Crash [@ nsHTMLReflowState::CalculateHypotheticalBox] with MathML, position:fixed, tables

Status: RESOLVED FIXED
Product: Core
Component: MathML
Priority: --
Severity: critical
Reported: 9 years ago
Modified: 6 years ago

People: Reporter: Jesse Ruderman, Assigned: bz

Tracking: Blocks: 1 bug, 4 keywords
Version: Trunk
Platform: x86 Mac OS X
Keywords: assertion, crash, testcase, verified1.9.2
Bug Flags: in-testsuite +
Firefox Tracking Flags: status1.9.2 .2-fixed, status1.9.1 .9-fixed
Attachments: 4
Description (Reporter, 9 years ago)

Created attachment 353260: testcase (crashes Firefox when loaded)

###!!! ASSERTION: shouldn't use unconstrained widths anymore: '(mFrameType == NS_CSS_FRAME_TYPE_INLINE && !frame->IsFrameOfType(nsIFrame::eReplaced)) || frame->GetType() == nsGkAtoms::textFrame || mComputedWidth != NS_UNCONSTRAINEDSIZE', file /Users/jruderman/central/layout/generic/nsHTMLReflowState.cpp, line 305

###!!! ASSERTION: Should hit cbrs->frame before we run off the frame tree!: 'aContainingBlock', file /Users/jruderman/central/layout/generic/nsHTMLReflowState.cpp, line 1103

Crash:
0  nsIFrame::GetPositionIgnoringScrolling
1  nsHTMLReflowState::CalculateHypotheticalBox
2  nsHTMLReflowState::InitAbsoluteConstraints
...

The key here is the second assertion.

nsHTMLReflowState::CalculateHypotheticalBox is being called with the viewport as aContainingBlock and the viewport as the cbrs->frame.  Then this loop:

    do {
      NS_ASSERTION(aContainingBlock,
                   "Should hit cbrs->frame before we run off the frame tree!");
      cbOffset += aContainingBlock->GetPositionIgnoringScrolling();
      aContainingBlock = aContainingBlock->GetParent();
    } while (aContainingBlock != cbrs->frame);

obviously asserts and crashes.

The reason for the weird containing block is that GetHypotheticalBoxContainer skips over frames that aren't IsContainingBlock(), and the relevant part of the frametree here is:

    Fixed-list<
      Inline(math)(1)@0x15a6e38 next=0x15aa990 {480,480,0,0} [state=00000100] [content=0x2058b530] [sc=0x1562228]<
        Placeholder(mtable)(0)@0x15aac10 {0,0,0,0} [state=00400402] [content=0x2058ba00] outOfFlowFrame=TableOuter(mtable)(0)@0x15aa990
      >
      TableOuter(mtable)(0)@0x15aa990 {0,0,0,0} [state=00000502] [content=0x2058ba00] [sc=0x15aba80] pst=:-moz-table-outer<
        Table(mtable)(0)@0x15aab00 {0,0,0,0} [state=00000402] [content=0x2058ba00] [sc=0x15a58e8]<>
      >
    >

In particular, the <math> element got an inline frame even though it's fixed-pos, and as a result isn't IsContainingBlock.  That's just broken.
Aha.  And the reason that happens is that the <math> ends up with display:table (because it's inline-table but forced to be block-outer).  If it took the normal "construct by display" codepath, this would all work, but it doesn't.
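A toy model of the ancestor walk quoted above, added here as an example for this page; it is neither Gecko code nor the bug's patch. It builds a three-frame tree shaped like the dump (viewport, the fixed-pos <math> frame at 480,480, and the mtable placeholder under it) and runs the same do/while against it. When the <math> frame does not count as a containing block, the stand-in for GetHypotheticalBoxContainer lands on the viewport, so aContainingBlock and cbrs->frame are equal on entry; the body executes once, steps to the viewport's null parent, and the loop never meets cbrs->frame. When <math> gets a frame that is a containing block, the walk stops after one step. The first function replaces the null dereference with a flag so the example can be executed; the "checked" variant is my own assumption about a defensive form of the loop and is not what the landed patch does.

```cpp
#include <cstdio>

// Minimal stand-in for nsIFrame: a frame knows its parent, its position
// relative to that parent (GetPositionIgnoringScrolling) and whether it
// counts as a containing block (IsContainingBlock).
struct Frame {
    const char* name;
    Frame* parent;
    int x;
    int y;
    bool isContainingBlock;
};

struct Point {
    int x;
    int y;
};

// Stand-in for GetHypotheticalBoxContainer: skip upward over frames that
// are not containing blocks.
Frame* HypotheticalBoxContainer(Frame* placeholder) {
    Frame* f = placeholder->parent;
    while (f != nullptr && !f->isContainingBlock) {
        f = f->parent;
    }
    return f;
}

// Mirrors the do/while quoted in the bug. The real code dereferences a null
// aContainingBlock once the walk passes the root; here that step sets
// *ranOffTree instead so the example can be executed.
Point AccumulateOffsetOriginal(Frame* aContainingBlock, const Frame* cbFrame, bool* ranOffTree) {
    Point cbOffset = {0, 0};
    *ranOffTree = false;
    do {
        if (aContainingBlock == nullptr) {
            *ranOffTree = true;  // "Should hit cbrs->frame before we run off the frame tree!"
            return cbOffset;
        }
        cbOffset.x += aContainingBlock->x;
        cbOffset.y += aContainingBlock->y;
        aContainingBlock = aContainingBlock->parent;
    } while (aContainingBlock != cbFrame);
    return cbOffset;
}

// Defensive variant (my assumption, not what the landed patch does): a while
// loop contributes nothing when the two frames are already equal, and the
// walk refuses to continue if cbFrame turns out not to be an ancestor.
bool AccumulateOffsetChecked(Frame* aContainingBlock, const Frame* cbFrame, Point* out) {
    Point cbOffset = {0, 0};
    while (aContainingBlock != cbFrame) {
        if (aContainingBlock == nullptr) {
            return false;
        }
        cbOffset.x += aContainingBlock->x;
        cbOffset.y += aContainingBlock->y;
        aContainingBlock = aContainingBlock->parent;
    }
    *out = cbOffset;
    return true;
}

// Frame tree shaped like the dump in the bug: the fixed-pos <math> frame hangs
// off the viewport at (480,480) and the mtable placeholder is its child.
// mathIsContainingBlock=false models the inline frame the bug describes;
// true models a proper block-level frame for <math>. Constructed test data.
struct ToyTree {
    Frame viewport;
    Frame math;
    Frame placeholder;
    explicit ToyTree(bool mathIsContainingBlock)
        : viewport{"Viewport", nullptr, 0, 0, true},
          math{"math", &viewport, 480, 480, mathIsContainingBlock},
          placeholder{"Placeholder(mtable)", &math, 0, 0, false} {}
};

// Runs the original loop on the toy tree; true means it ran off the tree.
bool OriginalLoopRunsOffTree(bool mathIsContainingBlock) {
    ToyTree t(mathIsContainingBlock);
    Frame* cb = HypotheticalBoxContainer(&t.placeholder);
    bool ranOff = false;
    AccumulateOffsetOriginal(cb, &t.viewport, &ranOff);
    return ranOff;
}

// Runs the checked variant; returns the accumulated x offset, or -1 if it refused.
int CheckedLoopOffsetX(bool mathIsContainingBlock) {
    ToyTree t(mathIsContainingBlock);
    Frame* cb = HypotheticalBoxContainer(&t.placeholder);
    Point p = {0, 0};
    return AccumulateOffsetChecked(cb, &t.viewport, &p) ? p.x : -1;
}

int main() {
    std::printf("inline <math>: original loop runs off tree = %d, checked x = %d\n",
                OriginalLoopRunsOffTree(false), CheckedLoopOffsetX(false));
    std::printf("block <math>:  original loop runs off tree = %d, checked x = %d\n",
                OriginalLoopRunsOffTree(true), CheckedLoopOffsetX(true));
    return 0;
}
```

The point the model makes is that the loop's safety rests entirely on the precondition that cbrs->frame is a strict ancestor of aContainingBlock; a frame-construction path that hands the hypothetical-box code a non-containing-block frame for a fixed-pos element violates that precondition, and the loop turns it into a null dereference rather than a bounded failure.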
Created attachment 419975: Proposed fix

We could also, or in addition, make nsFrame::IsContainingBlock return true if display is table, but I'm not sure we want that.
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #419975 - Flags: review?(dbaron)
Comment on attachment 419975: Proposed fix

r=dbaron.  Sorry for the delay.

Probably worth checking that this also fixes bug 535483.
Attachment #419975 - Flags: review?(dbaron) → review+
Pushed http://hg.mozilla.org/mozilla-central/rev/36b5bb1b4a1e
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Created attachment 429280: 1.9.2 branch merge

This should be fairly safe and fixes a crasher.  Requesting 1.9.2 branch approval.
Attachment #429280 - Flags: approval1.9.2.2?
Blocks: 535483
Created attachment 429292: 1.9.1 branch merge

The context is all different, but the patch is the same.
Attachment #429292 - Flags: approval1.9.1.9?
Attachment #429280 - Flags: approval1.9.2.2? → approval1.9.2.2+
Comment on attachment 429292: 1.9.1 branch merge

a=beltzner for both branches
Attachment #429292 - Flags: approval1.9.1.9? → approval1.9.1.9+
Pushed:
  http://hg.mozilla.org/releases/mozilla-1.9.2/rev/ee26a67e631d
  http://hg.mozilla.org/releases/mozilla-1.9.1/rev/99f97b5d724c
status1.9.1: --- → .9-fixed
status1.9.2: --- → .2-fixed
Verified for 1.9.2-2 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.2) Gecko/20100321 Firefox/3.6.2 ID:20100321170417 Debug Build on 10.6
Keywords: verified1.9.2
Crash Signature: [@ nsHTMLReflowState::CalculateHypotheticalBox]