Closed
Bug 502017
Opened 15 years ago
Closed 15 years ago
Crash [@ nsHTMLReflowState::GetHypotheticalBoxContainer] with -moz-column, overflow, clear, margin, fixed pos, and float
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: dholbert, Assigned: dholbert)
References
Details
(4 keywords, Whiteboard: [sg:critical?][fixed by bug 67752 on m-c][1.9.1.2+])
Crash Data
Attachments
(5 files)
472 bytes,
text/html
|
Details | |
3.56 KB,
text/plain
|
Details | |
5.70 KB,
text/plain
|
Details | |
3.18 KB,
patch
|
roc
:
review+
beltzner
:
approval1.9.1.2+
dveditz
:
approval1.9.0.14+
|
Details | Diff | Splinter Review |
1.09 KB,
patch
|
Details | Diff | Splinter Review |
I'm filing this bug for a remaining 1.9.1 crash, with a modified version of bug 467493's testcase. (just adding an empty floated div) See in particular bug 467493 comment 25. The attached "testcase 1" crashes in both optimized and debug 1.9.1 builds. (This testcase is the same as "testcase 3" on bug 467493) In my debug build, I get these assertions before the crash: ###!!! ASSERTION: Placeholder relationship should have been torn down; see comments in nsPlaceholderFrame.h: '!shell->FrameManager()->GetPlaceholderFrameFor(mOutOfFlowFrame)', file /mozilla/layout/generic/nsPlaceholderFrame.cpp, line 132 ###!!! ASSERTION: no placeholder frame: 'nsnull != placeholderFrame', file /mozilla/layout/generic/nsHTMLReflowState.cpp, line 1122 I also get many copies of this warning: WARNING: bad value: file /mozilla/layout/generic/nsFloatManager.cpp, line 149 Crash report (hasn't loaded yet, but should soon): http://crash-stats.mozilla.com/report/pending/f7955dc3-a1ff-4e8a-a542-bdc8f2090702
Assignee | ||
Comment 1•15 years ago
|
||
testcase 1 crashes on load in this 1.9.1 build: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 and it's WFM in this mozilla-central build: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090701 Minefield/3.6a1pre Presumably, this used to crash on mozilla-central, even after the float-manager landing fixed bug 467493's other testcases. A fix range would be great.
Assignee | ||
Updated•15 years ago
|
Flags: blocking1.9.1.1?
Whiteboard: [sg:critical?][needs m-c fix range]
Assignee | ||
Comment 2•15 years ago
|
||
Here's a backtrace of the crash on testcase 1.
Assignee | ||
Comment 3•15 years ago
|
||
Here's a dump of the frametree at crash-time. (This is from the same crash occurrence as was used to generate the backtrace in attachment 386559 [details])
Assignee | ||
Updated•15 years ago
|
Attachment #386559 -
Attachment description: crash backtrace → backtrace at crash
Assignee | ||
Updated•15 years ago
|
Attachment #386557 -
Attachment description: testcase 1 → testcase 1 (crashes on loading in 1.9.1 & 1.9.0)
Assignee | ||
Comment 4•15 years ago
|
||
(In reply to comment #1) > Presumably, this used to crash on mozilla-central, even after the float-manager > landing fixed bug 467493's other testcases. A fix range would be great. Ok, here's the m-c fix range: CRASHES ON: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090505 Minefield/3.6a1pre WFM on: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090506 Minefield/3.6a1pre
Whiteboard: [sg:critical?][needs m-c fix range] → [sg:critical?]
Assignee | ||
Comment 5•15 years ago
|
||
Pushlog for fix range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2a82ba52ed30&tochange=7518078cb842 bug 67752 looks like the only likely fix-candidate in that range.
Assignee | ||
Comment 6•15 years ago
|
||
I've confirmed that testcase 1 crashes on Mac 1.9.1, too. Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.1pre) Gecko/20090630 Shiretoko/3.5.1pre Crash report: http://crash-stats.mozilla.com/report/index/1c2f4392-268e-4d99-a443-0a0922090702
OS: Linux → All
Assignee | ||
Comment 7•15 years ago
|
||
(In reply to comment #5) > bug 67752 looks like the only likely fix-candidate in that range. Confirmed that bug 67752 fixed this on mozilla-central. Changeset 47e935bd7f3b hits the assertions & the crash from comment 0, whereas changeset a08d1947ec5a does not (though it still has lots of "WARNING: bad value" messages). It doesn't look like bug 67752 is targeted for 1.9.1 (or 1.9.0), though, so it probably won't be able to fix this on the branches...
Depends on: ireflow
Assignee | ||
Updated•15 years ago
|
Whiteboard: [sg:critical?] → [sg:critical?][fixed by bug 67752 on m-c]
Comment 8•15 years ago
|
||
It's really weird that bug 67752 changed behavior here. Are we actually interrupting on the testcase? Or was it the scrolling changes or some such? Or maybe it was the changes in nsBlockFrame::ReflowDirtyLines around pulling stuff? We could port that sort of thing to branch, I think.
Assignee | ||
Comment 9•15 years ago
|
||
(In reply to comment #8) > Or maybe it was the changes in nsBlockFrame::ReflowDirtyLines around pulling > stuff? That sounds most likely.
Comment 10•15 years ago
|
||
I think that we should try to backport those. Do you want to give it a shot or should I?
Assignee | ||
Comment 11•15 years ago
|
||
In my build at changeset a08d1947ec5a (that's bug 67752's patch), if I revert bug 67752's changes to nsBlockFrame.* and recompile, the assertions & the crash return. So it's definitely one of the changes to nsBlockFrame.cpp that fixed this (probably the pulling stuff, as bz suggested). I'll try to backport that -- looks pretty straightforward.
Assignee | ||
Comment 12•15 years ago
|
||
This is just the pulling chunk from bug 67752's nsBlockFrame changes. It applies cleanly on 1.9.1 and 1.9.0, and it fixes this crash on both branches. It also fixes the crash on bug 467493's testcases on 1.9.0 branch.
Updated•15 years ago
|
Flags: wanted1.9.1.x+
Flags: wanted1.9.0.x+
Assignee | ||
Comment 13•15 years ago
|
||
Comment on attachment 386646 [details] [diff] [review] Backported fix: just the "pull" chunk from bug 67752's patch [checked in to 1.9.0: c26] So, here's a summary what's going on in this backported patch, starting with the final chunk: >@@ -2076,24 +2079,28 @@ nsBlockFrame::ReflowDirtyLines(nsBlockRe > if (!bifLineIter.Next() || > !bifLineIter.GetLine()->IsDirty()) { >- if (IS_TRUE_OVERFLOW_CONTAINER(aState.mNextInFlow)) >- NS_FRAME_SET_OVERFLOW_INCOMPLETE(aState.mReflowStatus); >- else >- NS_FRAME_SET_INCOMPLETE(aState.mReflowStatus); > skipPull=PR_TRUE; > } > } > } >+ >+ if (skipPull && aState.mNextInFlow) { >+ NS_ASSERTION(heightConstrained, "Height should be constrained here\n"); >+ if (IS_TRUE_OVERFLOW_CONTAINER(aState.mNextInFlow)) >+ NS_FRAME_SET_OVERFLOW_INCOMPLETE(aState.mReflowStatus); >+ else >+ NS_FRAME_SET_INCOMPLETE(aState.mReflowStatus); >+ } This chunk makes sure that, if we've got a next-in-flow and we're going to skip pulling from it, we'll set an INCOMPLETE bit on our reflow status. Otherwise, our next-in-flow could end up being destroyed while we've still potentially got kids with mNextContinuation pointers into it, and that's bad news. Previously, we were only setting the INCOMPLETE bit inside of a clause that required a whole bunch of conditions to be satisfied. (In the testcase attached here, the |aState.mReflowState.mFlags.mNextInFlowUntouched| condition was the one that failed and made us skip setting the INCOMPLETE bit.) >- // We can skip trying to pull up the next line if there is no next >- // in flow or we were told not to or we know it will be futile, i.e., >+ // We can skip trying to pull up the next line if our height is constrained >+ // (so we can report being incomplete) and there is no next in flow or we >+ // were told not to or we know it will be futile, i.e., [snip] >- PRBool skipPull = willReflowAgain; >- if (aState.mNextInFlow && >+ PRBool heightConstrained = >+ aState.mReflowState.availableHeight != NS_UNCONSTRAINEDSIZE; >+ PRBool skipPull = willReflowAgain && heightConstrained; This chunk makes sure we only set |skipPull| if our height is constrained. Otherwise (if we have an unconstrained height), we may not be safe to return an INCOMPLETE reflow status (which would end up getting set in the above-described chunk of the patch, if |skipPull| were true). >- if (aState.mNextInFlow && >+ if (!skipPull && heightConstrained && aState.mNextInFlow && > (aState.mReflowState.mFlags.mNextInFlowUntouched && This chunk adds two conditions to the "if" check here -- !skipPull && heightConstrained. Now that the INCOMPLETE-setting has been moved out of this "if" clause, this clause just does one thing -- it turns on |skipPull| in certain situations. It doesn't do anything else. So, there's no point in entering it if |skipPull| is already turned on. (hence the first added condition) We also don't want to enter it if our height is unconstrained, because then we definitely don't want to turn on skipPull (because we can't return an incomplete reflow status, as described above). (hence the second added condition)
Attachment #386646 -
Flags: review?(roc)
Assignee | ||
Comment 14•15 years ago
|
||
Here's testcase 1 as a crashtest, for landing on all branches after this is fixed on all branches. I've just re-confirmed that this crashes pre-patch, and doesn't crash post-patch, using an up-to-date 1.9.1 checkout. (I generated this crashtest patch using a 1.9.1 build -- it may need minor bitrot-fixing in "crashtest.list" on 1.9.0 and on mozilla-central)
Assignee | ||
Updated•15 years ago
|
Flags: in-testsuite?
Attachment #386646 -
Flags: review?(roc) → review+
Assignee | ||
Updated•15 years ago
|
Attachment #386646 -
Flags: approval1.9.1.1?
Attachment #386646 -
Flags: approval1.9.0.13?
Assignee | ||
Comment 15•15 years ago
|
||
Comment on attachment 386646 [details] [diff] [review] Backported fix: just the "pull" chunk from bug 67752's patch [checked in to 1.9.0: c26] Requesting approval to land this backport on the 1.9.1 & 1.9.0 stable branches. Fixes a security-sensitive crash, has baked on mozilla-central, and is a fairly minimal change. (See comment 13 for an overview of what it does.) This also will fix bug 467493 (a related crash) on the 1.9.0 branch, as mentioned in comment 12. (That bug is WFM on 1.9.1, because the float manager works around it.)
Assignee | ||
Updated•15 years ago
|
Flags: blocking1.9.0.13?
Updated•15 years ago
|
Flags: blocking1.9.0.13? → blocking1.9.0.13+
Updated•15 years ago
|
Assignee: nobody → dholbert
Comment 16•15 years ago
|
||
Comment on attachment 386646 [details] [diff] [review] Backported fix: just the "pull" chunk from bug 67752's patch [checked in to 1.9.0: c26] Approved for 1.9.0.13, a=dveditz for release-drivers
Attachment #386646 -
Flags: approval1.9.0.13? → approval1.9.0.13+
Assignee | ||
Comment 17•15 years ago
|
||
Attachment 386646 [details] [diff] checked in to 1.9.0 branch:
Checking in layout/generic/nsBlockFrame.cpp;
/cvsroot/mozilla/layout/generic/nsBlockFrame.cpp,v <-- nsBlockFrame.cpp
new revision: 3.963; previous revision: 3.962
done
Keywords: fixed1.9.0.13
Assignee | ||
Updated•15 years ago
|
Attachment #386646 -
Attachment description: Backported fix: just the "pull" chunk from bug 67752's patch → Backported fix: just the "pull" chunk from bug 67752's patch [checked in 1.9.0: comment 17]
Assignee | ||
Updated•15 years ago
|
Attachment #386646 -
Attachment description: Backported fix: just the "pull" chunk from bug 67752's patch [checked in 1.9.0: comment 17] → Backported fix: just the "pull" chunk from bug 67752's patch [checked in to 1.9.0: c17]
Comment 18•15 years ago
|
||
Comment on attachment 386646 [details] [diff] [review] Backported fix: just the "pull" chunk from bug 67752's patch [checked in to 1.9.0: c26] 1.9.0.13 will be in sync with 1.9.1.2, so we'll take this patch then.
Attachment #386646 -
Flags: approval1.9.1.1? → approval1.9.1.2?
Comment 19•15 years ago
|
||
I'm leaving this as wanted1.9.1.x, but since we don't yet have our new blocking1.9.1 flag, I can't make it block 1.9.1.2 yet. It does though.
Flags: blocking1.9.1.1?
Whiteboard: [sg:critical?][fixed by bug 67752 on m-c] → [sg:critical?][fixed by bug 67752 on m-c][1.9.1.2+]
Assignee | ||
Comment 20•15 years ago
|
||
Backed out of 1.9.0 -- this appears to have somehow caused a test failure in test_bug343416.xul, on Mac. (It went orange for two consecutive cycles, with a test-failure that doesn't appear to be known-sporadic.) http://tinderbox.mozilla.org/showlog.cgi?log=Firefox3.0/1247255968.1247259491.3895.gz http://tinderbox.mozilla.org/showlog.cgi?log=Firefox3.0/1247260655.1247264163.22911.gz Backout: Checking in layout/generic/nsBlockFrame.cpp; /cvsroot/mozilla/layout/generic/nsBlockFrame.cpp,v <-- nsBlockFrame.cpp new revision: 3.964; previous revision: 3.963 done Log from failing test: { *** 669 INFO Running chrome://mochikit/content/chrome/widget/test/test_bug343416.xul... *** 670 INFO PASS | nsIIdleService should exist and be implemented on all tier 1 platforms. *** 671 ERROR FAIL | Getting the idle Time should not fail in normal circumstances on any tier 1 platform. | | chrome://mochikit/content/chrome/widget/test/test_bug343416.xul *** 672 INFO PASS | The nsIIdleService should allow us to add an observer. *** 673 INFO PASS | The nsIIdleService should allow us to add the same observer again. *** 674 INFO PASS | The nsIIdleService should allow us to remove the observer just once. *** 675 ERROR FAIL | Getting the idle time should not fail in normalcircumstances on any tier 1 platform. | | chrome://mochikit/content/chrome/widget/test/test_bug343416.xul *** 676 ERROR FAIL | The idle time should have increased by roughly the amount of time it took for the timeout to fire. | | chrome://mochikit/content/chrome/widget/test/test_bug343416.xul *** 677 INFO PASS | We set a timeout and it should have fired by now. *** 678 ERROR FAIL | We added a listener and it should have been called by now. | | chrome://mochikit/content/chrome/widget/test/test_bug343416.xul *** 679 INFO PASS | We added a listener and we should be able to remove it. }
Keywords: fixed1.9.0.13
Assignee | ||
Comment 21•15 years ago
|
||
Link to source of failing test: http://mxr.mozilla.org/mozilla-central/source/widget/tests/test_bug343416.xul
Comment 22•15 years ago
|
||
I seriously doubt this patch should have affected that test...
Assignee | ||
Comment 23•15 years ago
|
||
Me too, but with two consecutive orange cycles, best diagnostic is to back out. Having said that, the failing test *stayed orange* in the post-backout cycle: http://tinderbox.mozilla.org/showlog.cgi?log=Firefox3.0/1247266920.1247270435.27327.gz So this checkin couldn't be responsible. I just pinged #build to see if someone can reboot (or otherwise fix) the still-orange tinderbox.
Comment 24•15 years ago
|
||
Rebooted bm-xserve21 to see if that resolves the Fx3.0 unit issue.
Assignee | ||
Comment 25•15 years ago
|
||
The reboot seems to have fixed the issue -- the cycle before the reboot was orange with the nsIIdleService failure, and the four cycles after the reboot have all been green.
Assignee | ||
Comment 26•15 years ago
|
||
Re-landed patch on 1.9.0.x (CVS Trunk): Checking in layout/generic/nsBlockFrame.cpp; /cvsroot/mozilla/layout/generic/nsBlockFrame.cpp,v <-- nsBlockFrame.cpp new revision: 3.965; previous revision: 3.964 done
Keywords: fixed1.9.0.13
Assignee | ||
Updated•15 years ago
|
Attachment #386646 -
Attachment description: Backported fix: just the "pull" chunk from bug 67752's patch [checked in to 1.9.0: c17] → Backported fix: just the "pull" chunk from bug 67752's patch [checked in to 1.9.0: c26]
Updated•15 years ago
|
blocking1.9.1: --- → .2+
status1.9.1:
--- → wanted
Updated•15 years ago
|
Attachment #386646 -
Flags: approval1.9.1.2? → approval1.9.1.2+
Comment 27•15 years ago
|
||
Comment on attachment 386646 [details] [diff] [review] Backported fix: just the "pull" chunk from bug 67752's patch [checked in to 1.9.0: c26] a=beltzner, please land on mozilla-1.9.1
Comment 28•15 years ago
|
||
dholbert: Can you please land this on 1.9.1 asap?
Assignee | ||
Comment 29•15 years ago
|
||
Was just about to. Landed. http://hg.mozilla.org/releases/mozilla-1.9.1/rev/63785ea38770 status1.9.1 --> .2fixed
Comment 30•15 years ago
|
||
Verified fixed in 1.9.0 using my debug build (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.13pre) Gecko/2009072711 GranParadiso/3.0.13pre). Verified crash and assertion in comment 0 from build in early July. Both are fixed now.
Keywords: fixed1.9.0.13 → verified1.9.0.13
Comment 31•15 years ago
|
||
Verified using test case in comment #0. 3.5 crashed on load. 3.5.2 did not. Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (3.5 and 3.5.2 behaved the same on XP, no crash).
Keywords: verified1.9.1
Updated•15 years ago
|
Group: core-security
Updated•13 years ago
|
Crash Signature: [@ nsHTMLReflowState::GetHypotheticalBoxContainer]
You need to log in
before you can comment on or make changes to this bug.
Description
•