Bug 331679 - Crash involving ::-moz-table-row-group, overflow, position, and opacity [@ nsIView::GetOffsetTo]
Status: RESOLVED FIXED
Whiteboard: [sg:critical]
Keywords: crash, testcase, verified1.8.0.5, verified1.8.1
Product: Core
Classification: Components
Component: Layout: Tables
Version: Trunk
Platform: PowerPC Mac OS X
Importance: -- critical
Assigned To: Bernd
Depends on: 336291
Blocks: randomclasses
Reported: 2006-03-25 02:08 PST by Jesse Ruderman
Modified: 2011-06-13 10:01 PDT
dveditz: blocking1.8.0.5+
jruderman: in‑testsuite+


Attachments
reduced testcase for crash [@ nsIView::GetOffsetTo] (652 bytes, application/xhtml+xml)
2006-03-25 02:10 PST, Jesse Ruderman
reduced testcase that triggers assertion (312 bytes, text/xml)
2006-03-27 08:52 PST, Bernd
testcase without abs.pos. which triggers the assert (383 bytes, text/xml)
2006-04-20 12:28 PDT, Bernd
patch (5.79 KB, patch)
2006-04-20 22:57 PDT, Bernd
bzbarsky: review+
bzbarsky: superreview+
roc: approval‑branch‑1.8.1+
dveditz: approval1.8.0.5+
1.0.x patch (3.85 KB, patch)
2006-08-08 08:27 PDT, Alexander Sack

Description Jesse Ruderman 2006-03-25 02:08:40 PST
[sg:critical] because before I reduced the testcase, I got crashes with random addresses on top.  The only reduced testcases I managed to make were for nondeterministic null dereferences, so I will retest with the original file once this is fixed.

Stack signatures (functions on top of the stack) included:

[@ nsIView::GetOffsetTo] 
[@ nsCSSFrameConstructor::BeginBuildingScrollFrame] -- with random at top 
[@ nsCSSFrameConstructor::ContentInserted] 
[@ nsHTMLContainerFrame::CreateViewForFrame] 
[@ IncrementalReflow::AddCommand] 
[@ nsHTMLReflowState::InitConstraints]
Comment 1 Jesse Ruderman 2006-03-25 02:10:39 PST
Created attachment 216197
reduced testcase for crash [@ nsIView::GetOffsetTo] 

Usually crashes after about 10 reloads.
Comment 2 Bernd 2006-03-27 08:52:19 PST
Created attachment 216414
reduced testcase that triggers assertion

###!!! ASSERTION: unexpected second call to SetInitialChildList: 'Not Reached',
file d:/moz_src/mozilla/layout/generic/nsContainerFrame.cpp, line 108

This happens on the scroll frame around the rowgroup which is an abs. containing block.
Comment 3 Boris Zbarsky [:bz] (Out June 25-July 6) 2006-04-17 11:38:20 PDT
So what's GetAbsoluteContainingBlock returning here, and why?
Comment 4 Bernd 2006-04-20 12:28:38 PDT
Created attachment 219177
testcase without abs.pos. which triggers the assert

rowgroup pseudos are the parent frames at pseudoFrames.mRowGroup.mFrame. If we build however a scrollframe for the rowgroup, we have the scrollframe there and then we put the row on the childlist of the.... scrollframe already occupied by the rowgroupframe. (The typical case of: NOBODY expects the Spanish Inquisition!)
Comment 5 Bernd 2006-04-20 22:57:38 PDT
Created attachment 219269
patch

This code is wrong since it has been written, the typical effect is that we lose the rowframe and all its children. Then it's only a question what you stuffed inside this row to determine where we crash, abs. pos with opacity, seems nice, the abs.pos animated gif should work too. I guess we need to get this, once it has baked, back to branches.
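
The failure described in comments 4 and 5, as a simplified model (an added example, not code from the Gecko tree or from the attached patch, which is not shown on this page). `Frame`, `PseudoRowGroup`, `mInner`, `Reachable` and `RowSurvives` are hypothetical names; the rejected second `SetInitialChildList` call, the ignored return value and the inner-frame correction are assumptions made for illustration.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Simplified stand-in for a layout frame; not Gecko's real frame classes.
struct Frame {
    std::string name;
    std::vector<Frame*> children;
    bool initialized;
    explicit Frame(const std::string& n) : name(n), initialized(false) {}

    // Models the condition behind the assertion quoted in comment 2: the
    // initial child list is accepted once; a second call is rejected.
    bool SetInitialChildList(const std::vector<Frame*>& kids) {
        if (initialized) return false;  // "unexpected second call"
        children = kids;
        initialized = true;
        return true;
    }
};

// Hypothetical record, loosely after pseudoFrames.mRowGroup.mFrame (comment 4).
struct PseudoRowGroup {
    Frame* mFrame;  // frame recorded for the pseudo: the scroll frame if wrapped
    Frame* mInner;  // assumed extra field: the row group frame that owns rows
};

// True if target can be reached from root through child lists.
bool Reachable(const Frame* root, const Frame* target) {
    if (root == target) return true;
    for (const Frame* c : root->children)
        if (Reachable(c, target)) return true;
    return false;
}

// Builds scroll frame -> row group, then attaches a row. useInner == false sends
// the row to the recorded outer frame (the mistake); true sends it to the row group.
bool RowSurvives(bool useInner) {
    Frame scroll("scroll"), rowGroup("rowgroup"), row("row");
    scroll.SetInitialChildList({&rowGroup});  // scroll frame wraps the row group
    PseudoRowGroup pseudo = {&scroll, &rowGroup};
    Frame* parent = useInner ? pseudo.mInner : pseudo.mFrame;
    parent->SetInitialChildList({&row});      // result ignored (assumption)
    return Reachable(&scroll, &row);
}

int main() {
    std::printf("outer: %d, inner: %d\n", RowSurvives(false), RowSurvives(true));
}
```

In the first case the row is never linked into the frame tree, so anything created for its content has no valid ancestor chain, which fits the varying crash signatures listed in the description.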
Comment 6 Bernd 2006-04-22 03:56:06 PDT
fix checked in, open for some stress tests by Jesse 
Comment 7 Daniel Veditz [:dveditz] 2006-06-15 14:46:12 PDT
Comment on attachment 219269
patch

approved for 1.8.0 branch, a=dveditz for drivers
Comment 8 Bernd 2006-06-18 00:11:49 PDT
fix checked in into branches
Comment 9 Jay Patel [:jay] 2006-06-26 14:54:59 PDT
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US;
rv:1.8.0.5) Gecko/20060626 Firefox/1.5.0.5, no crash with testcase.
Comment 10 Daniel Veditz [:dveditz] 2006-06-26 17:40:41 PDT
(In reply to comment #0)
> [sg:critical] because before I reduced the testcase, I got crashes with random
> addresses on top.  The only reduced testcases I managed to make were for
> nondeterministic null dereferences, so I will retest with the original file
> once this is fixed.

Jesse: Do you still have the original testcase, and if so did this really fix it?

asac: I don't think anyone tested this on the 1.7 branch.
Comment 11 Jesse Ruderman 2006-06-26 22:54:10 PDT
I think I tested the original testcase (and various intermediate testcases) shortly after this was fixed and didn't hit any more crashes.  I think the more recent fix for bug 331883 affects how Gecko thinks about this testcase.
Comment 12 Alexander Sack 2006-08-08 08:27:58 PDT
Created attachment 232739
1.0.x patch
Comment 13 Bob Clary [:bc:] 2006-08-21 23:57:01 PDT
https://bugzilla.mozilla.org/attachment.cgi?id=216197
ff2b2 no crash windows, linux, macppc

https://bugzilla.mozilla.org/attachment.cgi?id=216414&action=view
ff2b2 windows, linux, macppc no crash; windows, linux no assert

https://bugzilla.mozilla.org/attachment.cgi?id=219177
ff2b2 windows, linux, macppc; windows, linux no assert
Comment 14 Bob Clary [:bc:] 2006-08-21 23:57:42 PDT
verified fixed 1.8
Comment 15 Jesse Ruderman 2007-12-16 18:58:45 PST
Crashtests checked in.
Comment 16 Jesse Ruderman 2007-12-19 16:19:26 PST
The crashtests trigger CSS errors because bug 331883 has been fixed -- web pages cannot reference these internal pseudo-elements at all.
