496742 - Crash [@ nsHTMLReflowState::GetHypotheticalBoxContainer] with position: fixed, float right

Status: RESOLVED FIXED

(Core :: Layout, defect, P2)

Description

[Martijn Wargers (dead)]

Attachment: testcase

See testcase, which normally crashes current trunk build within 1 second.
It doesn't crash in a 2009-05-05 build, but it does crash in a 2009-05-07 build:
http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2009-05-05+05%3A00%3A00&enddate=2009-05-07+07%3A00%3A00
My guess is a regression from bug 67752.

http://crash-stats.mozilla.com/report/index/8076b748-441d-46fa-8a76-831112090606?p=1
0  	xul.dll  	nsHTMLReflowState::GetHypotheticalBoxContainer  	 layout/generic/nsHTMLReflowState.cpp:717
1 	xul.dll 	nsHTMLReflowState::InitAbsoluteConstraints 	layout/generic/nsHTMLReflowState.cpp:1164
2 	xul.dll 	nsHTMLReflowState::InitConstraints 	layout/generic/nsHTMLReflowState.cpp:1819
3 	xul.dll 	nsHTMLReflowState::Init 	layout/generic/nsHTMLReflowState.cpp:279
4 	xul.dll 	nsHTMLReflowState::nsHTMLReflowState 	layout/generic/nsHTMLReflowState.cpp:174
5 	xul.dll 	nsAbsoluteContainingBlock::ReflowAbsoluteFrame 	layout/generic/nsAbsoluteContainingBlock.cpp:449
6 	xul.dll 	nsAbsoluteContainingBlock::Reflow 	layout/generic/nsAbsoluteContainingBlock.cpp:157
7 	xul.dll 	ViewportFrame::Reflow 	layout/generic/nsViewportFrame.cpp:317
8 	xul.dll 	PresShell::DoReflow 	layout/base/nsPresShell.cpp:7097
9 	xul.dll 	PresShell::ProcessReflowCommands 	layout/base/nsPresShell.cpp:7227
10 	xul.dll 	PresShell::FlushPendingNotifications 	layout/base/nsPresShell.cpp:4898
11 	nspr4.dll 	PR_Lock 	nsprpub/pr/src/threads/combined/prulock.c:233
12 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
13 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
14 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
15 	nspr4.dll 	PR_GetEnv 	
16 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:110
17 	firefox.exe 	firefox.exe@0x21a7 	
18 	kernel32.dll 	kernel32.dll@0x17076 

The content of the iframe is this:
<span>
m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m 
m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m 
m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m 
m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m m 
<span style="position: fixed; float: right;"></span>
</span>

<script>
function toggleIframe(){
var x=window.frameElement;
x.style.display = x.style.display == 'none' ? x.style.display = '' : x.style.display = 'none';
setTimeout(toggleIframe,100);
}
setTimeout(toggleIframe,100);
</script>

Comment 1

[Boris Zbarsky [:bzbarsky]]

Almost certainly the same as bug 505482.

Comment 2

[Boris Zbarsky [:bzbarsky]]

Should be fixed by checkin for bug 505482.  Not sure how to write a sane test for this.  :(

Comment 3

[Mike Beltzner [:beltzner, not reading bugmail]]

Mass change: adding fixed1.9.2 keyword

(This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)

Comment 4

[Mats Palmgren (inactive)]

Crash test:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8bfa06a3c92d

Comment 5

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/8bfa06a3c92d