Closed Bug 398733 Opened 13 years ago Closed 13 years ago

Crash [@ BuildTextRunsScanner::ScanFrame] with position: absolute, rtl text and changing styles

Categories

(Core :: Layout, defect, P3, critical)

x86
Windows XP
defect

Tracking

VERIFIED FIXED
mozilla1.9beta2

People

(Reporter: martijn.martijn, Assigned: roc)

Details

(4 keywords, Whiteboard: [dbaron-1.9:RsCt])

Attachments

(3 files, 1 obsolete file)

Attached file testcase
See testcase, which crashes current trunk build after 100ms.

It doesn't crash in a 2006-10-18 and 2006-10-19:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-10-18+04&maxdate=2006-10-19+09&cvsroot=%2Fcvsroot
I guess a regression from bug 343445, somehow?

http://crash-stats.mozilla.com/report/index/8b027545-7353-11dc-95e8-001a4bd43e5c
0  	@0x0  	
1 	BuildTextRunsScanner::ScanFrame(nsIFrame*) 	mozilla/layout/generic/nsTextFrameThebes.cpp:1163
2 	BuildTextRunsScanner::ScanFrame(nsIFrame*) 	mozilla/layout/generic/nsTextFrameThebes.cpp:1163
3 	BuildTextRuns 	mozilla/layout/generic/nsTextFrameThebes.cpp:941
4 	nsTextFrame::EnsureTextRun(nsIRenderingContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) 	mozilla/layout/generic/nsTextFrameThebes.cpp:1717
5 	nsTextFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) 	mozilla/layout/generic/nsTextFrameThebes.cpp:5088
6 	nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, int&) 	mozilla/layout/generic/nsLineLayout.cpp:882
7 	nsInlineFrame::ReflowInlineFrame(nsPresContext*, nsHTMLReflowState const&, nsInlineFrame::InlineReflowState&, nsIFrame*, unsigned int&) 	mozilla/layout/generic/nsInlineFrame.cpp:603
8 	nsInlineFrame::ReflowFrames(nsPresContext*, nsHTMLReflowState const&, nsInlineFrame::InlineReflowState&, nsHTMLReflowMetrics&, unsigned int&) 	mozilla/layout/generic/nsInlineFrame.cpp:470
9 	nsInlineFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) 	mozilla/layout/generic/nsInlineFrame.cpp:385
10 	nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, int&) 	mozilla/layout/generic/nsLineLayout.cpp:882
etc..
Assignee: nobody → roc
Flags: blocking1.9?
Flags: blocking1.9? → blocking1.9+
Whiteboard: [dbaron-1.9:RsCt]
The important thing here is the assertions earlier:

###!!! ASSERTION: Deleting out of flow without tearing down placeholder relationship; see comments in nsFrame.h: '!(mState & NS_FRAME_OUT_OF_FLOW) || !shell->FrameManager()->GetPlaceholderFrameFor(this)', file /Users/roc/mozilla-checkin/mozilla/layout/generic/nsFrame.cpp, line 487
###!!! ASSERTION: frame was not removed from primary frame map before destruction or was readded to map after being removed: 'Not Reached', file /Users/roc/mozilla-checkin/mozilla/layout/base/nsFrameManager.cpp, line 708

I suspect this is related to other out-of-flow destruction issues.
Attached file simpler testcase
I simplified that testcase a bit.
Attached patch fix (obsolete)
This is fairly simple and obvious, I think. We should be using GetFirstContinuation here instead of GetNextInFlow.
Attachment #286140 - Flags: superreview?(bzbarsky)
Attachment #286140 - Flags: review?(bzbarsky)
Whiteboard: [dbaron-1.9:RsCt] → [dbaron-1.9:RsCt][needs review]
Comment on attachment 286140
fix

Looks good, but I wonder whether it's worth eliminating this function (AdjustAbsoluteContainingBlock) altogether...  In any case, get rid of the unused aPresContext arg?
Attachment #286140 - Flags: superreview?(bzbarsky)
Attachment #286140 - Flags: superreview+
Attachment #286140 - Flags: review?(bzbarsky)
Attachment #286140 - Flags: review+
Sure, I'll eliminate the arg.

I think having this function just proved useful since I only had to change this in one place :-)
Whiteboard: [dbaron-1.9:RsCt][needs review] → [dbaron-1.9:RsCt][needs landing]
Attachment #286140 - Attachment is obsolete: true
Attachment #287637 - Flags: superreview+
Attachment #287637 - Flags: review+
Checking in layout/base/nsCSSFrameConstructor.cpp;
/cvsroot/mozilla/layout/base/nsCSSFrameConstructor.cpp,v  <--  nsCSSFrameConstructor.cpp
new revision: 1.1421; previous revision: 1.1420
done
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [dbaron-1.9:RsCt][needs landing] → [dbaron-1.9:RsCt]
Target Milestone: --- → mozilla1.9 M10
Flags: in-testsuite?
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b2pre) Gecko/2007110805 Minefield/3.0b2pre
Status: RESOLVED → VERIFIED
Mass-assigning the new rtl keyword to RTL-related (see bug 349193).
Keywords: rtl
Crash Signature: [@ BuildTextRunsScanner::ScanFrame]