Closed Bug 373919 Opened 13 years ago Closed 13 years ago

Crash [@ nsIFrame::GetOffsetTo] with xul, html elements, position fixed and moving elements

Categories

(Core :: Layout, defect, critical)

defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla1.9alpha8

People

(Reporter: martijn.martijn, Assigned: roc)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [sg:dupe 366128] fixed by 322436)

Crash Data

Attachments

(1 file)

1.04 KB, application/xhtml+xml
Details
Attached file testcase
See testcase, which usually crashes for me on first load.
Talkback ID: TB30224620H
nsIFrame::GetOffsetTo  [mozilla/layout/generic/nsframe.cpp, line 3525]
MarkOutOfFlowFrameForDisplay  [mozilla/layout/base/nsdisplaylist.cpp, line 115]
nsDisplayListBuilder::MarkFramesForDisplayList  [mozilla/layout/base/nsdisplaylist.cpp, line 209]
nsBlockFrame::BuildDisplayList  [mozilla/layout/generic/nsblockframe.cpp, line 5590]
nsIFrame::BuildDisplayListForChild  [mozilla/layout/generic/nsframe.cpp, line 1606]

This seems to have regressed between 2007-01-22 and 2007-01-23:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-01-22+04&maxdate=2007-01-23+09&cvsroot=%2Fcvsroot
Regression from bug 367332, somehow?
I'm getting an assertion in my debug build about the float cache getting out of sync with the float list.

Oddly, if I save the HTML locally, it doesn't assert or crash.
Still crashes, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a4pre) Gecko/20070417 Minefield/3.0a4pre
Flags: blocking1.9?
Flags: blocking1.9? → blocking1.9+
Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xddddde01

Thread 0 Crashed:
0   libgklayout.dylib        	0x19d44c3d nsIFrame::HasView() const + 9 (nsIFrame.h:1333)
1   libgklayout.dylib        	0x1975dd85 nsIFrame::GetOffsetTo(nsIFrame const*) const + 167 (nsFrame.cpp:3510)
2   libgklayout.dylib        	0x196fe88d MarkOutOfFlowFrameForDisplay(nsIFrame*, nsIFrame*, nsRect const&) + 47 (nsDisplayList.cpp:116)
3   libgklayout.dylib        	0x1970109f nsDisplayListBuilder::MarkFramesForDisplayList(nsIFrame*, nsIFrame*, nsRect const&) + 43 (nsDisplayList.cpp:210)
4   libgklayout.dylib        	0x197471c2 nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) + 486 (nsBlockFrame.cpp:5608)

Group: security
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:critical?]
trying to get owners for all sg: bugs.  dbaron or roc can you have a look or suggest someone else?
Assignee: nobody → dbaron
QA Contact: layout → dbaron
QA Contact: dbaron → layout
Assignee: dbaron → roc
Target Milestone: --- → mozilla1.9beta1
I wonder if this is just another manifestation of the floats-in-xul issue (bug 366128).
Yay!
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a6pre) Gecko/20070607 Minefield/3.0a6pre
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
I don't crash on Windows on the 1.8 branch but I do get the following assertion
###!!! ASSERTION: Float frame has wrong parent: 'floatFrame->GetParent() == mBlock', file c:/moz/mozilla_1_8_branch/mozilla/layout/generic/nsBlockReflowState.cpp, line 847

Jesse, is this assertion important enough to get fixed on the branch?
My response is the same as in bug 366128 comment 23.  (And these are more or less the same bug.)
Flags: wanted1.8.1.x?
Flags: blocking1.8.1.5?
Whiteboard: [sg:critical?] → [sg:critical?] need answer to comment 9 (or in bug 366128)
Whiteboard: [sg:critical?] need answer to comment 9 (or in bug 366128) → [sg:critical?] need answer to comment 9 (or in bug 366128).
Flags: blocking1.8.1.5? → blocking1.8.1.5+
Whiteboard: [sg:critical?] need answer to comment 9 (or in bug 366128). → [sg:dupe 366128]
Flags: blocking1.8.1.5+ → blocking1.8.1.6+
This one is now fixed on the branch, it does appear to be a dupe of bug 336128 and fixed by 322436 on trunk and branches.
Group: security
Flags: wanted1.8.1.x?
Flags: blocking1.8.1.7+
Flags: wanted1.8.1.x+
Whiteboard: [sg:dupe 366128] → [sg:dupe 366128] fixed by 322436
Crash Signature: [@ nsIFrame::GetOffsetTo]
You need to log in before you can comment on or make changes to this bug.