBoxFrame::GetAscent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 946] nsSprocketLayout::Layout [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 260] nsBoxFrame::DoLayout [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1065] nsBoxFrame::DoLayout [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1065] nsRootBoxFrame::Reflow [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsRootBoxFrame.cpp, line 217] nsContainerFrame::ReflowChild [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 742] ViewportFrame::Reflow [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsViewportFrame.cpp, line 239] PresShell::InitialReflow [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 2784] nsXULDocument::StartLayout [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp, line 2049] nsXULDocument::ResumeWalk [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp, line 2975] nsXULDocument::EndLoad [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp, line 679] XULContentSinkImpl::DidBuildModel [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xul/document/src/nsXULContentSink.cpp, line 406]
Summary: Crash with evil xul/mathml testcase, involving mi display: block and eq → Crash with evil xul/mathml testcase, involving mi display: block and eq [@ nsLineLayout::ReflowFrame]
Blocks: ajax-demolisher
Flags: blocking1.9a1?
Attached patch naive patch (obsolete) — Splinter Review
This patch does a little bit of wallpaper of the nsSpaceManager in nsMathMLContainerFrame::ReflowForeignChild() passed to the nsLineLayout, emulating similar code in nsSVGForeignObjectFrame::Reflow(). I've never dealt with a nsSpaceManager before, so don't know if what I've done is appropriate.
Flags: blocking1.9a1? → blocking1.9+
bz, this is the bug (it is not related to float) that I was thinking about when I posted my comment in bug 353894.
The effect is the same as the "naive patch".
Attachment #223505 - Attachment is obsolete: true
Attachment #239946 - Flags: superreview?(roc)
Attachment #239946 - Flags: review?(roc)
Assignee: rbs → bzbarsky
OS: Windows XP → All
Priority: -- → P2
Hardware: PC → All
Summary: Crash with evil xul/mathml testcase, involving mi display: block and eq [@ nsLineLayout::ReflowFrame] → [FIX]Crash with evil xul/mathml testcase, involving mi display: block and eq [@ nsLineLayout::ReflowFrame]
Target Milestone: --- → mozilla1.9alpha
Attachment #239946 - Flags: superreview?(roc)
Attachment #239946 - Flags: superreview+
Attachment #239946 - Flags: review?(roc)
Attachment #239946 - Flags: review+
Fixed.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment on attachment 239946 [details] [diff] [review] Do what blocks do Probably worth fixing on the branches.
Attachment #239946 - Flags: approval1.8.1?
Attachment #239946 - Flags: approval1.8.0.8?
Comment on attachment 239946 [details] [diff] [review] Do what blocks do Approved for RC2.
Attachment #239946 - Flags: approval1.8.1? → approval1.8.1+
Fixed on 1.8 branch.
Keywords: fixed1.8.1
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060925 Minefield/3.0a1
Status: RESOLVED → VERIFIED
Flags: blocking1.8.0.8+
Comment on attachment 239946 [details] [diff] [review] Do what blocks do approved for 1.8.0 branch, a=dveditz for drivers
Attachment #239946 - Flags: approval1.8.0.8? → approval1.8.0.8+
Fixed for 1.8.0.8
Keywords: fixed1.8.0.8
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.8pre) Gecko/20061020 Firefox/1.5.0.8pre, no crash/hang with testcase.
Keywords: fixed1.8.0.8verified1.8.0.8
Crash Signature: [@ nsLineLayout::ReflowFrame]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: