5192 - Float CSS directive causes Gecko to crash

Status: VERIFIED FIXED

(Core :: Layout, defect, P1)

Description

[mle]

When I have added a float: left; style as shown in for the
key element in the CSS stylesheet below Gecko crashes.
The XML file to which the stylesheet was applied is also
below.

Without the float request the file does display.

The problem appears to related to the fixed-size array
of trapezoidal floating frame elements.  When we iterate
through this array the last element has an invalid
frame value.

The CSS float style may not make sense here - I don't
know because it crashed and I could not play around
with it.  But even nonsensical CSS should not cause
a crash.

<?xml version="1.0"?>
<?xml-stylesheet href="keybd.css" type="text/css"?>
<!DOCTYPE keyboard [
<!ELEMENT keyboard (row+)>
<!ATTLIST keyboard type CDATA #IMPLIED>
<!ELEMENT row (key+)>
<!ELEMENT key ( #PCDATA | face )*>
<!ATTLIST key
          upper CDATA #REQUIRED
          lower CDATA #REQUIRED>
<!ELEMENT face (top, bot)>
<!ELEMENT top ( sym )>
<!ELEMENT bot ( sym )>
<!ELEMENT sym ( #PCDATA )>
]>
<keyboard type="dvorak">
<row>
<key upper="~"
lower="`"><face><top><sym>~</sym></top><bot><sym>`</sym></bot></face></key>
<key upper="!"
lower="1"><face><top><sym>!</sym></top><bot><sym>1</sym></bot></face></key>
<key upper="@"
lower="2"><face><top><sym>@</sym></top><bot><sym>2</sym></bot></face></key>
<key upper="#"
lower="3"><face><top><sym>#</sym></top><bot><sym>3</sym></bot></face></key>
<key upper="$"
lower="4"><face><top><sym>$</sym></top><bot><sym>4</sym></bot></face></key>
<key upper="%"
lower="5"><face><top><sym>%</sym></top><bot><sym>5</sym></bot></face></key>
<key upper="^"
lower="6"><face><top><sym>^</sym></top><bot><sym>6</sym></bot></face></key>
<key upper="&amp;"
lower="7"><face><top><sym>&amp;</sym></top><bot><sym>7</sym></bot></face></key>
<key upper="*"
lower="8"><face><top><sym>*</sym></top><bot><sym>8</sym></bot></face></key>
<key upper="("
lower="9"><face><top><sym>(</sym></top><bot><sym>9</sym></bot></face></key>
<key upper=")"
lower="0"><face><top><sym>)</sym></top><bot><sym>0</sym></bot></face></key>
<key upper="["
lower="]"><face><top><sym>[</sym></top><bot><sym>]</sym></bot></face></key>
<key upper="+"
lower="="><face><top><sym>+</sym></top><bot><sym>=</sym></bot></face></key>
</row>
<row>
<key upper='"'
lower="'"><face><top><sym>"</sym></top><bot><sym>'</sym></bot></face></key>
<key upper="&lt;"
lower=","><face><top><sym>&lt;</sym></top><bot><sym>,</sym></bot></face></key>
<key upper="&gt;"
lower="."><face><top><sym>&gt;</sym></top><bot><sym>.</sym></bot></face></key>
<key upper="P" lower="p">P</key>
<key upper="Y" lower="y">Y</key>
<key upper="F" lower="f">F</key>
<key upper="G" lower="g">G</key>
<key upper="C" lower="c">C</key>
<key upper="R" lower="r">R</key>
<key upper="L" lower="l">L</key>
<key upper="?"
lower="/"><face><top><sym>?</sym></top><bot><sym>/</sym></bot></face></key>
<key upper="}"
lower="{"><face><top><sym>}</sym></top><bot><sym>{</sym></bot></face></key>
<key upper="|"
lower="\"><face><top><sym>|</sym></top><bot><sym>\</sym></bot></face></key>
</row>
</keyboard>


keyboard
    {
    display: block;
    margin-left: 10pt;
    margin-right: 10pt;
    }

row
    {
    display: block;
    font-size: 12pt;
    margin-top: 6pt;
    }

key
    {
    display: block;
    width: 40px;
    border: 1px solid black;
    margin-bottom: 2px;
    float: left;
    }

face
    {
    display: block;
    }
top
    {
    display: inline;
    }
bot
    {
    display: inline;
    }
sym {
    display: inline;
    }

Comment 1

[kipp]

I just checked in a fix for this. It turns out there was a static sized array
that dealt with floating elements. There was already code to return an error if
we would overflow the array, I just wasn't looking at the error code :-(

Now I do, and grow the array on demand to accomodate more floaters.

Comment 2

[Chris Petersen]

Fixed in April 23rd Build.