Closed Bug 455171 Opened 16 years ago Closed 16 years ago

Crash [@ nsIFrame::GetPositionIgnoringScrolling] with moz-transform and generated content, position: fixed

Categories

(Core :: Layout, defect, P3)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.1b3

People

(Reporter: martijn.martijn, Assigned: dbaron)

References

Details

(4 keywords)

Crash Data

Attachments

(4 files)

testcase
145 bytes, text/html
Details
another testcase
155 bytes, text/html
Details
testcase3
74 bytes, text/html
Details
patch
11.41 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
Attached file testcase
See testcase, which crashes current trunk build on load. Stack from debug build: > gklayout.dll!nsIFrame::GetPositionIgnoringScrolling() Line 716 + 0x3 bytes C++ gklayout.dll!nsHTMLReflowState::CalculateHypotheticalBox(nsPresContext * aPresContext=0x087b17c8, nsIFrame * aPlaceholderFrame=0x08af83a8, nsIFrame * aContainingBlock=0x00000000, int aBlockLeftContentEdge=0, int aBlockContentWidth=84840, const nsHTMLReflowState * cbrs=0x0012eeb0, nsHypotheticalBox & aHypotheticalBox={...}) Line 1079 + 0xc bytes C++ gklayout.dll!nsHTMLReflowState::InitAbsoluteConstraints(nsPresContext * aPresContext=0x087b17c8, const nsHTMLReflowState * cbrs=0x0012eeb0, int containingBlockWidth=84840, int containingBlockHeight=480) Line 1134 C++ gklayout.dll!nsHTMLReflowState::InitConstraints(nsPresContext * aPresContext=0x087b17c8, int aContainingBlockWidth=84840, int aContainingBlockHeight=480, const nsMargin * aBorder=0x00000000, const nsMargin * aPadding=0x00000000) Line 1780 C++ gklayout.dll!nsHTMLReflowState::Init(nsPresContext * aPresContext=0x087b17c8, int aContainingBlockWidth=84840, int aContainingBlockHeight=480, const nsMargin * aBorder=0x00000000, const nsMargin * aPadding=0x00000000) Line 290 C++ gklayout.dll!nsHTMLReflowState::nsHTMLReflowState(nsPresContext * aPresContext=0x087b17c8, const nsHTMLReflowState & aParentReflowState={...}, nsIFrame * aFrame=0x08af82d0, const nsSize & aAvailableSpace={...}, int aContainingBlockWidth=84840, int aContainingBlockHeight=480, int aInit=1) Line 179 C++ gklayout.dll!nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame * aDelegatingFrame=0x08af7f60, nsPresContext * aPresContext=0x087b17c8, const nsHTMLReflowState & aReflowState={...}, int aContainingBlockWidth=84840, int aContainingBlockHeight=480, int aConstrainHeight=1, nsIFrame * aKidFrame=0x08af82d0, unsigned int & aStatus=0, nsRect * aChildBounds=0x0012eb0c) Line 404 C++ gklayout.dll!nsAbsoluteContainingBlock::Reflow(nsContainerFrame * aDelegatingFrame=0x08af7f60, nsPresContext * aPresContext=0x087b17c8, const nsHTMLReflowState & aReflowState={...}, unsigned int & aReflowStatus=0, int aContainingBlockWidth=84840, int aContainingBlockHeight=480, int aConstrainHeight=1, int aCBWidthChanged=1, int aCBHeightChanged=0, nsRect * aChildBounds=0x0012eb0c) Line 158 C++ gklayout.dll!nsBlockFrame::Reflow(nsPresContext * aPresContext=0x087b17c8, nsHTMLReflowMetrics & aMetrics={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 1172 + 0x43 bytes C++ gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x08af7f60, nsPresContext * aPresContext=0x087b17c8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int aY=0, unsigned int aFlags=0, unsigned int & aStatus=0, nsOverflowContinuationTracker * aTracker=0x00000000) Line 788 + 0x21 bytes C++ gklayout.dll!CanvasFrame::Reflow(nsPresContext * aPresContext=0x087b17c8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 674 C++ gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x095417a8, nsPresContext * aPresContext=0x087b17c8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int aY=0, unsigned int aFlags=3, unsigned int & aStatus=0, nsOverflowContinuationTracker * aTracker=0x00000000) Line 788 + 0x21 bytes C++ gklayout.dll!nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState * aState=0x0012f288, int aAssumeHScroll=0, int aAssumeVScroll=1, nsHTMLReflowMetrics * aMetrics=0x0012f1e4, int aFirstPass=1) Line 517 + 0x30 bytes C++ gklayout.dll!nsHTMLScrollFrame::ReflowContents(ScrollReflowState * aState=0x0012f288, const nsHTMLReflowMetrics & aDesiredSize={...}) Line 611 + 0x35 bytes C++ gklayout.dll!nsHTMLScrollFrame::Reflow(nsPresContext * aPresContext=0x087b17c8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 812 + 0x13 bytes C++ gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x09541924, nsPresContext * aPresContext=0x087b17c8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int aY=0, unsigned int aFlags=0, unsigned int & aStatus=0, nsOverflowContinuationTracker * aTracker=0x00000000) Line 788 + 0x21 bytes C++ etc...
Crashes my just-updated Linux debug build, too, with this assertion just before the crash: ###!!! ASSERTION: Should hit cbrs->frame before we run off the frame tree!: 'aContainingBlock', file mozilla/layout/generic/nsHTMLReflowState.cpp, line 1078
OS: Windows XP → All
Hardware: PC → All
The problem probably stems from the way that transformed elements always act as fixed-pos and abs-pos containing blocks. This is implemented inside nsCSSFrameConstructor by inserting elements with position: fixed into the containing block frame's absolutely-positioned child list. I don't know much about nsBlockFrame or nsHTMLReflowState, but I'm willing to wager that the problem is that the code isn't aware that something can have position: fixed but still be part of an absolute containing block.
Summary: Crash [@ nsIFrame::GetPositionIgnoringScrolling] with moz-transform and generated conten, position: fixed → Crash [@ nsIFrame::GetPositionIgnoringScrolling] with moz-transform and generated content, position: fixed
Flags: blocking1.9.1?
Flags: blocking1.9.1? → wanted1.9.1+
Attached file another testcase
This bug is easy to hit and interferes with testing -moz-transform.
Flags: blocking1.9.1?
Keywords: assertion
Attached file testcase3
Flags: wanted1.9.1+
Flags: blocking1.9.1?
Flags: blocking1.9.1+
Priority: -- → P3
I'll have a look at this one next.
Assignee: nobody → dbaron
Attached patch patchSplinter Review
tests 1-3 are the attached ones; test 4 is an additional one that is not fixed by the change that fixes 1-3 but is fixed by the additional change to nsCSSFrameConstructor, and test 5 is a reftest testing the behavior patched by the code affected by tests 1-3. There's also the code changes, but they should be relatively clear, especially if you start in nsLayoutUtils.h.
Attachment #349534 - Flags: superreview?(bzbarsky)
Attachment #349534 - Flags: review?(bzbarsky)
Whiteboard: [needs review]
Attachment #349534 - Flags: superreview?(bzbarsky)
Attachment #349534 - Flags: superreview+
Attachment #349534 - Flags: review?(bzbarsky)
Attachment #349534 - Flags: review+
Whiteboard: [needs review] → [needs landing]
Fixed in mozilla-central (and thus also on mozilla-1.9.1): http://hg.mozilla.org/mozilla-central/rev/342b86dd79f4 Then backed out due to a Mac startup crash, whose underlying cause was actually bug 466399: http://hg.mozilla.org/mozilla-central/rev/bf407fc736d7 http://hg.mozilla.org/mozilla-central/rev/acff8baac5a8 Then relanded, and thus again fixed in mozilla-central (and thus also on mozilla-1.9.1): http://hg.mozilla.org/mozilla-central/rev/483aaa57f290
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: [needs landing]
Target Milestone: --- → mozilla1.9.1b3
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20081126 Minefield/3.1b3pre
Status: RESOLVED → VERIFIED
Keywords: verified1.9.1
Keywords: fixed1.9.1
Crash Signature: [@ nsIFrame::GetPositionIgnoringScrolling]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: