Closed
Bug 683712
Opened 13 years ago
Closed 13 years ago
Crash [@ CalcQuirkContainingBlockHeight]
Categories
(Core :: Layout, defect, P2)
Core
Layout
Tracking
()
RESOLVED
FIXED
mozilla11
People
(Reporter: martijn.martijn, Assigned: bzbarsky)
References
()
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
|
1.89 KB,
patch
|
MatsPalmgren_bugz
:
review+
|
Details | Diff | Splinter Review |
I have an unminimized testcase with this crash stack: https://crash-stats.mozilla.com/report/index/bp-184613e9-30b4-4e36-a653-a75352110831 0 xul.dll CalcQuirkContainingBlockHeight layout/generic/nsHTMLReflowState.cpp:1548 1 xul.dll nsHTMLReflowState::InitConstraints 2 xul.dll nsTArray<nsIFrame*,nsTArrayDefaultAllocator>::Clear obj-firefox/dist/include/nsTArray.h:886 3 xul.dll nsStyleContext::DoGetStylePadding obj-firefox/dist/include/nsStyleStructList.h:139 4 xul.dll nsHTMLReflowState::Init layout/generic/nsHTMLReflowState.cpp:282 Dumping it here, maybe someone can fix it by looking at the stack.
|
||
Comment 1•13 years ago
|
||
Is it a regression?
|
Reporter | |
Comment 2•13 years ago
|
||
It's also happening in a 2011-08-24 build, so it's not a regression from bug 679933. I'll try to get a testcase next week or so.
|
Assignee | |
Comment 3•13 years ago
|
||
It's a null deref crash on this code: rs->parentReflowState->frame->GetType() rs is known-null here, so I would guess rs->parentReflowState is null. Martijn, can you attach the unminimized testcase? Might well be fixable from that.
|
||
Comment 4•13 years ago
|
||
http://www.mxgraph.com/demo/markup/webkitbg.html Nightly, Aurora, Beta - Linux, Mac, Windows.
|
|
Assignee | |
Comment 5•13 years ago
|
||
Bob, thanks! As expected, rs->parentReflowState is null. rs->frame->mContent is a nsSVGForeignObjectElement, and rs->frame is correctly an nsBlockFrame. Sounds like our basic assumption here is that an nsBlockFrame can't be a reflow root, and that's just not true. We probably just need to add a null-check for rs->parentReflowState.
|
|
Assignee | |
Comment 6•13 years ago
|
||
Attachment #572392 -
Flags: review?(matspal)
|
|
Assignee | |
Updated•13 years ago
|
Assignee: nobody → bzbarsky
Priority: -- → P2
Whiteboard: [need review]
Shouldn't the fixed height of a foreignObject be relevant when computing percentage heights on its kids? (If it is, why are we in this code?)
|
|
Assignee | |
Comment 8•13 years ago
|
||
> Shouldn't the fixed height of a foreignObject be relevant when computing percentage
> heights on its kids?
It is, but in this case we have a percent-height kid of an auto height kid of the <foreignObject>. And the page is in quirks mode, so the innermost block ends up in CalcQuirkContainingBlockHeight.
Or did I misunderstand your question?|
|
||
Updated•13 years ago
|
Attachment #572392 -
Flags: review?(matspal) → review+
|
|
||
Updated•13 years ago
|
OS: Windows 7 → All
Hardware: x86 → All
Whiteboard: [need review]
|
|
Assignee | |
Comment 9•13 years ago
|
||
http://hg.mozilla.org/integration/mozilla-inbound/rev/898f04b9db6b
Flags: in-testsuite+
Target Milestone: --- → mozilla11
|
||
Comment 10•13 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/898f04b9db6b
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•