Closed Bug 54850 Opened 24 years ago Closed 23 years ago

crash when plugin has an inline parent

Categories

(Core Graveyard :: Plug-ins, defect, P1)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Windows 98
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME
Milestone:
mozilla0.9

People

(Reporter: doronr, Assigned: waterson)

References

(
URL
)

Details

(Keywords: crash)

Attachments

(4 files)

Call stack on assertion
13.68 KB, text/plain
Details
the fix to nsObjectFrame.cpp
1.91 KB, patch
Details | Diff | Splinter Review
the fix to nsLineLayout.cpp
707 bytes, patch
Details | Diff | Splinter Review
stack trace
6.88 KB, text/html
Details 
This site uses flash, and loads totally different than in ns4. First, most of
the flash is gone, and 2nd, the Jobs logo keeps moving to the right. There is
also a crash on first load in mozilla 20000093008.

I think all these issue are based on the fact that the flash is not loading.
Sending to Embedding.
Actually, Plug-ins is the place for Flash, etc. (Embedding APIs is for the
case of embedding the layout engine into some other application).

By the way, on win2k, Nav4.74 doesn't load this page correctly, and IE5 offers
to install Flash5.0 Aug2000, and when I decline, it doesn't load much of
anything either.
Assignee: valeski → av
Component: Embedding APIs → Plug-ins
QA Contact: jrgm → shrir
Actually, I can see this working fine on 4.72. I see what Doron is saying. The  
"Jobs" button just keeps on going to the right ... :-)..funny !  Isee this in 
093008 m18 buils on windows.
Keywords: 4xp
jrgm - sorry, stupid me ;(

setting to windows, will try to get this tested on linux/mac.
OS: other → Windows 98
there is - repeatetly proven - a crash on windows (win32), I've just sent in a 
stack trace with the working Talkback bits from today, adding keyword crash, and 
changing to major
Severity: normal → major
Keywords: crash
It is not always consistent, but the problem is (I think) that a negative value 
is passed to nsViewManager::ResizeView as width. Actually, no plugin code 
involved here, think this is strictly layout. Adding buster. Steve if I remember  
correctly you fixed a neg-width problem once. I am attaching the stack trace 
when the assertion occurs.

    
    

    
  
I am able to reproduce this on my Win2k with the a 10/19 pull 
Netscape_20000922_BRANCH.
Looking at the HTML code, it seems that the assertion is caused by the 
interaction between the two tags:
<img width="119" height="54">
<OBJECT WIDTH=100% HEIGHT=100%>

Deleting any of them elliminates the assertion. Some bug in the layout/resize 
code?

    
    

    
  
Nominating for rtm consideration as a flash crasher. Reassigning to buster for
investigation because the cause is believed to lie in layout. Steve, could you
please investigate?
Assignee: av → buster
Keywords: rtm

    
    

    
  
looking into this now.
Status: NEW → ASSIGNED
Priority: P3 → P1

    
    

    
  
flash has a keyword
Keywords: flash

    
    

    
  
I have a stability fix for this that is a simple check to make sure we never let
the width or height of a frame go negative.  But that doesn't make the page lay
out correctly, or get to the heart of the problem.  So I'm going to spend the
rest of the day trying to fix this correctly in nsObjectFrame.cpp, which is
misbehaving badly.

    
    

    
  
I'm about to attach fixes in two files.  They are totally independent, and I
could check in either or both for rtm.

1)The important fix is in nsObjectFrame.cpp.  It applies a fix done by me long
ago for object height measurement to width measurement.  It is extremely safe
and clearly the right thing to do.
2) A second fix in nsLineLayout.cpp.  It verifies that child frames always
return a non-negative width and height.  As a purely defensive move, it sets
negative values to 0 before proceeding.  This protects the block/inline code
from misbehaving frames.  This is as close to 0 risk as a fix can be.  Negative
values are highly illegal, and guaranteed to crash.  We can do nothing but good
for release code by putting in this check (with assertions to alert developers
to misbehaving child frames.)

av, peterl:  please review
waterson:  please super-review
Whiteboard: [rtm need info] [fix in hand]

    
    

    
  
making summary more clear
this problem will cause a crash whenever any object frame (ie, plugin) is
contained within an inline frame and that inline frame is horizontally offset
from it's containing blockby more than half the width of the object frame.
Clear as mud?

The point is, any plugin can trigger the crash simply by virtue of where it is
within the geometry of the page.   So some pages will crash on page load.
Others might only crash at certain window sizes, or as the window is resized.
Other pages might crash as a result of javascript manipulating the document
content or geometry.  Still others might crash based on when and how images load
on that page.  Etc.  It's bad, and it needs to be fixed.
Severity: major → critical
Summary: Flash wierdness → crash when plugin has an inline parent

    
    

    
  
both patches look good, r=peterl

    
  
OS: Windows 98 → All
Hardware: PC → All
Whiteboard: [rtm need info] [fix in hand] → [rtm+] r=peterl, a=waterson

    
    

    
  
sr=waterson

I agree that the math is wakcy. Maybe we can get ianh or jrgm to tinker around
with object borders, padding, etc. where left!=right and top!=bottom, and file
new bugs if necessary.
OS: All → Windows 98
Hardware: All → PC
Whiteboard: [rtm+] r=peterl, a=waterson → [rtm need info] [fix in hand]

    
    

    
  
Looks like GetWidth method did not get the fix which went into GetHeight some 
time ago. r=av.

    
  
Whiteboard: [rtm need info] [fix in hand] → [rtm+] r=peterl, r=av, sr=waterson

    
    

    
  
Moving this bug into candidate limbo.
Please check it into the trunk asap, and report any regressions.
Anticipate that this will probably be changed to rtm double plus on Monday, as
we think we currently have a fall-back RTM candidate in hand.

    
    

    
  
fix checked into trunk

    
    

    
  
PDT marking [rtm++]. This bug is now out of limbo and approved for checkin to
the branch. Please check in ASAP.

Whiteboard: [rtm+] r=peterl, r=av, sr=waterson → [rtm++] r=peterl, r=av, sr=waterson

    
    

    
  
this is fixed win98 2000103004 mozilla trunk.  
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED

    
    

    
  
Is this fixed in the branch ?  

    
    

    
  
yes, this fix was checked in on both the NS branch and on the trunk.

    
    

    
  
I just crashed with my Mac branch build from around 1am PST (trying to load the
url set above).  I don't think this bug is fixed.

    
    

    
  
brade: did the flash load or did the jobs icon move to the right all the time
when you crashed?

    
    

    
  
using build 2000103108 os9 g4 this site loaded - no crash - button did not migrate

    
    

    
  
I tried again and hung; waiting for new bits to test with

    
    

    
  
Using commercial release build 2000-10-31-14 (branch) on NT I do not see crash.
Keywords: vtrunk

    
    

    
  
Looks good on windows branch build 2000-10-31-14-MN6. No crash and page loads 
fine. Plugin used: flash 5.0. Adding keyword: vtrunk

    
    

    
  
The crash I saw yesterday was probably unrelated to this crash; with a Mac build
(2000103114) I can't reproduce the crash I saw (it was probably the blocker
crash bug).

    
    

    
  
verified on trunk win98, linux and mac (thanks to asa).
Status: RESOLVED → VERIFIED
Keywords: vtrunk

    
    

    
  
I still see this (crash) happening today on the branch build (20001108), 
Win2000. :/ Maybe you should check that again...

    
    

    
  
OK, I sent in two talkback reports - it now also happened on the mtrunk build to 
me. Talkback ID of crash on mtrunk build: TB20707879G
I lost the ID of the report on the branch build.

    
    

    
  
works on 11/08 branch build on windows.

    
    

    
  
I couldn't get the page to crash after several reloadings and closing/reopening
page.
AMD K6-2 350MHz, 64M
WinME
Mozilla Trunk Build 2000110804
User-Agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; m18) Gecko/20001108


    
    

    
  
This works fine for me on WinNT, 20001107.  Could somebody in QA test on
Win2000? I'm concerned that someone reports that it still crashes.  Could
somebody attach the talkback report (or at least the url) as well?

    
    

    
  
cannot reproduce crash on windows 2000 (20001107) build. Working fine.

    
    

    
  
WFM using Windows 2000 using a fresh pull of the trunk this morning and works
with the 11/9 branch build.

However, looking at the talkback report, this could still be happening.
Jonas, is there any more information you can give us to reproduce this?

    
    

    
  
Hmm, today that URL crashed my Mozilla on Win32 (Build 2001020604) again. But 
only the first time I visited that URL (http://www.x-tra.ch). Can others please 
doublecheck?

    
    

    
  
yep, crashes with today's trunk on windows 20010206. Reopening.(stack trace 
coming up..)
Status: VERIFIED → REOPENED
Resolution: FIXED → ---

    
    

    
  

      
      
      
      

        Attached file
          
        stack trace
      

    


  

    
    

    
  
This is working fine for me. I do have flash installed (which is what this site
appears to use). What about the people that are reporting crashes?

    
    

    
  
Yes Flash is installed. The second time I visited that page it didn't crash and 
the Flash navigation displayed properly. *shrug*

    
  
Status: REOPENED → ASSIGNED
Whiteboard: [rtm++] r=peterl, r=av, sr=waterson
Target Milestone: --- → mozilla0.9

    
    

    
  
taking
Assignee: buster → waterson
Status: ASSIGNED → NEW

    
    

    
  
Well, I cannot for the life of me reproduce this bug. If anyone can come up with
a reliable test case, attach it and re-open.
Status: NEW → RESOLVED
Closed: 24 years ago23 years ago
Resolution: --- → WORKSFORME

    
  
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: