Closed
Bug 429968
Opened 16 years ago
Closed 16 years ago
"ASSERTION: child list is not empty for initial reflow" with :first-letter, rtl
Categories
(Core :: Layout, defect, P3)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: roc)
References
Details
(6 keywords, Whiteboard: [sg:investigate] fixes 429969)
Attachments
(6 files)
396 bytes,
text/html
|
Details | |
190 bytes,
text/html
|
Details | |
217 bytes,
text/html
|
Details | |
7.67 KB,
patch
|
Details | Diff | Splinter Review | |
11.31 KB,
patch
|
dbaron
:
review+
dbaron
:
superreview+
|
Details | Diff | Splinter Review |
12.34 KB,
patch
|
dveditz
:
approval1.9.0.11+
|
Details | Diff | Splinter Review |
Loading the testcase triggers: ###!!! ASSERTION: child list is not empty for initial reflow: 'mFrames.IsEmpty()', file /Users/jruderman/trunk/mozilla/layout/generic/nsInlineFrame.cpp, line 326 Closing it triggers: ###!!! ASSERTION: Some objects allocated with AllocateFrame were not freed: 'mFrameCount == 0', file /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 673 Reduced from a testcase Gary Kwong sent me. Security-sensitive because the second assertion often indicates the presense of a security hole.
Reporter | ||
Comment 1•16 years ago
|
||
See also bug 429969, which triggers different assertions and a crash with a slightly different testcase.
Comment 2•16 years ago
|
||
This is a bug in nsBidiPresUtils::RemoveBidiContinuation, as far as I can tell. We have a frametree like this: Block(div)(0)@0x13bae44 {0,0,55440,1152} [state=a0000401] sc=0x13bacf8(i=1,b=0)< line 0x13bb344: count=2 state=inline,dirty,prevmarginclean,not impacted,not wrapped,before:nobr,after:nobr[0x8141] {0,0,1333,1152} < Inline(span)(0)@0x13baf6c next=0x13b2b90 next-continuation=0x13b2b90 {0,96,1333,960} [content=0xc8754f0] [sc=0x13baca8]< Inline(span)(0)@0x13bb018 {0,0,0,960} [content=0xd990330] [sc=0x13bb170]< Text(0)@0x13bb0a0[0,2,T] {0,720,0,0} [state=08220000] [content=0x6a0e7b0] sc=0x13b2ca8 pst=:-moz-non-element< "\n\n" > > > Inline(span)(0)@0x13b2b90 prev-continuation=0x13baf6c {0,0,0,0} [state=00000402] [content=0xc8754f0] [sc=0x13baca8]< Letter(span)(0)@0x13bb2ac next=0x13bb6b0 next-continuation=0x13bb6b0 {0,0,693,960} [content=0xc8754f0] [sc=0x13b2b40] pst=:first-letter< Text(1)@0x13bb26c[0,1,F] next-continuation=0x13bb638 {0,0,693,960} [state=02300000] [content=0xca39ed0] sc=0x13b2af0 pst=:-moz-non-element< "A" > > Letter(span)(0)@0x13bb6b0 prev-continuation=0x13bb2ac {693,0,640,960} [state=00000004] [content=0xc8754f0] [sc=0x13bafc8] pst=:-moz-non-element< Text(1)@0x13bb638[1,1,T] prev-continuation=0x13bb26c {0,0,640,960} [state=02420004] [content=0xca39ed0] sc=0x13bafc8 pst=:-moz-non-element< "B" > > > > > where the two inlines that are immediate kids of the block's line were split apart by bidi. Now we're doing RemoveBidiContinuation, and making them in-flows of each other (fluid continuations)... but we've never reflown this stuff, and both frames have kids. Just switching them to be fluid continuations is no good here. Then later in nsInlineFrame::Reflow we assert and lose part of the framelist, hence the second assert. Looks like a regression from bug 319930.
Blocks: 319930
Flags: wanted1.9.1?
Comment 3•16 years ago
|
||
Maybe we should just fix nsInlineFrame to not assume that it has no kids if it's an in-flow on its first reflow...
Reporter | ||
Comment 4•16 years ago
|
||
Now I get: ###!!! ASSERTION: First-in-flow first-letter should have first-letter style enabled in nsLineLayout!: 'll->GetFirstLetterStyleOK() || GetPrevInFlow()', file /Users/jruderman/central/layout/generic/nsFirstLetterFrame.cpp, line 240
Assignee | ||
Updated•16 years ago
|
Flags: wanted1.9.1? → blocking1.9.1+
Priority: -- → P3
Comment 5•16 years ago
|
||
I still get the assertion from comment 4 with this testcase even after the change to it I made in bug 448610. The frame tree I'm seeing is: Block(div)(0)@0xaee95850 {0,0,55860,1140} [state=a0100401] sc=0xaee95728(i=3,b=0)< line 0xaee95df8: count=1 state=inline,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:linebr[0x5100] {55860,0,0,1140} < Inline(span)(0)@0xaee959b0 next=0xb014a168 next-continuation=0xb014a168 {55860,0,0,1140} [content=0xaee6eae0] [sc=0xaee956d8] < Inline(span)(0)@0xaee95a5c next-continuation=0xaee7ff60 {0,0,0,1140} [content=0xaee6eb20] [sc=0xaee95bb4] < Text(0)@0xaee95ae4[0,0,F] next=0xb014a0e0 next-continuation=0xb014a0e0 {0,900,0,0} [state=00200000] [content=0xaee8f5e0] sc=0xb014a090 pst=:-moz-non-element< "" > Text(0)@0xb014a0e0[0,1,F] prev-continuation=0xaee95ae4 next-continuation=0xb014a124 {0,0,0,1140} [state=80600004] [content=0xaee8f5e0] sc=0xb014a090 pst=:-moz-non-element< "\n" > > > > line 0xaee7f070: count=1 state=inline,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:linebr[0x5100] {55860,1140,0,1140} < Inline(span)(0)@0xb014a168 next=0xb014a1a0 prev-continuation=0xaee959b0 next-continuation=0xb014a1a0 {55860,1140,0,1140} [state=00000004] [content=0xaee6eae0] [sc=0xaee956d8] < Inline(span)(0)@0xaee7ff60 prev-continuation=0xaee95a5c {0,0,0,1140} [state=00000004] [content=0xaee6eb20] [sc=0xaee95bb4] < Text(0)@0xb014a124[1,1,T] prev-continuation=0xb014a0e0 {0,0,0,1140} [state=80600004] [content=0xaee8f5e0] sc=0xb014a090 pst=:-moz-non-element< "\n" > > > > line 0xb014a1d8: count=1 state=inline,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:nobr[0x4000] {0,0,0,0} < Inline(span)(0)@0xb014a1a0 prev-continuation=0xb014a168 {0,0,0,0} [state=00000407] [content=0xaee6eae0] [sc=0xaee956d8] < Letter(span)(0)@0xaee95d28 next=0xaee7f238 next-continuation=0xaee7f238 {0,0,720,1140} [state=00000401] [content=0xaee6eae0] [sc=0xaee7feb4] pst=:first-letter < Text(1)@0xaee95ce8[0,1,F] next-continuation=0xaee7f1c4 {0,0,720,1140} [state=80300000] [content=0xaee8f610] sc=0xaee7fe64 pst=:-moz-non-element< "A" > > Letter(span)(0)@0xaee7f238 prev-continuation=0xaee95d28 {720,0,720,1140} [state=00000004] [content=0xaee6eae0] [sc=0xaee95a0c] pst=:-moz-non-element < Text(1)@0xaee7f1c4[1,1,T] prev-continuation=0xaee95ce8 {0,0,720,1140} [state=80400004] [content=0xaee8f610] sc=0xaee95a0c pst=:-moz-non-element< "B" > > > > > with this=0xaee95d28 Note that the testcase doesn't now trigger bidi resolution at all (at least in my local build).
Comment 6•16 years ago
|
||
The bug described in comment 2 is still present, though. Perhaps we need a different testcase for it, but it's alive and kicking.
Comment 7•16 years ago
|
||
Indeed, and also bug 429969 doesn't seem to have changed its behaviour.
Reporter | ||
Updated•16 years ago
|
Whiteboard: [sg:investigate]
Assignee | ||
Comment 8•16 years ago
|
||
This testcase causes the assertion to fire and also displays "AB" in red. In fact, both letters should be black.
Assignee: nobody → roc
Assignee | ||
Comment 9•16 years ago
|
||
The problem is that we don't wrap the newline in the span in a letter-frame, because it's all whitespace. We carry on and wrap "AB" in a letter-frame. But because it's white-space:pre, the newline does turn into a line break. So we turn off the first-letter flag in nsLineLayout when we move to the second line, and then we reflow the letter-frame and it asserts. Since we've turned off the first-letter flag in nsLineLayout, we don't break the text after the first letter and it all gets the first-letter style. I'm not sure how to fix this. Our design for first-letter isn't really able to handle it. If we wrap the newline in a letter-frame we'll get all confused because we expect all the first-letter frames for a block to be continuations of one another and that definitely isn't possible here. The only thing I can think of is to remove the NS_ASSERTION(ll->GetFirstLetterStyleOK() || GetPrevContinuation()) and handle the case where the first-in-flow letter frame does not have first-letter style. I think we can get away with restyling the text child frame before we reflow it --- nsFirstLetterFrame::DrainOverflowFrames already does restyle the next-in-flow text children during reflow.
Assignee | ||
Comment 10•16 years ago
|
||
This testcase is somewhat harder. Here, we need to restyle the first-in-flow nsFirstLetterFrame so that it loses its text-decoration. We could hack around the text-decoration by modifying its BuildDisplayList to not do the decorations, but we'd still lose with a testcase that, e.g., used font-size and added the wrong ascents to line-heights.
Assignee | ||
Comment 11•16 years ago
|
||
This patch fixes many testcases but it doesn't fix the problem I mentioned above. I'm not sure what havoc would be wreaked if we tried to have nsFirstLetterFrame::Reflow modify its own style context. Another option would be to let it complete without reflowing its kid, pushing the kid to the overflow list instead, so we end up with an empty nsFirstLetterFrame representing the non-existent first letter.
Assignee | ||
Comment 12•16 years ago
|
||
That patch modifies ReResolveStyleContext to always reflow when re-resolving style on a first-letter. This ensures that the code that mangles style contexts on reflow happens again to fix up those style contexts.
Assignee | ||
Comment 13•16 years ago
|
||
OK, this patch is by far my best attempt to fix this. The idea is to have the text frame child of the first-in-flow nsFirstLetterFrame always execute the first-letter path during reflow. However, if it detects that the first-letter style should not actually apply, we just make the first-letter text be zero characters. This is very simple and works very well. It passes the first-letter reftests and some additional hard testcases I created. The patch removes a redundant call to SetFirstLetterStyleOK(PR_FALSE) in nsTextFrameThebes::Reflow.
Attachment #353181 -
Flags: superreview?(dbaron)
Attachment #353181 -
Flags: review?(dbaron)
Assignee | ||
Comment 14•16 years ago
|
||
Note that we could already create zero-length first-letter text --- e.g., when the first character is not a valid 'letter' --- so the risk here is actually very low.
Assignee | ||
Updated•16 years ago
|
Whiteboard: [sg:investigate] → [sg:investigate][needs review]
Comment on attachment 353181 [details] [diff] [review] fix >- NS_ASSERTION(ll->GetFirstLetterStyleOK() || GetPrevContinuation(), >- "First-continuation first-letter should have first-letter style enabled in nsLineLayout!"); >+ ll->SetInFirstLetter(GetPrevContinuation() == nsnull); I think GetPrevContinuation() is the wrong test... I can imagine the actual first-letter part having multiple continuations in some cases (even if we may never do that right now). I would prefer: // Set based on whether we're really the :first-letter or we're // the unstyled continuation of it. ll->SetInFirstLetter(mStyleContext->GetPseudoType() == nsCSSPseudoElements::firstLetter); I still need to look at nsTextFrameThebes.cpp and the tests.
Comment on attachment 353181 [details] [diff] [review] fix OK, r+sr=dbaron with the fix in the previous comment. (I'm also wondering if you really meant to remove the assertion that I quoted in the previous comment.)
Attachment #353181 -
Flags: superreview?(dbaron)
Attachment #353181 -
Flags: superreview+
Attachment #353181 -
Flags: review?(dbaron)
Attachment #353181 -
Flags: review+
Whiteboard: [sg:investigate][needs review] → [sg:investigate][needs updated patch and landing]
Assignee | ||
Comment 17•16 years ago
|
||
(In reply to comment #16) > (I'm also wondering if you really meant to remove the assertion that I quoted > in the previous comment.) I did. That assertion would fire in these testcases even with my patch. The point of this patch is to correctly handle situations where the first-letter text is not on the first line so ll->GetFirstLetterStyleOK() is false.
Assignee | ||
Comment 18•16 years ago
|
||
Pushed d170052b6a6b
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [sg:investigate][needs updated patch and landing] → [sg:investigate][needs 191 landing]
Assignee | ||
Comment 19•16 years ago
|
||
Pushed 3b9272c15bfe to 1.9.1
Keywords: fixed1.9.1
Whiteboard: [sg:investigate][needs 191 landing] → [sg:investigate]
Updated•15 years ago
|
Comment 20•15 years ago
|
||
Blocking 1.9.0.10 because this fixes bug 429969
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.10+
Whiteboard: [sg:investigate] → [sg:investigate] fixes 429969
Comment 21•15 years ago
|
||
Comment on attachment 353181 [details] [diff] [review] fix Will this patch apply to the 1.9.0 branch or will we need a backport?
Assignee | ||
Comment 22•15 years ago
|
||
I've backported the patch to 1.9.0, which wasn't entirely nontrivial, and it fixes the bugs in comment #3 and later, but it doesn't fix the issues in comments #0 to #2, and it's not really a security bug. So I suspect Boris was right in comment #6. Something changed on trunk to make the underlying problem in this bug go away, and I only fixed some first-letter rendering issues. Dan, should we take this off blocking 1.9.0.10 since we don't have a branch fix here? Simon, can you dig into comment #2? Finding the changeset that fixed trunk would be a great start.
Assignee | ||
Comment 23•15 years ago
|
||
For the record, here's the backported rendering fix. I don't expect it to fix any security issues so it shouldn't land on branch.
Comment 24•15 years ago
|
||
(In reply to comment #22) What about the crash in bug 429969? Is that included in the things not fixed on 1.9.0 branch? > Simon, can you dig into comment #2? Finding the changeset that fixed trunk > would be a great start. On it.
Assignee | ||
Comment 25•15 years ago
|
||
Hmm, actually that patch *does* seem to fix 429969 in 1.9.0, so I guess it is wanted for branch, but not for this bug!
Whiteboard: [sg:investigate] fixes 429969 → [sg:investigate] fixes 429969 [needs landing]
Comment 26•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/08bf39f0754a from bug 441367 is the changeset that stopped the assertions in comment 0
Assignee | ||
Comment 27•15 years ago
|
||
Er really? I thought that was just cleanup!
Comment 28•15 years ago
|
||
It certainly *shouldn't* have changed any behavior...
If you still have the tree set up in which you did that bisect, could you figure out which changes within nsRuleNode caused the change (the changes within nsRuleNode.cpp other than the introduction of SetFactor and SetDiscrete can all be backed out independently), or whether it was somehow one of the other changes?
Comment 30•15 years ago
|
||
The change was caused by the change to "direction" in nsRuleNode::ComputeVisibilityData, specifically removing: - if (NS_STYLE_DIRECTION_RTL == visibility->mDirection) - mPresContext->SetBidiEnabled(); Adding a similar line in nsCSSFrameConstructor presumably prevented this causing a regression in static pages, but it doesn't help when changing direction dynamically. I filed bug 489517 on this. Putting back that line brings back the assertions from comment 0 in a build from right after the checkin of bug 441367; but the assertions don't appear in trunk, even with the checkin from this bug backed out.
Comment 31•15 years ago
|
||
Bisecting again while applying the patch from bug 489517, it turns out that the assertions were finally fixed by bug 472950, so I suppose we need the patch from bug 472950 on 1.9.0.x to fix this bug, and the patch from here to fix bug 429969 ;-)
Comment 32•15 years ago
|
||
Please request branch approval on the 1.9.0 patches you want to take.
Updated•15 years ago
|
Whiteboard: [sg:investigate] fixes 429969 [needs landing] → [sg:investigate] fixes 429969 [needs 1.9.0 approval request(s) -- comment 31]
Comment 33•15 years ago
|
||
Comment on attachment 373597 [details] [diff] [review] 1.9.0 patch Approved for 1.9.0.11, a=dveditz for release-drivers This patch fixes security bug 429969 on the 1.9.0 branch. It does not fix the assertions from comment 0 in this bug so I'm not sure if marking it fixed1.9.0.11 after landing is appropriate. Probably it is OK, we can decide whether the branch needs those fixed in bug 472950.
Attachment #373597 -
Flags: approval1.9.0.11+
Comment 35•15 years ago
|
||
On the 1.9.0 branch there were three reftest that failed. 429968-1a and 429968-1b make sense, this patch makes the 1.9.0 branch better but not entirely up to snuff and so the tests fail. 23604 is a surprise. 23604-1.html actually looks fine, but 23604-1-ref.html has the first-line style applied to the first two lines. Removing the first-letter style fixes it, or making a dynamic style change as in 23604-1 itself. We'll have to fix this regression in 1.9.0.12
Updated•15 years ago
|
Whiteboard: [sg:investigate] fixes 429969 [needs 1.9.0 approval request(s) -- comment 31] → [sg:investigate] fixes 429969
Comment 36•15 years ago
|
||
(In reply to comment #0) > Loading the testcase triggers: > > ###!!! ASSERTION: child list is not empty for initial reflow: > 'mFrames.IsEmpty()', file > /Users/jruderman/trunk/mozilla/layout/generic/nsInlineFrame.cpp, line 326 > > Closing it triggers: > > ###!!! ASSERTION: Some objects allocated with AllocateFrame were not freed: > 'mFrameCount == 0', file > /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 673 I still see this in the build I built today (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11pre) Gecko/2009051812 GranParadiso/3.0.11pre). For the test case in comment #8: > This testcase causes the assertion to fire and also displays "AB" in red. In > fact, both letters should be black. I do not see this assert with my build from today and the "AB is black. Should I be concerned about the assertions from comment #0?
Comment 37•15 years ago
|
||
Filed bug 493652 on the 1.9.0-branch regression on the 23604-1-ref test.
Updated•15 years ago
|
Flags: wanted1.8.1.x-
Comment 38•15 years ago
|
||
Is there more to do for this bug or can it be unhidden now?
Keywords: regression
Updated•14 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•