Closed Bug 414255 Opened 12 years ago Closed 11 years ago

zooming in hangs [@ nsBlockReflowState::CanPlaceFloat], causes ASSERTION: Shouldn't be incomplete if availableHeight is UNCONSTRAINED

Categories

(Core :: Layout, defect, P2, critical)

x86
All
defect

Tracking

()

RESOLVED FIXED

People

(Reporter: asqueella, Assigned: fantasai.bugs)

References

()

Details

(Keywords: assertion, hang, regression)

Attachments

(1 file, 1 obsolete file)

STR:
1. Load http://en.wikipedia.org/wiki/Atonement_(film)
2. Press CTRL+"+"

Actual results:

Firefox hangs; the following lines are printed to the console:

###!!! ASSERTION: Shouldn't be incomplete if availableHeight is UNCONSTRAINED.:
'aReflowState.availableHeight != NS_UNCONSTRAINEDSIZE', file s:/mozilla/layout/generic/nsBlockFrame.cpp, line 1388
nsBlockReflowContext: Block(div)(5)@060F3830 metrics=49540,1073741824!
###!!! ASSERTION: Shouldn't be incomplete if availableHeight is UNCONSTRAINED.:
'aReflowState.availableHeight != NS_UNCONSTRAINEDSIZE', file s:/mozilla/layout/generic/nsBlockFrame.cpp, line 1388
nsBlockReflowContext: Area(div)(1)@060F9320 metrics=51124,1073744191!
###!!! ASSERTION: Shouldn't be incomplete if availableHeight is UNCONSTRAINED.:
'aReflowState.availableHeight != NS_UNCONSTRAINEDSIZE', file s:/mozilla/layout/generic/nsBlockFrame.cpp, line 1388
nsBlockReflowContext: Area(div)(1)@060F9028 metrics=60420,1073746325!

The hang happens in nsBlockReflowState::CanPlaceFloat at the following stack:

nsBlockReflowState::CanPlaceFloat(aFloatSize={...}, aFloats='', aForceFit=0x00000001)  Line 699	C++
nsBlockReflowState::FlowAndPlaceFloat(aFloatCache=0x0608f270, aIsLeftFloat=0x00129e5c, aReflowStatus=0x00000000, aForceFit=0x00000001)  Line 778	C++
nsBlockReflowState::AddFloat(aLineLayout={...}, aPlaceholder=0x060f9080, aInitialReflow=0x00000001, aReflowStatus=0x00000000)  Line 552	C++
nsBlockReflowState::InitFloat(aLineLayout={...}, aPlaceholder=0x060f9080, aReflowStatus=0x00000000)  Line 506	C++
nsLineLayout::InitFloat(aFrame=0x060f9080, aReflowStatus=0x00000000)  Line 200	C++
nsLineLayout::ReflowFrame(aFrame=0x060f9080, aReflowStatus=0x00000000, aMetrics=0x00000000, aPushedFrame=0x00000000)  Line 877	C++
nsBlockFrame::ReflowInlineFrame(aState={...}, aLineLayout={...}, aLine={...}, aFrame=0x060f9080, aLineReflowStatus=0x0012a144)  Line 3582	C++
nsBlockFrame::DoReflowInlineFrames(aState={...}, aLineLayout={...}, aLine={...}, aKeepReflowGoing=0x0012a508, aLineReflowStatus=0x0012a278, aAllowPullUp=0x00000001)  Line 3405	C++
nsBlockFrame::ReflowInlineFrames(aState={...}, aLine={...}, aKeepReflowGoing=0x0012a508)  Line 3254	C++
nsBlockFrame::ReflowLine(aState={...}, aLine={...}, aKeepReflowGoing=0x0012a508)  Line 2319	C++
nsBlockFrame::ReflowDirtyLines(aState={...})  Line 1881	C++
nsBlockFrame::Reflow(aPresContext=0x06001b68, aMetrics={...}, aReflowState={...}, aStatus=0x00000000)  Line 936	C++
nsBlockReflowContext::ReflowBlock(aSpace={...}, aApplyTopMargin=0x00000000, aPrevMargin={...}, aClearance=0x00000000, aIsAdjacentWithTop=0x00000001, aComputedOffsets={...}, aLine=0x0610a154, aFrameRS={...}, aFrameReflowStatus=0x00000000, aState={...})  Line 339	C++
nsBlockFrame::ReflowBlockFrame(aState={...}, aLine={...}, aKeepReflowGoing=0x0012b08c)  Line 2993	C++
nsBlockFrame::ReflowLine(aState={...}, aLine={...}, aKeepReflowGoing=0x0012b08c)  Line 2266	C++
nsBlockFrame::ReflowDirtyLines(aState={...})  Line 1881	C++
nsBlockFrame::Reflow(aPresContext=0x06001b68, aMetrics={...}, aReflowState={...}, aStatus=0x00000000)  Line 936	C++
nsBlockReflowContext::ReflowBlock(aSpace={...}, aApplyTopMargin=0x00000001, aPrevMargin={...}, aClearance=0x00000000, aIsAdjacentWithTop=0x00000001, aComputedOffsets={...}, aLine=0x0610a17c, aFrameRS={...}, aFrameReflowStatus=0x00000000, aState={...})  Line 339	C++
nsBlockFrame::ReflowBlockFrame(aState={...}, aLine={...}, aKeepReflowGoing=0x0012bc10)  Line 2993	C++
nsBlockFrame::ReflowLine(aState={...}, aLine={...}, aKeepReflowGoing=0x0012bc10)  Line 2266	C++
nsBlockFrame::ReflowDirtyLines(aState={...})  Line 1881	C++
nsBlockFrame::Reflow(aPresContext=0x06001b68, aMetrics={...}, aReflowState={...}, aStatus=0x00000000)  Line 936	C++
nsContainerFrame::ReflowChild(aKidFrame=0x060f8b48, aPresContext=0x06001b68, aDesiredSize={...}, aReflowState={...}, aX=0x00000000, aY=0x00000000, aFlags=0x00000000, aStatus=0x00000000, aTracker=0x00000000)  Line 755	C++
CanvasFrame::Reflow(aPresContext=0x06001b68, aDesiredSize={...}, aReflowState={...}, aStatus=0x00000000)  Line 589	C++
nsContainerFrame::ReflowChild(aKidFrame=0x05f18bf4, aPresContext=0x06001b68, aDesiredSize={...}, aReflowState={...}, aX=0x00000000, aY=0x00000000, aFlags=0x00000003, aStatus=0x00000000, aTracker=0x00000000)  Line 755	C++
nsHTMLScrollFrame::ReflowScrolledFrame(aState=0x0012c568, aAssumeHScroll=0x00000000, aAssumeVScroll=0x00000001, aMetrics=0x0012c4c0, aFirstPass=0x00000001)  Line 485	C++
nsHTMLScrollFrame::ReflowContents(aState=0x0012c568, aDesiredSize={...})  Line 569	C++
nsHTMLScrollFrame::Reflow(aPresContext=0x06001b68, aDesiredSize={...}, aReflowState={...}, aStatus=0x00000000)  Line 770	C++
nsContainerFrame::ReflowChild(aKidFrame=0x05f18d38, aPresContext=0x06001b68, aDesiredSize={...}, aReflowState={...}, aX=0x00000000, aY=0x00000000, aFlags=0x00000000, aStatus=0x00000000, aTracker=0x00000000)  Line 755	C++
ViewportFrame::Reflow(aPresContext=0x06001b68, aDesiredSize={...}, aReflowState={...}, aStatus=0x00000000)  Line 286	C++
PresShell::DoReflow(target=0x05f1895c)  Line 6188	C++
PresShell::ResizeReflow(aWidth=0x0000f000, aHeight=0x0000a110)  Line 2527	C++
PresShell::ResizeReflow(aView=0x05ff0a08, aWidth=0x0000f000, aHeight=0x0000a110)  Line 5878	C++
nsViewManager::DoSetWindowDimensions(aWidth=0x0000f000, aHeight=0x0000a110)  Line 281	C++
nsViewManager::SetWindowDimensions(aWidth=0x0000f000, aHeight=0x0000a110)  Line 365	C++
nsPresContext::SetFullZoom(aZoom=1.2500000)  Line 1144	C++
DocumentViewerImpl::SetFullZoom(aFullZoom=1.2500000)  Line 2714	C++
NS_InvokeByIndex_P(that=0x00000007, methodIndex=0x00000001, paramCount=0x0012cce4, params=0x00451ca0)  Line 102	C++
XPCWrappedNative::CallMethod(ccx={...}, mode=0x00000007)  Line 2346	C++
XPCWrappedNative::CallMethod(ccx={...}, mode=CALL_SETTER)  Line 2346	C++
XPCWrappedNative::SetAttribute(ccx={...})  Line 2229	C++
XPC_WN_GetterSetter(cx=0x041905e8, obj=JSObject [... slots], argc=0x00000001, argv=0x05fff5f0, vp=0x0012cfc0)  Line 1496	C++
js_Invoke(cx=0x041905e8, argc=0x00000001, vp=0x05fff5e8, flags=0x00000002)  Line 1020	C
js_InternalInvoke(cx=0x041905e8, obj=JSObject [... slots], fval=0x05cb1ea0, flags=0x00000000, argc=0x00000001, argv=0x0012d644, rval=0x0012d644)  Line 1093	C
js_InternalGetOrSet(cx=0x041905e8, obj=JSObject [... slots], id=0x04261a64, fval=0x05cb1ea0, mode=JSACC_WRITE, argc=0x00000001, argv=0x0012d644, rval=0x0012d644)  Line 1156	C
js_NativeSet(cx=0x041905e8, obj=JSObject [... slots], sprop=0x041813c0, vp=0x0012d644)  Line 3575	C
js_SetProperty(cx=0x041905e8, obj=JSObject [... slots], id=0x04261a64, vp=0x0012d644)  Line 3834	C
js_Interpret(cx=0x041905e8, pc=0x048f3dd2, result=0x0012d75c)  Line 3580	C
js_Invoke(cx=0x041905e8, argc=0x00000001, vp=0x05fff5c4, flags=0x00000002)  Line 1037	C
js_InternalInvoke(cx=0x041905e8, obj=JSObject [... slots], fval=0x04341de0, flags=0x00000000, argc=0x00000001, argv=0x0012dd60, rval=0x0012dd60)  Line 1093	C
js_InternalGetOrSet(cx=0x041905e8, obj=JSObject [... slots], id=0x04261a64, fval=0x04341de0, mode=JSACC_WRITE, argc=0x00000001, argv=0x0012dd60, rval=0x0012dd60)  Line 1156	C
js_NativeSet(cx=0x041905e8, obj=JSObject [... slots], sprop=0x041845e0, vp=0x0012dd60)  Line 3575	C
js_SetProperty(cx=0x041905e8, obj=JSObject [... slots], id=0x04261a64, vp=0x0012dd60)  Line 3834	C
js_Interpret(cx=0x041905e8, pc=0x048f3fd4, result=0x0012de78)  Line 3580	C
js_Invoke(cx=0x041905e8, argc=0x00000001, vp=0x05fff484, flags=0x00000002)  Line 1037	C
js_InternalInvoke(cx=0x041905e8, obj=JSObject [... slots], fval=0x05cb1da0, flags=0x00000000, argc=0x00000001, argv=0x05fff480, rval=0x0012df90)  Line 1093	C
JS_CallFunctionValue(cx=0x041905e8, obj=JSObject [... slots], fval=0x05cb1da0, argc=0x00000001, argv=0x05fff480, rval=0x0012df90)  Line 4939	C
nsJSContext::CallEventHandler(aTarget=0x04a0fe20, aScope=0x042f0620, aHandler=0x05cb1da0, aargv=0x04ea5b88, arv=0x0012e15c)  Line 1942	C++
nsJSEventListener::HandleEvent(aEvent=0x04ea5b0c)  Line 235	C++
nsEventListenerManager::HandleEventSubType(aListenerStruct=0x0496cd88, aListener=0x0496cd38, aDOMEvent=0x04ea5b0c, aCurrentTarget=0x04a0fe20, aPhaseFlags=0x00000006)  Line 1081	C++
nsEventListenerManager::HandleEvent(aPresContext=0x00d3f4a8, aEvent=0x0012e4d4, aDOMEvent=0x0012e434, aCurrentTarget=0x04a0fe20, aFlags=0x00000006, aEventStatus=0x0012e438)  Line 1189	C++
nsEventTargetChainItem::HandleEvent(aVisitor={...}, aFlags=0x00000006)  Line 207	C++
nsEventTargetChainItem::HandleEventTargetChain(aVisitor={...}, aFlags=0x00000006, aCallback=0x00000000)  Line 266	C++
nsEventDispatcher::Dispatch(aTarget=0x04a0fe20, aPresContext=0x00d3f4a8, aEvent=0x0012e4d4, aDOMEvent=0x00000000, aEventStatus=0x0012e51c, aCallback=0x00000000)  Line 479	C++
nsXULElement::PreHandleEvent(aVisitor={...})  Line 1541	C++
nsEventTargetChainItem::PreHandleEvent(aVisitor={...})  Line 186	C++
nsEventDispatcher::Dispatch(aTarget=0x049d92b8, aPresContext=0x00d3f4a8, aEvent=0x0012e6f0, aDOMEvent=0x00000000, aEventStatus=0x0012e6ec, aCallback=0x00000000)  Line 438	C++
nsXBLPrototypeHandler::DispatchXULKeyCommand(aEvent=0x05eec458)  Line 564	C++
nsXBLPrototypeHandler::ExecuteHandler(aTarget=0x04a0fe20, aEvent=0x05eec458)  Line 281	C++
nsXBLWindowKeyHandler::WalkHandlersInternal(aEvent=0x05eec458, aEventType=0x00fb8750, aHandler=0x04c57178)  Line 542	C++
nsXBLWindowKeyHandler::WalkHandlers(aKeyEvent=0x05eec458, aEventType=0x00fb8750)  Line 349	C++
nsXBLWindowKeyHandler::KeyPress(aKeyEvent=0x05eec458)  Line 398	C++
DispatchToInterface(aEvent=0x05eec458, aListener=0x04968df8, aMethod=0x01afc160, aIID={...})  Line 184	C++
nsEventListenerManager::HandleEvent(aPresContext=0x06001b68, aEvent=0x0012f11c, aDOMEvent=0x0012ed64, aCurrentTarget=0x00d2e648, aFlags=0x00000202, aEventStatus=0x0012ed68)  Line 1180	C++
nsEventTargetChainItem::HandleEvent(aVisitor={...}, aFlags=0x00000202)  Line 207	C++
nsEventTargetChainItem::HandleEventTargetChain(aVisitor={...}, aFlags=0x00000206, aCallback=0x0012ee18)  Line 289	C++
nsEventTargetChainItem::HandleEventTargetChain(aVisitor={...}, aFlags=0x00000006, aCallback=0x0012ee18)  Line 319	C++
nsEventDispatcher::Dispatch(aTarget=0x05fc54d8, aPresContext=0x06001b68, aEvent=0x0012f11c, aDOMEvent=0x00000000, aEventStatus=0x0012ef18, aCallback=0x0012ee18)  Line 479	C++
PresShell::HandleEventInternal(aEvent=0x0012f11c, aView=0x05ff0a08, aStatus=0x0012ef18)  Line 5821	C++
PresShell::HandleEvent(aView=0x05ff0a08, aEvent=0x0012f11c, aEventStatus=0x0012ef18)  Line 5621	C++
nsViewManager::HandleEvent(aView=0x05ff0a08, aPoint={...}, aEvent=0x0012f11c, aCaptured=0x00000000)  Line 1297	C++
nsViewManager::DispatchEvent(aEvent=0x0012f11c, aStatus=0x0012f05c)  Line 1250	C++
HandleEvent(aEvent=0x0012f11c)  Line 171	C++
nsWindow::DispatchEvent(event=0x0012f11c, aStatus=nsEventStatus_eIgnore)  Line 1054	C++
nsWindow::DispatchWindowEvent(event=0x0012f11c)  Line 1075	C++
nsWindow::DispatchKeyEvent(aEventType=0x00000083, aCharCode=0x002b, aVirtualCharCode=0x00000000, aKeyData=0x004e0001, aFlags=0x00000000)  Line 3187	C++
nsWindow::OnKeyDown(aVirtualKeyCode=0x0000006b, aScanCode=0x0000004e, aKeyData=0x004e0001)  Line 3408	C++
nsWindow::ProcessMessage(msg=0x00000100, wParam=0x0000006b, lParam=0x004e0001, aRetValue=0x0012f63c)  Line 4338	C++
nsWindow::WindowProc(hWnd=0x006e0332, msg=0x00000100, wParam=0x0000006b, lParam=0x004e0001)  Line 1271	C++
user32.dll!7e418734() 	
[Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]	
user32.dll!7e418816() 	
user32.dll!7e4189cd() 	
user32.dll!7e41c5de() 	
user32.dll!7e418a10() 	
nsAppShell::ProcessNextNativeEvent(mayWait=0x00000001)  Line 149	C++
nsBaseAppShell::DoProcessNextNativeEvent(mayWait=0x00000001)  Line 137	C++
nsBaseAppShell::OnProcessNextEvent(thr=0x00bcff38, mayWait=0x00000001, recursionDepth=0x00000000)  Line 247	C++
nsThread::ProcessNextEvent(mayWait=0x00000001, result=0x0012f834)  Line 500	C++
NS_ProcessNextEvent_P(thread=0x00bcff38, mayWait=0x00000001)  Line 227	C++
nsBaseAppShell::Run()  Line 154	C++
tkitcmps.dll!nsAppStartup::Run()  Line 181	C++
xul.dll!XRE_main(argc=0x00000003, argv=0x00bcb8c0, aAppData=0x00bcc1e8)  Line 3229	C++
firefox.exe!NS_internal_main(argc=0x00000003, argv=0x00bcb8c0)  Line 158	C++
firefox.exe!wmain(argc=0x00000003, argv=0x00bc8c60)  Line 55	C++
firefox.exe!__tmainCRTStartup()  Line 594	C
firefox.exe!wmainCRTStartup()  Line 414	C
kernel32.dll!7c816fd7() 	

This is in a build pulled at Sun Jan 27 06:00:03 RST 2008 [GMT+3]

This is a regression from 1.8.1, don't have a window though.
Flags: blocking1.9?
The assertion is fantasai's, I think, and the last hang on zooming in I found was fixed by roc, CCing. Sorry I can't create a testcase or figure out the regression window now.
I can confirm this bug on "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
rv:1.9b3pre) Gecko/2008012704 Minefield/3.0b3pre". Basically, I surf to the
wikipedia article (don't follow the broken link in bugzilla, type in the URL
manually). When I hit CTRL-+ firefox.exe goes into endless 100% CPU spike.
Bug is also triggered in "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b3pre) Gecko/2008012704 Minefield/3.0b3pre" running on Ubuntu Gutsy.
Bug does NOT repro using "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b3pre)
Gecko/2008012204 Minefield/3.0b3pre" on Ubuntu Gutsy.

Bug does repro consistently using "Mozilla/5.0 (X11; U; Linux i686; en-US;
rv:1.9b3pre) Gecko/2008012404 Minefield/3.0b3pre" on Ubuntu Gutsy.
Bug does NOT repro on "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b3pre) Gecko/2008012304 Minefield/3.0b3pre" using Ubuntu Gutsy which means that the bad check-in happened between nightly builds of Jan 23rd and Jan 24th 2008.
It's bug 368079, verified with local backout.
Blocks: 368079
Assignee: nobody → fantasai.bugs
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Attached patch patch (obsolete) — Splinter Review
This should fix it. I don't yet know why it happens, though.
Better patch for temporary use. Neither roc nor I get why we're hitting this assertion, and it's going to take some debugging.. which I most likely won't have time to do before the freeze. I believe this will patch the problem. I couldn't reproduce the bug reliably, so someone may want to check. This version doesn't interfere with CVS history on the existing code, and it leaves the assertion in place in case someone hits it on a more reliable test case.
Attachment #299700 - Attachment is obsolete: true
Comment on attachment 299708 [details] [diff] [review]
better temporary patch

Requesting review for this so we can patch the hang for Beta3 -- I'll keep the bug open until we find the cause.
Attachment #299708 - Flags: superreview?(roc)
Attachment #299708 - Flags: review?(roc)
Attachment #299708 - Flags: superreview?(roc)
Attachment #299708 - Flags: superreview+
Attachment #299708 - Flags: review?(roc)
Attachment #299708 - Flags: review+
landed temporary fix, nsBlockFrame.cpp v3.927
It would be nice with a regression test for this bug so I tired to reduce the testcase today (using minefield from 24 jan). I never got lithium to work because when I saved the HTML to disk the bug didn't repro anymore. If anyone knows a really good way to pull a page down to disk (preserving all css/scripts etc) please tell me how it can be done.

Anyway, what I was able to do was to reduce the wikicode for the article. I now got it down to this: http://en.wikipedia.org/wiki/User:Mnemo/BrowserBugTest2 and thus it seems that the bug has something to do with the wikipedia article references that appear is this specific article.
Depends on: 404215
Flags: wanted1.9+
Flags: blocking1.9-
Flags: tracking1.9+
Flags: wanted1.9.0.x+
Flags: wanted1.9-
Flags: wanted1.9+
Can someone check to see if the checkin for bug 404215 (last night) fixed this?
Note that the Wikipedia article in question has been modified so that it can no longer be used to run the repro steps. To trigger this bug it's neccesary to use either the reduced wikicode I posted above or go to an old revision of the Wikipedia article. I was able to trigger the bug using this URL and minefield from jan 24th:
http://en.wikipedia.org/w/index.php?title=Atonement_(film)&oldid=187189919

I suggest that someone with bugzilla editing access changes the URL field to point to this specific revision of the Wikipedia article. While, you're at in; also change the "OS" field to "All" because I'm seeing this bug on Ubuntu etc.
This bug was present in minefield jan28 but was gone in nightly from jan29. I assume that this was because fantasai's temporary fix? I have not seen this bug in any minefield build later than jan29 and I know explicitly that this bug is not present in minefield april 19th (this build also does not print any assertion messages to the terminal).
Marking fixed based on mnemo's comments.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Flags: wanted1.9.0.x+
You need to log in before you can comment on or make changes to this bug.