469861 - Crash [@ nsHTMLReflowState::CalculateHypotheticalBox] with MathML, position:fixed, tables

Status: RESOLVED FIXED

(Core :: MathML, defect)

Description

[Jesse Ruderman]

Attachment: testcase (crashes Firefox when loaded)

###!!! ASSERTION: shouldn't use unconstrained widths anymore: '(mFrameType == NS_CSS_FRAME_TYPE_INLINE && !frame->IsFrameOfType(nsIFrame::eReplaced)) || frame->GetType() == nsGkAtoms::textFrame || mComputedWidth != NS_UNCONSTRAINEDSIZE', file /Users/jruderman/central/layout/generic/nsHTMLReflowState.cpp, line 305

###!!! ASSERTION: Should hit cbrs->frame before we run off the frame tree!: 'aContainingBlock', file /Users/jruderman/central/layout/generic/nsHTMLReflowState.cpp, line 1103

Crash:
0  nsIFrame::GetPositionIgnoringScrolling
1  nsHTMLReflowState::CalculateHypotheticalBox
2  nsHTMLReflowState::InitAbsoluteConstraints
...

Comment 1

[Boris Zbarsky [:bzbarsky]]

The key here is the second assertion.

nsHTMLReflowState::CalculateHypotheticalBox is being called with the viewport as aContainingBlock and the viewport as the cbrs->frame.  Then this loop:

1120     do {
1121       NS_ASSERTION(aContainingBlock,
1122                    "Should hit cbrs->frame before we run off the frame tree!");
1123       cbOffset += aContainingBlock->GetPositionIgnoringScrolling();
1124       aContainingBlock = aContainingBlock->GetParent();
1125     } while (aContainingBlock != cbrs->frame);

obviously asserts and crashes.

The reason for the weird containing block is that GetHypotheticalBoxContainer skips over frames that aren't IsContainingBlock(), and the relevant part of the frametree here is:

    Fixed-list<
      Inline(math)(1)@0x15a6e38 next=0x15aa990 {480,480,0,0} [state=00000100] [content=0x2058b530] [sc=0x1562228]<
        Placeholder(mtable)(0)@0x15aac10 {0,0,0,0} [state=00400402] [content=0x2058ba00] outOfFlowFrame=TableOuter(mtable)(0)@0x15aa990
      >
      TableOuter(mtable)(0)@0x15aa990 {0,0,0,0} [state=00000502] [content=0x2058ba00] [sc=0x15aba80] pst=:-moz-table-outer<
        Table(mtable)(0)@0x15aab00 {0,0,0,0} [state=00000402] [content=0x2058ba00] [sc=0x15a58e8]<>
      >
    >

In particular, the <math> element got an inline frame even though it's fixed-pos, and as a result isn't IsContainingBlock.  That's just broken.

Comment 2

[Boris Zbarsky [:bzbarsky]]

Aha.  And the reason that happens is that the <math> ends up with display:table (because it's inline-table but forced to be block-outer).  If it took the normal "construct by display" codepath, this would all work, but it doesn't.

Comment 3

[Boris Zbarsky [:bzbarsky]]

Attachment: Proposed fix

We could also, or in addition, make nsFrame::IsContainingBlock return true if display is table, but I'm not sure we want that.

Comment 4

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Comment on attachment 419975 [details] [diff] [review]
Proposed fix

r=dbaron.  Sorry for the delay.

Probably worth checking that this also fixes bug 535483.

Comment 5

[Boris Zbarsky [:bzbarsky]]

Pushed http://hg.mozilla.org/mozilla-central/rev/36b5bb1b4a1e

Comment 6

[Boris Zbarsky [:bzbarsky]]

Attachment: 1.9.2 branch merge

This should be fairly safe and fixes a crasher.  Requesting 1.9.2 branch approval.

Comment 7

[Boris Zbarsky [:bzbarsky]]

Attachment: 1.9.1 branch merge

The context is all different, but the patch is the same.

Comment 8

[Mike Beltzner [:beltzner, not reading bugmail]]

Comment on attachment 429292 [details] [diff] [review]
1.9.1 branch merge

a=beltzner for both branches

Comment 9

[Boris Zbarsky [:bzbarsky]]

Pushed:
  http://hg.mozilla.org/releases/mozilla-1.9.2/rev/ee26a67e631d
  http://hg.mozilla.org/releases/mozilla-1.9.1/rev/99f97b5d724c

Comment 10

[Carsten Book [:Tomcat]]

verified for 1.9.2-2 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.2) Gecko/20100321 Firefox/3.6.2 ID:20100321170417 Debug Build on 10.6