Closed Bug 455171 Opened 16 years ago Closed 16 years ago

Crash [@ nsIFrame::GetPositionIgnoringScrolling] with moz-transform and generated content, position: fixed

Categories

(Core :: Layout, defect, P3)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.1b3

People

(Reporter: martijn.martijn, Assigned: dbaron)

References

Details

(4 keywords)

Crash Data

Attachments

(4 files)

testcase
145 bytes, text/html
Details
another testcase
155 bytes, text/html
Details
testcase3
74 bytes, text/html
Details
patch
11.41 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
Attached file testcase 
See testcase, which crashes current trunk build on load.

Stack from debug build:
>	gklayout.dll!nsIFrame::GetPositionIgnoringScrolling()  Line 716 + 0x3 bytes	C++
 	gklayout.dll!nsHTMLReflowState::CalculateHypotheticalBox(nsPresContext * aPresContext=0x087b17c8, nsIFrame * aPlaceholderFrame=0x08af83a8, nsIFrame * aContainingBlock=0x00000000, int aBlockLeftContentEdge=0, int aBlockContentWidth=84840, const nsHTMLReflowState * cbrs=0x0012eeb0, nsHypotheticalBox & aHypotheticalBox={...})  Line 1079 + 0xc bytes	C++
 	gklayout.dll!nsHTMLReflowState::InitAbsoluteConstraints(nsPresContext * aPresContext=0x087b17c8, const nsHTMLReflowState * cbrs=0x0012eeb0, int containingBlockWidth=84840, int containingBlockHeight=480)  Line 1134	C++
 	gklayout.dll!nsHTMLReflowState::InitConstraints(nsPresContext * aPresContext=0x087b17c8, int aContainingBlockWidth=84840, int aContainingBlockHeight=480, const nsMargin * aBorder=0x00000000, const nsMargin * aPadding=0x00000000)  Line 1780	C++
 	gklayout.dll!nsHTMLReflowState::Init(nsPresContext * aPresContext=0x087b17c8, int aContainingBlockWidth=84840, int aContainingBlockHeight=480, const nsMargin * aBorder=0x00000000, const nsMargin * aPadding=0x00000000)  Line 290	C++
 	gklayout.dll!nsHTMLReflowState::nsHTMLReflowState(nsPresContext * aPresContext=0x087b17c8, const nsHTMLReflowState & aParentReflowState={...}, nsIFrame * aFrame=0x08af82d0, const nsSize & aAvailableSpace={...}, int aContainingBlockWidth=84840, int aContainingBlockHeight=480, int aInit=1)  Line 179	C++
 	gklayout.dll!nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame * aDelegatingFrame=0x08af7f60, nsPresContext * aPresContext=0x087b17c8, const nsHTMLReflowState & aReflowState={...}, int aContainingBlockWidth=84840, int aContainingBlockHeight=480, int aConstrainHeight=1, nsIFrame * aKidFrame=0x08af82d0, unsigned int & aStatus=0, nsRect * aChildBounds=0x0012eb0c)  Line 404	C++
 	gklayout.dll!nsAbsoluteContainingBlock::Reflow(nsContainerFrame * aDelegatingFrame=0x08af7f60, nsPresContext * aPresContext=0x087b17c8, const nsHTMLReflowState & aReflowState={...}, unsigned int & aReflowStatus=0, int aContainingBlockWidth=84840, int aContainingBlockHeight=480, int aConstrainHeight=1, int aCBWidthChanged=1, int aCBHeightChanged=0, nsRect * aChildBounds=0x0012eb0c)  Line 158	C++
 	gklayout.dll!nsBlockFrame::Reflow(nsPresContext * aPresContext=0x087b17c8, nsHTMLReflowMetrics & aMetrics={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0)  Line 1172 + 0x43 bytes	C++
 	gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x08af7f60, nsPresContext * aPresContext=0x087b17c8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int aY=0, unsigned int aFlags=0, unsigned int & aStatus=0, nsOverflowContinuationTracker * aTracker=0x00000000)  Line 788 + 0x21 bytes	C++
 	gklayout.dll!CanvasFrame::Reflow(nsPresContext * aPresContext=0x087b17c8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0)  Line 674	C++
 	gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x095417a8, nsPresContext * aPresContext=0x087b17c8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int aY=0, unsigned int aFlags=3, unsigned int & aStatus=0, nsOverflowContinuationTracker * aTracker=0x00000000)  Line 788 + 0x21 bytes	C++
 	gklayout.dll!nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState * aState=0x0012f288, int aAssumeHScroll=0, int aAssumeVScroll=1, nsHTMLReflowMetrics * aMetrics=0x0012f1e4, int aFirstPass=1)  Line 517 + 0x30 bytes	C++
 	gklayout.dll!nsHTMLScrollFrame::ReflowContents(ScrollReflowState * aState=0x0012f288, const nsHTMLReflowMetrics & aDesiredSize={...})  Line 611 + 0x35 bytes	C++
 	gklayout.dll!nsHTMLScrollFrame::Reflow(nsPresContext * aPresContext=0x087b17c8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0)  Line 812 + 0x13 bytes	C++
 	gklayout.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x09541924, nsPresContext * aPresContext=0x087b17c8, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int aY=0, unsigned int aFlags=0, unsigned int & aStatus=0, nsOverflowContinuationTracker * aTracker=0x00000000)  Line 788 + 0x21 bytes	C++
etc...
Crashes my just-updated Linux debug build, too, with this assertion just before the crash:
###!!! ASSERTION: Should hit cbrs->frame before we run off the frame tree!: 'aContainingBlock', file mozilla/layout/generic/nsHTMLReflowState.cpp, line 1078
OS: Windows XP → All
Hardware: PC → All
The problem probably stems from the way that transformed elements always act as fixed-pos and abs-pos containing blocks.  This is implemented inside nsCSSFrameConstructor by inserting elements with position: fixed into the containing block frame's absolutely-positioned child list.  I don't know much about nsBlockFrame or nsHTMLReflowState, but I'm willing to wager that the problem is that the code isn't aware that something can have position: fixed but still be part of an absolute containing block.
Summary: Crash [@ nsIFrame::GetPositionIgnoringScrolling] with moz-transform and generated conten, position: fixed → Crash [@ nsIFrame::GetPositionIgnoringScrolling] with moz-transform and generated content, position: fixed
Flags: blocking1.9.1?
Flags: blocking1.9.1? → wanted1.9.1+
Attached file another testcase 

  

  



    
    

    
  
This bug is easy to hit and interferes with testing -moz-transform.

  

  


Flags: blocking1.9.1?

    
  
Keywords: assertion

    
    

    
  

      
      
      
      

        Attached file
          
        testcase3
      

    


  

  

  


Flags: wanted1.9.1+
Flags: blocking1.9.1?
Flags: blocking1.9.1+
Priority: -- → P3

    
    

    
  
I'll have a look at this one next.

  

  


Assignee: nobody → dbaron

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  
tests 1-3 are the attached ones; test 4 is an additional one that is not fixed by the change that fixes 1-3 but is fixed by the additional change to nsCSSFrameConstructor, and test 5 is a reftest testing the behavior patched by the code affected by tests 1-3.

There's also the code changes, but they should be relatively clear, especially if you start in nsLayoutUtils.h.

  

  



        Attachment #349534 -
        Flags: superreview?(bzbarsky)

        Attachment #349534 -
        Flags: review?(bzbarsky)
Whiteboard: [needs review]

    
    

    
  
(Full reftests pass.)

  

  



        Attachment #349534 -
        Flags: superreview?(bzbarsky)

        Attachment #349534 -
        Flags: superreview+

        Attachment #349534 -
        Flags: review?(bzbarsky)

        Attachment #349534 -
        Flags: review+
Whiteboard: [needs review] → [needs landing]

    
    

    
  
Fixed in mozilla-central (and thus also on mozilla-1.9.1):
http://hg.mozilla.org/mozilla-central/rev/342b86dd79f4

Then backed out due to a Mac startup crash, whose underlying cause was actually
bug 466399:
http://hg.mozilla.org/mozilla-central/rev/bf407fc736d7
http://hg.mozilla.org/mozilla-central/rev/acff8baac5a8

Then relanded, and thus again fixed in mozilla-central (and thus also on
mozilla-1.9.1):
http://hg.mozilla.org/mozilla-central/rev/483aaa57f290

  

  


Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: [needs landing]
Target Milestone: --- → mozilla1.9.1b3

    
    

    
  
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20081126 Minefield/3.1b3pre

  

  


Status: RESOLVED → VERIFIED

    
  
Keywords: verified1.9.1
Keywords: fixed1.9.1
Crash Signature: [@ nsIFrame::GetPositionIgnoringScrolling]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: