Closed
Bug 373533
Opened 18 years ago
Closed 17 years ago
Crash [@ nsLineBox::CachedIsEmpty] [@ IsContinuationPlaceholder] with XUL, MathML, HTML
Categories
(Core :: Layout, defect, P3)
Tracking
()
VERIFIED
WORKSFORME
People
(Reporter: jruderman, Assigned: Waldo)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?][dbaron-1.9:Rs])
Crash Data
Attachments
(6 files, 3 obsolete files)
4.64 KB,
text/plain; charset=UTF-8
|
Details | |
679 bytes,
application/xhtml+xml
|
Details | |
859 bytes,
application/xhtml+xml
|
Details | |
859 bytes,
application/xhtml+xml
|
Details | |
6.03 KB,
patch
|
neil
:
review+
|
Details | Diff | Splinter Review |
5.87 KB,
patch
|
Waldo
:
review+
dbaron
:
superreview-
|
Details | Diff | Splinter Review |
Steps to reproduce:
1. Load the testcase
Result: one or more of:
###!!! ASSERTION: frame not in line: 'line->Contains(aDeletedFrame)', file /Users/jruderman/trunk/mozilla/layout/generic/nsBlockFrame.cpp, line 5025
Crash, null deref [@ nsLineBox::CachedIsEmpty]
Crash, random address "called by" IsContinuationPlaceholder -- sg:critical
Flags: blocking1.9?
Reporter | ||
Comment 1•18 years ago
|
||
This bug can also trigger:
###!!! ASSERTION: prev sibling not in line list: 'Not Reached', file /Users/jruderman/trunk/mozilla/layout/generic/nsBlockFrame.cpp, line 4667
Reporter | ||
Updated•18 years ago
|
Whiteboard: [sg:critical?]
Comment 2•18 years ago
|
||
This regressed between 2006-12-07 and 2006-12-08, so probably a regression from the reflow branch landing.
Blocks: reflow-refactor
Updated•18 years ago
|
Assignee: nobody → dbaron
This doesn't crash my Linux debug build.
Comment 4•18 years ago
|
||
Reporter | ||
Comment 5•18 years ago
|
||
Still crashes for me on Mac (debug).
Comment 6•18 years ago
|
||
Ah wait, when reloading it quickly a couple of times, I still crash with a 2007-03-22 build, talkback ID: TB30541118K
It crashes for me on the first try in a Linux nightly, but it doesn't crash my debug build (with patches).
Attachment #260326 -
Attachment mime type: application/octet-stream → text/plain; charset=UTF-8
Reporter | ||
Comment 8•18 years ago
|
||
Do you guys still get a crash with this testcase? If not, or if you need a new one that crashes in debug, I can try to make a new one.
A testcase that crashes more reliably would be useful.
Flags: blocking1.9? → blocking1.9+
Reporter | ||
Comment 10•18 years ago
|
||
This crashes reliably on trunk [@ nsLineBox::CachedIsEmpty].
Attachment #258196 -
Attachment is obsolete: true
Comment 11•18 years ago
|
||
Poke.
Any news on this?
Comment 12•18 years ago
|
||
I can't reproduce any sort of exploitable crash on Linux here, but I do see a null-ptr crash in layout. We seem to manage to remove frames without managing to notify their lines...
Assignee | ||
Updated•18 years ago
|
Assignee: dbaron → jwalden+bmo
Assignee | ||
Comment 13•17 years ago
|
||
If you tweak the test slightly to move the appendChild and removeChild calls into two timeouts (boom ends in one which calls appendChild, that one ends in one which calls removeChild), you get these two assertions and a hang on a loop over that circular list:
###!!! ASSERTION: frame not in line: 'line->Contains(aDeletedFrame)'
###!!! ASSERTION: Creating a circular frame list, this is very bad.: 'this != aNextSibling'
Still working on this yet...
Status: NEW → ASSIGNED
Assignee | ||
Comment 14•17 years ago
|
||
Assignee | ||
Comment 15•17 years ago
|
||
So, if you actually read the previous modification, you'll see that it's not what I said it was -- I somehow managed to convert the last call, a removeChild, into an appendChild. If you do what I *said* I did (posted as this attachment), and make the last call to removeChild, the crash occurs while accessing presshell-deallocated memory.
Assignee | ||
Comment 16•17 years ago
|
||
So it seems at least part of the problem is as follows: the outer XUL box is collapsed, so its bounding box is (0,0,0,0). Within a box, layout of children is done as though the children were themselves boxes, using an nsBoxReflowState to pass state from parent to child. When we reach the xul:box and try to layout its children, we notice it's collapsed and short-circuit immediately, passing in (0,0,0,0) as the rect for each child. When we layout a non-XUL child, we don't have an nsHTMLReflowState to use for passing information, so we create a root reflow state, and we pass in our rect as the size. This height is 0, so things start wrapping, creating continuations, etc. and Eli says we don't deal with that at all.
We pass in zero for availableHeight somewhere? That would be wrong.
Comment 18•17 years ago
|
||
Yes, we do. nsFrame::BoxReflow uses the passed-in aWidth and aHeight as the available space. When called from nsFrame::DoLayout, those are mRect.width and mRect.height.
For parentReflowState? Yeah, that should probably be fixed, but does it matter?
Hmm, I think I've seen a bug relating to this somewhere.
It obviously does matter if it's managing to trigger continuation placeholders outside a columns/pagination situation.
Assignee | ||
Comment 21•17 years ago
|
||
Passing in a rect with height NS_UNCONSTRAINEDSIZE does the right thing for me; it prevents the testcases from asserting, and it seems to be the right thing to do anyway, since in any other non-paginated context we wouldn't know the child's available height.
I added all the testcases here (except the first, which is just the second minimized, basically) to the patch. The third crashes dereferencing freed memory and absolutely can't be immediately committed to CVS. The other two, I believe, are null derefs, but I need to double-check that; given how little they differ from the third, I suspect none of them can be committed for awhile. :-(
Attachment #277876 -
Flags: superreview?(dbaron)
Attachment #277876 -
Flags: review?(bzbarsky)
Comment 22•17 years ago
|
||
Uh.... That diff only has tests in it.
Assignee | ||
Comment 23•17 years ago
|
||
Blah; I'd reverted the fix to ensure the tests crashed in a pre-fix build and hadn't un-reverted.
Attachment #277876 -
Attachment is obsolete: true
Attachment #277980 -
Flags: superreview?(dbaron)
Attachment #277980 -
Flags: review?(bzbarsky)
Attachment #277876 -
Flags: superreview?(dbaron)
Attachment #277876 -
Flags: review?(bzbarsky)
Comment 24•17 years ago
|
||
Comment on attachment 277980 [details] [diff] [review]
Include the fix this time
This could really use review from Neil.
Attachment #277980 -
Flags: review?(bzbarsky) → review?(neil)
Comment 25•17 years ago
|
||
Comment on attachment 277980 [details] [diff] [review]
Include the fix this time
Something doesn't like this. I got several of these opening DOMi:
###!!! ASSERTION: non-root frame's desired size changed during an incremental reflow: '(target == rootFrame && size.height == NS_UNCONSTRAINEDSIZE) || (desiredSize.width == size.width && desiredSize.height == size.height)', file C:/mozilla/layout/base/nsPresShell.cpp, line 6069
Sadly this was in a debug build without symbols.
Attachment #277980 -
Flags: review?(neil) → review-
Assignee | ||
Updated•17 years ago
|
Attachment #277980 -
Flags: superreview?(dbaron)
Comment 26•17 years ago
|
||
Is size.height just unconstrained for a non-root frame here?
Assignee | ||
Comment 27•17 years ago
|
||
(In reply to comment #26)
> Is size.height just unconstrained for a non-root frame here?
Yes; if I force the frame to (0,0) after laying it out, that satisfies the assertion, in what seems to be a reasonably correct manner. I don't get the assertion opening the DOM inspector any more, and I don't see anything else showing up that could have been caused by this patch.
Attachment #277980 -
Attachment is obsolete: true
Attachment #278460 -
Flags: review?(neil)
Comment 28•17 years ago
|
||
Comment on attachment 278460 [details] [diff] [review]
Explicitly resize collapsed children to 0,0 so no frames in the final tree are unconstrained
>+ nsBoxFrame::LayoutChildAt(aState, child,
>+ nsRect(0, 0, 0, NS_UNCONSTRAINEDSIZE));
>+
>+ // Fix expectations: a fully reflowed frame tree contains no frames
>+ // with unconstrained size, but since we just passed an unconstrained
>+ // height, we need to fix that.
>+ child->SetSize(nsSize(0, 0));
If we set the size like this is it actually necessary to lay out the child?
(A quick test suggests that it is not and I saw no errors or crashes either.)
Attachment #278460 -
Flags: review?(neil) → review+
Assignee | ||
Comment 29•17 years ago
|
||
Yeah, I saw the same thing in my testing after you mentioned it on IRC; I think we should be okay doing that, or at least trying it to see if it breaks anything.
Attachment #278634 -
Flags: superreview?(dbaron)
Attachment #278634 -
Flags: review+
Sorry for taking so long to get to this...
So I'm a little uncomfortable about skipping the layout of the children. Why does their position never matter?
And, looking at the original patch, I'd think a non-unconstrained height ought to be OK within the box code, but we shouldn't propagate that to non-box. Do you know what's responsible for doing that propagation?
Comment on attachment 278634 [details] [diff] [review]
SetSize only
Marking sr- given previous comment.
Attachment #278634 -
Flags: superreview?(dbaron) → superreview-
Whiteboard: [sg:critical?] → [sg:critical?][dbaron-1.9:Rs]
Priority: -- → P3
Reporter | ||
Comment 32•17 years ago
|
||
WFM with a more recent trunk build.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
Comment 33•17 years ago
|
||
Jesse, is the underlying problem gone too? That is, did dbaron's "wrap in block" patch fix this? Or is something just hiding the crash?
Flags: in-testsuite?
Reporter | ||
Comment 34•17 years ago
|
||
I don't know. Want me to test nightlies to find out when the crash went away?
Comment 35•17 years ago
|
||
If it's easy, please?
Reporter | ||
Comment 36•17 years ago
|
||
2007-11-08 Mac nightly: crashes
2007-11-09 Mac nightly: does not crash
Comment 37•17 years ago
|
||
Odd. Nothing in there obviously looks like it should fix this...
Comment 38•17 years ago
|
||
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b3pre) Gecko/2007123104 Minefield/3.0b3pre and the testcase from this bug - no crash on testcase
-> Verified fixed
Status: RESOLVED → VERIFIED
Updated•14 years ago
|
Crash Signature: [@ nsLineBox::CachedIsEmpty]
[@ IsContinuationPlaceholder]
Updated•13 years ago
|
Group: core-security
Crash Signature: [@ nsLineBox::CachedIsEmpty]
[@ IsContinuationPlaceholder] → [@ nsLineBox::CachedIsEmpty]
[@ IsContinuationPlaceholder]
Comment 39•11 years ago
|
||
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•