Float CSS directive causes Gecko to crash

VERIFIED FIXED in M5

Status

P1
major
VERIFIED FIXED
20 years ago
19 years ago

People

(Reporter: mle, Assigned: buster)

Tracking

Trunk
x86
Windows NT
Description

20 years ago
When I add a float: left; style, as shown for the
key element in the CSS stylesheet below, Gecko crashes.
The XML file to which the stylesheet was applied is also
below.

Without the float request the file does display.

The problem appears to be related to the fixed-size array
of trapezoidal floating frame elements.  When we iterate
through this array the last element has an invalid
frame value.

The CSS float style may not make sense here - I don't
know because it crashed and I could not play around
with it.  But even nonsensical CSS should not cause
a crash.

<?xml version="1.0"?>
<?xml-stylesheet href="keybd.css" type="text/css"?>
<!DOCTYPE keyboard [
<!ELEMENT keyboard (row+)>
<!ATTLIST keyboard type CDATA #IMPLIED>
<!ELEMENT row (key+)>
<!ELEMENT key ( #PCDATA | face )*>
<!ATTLIST key
          upper CDATA #REQUIRED
          lower CDATA #REQUIRED>
<!ELEMENT face (top, bot)>
<!ELEMENT top ( sym )>
<!ELEMENT bot ( sym )>
<!ELEMENT sym ( #PCDATA )>
]>
<keyboard type="dvorak">
<row>
<key upper="~"
lower="`"><face><top><sym>~</sym></top><bot><sym>`</sym></bot></face></key>
<key upper="!"
lower="1"><face><top><sym>!</sym></top><bot><sym>1</sym></bot></face></key>
<key upper="@"
lower="2"><face><top><sym>@</sym></top><bot><sym>2</sym></bot></face></key>
<key upper="#"
lower="3"><face><top><sym>#</sym></top><bot><sym>3</sym></bot></face></key>
<key upper="$"
lower="4"><face><top><sym>$</sym></top><bot><sym>4</sym></bot></face></key>
<key upper="%"
lower="5"><face><top><sym>%</sym></top><bot><sym>5</sym></bot></face></key>
<key upper="^"
lower="6"><face><top><sym>^</sym></top><bot><sym>6</sym></bot></face></key>
<key upper="&amp;"
lower="7"><face><top><sym>&amp;</sym></top><bot><sym>7</sym></bot></face></key>
<key upper="*"
lower="8"><face><top><sym>*</sym></top><bot><sym>8</sym></bot></face></key>
<key upper="("
lower="9"><face><top><sym>(</sym></top><bot><sym>9</sym></bot></face></key>
<key upper=")"
lower="0"><face><top><sym>)</sym></top><bot><sym>0</sym></bot></face></key>
<key upper="["
lower="]"><face><top><sym>[</sym></top><bot><sym>]</sym></bot></face></key>
<key upper="+"
lower="="><face><top><sym>+</sym></top><bot><sym>=</sym></bot></face></key>
</row>
<row>
<key upper='"'
lower="'"><face><top><sym>"</sym></top><bot><sym>'</sym></bot></face></key>
<key upper="&lt;"
lower=","><face><top><sym>&lt;</sym></top><bot><sym>,</sym></bot></face></key>
<key upper="&gt;"
lower="."><face><top><sym>&gt;</sym></top><bot><sym>.</sym></bot></face></key>
<key upper="P" lower="p">P</key>
<key upper="Y" lower="y">Y</key>
<key upper="F" lower="f">F</key>
<key upper="G" lower="g">G</key>
<key upper="C" lower="c">C</key>
<key upper="R" lower="r">R</key>
<key upper="L" lower="l">L</key>
<key upper="?"
lower="/"><face><top><sym>?</sym></top><bot><sym>/</sym></bot></face></key>
<key upper="}"
lower="{"><face><top><sym>}</sym></top><bot><sym>{</sym></bot></face></key>
<key upper="|"
lower="\"><face><top><sym>|</sym></top><bot><sym>\</sym></bot></face></key>
</row>
</keyboard>


keyboard
    {
    display: block;
    margin-left: 10pt;
    margin-right: 10pt;
    }

row
    {
    display: block;
    font-size: 12pt;
    margin-top: 6pt;
    }

key
    {
    display: block;
    width: 40px;
    border: 1px solid black;
    margin-bottom: 2px;
    float: left;
    }

face
    {
    display: block;
    }
top
    {
    display: inline;
    }
bot
    {
    display: inline;
    }
sym {
    display: inline;
    }

Updated

20 years ago
Assignee: troy → kipp

Updated

20 years ago
Status: NEW → ASSIGNED
Priority: P3 → P1
Target Milestone: M5

Updated

20 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 20 years ago
Resolution: --- → FIXED

Comment 1

20 years ago
I just checked in a fix for this. It turns out there was a static sized array
that dealt with floating elements. There was already code to return an error if
we would overflow the array, I just wasn't looking at the error code :-(

Now I do, and grow the array on demand to accommodate more floaters.
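
The pattern Comment 1 describes (a full fixed-size array reports an error, the caller drops it, and the fix is to check it and grow the array), as an added C sketch that is not part of the original report and is not Gecko's code. `FloaterList`, the function names, the initial capacity of 4 and the count of 13 floaters are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical model of the pattern in Comment 1; not Gecko source.
   frames: stand-in entries, count: entries stored, cap: allocated slots. */
typedef struct { int *frames; size_t count, cap; } FloaterList;

/* Returns 0 on success, -1 when full: the error the caller must check. */
int floater_add(FloaterList *l, int frame) {
    if (l->count == l->cap) return -1;
    l->frames[l->count++] = frame;
    return 0;
}

/* Doubles capacity; -1 on size overflow or allocation failure. */
int floater_grow(FloaterList *l) {
    size_t ncap = l->cap ? l->cap * 2 : 4;
    if (ncap < l->cap || ncap > (size_t)-1 / sizeof(int)) return -1;
    int *p = realloc(l->frames, ncap * sizeof *p);
    if (!p) return -1;
    l->frames = p;
    l->cap = ncap;
    return 0;
}

/* Before: error dropped, so the caller's tally outruns what is stored. */
size_t place_unchecked(FloaterList *l, size_t n) {
    size_t believed = 0;
    for (size_t i = 0; i < n; i++, believed++)
        (void)floater_add(l, (int)i + 1);   /* return value ignored */
    return believed;  /* as a loop bound this walks past l->count */
}

/* After: check the error and grow on demand. */
int place_checked(FloaterList *l, size_t n) {
    for (size_t i = 0; i < n; i++)
        while (floater_add(l, (int)i + 1) != 0)
            if (floater_grow(l) != 0) return -1;
    return 0;
}

int main(void) {
    int fixed[4];                       /* constructed sample sizes */
    FloaterList a = { fixed, 0, 4 }, b = { NULL, 0, 0 };
    size_t believed = place_unchecked(&a, 13);
    int rc = place_checked(&b, 13);
    printf("unchecked: believed=%zu stored=%zu\n", believed, a.count);
    printf("checked: rc=%d stored=%zu cap=%zu\n", rc, b.count, b.cap);
    free(b.frames);
}
```

The gap between `believed` and `count` in the unchecked path is the defect class: any later loop that trusts the caller's tally reads entries that were never written.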

Updated

20 years ago
Status: RESOLVED → VERIFIED

Comment 2

20 years ago
Fixed in April 23rd Build.