Bug 696175 - Crash [@ nsLineBox::CachedIsEmpty] with inline acting as an absolute containing block
Status: VERIFIED FIXED
Whiteboard: [qa!]
Keywords: crash, regression, testcase
Product: Core
Classification: Components
Component: Layout
Version: Trunk
Platform: x86_64 Mac OS X
Importance: P1 critical
Target Milestone: mozilla10
Assigned To: Boris Zbarsky [:bz]
Duplicates: 700112
Blocks: stirdom randomstyles 641341 505115
Reported: 2011-10-20 12:32 PDT by Jesse Ruderman
Modified: 2012-01-05 13:27 PST

Attachments
testcase (crashes Firefox when loaded) (443 bytes, text/html)
2011-10-20 12:32 PDT, Jesse Ruderman
stack (19.17 KB, text/plain)
2011-10-20 12:33 PDT, Jesse Ruderman
Testcase that doesn't involve transforms (431 bytes, text/html)
2011-11-03 08:53 PDT, Boris Zbarsky [:bz]
testcase for abs-pos child of vertically-broken block (375 bytes, text/html)
2011-11-06 14:18 PST, Robert O'Callahan (:roc) (email my personal email if necessary)

Description Jesse Ruderman 2011-10-20 12:32:35 PDT
Created attachment 568472
testcase (crashes Firefox when loaded)

Opt stack: bp-42918735-b72d-489c-9a40-3b5742111020
Comment 1 Jesse Ruderman 2011-10-20 12:33:14 PDT
Created attachment 568474
stack
Comment 2 Matt Woodrow (:mattwoodrow) 2011-11-01 14:51:09 PDT
The nsLineBox here has been deleted.

The dtor stack is:

Breakpoint 8, nsLineBox::~nsLineBox (this=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:86
86	  MOZ_COUNT_DTOR(nsLineBox);
#0  nsLineBox::~nsLineBox (this=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:86
#1  0x000000010165c6d5 in nsLineBox::~nsLineBox (this=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:85
#2  0x000000010165c90c in nsLineBox::Destroy (this=0x108035f70, aPresShell=0x12098f540) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:116
#3  0x00000001015e3a3a in nsBlockReflowState::FreeLineBox (this=0x7fff5fbf0398, aLine=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockReflowState.cpp:163
#4  0x00000001015d2ca8 in nsBlockFrame::PullFrameFrom (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine=0x108035aa0, aFromContainer=0x108034ee8, aFromOverflowLine=false, aFromLine={mCurrent = 0x108035f70, mListLink = 0x108034f60}) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:2668
#5  0x00000001015d2541 in nsBlockFrame::PullFrame (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:2561
#6  0x00000001015d46aa in nsBlockFrame::DoReflowInlineFrames (this=0x108034ee8, aState=@0x7fff5fbf0398, aLineLayout=@0x7fff5fbef238, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aFloatAvailableSpace=@0x7fff5fbef360, aAvailableSpaceHeight=@0x7fff5fbef358, aFloatStateBeforeLine=0x7fff5fbef330, aKeepReflowGoing=0x7fff5fbefdfb, aLineReflowStatus=0x7fff5fbef35c, aAllowPullUp=true) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3625
#7  0x00000001015d21e4 in nsBlockFrame::ReflowInlineFrames (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aKeepReflowGoing=0x7fff5fbefdfb) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3449
#8  0x00000001015cf8d5 in nsBlockFrame::ReflowLine (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aKeepReflowGoing=0x7fff5fbefdfb) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:2536
#9  0x00000001015cb3e6 in nsBlockFrame::ReflowDirtyLines (this=0x108034ee8, aState=@0x7fff5fbf0398) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:1962

Crash stack is:

#0  0x000000010165d49e in nsLineBox::IsEmpty (this=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:274
#1  0x000000010165d580 in nsLineBox::CachedIsEmpty (this=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:295
#2  0x000000010164425f in nsHTMLReflowState::CalculateHypotheticalBox (this=0x7fff5fbee068, aPresContext=0x120954a00, aPlaceholderFrame=0x108035a40, aContainingBlock=0x108034ee8, aBlockLeftContentEdge=0, aBlockContentWidth=480, cbrs=0x7fff5fbee9e8, aHypotheticalBox=@0x7fff5fbed928, aFrameType=0x10015e310) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:957
#3  0x0000000101644a61 in nsHTMLReflowState::InitAbsoluteConstraints (this=0x7fff5fbee068, aPresContext=0x120954a00, cbrs=0x7fff5fbee9e8, containingBlockWidth=0, containingBlockHeight=960, aFrameType=0x10015e310) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:1125
#4  0x0000000101642fab in nsHTMLReflowState::InitConstraints (this=0x7fff5fbee068, aPresContext=0x120954a00, aContainingBlockWidth=0, aContainingBlockHeight=960, aBorder=0x0, aPadding=0x0, aFrameType=0x10015e310) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:1812
#5  0x00000001016413c1 in nsHTMLReflowState::Init (this=0x7fff5fbee068, aPresContext=0x120954a00, aContainingBlockWidth=0, aContainingBlockHeight=960, aBorder=0x0, aPadding=0x0) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:289
#6  0x000000010164188c in nsHTMLReflowState::nsHTMLReflowState (this=0x7fff5fbee068, aPresContext=0x120954a00, aParentReflowState=@0x7fff5fbee9e8, aFrame=0x108035900, aAvailableSpace=@0x7fff5fbee060, aContainingBlockWidth=0, aContainingBlockHeight=960, aInit=true) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:179
#7  0x00000001016414c3 in nsHTMLReflowState::nsHTMLReflowState (this=0x7fff5fbee068, aPresContext=0x120954a00, aParentReflowState=@0x7fff5fbee9e8, aFrame=0x108035900, aAvailableSpace=@0x7fff5fbee060, aContainingBlockWidth=0, aContainingBlockHeight=960, aInit=true) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:137
#8  0x00000001015c30d0 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame (this=0x136507db0, aDelegatingFrame=0x108035810, aPresContext=0x120954a00, aReflowState=@0x7fff5fbee9e8, aContainingBlockWidth=0, aContainingBlockHeight=960, aConstrainHeight=true, aKidFrame=0x108035900, aStatus=@0x7fff5fbee468, aOverflowAreas=0x7fff5fbee9bc) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsAbsoluteContainingBlock.cpp:422
#9  0x00000001015c24bf in nsAbsoluteContainingBlock::Reflow (this=0x136507db0, aDelegatingFrame=0x108035810, aPresContext=0x120954a00, aReflowState=@0x7fff5fbee9e8, aReflowStatus=@0x7fff5fbeed7c, aContainingBlockWidth=0, aContainingBlockHeight=960, aConstrainHeight=true, aCBWidthChanged=true, aCBHeightChanged=true, aOverflowAreas=0x7fff5fbee9bc) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsAbsoluteContainingBlock.cpp:155
#10 0x0000000101605f9b in nsFrame::ReflowAbsoluteFrames (this=0x108035810, aPresContext=0x120954a00, aDesiredSize=@0x7fff5fbee990, aReflowState=@0x7fff5fbee9e8, aStatus=@0x7fff5fbeed7c) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsFrame.cpp:3899
#11 0x0000000101659156 in nsInlineFrame::Reflow (this=0x108035810, aPresContext=0x120954a00, aMetrics=@0x7fff5fbee990, aReflowState=@0x7fff5fbee9e8, aStatus=@0x7fff5fbeed7c) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsInlineFrame.cpp:417
#12 0x00000001016618ef in nsLineLayout::ReflowFrame (this=0x7fff5fbef238, aFrame=0x108035810, aReflowStatus=@0x7fff5fbeed7c, aMetrics=0x0, aPushedFrame=@0x7fff5fbeed7b) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineLayout.cpp:860
#13 0x00000001015d50b1 in nsBlockFrame::ReflowInlineFrame (this=0x108034ee8, aState=@0x7fff5fbf0398, aLineLayout=@0x7fff5fbef238, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aFrame=0x108035810, aLineReflowStatus=0x7fff5fbef0e8) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3801
#14 0x00000001015d4747 in nsBlockFrame::DoReflowInlineFrames (this=0x108034ee8, aState=@0x7fff5fbf0398, aLineLayout=@0x7fff5fbef238, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aFloatAvailableSpace=@0x7fff5fbef360, aAvailableSpaceHeight=@0x7fff5fbef358, aFloatStateBeforeLine=0x7fff5fbef330, aKeepReflowGoing=0x7fff5fbefdfb, aLineReflowStatus=0x7fff5fbef35c, aAllowPullUp=true) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3632
#15 0x00000001015d21e4 in nsBlockFrame::ReflowInlineFrames (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aKeepReflowGoing=0x7fff5fbefdfb) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3449
#16 0x00000001015cf8d5 in nsBlockFrame::ReflowLine (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aKeepReflowGoing=0x7fff5fbefdfb) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:2536
#17 0x00000001015cb3e6 in nsBlockFrame::ReflowDirtyLines (this=0x108034ee8, aState=@0x7fff5fbf0398) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:1962
#18 0x00000001015c856b in nsBlockFrame::Reflow (this=0x108034ee8, aPresContext=0x120954a00, aMetrics=@0x7fff5fbf0e40, aReflowState=@0x7fff5fbf0b90, aStatus=@0x7fff5fbf0b74) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:1051
#19 0x00000001015e2cfb in nsBlockReflowContext::ReflowBlock (this=0x7fff5fbf0e10, aSpace=@0x7fff5fbf0c88, aApplyTopMargin=false, aPrevMargin=@0x7fff5fbf1f78, aClearance=0, aIsAdjacentWithTop=true, aLine=0x108035ae0, aFrameRS=@0x7fff5fbf0b90, aFrameReflowStatus=@0x7fff5fbf0b74, aState=@0x7fff5fbf1eb8) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockReflowContext.cpp:294
#20 0x00000001015d0e16 in nsBlockFrame::ReflowBlockFrame (this=0x108034dc0, aState=@0x7fff5fbf1eb8, aLine={mCurrent = 0x108035ae0, mListLink = 0x108034e38}, aKeepReflowGoing=0x7fff5fbf191b) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3173
#21 0x00000001015cf4e6 in nsBlockFrame::ReflowLine (this=0x108034dc0, aState=@0x7fff5fbf1eb8, aLine={mCurrent = 0x108035ae0, mListLink = 0x108034e38}, aKeepReflowGoing=0x7fff5fbf191b) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:2480
#22 0x00000001015cb3e6 in nsBlockFrame::ReflowDirtyLines (this=0x108034dc0, aState=@0x7fff5fbf1eb8) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:1962
#23 0x00000001015c856b in nsBlockFrame::Reflow (this=0x108034dc0, aPresContext=0x120954a00, aMetrics=@0x7fff5fbf2960, aReflowState=@0x7fff5fbf26b0, aStatus=@0x7fff5fbf2694) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:1051
#24 0x00000001015e2cfb in nsBlockReflowContext::ReflowBlock (this=0x7fff5fbf2930, aSpace=@0x7fff5fbf27a8, aApplyTopMargin=true, aPrevMargin=@0x7fff5fbf3a98, aClearance=0, aIsAdjacentWithTop=true, aLine=0x108034e60, aFrameRS=@0x7fff5fbf26b0, aFrameReflowStatus=@0x7fff5fbf2694, aState=@0x7fff5fbf39d8) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockReflowContext.cpp:294

They diverge at nsBlockFrame::DoReflowInlineFrames (frame 6/14 respectively).

The placeholder frame (PresContext->PresShell()->FrameManager()->GetPlaceholderFrameFor) for frame 0x108035900 is still holding a pointer to the same line box as was destroyed via PullFrame.

Anyone know more about the lifetimes of these objects?
Comment 3 Boris Zbarsky [:bz] 2011-11-01 19:41:11 PDT
Line box lifetime is "as long as there is stuff on the line"...
Comment 4 Matt Woodrow (:mattwoodrow) 2011-11-02 16:17:02 PDT
Sorry, I meant in particular, why we're deleting the line box, when a pointer to it is still held by the placeholder frame.
Comment 5 Boris Zbarsky [:bz] 2011-11-02 16:49:26 PDT
Hmm.  Is this the mCachedLineBox pointer?

That working correctly is predicated on the placeholder always being reflowed before the nsAbsoluteContainingBlock::ReflowAbsoluteFrame for its out-of-flow; nsPlaceholderFrame::Reflow updates mCachedLineBox.

Sounds like that's failing for some reason.  Do you want to debug that, or want me to?
Comment 6 Matt Woodrow (:mattwoodrow) 2011-11-02 22:30:06 PDT
It is indeed.

It might be easier for you to debug it if you know this code. I'll give it a shot if you're busy though.
Comment 7 Boris Zbarsky [:bz] 2011-11-03 08:36:45 PDT
OK.  So in this case the transformed inline is the absolute containing block.  And it has the placeholder on its overflow list when the abs pos element is being reflowed!

There's actually an XXX comment about that in CalculateHypotheticalBox:

  // XXXbz the placeholder is not fully reflowed yet if our containing block is
  // relatively positioned...

When I added mCachedLineBox, I'd thought that in that code aContainingBlock was actually the CSS containing block.  But it's not.  It's the containing block of the _placeholder_, which in this case is the nsBlockFrame.

roc, do you think we can just go through the "no line box" case for an inline parent?  Or should I try to reinstate the slow block iterator path for that case?
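
A simplified model of the failure analysed in comments 2 to 7, added here as an illustration and not taken from the bug or from Gecko: a placeholder caches a raw pointer to its line, the line is freed by a pull before the placeholder is reflowed again, and a validated lookup falls back to a slow walk of the block's lines. `Line`, `Block`, `Placeholder` and every method name are hypothetical stand-ins.

```cpp
#include <algorithm>
#include <list>
#include <memory>
#include <vector>

// Hypothetical model types, not Gecko's classes. Line::frames holds frame ids.
struct Line { std::vector<int> frames; };

struct Block {
  std::list<std::unique_ptr<Line>> lines;
  Line* AddLine(std::vector<int> f) {
    lines.push_back(std::make_unique<Line>(Line{std::move(f)}));
    return lines.back().get();
  }
  // Pull the first frame of `from` into `into`; free `from` once it is empty.
  void PullFrame(Line* into, Line* from) {
    into->frames.push_back(from->frames.front());
    from->frames.erase(from->frames.begin());
    if (from->frames.empty())
      lines.remove_if([from](const std::unique_ptr<Line>& l) { return l.get() == from; });
  }
  static bool Holds(const Line& l, int f) { return std::count(l.frames.begin(), l.frames.end(), f) > 0; }
  // Compares addresses only, so it never dereferences a dangling pointer.
  bool IsLive(const Line* p) const {
    return std::any_of(lines.begin(), lines.end(),
                       [p](const std::unique_ptr<Line>& l) { return l.get() == p; });
  }
  Line* FindLineOf(int frame) const {  // slow path: walk every line
    for (const auto& l : lines) if (Holds(*l, frame)) return l.get();
    return nullptr;
  }
};

struct Placeholder {
  int id;
  Line* cachedLine = nullptr;  // refreshed only when the placeholder is reflowed
  void Reflow(const Block& b) { cachedLine = b.FindLineOf(id); }
  // Validated lookup: use the cache only if the line is live and still holds us.
  Line* LineForAbsPosChild(const Block& b) const {
    bool ok = b.IsLive(cachedLine) && Block::Holds(*cachedLine, id);
    return ok ? cachedLine : b.FindLineOf(id);
  }
};

// Ordering from the thread: the line is freed before the placeholder reflows again.
bool CacheDanglesAfterPull(Block& b, Placeholder& ph) {
  Line* first = b.AddLine({1});
  b.AddLine({ph.id});
  ph.Reflow(b);                       // cache now points at the second line
  b.PullFrame(first, ph.cachedLine);  // second line is emptied and freed
  return !b.IsLive(ph.cachedLine);
}
```

An unvalidated lookup would return `cachedLine` directly at this point, which corresponds to the read of a destroyed line box in the crash stack above.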
Comment 8 Boris Zbarsky [:bz] 2011-11-03 08:53:11 PDT
Created attachment 571659
Testcase that doesn't involve transforms
Comment 9 Boris Zbarsky [:bz] 2011-11-06 07:49:21 PST
*** Bug 700112 has been marked as a duplicate of this bug. ***
Comment 10 Robert O'Callahan (:roc) (email my personal email if necessary) 2011-11-06 14:13:43 PST
(In reply to Boris Zbarsky (:bz) from comment #7)
> roc, do you think we can just go through the "no line box" case for an
> inline parent?

That would break auto positioning of abs-pos children of inlines, would it not?

> Or should I try to reinstate the slow block iterator path
> for that case?

Seems to me the best thing to do would be to fix layout of abs-pos elements whose container is a rel-pos inline. Although it's not clear how that should actually work in general ... consider an inline that breaks across a page, for example, with an abs-pos child with left:0, bottom:0. Which page should it be on? left:0, top:auto, where the placeholder ends up on the second page, is also interesting.
Comment 11 Robert O'Callahan (:roc) (email my personal email if necessary) 2011-11-06 14:18:28 PST
Created attachment 572336
testcase for abs-pos child of vertically-broken block

Our layout of this testcase is wrong too.

We really need to change abs-pos layout so that the abs-pos children are not positioned until we've reflowed the last continuation for the container element.

That would give us the problem of not having the right overflow areas calculated when the non-last-continuations finish Reflow(). But we can probably fix those up reusing the work in bug 524925.
Comment 12 Boris Zbarsky [:bz] 2011-11-06 18:22:28 PST
> That would break auto positioning of abs-pos children of inlines, would it not?

Well...  "break" in that it would use the placeholder position instead of the line box extents.  How much do those differ in practice?

> But we can probably fix those up reusing the work in bug 524925.

Yes.  Once that lands I'd sort of like to move to a model where we do all the abs pos reflow off a post-reflow callback or equivalent, once all the in-flow stuff is done.  That would fix a bunch of bugs we have with rel pos inlines as containing blocks.

For Firefox 10, that's not happening.  The options there are to back out bug 641341 on Aurora after the branchpoint or one of the options from comment 7.  I'm tempted to restore the slow path for the rel-pos inline case, myself.
Comment 13 Boris Zbarsky [:bz] 2011-11-06 18:55:27 PST
OK, talked to roc; I'm going to back bug 641341 out until we can do it right....
Comment 15 Marco Bonardo [::mak] 2011-11-07 03:47:51 PST
https://hg.mozilla.org/mozilla-central/rev/5b3aeb566a97
https://hg.mozilla.org/mozilla-central/rev/81583c38f47e

Boris, should this bug be resolved after the backout?
Comment 16 Boris Zbarsky [:bz] 2011-11-07 05:17:27 PST
Yes.  Thanks for merging that!
Comment 17 Ioana (away) 2011-11-21 00:44:45 PST
Verified as fixed with the first attached test case on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a1) Gecko/20111117 
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0a2) Gecko/20111116 Firefox/10.0a2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0) Gecko/20100101 Firefox/9.0

Verified as fixed with the last two attached test cases on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0a2) Gecko/20111114 Firefox/10.0a2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0a1) Gecko/20111115 Firefox/11.0a1
Comment 18 Ioana (away) 2011-11-21 01:17:25 PST
sorry, changed the component by mistake...