Crash [@ nsLineBox::CachedIsEmpty] with inline acting as an absolute containing block

VERIFIED FIXED in mozilla10

Status


Core
Layout
P1
critical
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Assigned: bz)

Tracking

(Blocks: 3 bugs, {crash, regression, testcase})

Trunk
mozilla10
x86_64
Mac OS X
crash, regression, testcase

Firefox Tracking Flags

(firefox10-)

Details

(Whiteboard: [qa!], crash signature)

Attachments

(4 attachments)

(Reporter)

Description

6 years ago
Created attachment 568472 [details]
testcase (crashes Firefox when loaded)

Opt stack: bp-42918735-b72d-489c-9a40-3b5742111020
(Reporter)

Comment 1

6 years ago
Created attachment 568474 [details]
stack
The nsLineBox here has been deleted.

The dtor stack is:

Breakpoint 8, nsLineBox::~nsLineBox (this=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:86
86	  MOZ_COUNT_DTOR(nsLineBox);
#0  nsLineBox::~nsLineBox (this=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:86
#1  0x000000010165c6d5 in nsLineBox::~nsLineBox (this=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:85
#2  0x000000010165c90c in nsLineBox::Destroy (this=0x108035f70, aPresShell=0x12098f540) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:116
#3  0x00000001015e3a3a in nsBlockReflowState::FreeLineBox (this=0x7fff5fbf0398, aLine=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockReflowState.cpp:163
#4  0x00000001015d2ca8 in nsBlockFrame::PullFrameFrom (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine=0x108035aa0, aFromContainer=0x108034ee8, aFromOverflowLine=false, aFromLine={mCurrent = 0x108035f70, mListLink = 0x108034f60}) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:2668
#5  0x00000001015d2541 in nsBlockFrame::PullFrame (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:2561
#6  0x00000001015d46aa in nsBlockFrame::DoReflowInlineFrames (this=0x108034ee8, aState=@0x7fff5fbf0398, aLineLayout=@0x7fff5fbef238, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aFloatAvailableSpace=@0x7fff5fbef360, aAvailableSpaceHeight=@0x7fff5fbef358, aFloatStateBeforeLine=0x7fff5fbef330, aKeepReflowGoing=0x7fff5fbefdfb, aLineReflowStatus=0x7fff5fbef35c, aAllowPullUp=true) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3625
#7  0x00000001015d21e4 in nsBlockFrame::ReflowInlineFrames (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aKeepReflowGoing=0x7fff5fbefdfb) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3449
#8  0x00000001015cf8d5 in nsBlockFrame::ReflowLine (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aKeepReflowGoing=0x7fff5fbefdfb) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:2536
#9  0x00000001015cb3e6 in nsBlockFrame::ReflowDirtyLines (this=0x108034ee8, aState=@0x7fff5fbf0398) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:1962

Crash stack is:

#0  0x000000010165d49e in nsLineBox::IsEmpty (this=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:274
#1  0x000000010165d580 in nsLineBox::CachedIsEmpty (this=0x108035f70) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineBox.cpp:295
#2  0x000000010164425f in nsHTMLReflowState::CalculateHypotheticalBox (this=0x7fff5fbee068, aPresContext=0x120954a00, aPlaceholderFrame=0x108035a40, aContainingBlock=0x108034ee8, aBlockLeftContentEdge=0, aBlockContentWidth=480, cbrs=0x7fff5fbee9e8, aHypotheticalBox=@0x7fff5fbed928, aFrameType=0x10015e310) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:957
#3  0x0000000101644a61 in nsHTMLReflowState::InitAbsoluteConstraints (this=0x7fff5fbee068, aPresContext=0x120954a00, cbrs=0x7fff5fbee9e8, containingBlockWidth=0, containingBlockHeight=960, aFrameType=0x10015e310) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:1125
#4  0x0000000101642fab in nsHTMLReflowState::InitConstraints (this=0x7fff5fbee068, aPresContext=0x120954a00, aContainingBlockWidth=0, aContainingBlockHeight=960, aBorder=0x0, aPadding=0x0, aFrameType=0x10015e310) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:1812
#5  0x00000001016413c1 in nsHTMLReflowState::Init (this=0x7fff5fbee068, aPresContext=0x120954a00, aContainingBlockWidth=0, aContainingBlockHeight=960, aBorder=0x0, aPadding=0x0) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:289
#6  0x000000010164188c in nsHTMLReflowState::nsHTMLReflowState (this=0x7fff5fbee068, aPresContext=0x120954a00, aParentReflowState=@0x7fff5fbee9e8, aFrame=0x108035900, aAvailableSpace=@0x7fff5fbee060, aContainingBlockWidth=0, aContainingBlockHeight=960, aInit=true) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:179
#7  0x00000001016414c3 in nsHTMLReflowState::nsHTMLReflowState (this=0x7fff5fbee068, aPresContext=0x120954a00, aParentReflowState=@0x7fff5fbee9e8, aFrame=0x108035900, aAvailableSpace=@0x7fff5fbee060, aContainingBlockWidth=0, aContainingBlockHeight=960, aInit=true) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsHTMLReflowState.cpp:137
#8  0x00000001015c30d0 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame (this=0x136507db0, aDelegatingFrame=0x108035810, aPresContext=0x120954a00, aReflowState=@0x7fff5fbee9e8, aContainingBlockWidth=0, aContainingBlockHeight=960, aConstrainHeight=true, aKidFrame=0x108035900, aStatus=@0x7fff5fbee468, aOverflowAreas=0x7fff5fbee9bc) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsAbsoluteContainingBlock.cpp:422
#9  0x00000001015c24bf in nsAbsoluteContainingBlock::Reflow (this=0x136507db0, aDelegatingFrame=0x108035810, aPresContext=0x120954a00, aReflowState=@0x7fff5fbee9e8, aReflowStatus=@0x7fff5fbeed7c, aContainingBlockWidth=0, aContainingBlockHeight=960, aConstrainHeight=true, aCBWidthChanged=true, aCBHeightChanged=true, aOverflowAreas=0x7fff5fbee9bc) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsAbsoluteContainingBlock.cpp:155
#10 0x0000000101605f9b in nsFrame::ReflowAbsoluteFrames (this=0x108035810, aPresContext=0x120954a00, aDesiredSize=@0x7fff5fbee990, aReflowState=@0x7fff5fbee9e8, aStatus=@0x7fff5fbeed7c) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsFrame.cpp:3899
#11 0x0000000101659156 in nsInlineFrame::Reflow (this=0x108035810, aPresContext=0x120954a00, aMetrics=@0x7fff5fbee990, aReflowState=@0x7fff5fbee9e8, aStatus=@0x7fff5fbeed7c) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsInlineFrame.cpp:417
#12 0x00000001016618ef in nsLineLayout::ReflowFrame (this=0x7fff5fbef238, aFrame=0x108035810, aReflowStatus=@0x7fff5fbeed7c, aMetrics=0x0, aPushedFrame=@0x7fff5fbeed7b) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsLineLayout.cpp:860
#13 0x00000001015d50b1 in nsBlockFrame::ReflowInlineFrame (this=0x108034ee8, aState=@0x7fff5fbf0398, aLineLayout=@0x7fff5fbef238, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aFrame=0x108035810, aLineReflowStatus=0x7fff5fbef0e8) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3801
#14 0x00000001015d4747 in nsBlockFrame::DoReflowInlineFrames (this=0x108034ee8, aState=@0x7fff5fbf0398, aLineLayout=@0x7fff5fbef238, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aFloatAvailableSpace=@0x7fff5fbef360, aAvailableSpaceHeight=@0x7fff5fbef358, aFloatStateBeforeLine=0x7fff5fbef330, aKeepReflowGoing=0x7fff5fbefdfb, aLineReflowStatus=0x7fff5fbef35c, aAllowPullUp=true) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3632
#15 0x00000001015d21e4 in nsBlockFrame::ReflowInlineFrames (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aKeepReflowGoing=0x7fff5fbefdfb) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3449
#16 0x00000001015cf8d5 in nsBlockFrame::ReflowLine (this=0x108034ee8, aState=@0x7fff5fbf0398, aLine={mCurrent = 0x108035aa0, mListLink = 0x108034f60}, aKeepReflowGoing=0x7fff5fbefdfb) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:2536
#17 0x00000001015cb3e6 in nsBlockFrame::ReflowDirtyLines (this=0x108034ee8, aState=@0x7fff5fbf0398) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:1962
#18 0x00000001015c856b in nsBlockFrame::Reflow (this=0x108034ee8, aPresContext=0x120954a00, aMetrics=@0x7fff5fbf0e40, aReflowState=@0x7fff5fbf0b90, aStatus=@0x7fff5fbf0b74) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:1051
#19 0x00000001015e2cfb in nsBlockReflowContext::ReflowBlock (this=0x7fff5fbf0e10, aSpace=@0x7fff5fbf0c88, aApplyTopMargin=false, aPrevMargin=@0x7fff5fbf1f78, aClearance=0, aIsAdjacentWithTop=true, aLine=0x108035ae0, aFrameRS=@0x7fff5fbf0b90, aFrameReflowStatus=@0x7fff5fbf0b74, aState=@0x7fff5fbf1eb8) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockReflowContext.cpp:294
#20 0x00000001015d0e16 in nsBlockFrame::ReflowBlockFrame (this=0x108034dc0, aState=@0x7fff5fbf1eb8, aLine={mCurrent = 0x108035ae0, mListLink = 0x108034e38}, aKeepReflowGoing=0x7fff5fbf191b) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:3173
#21 0x00000001015cf4e6 in nsBlockFrame::ReflowLine (this=0x108034dc0, aState=@0x7fff5fbf1eb8, aLine={mCurrent = 0x108035ae0, mListLink = 0x108034e38}, aKeepReflowGoing=0x7fff5fbf191b) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:2480
#22 0x00000001015cb3e6 in nsBlockFrame::ReflowDirtyLines (this=0x108034dc0, aState=@0x7fff5fbf1eb8) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:1962
#23 0x00000001015c856b in nsBlockFrame::Reflow (this=0x108034dc0, aPresContext=0x120954a00, aMetrics=@0x7fff5fbf2960, aReflowState=@0x7fff5fbf26b0, aStatus=@0x7fff5fbf2694) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockFrame.cpp:1051
#24 0x00000001015e2cfb in nsBlockReflowContext::ReflowBlock (this=0x7fff5fbf2930, aSpace=@0x7fff5fbf27a8, aApplyTopMargin=true, aPrevMargin=@0x7fff5fbf3a98, aClearance=0, aIsAdjacentWithTop=true, aLine=0x108034e60, aFrameRS=@0x7fff5fbf26b0, aFrameReflowStatus=@0x7fff5fbf2694, aState=@0x7fff5fbf39d8) at /Users/mattwoodrow/src/mozilla-central2/layout/generic/nsBlockReflowContext.cpp:294

They diverge at nsBlockFrame::DoReflowInlineFrames (frame 6/14 respectively).

The placeholder frame (PresContext->PresShell()->FrameManager()->GetPlaceholderFrameFor) for frame 0x108035900 is still holding a pointer to the same line box as was destroyed via PullFrame.

Anyone know more about the lifetimes of these objects?
Line box lifetime is "as long as there is stuff on the line"...
Sorry, I meant in particular, why we're deleting the line box, when a pointer to it is still held by the placeholder frame.
Hmm.  Is this the mCachedLineBox pointer?

That working correctly is predicated on the placeholder always being reflowed before the nsAbsoluteContainingBlock::ReflowAbsoluteFrame for its out-of-flow; nsPlaceholderFrame::Reflow updates mCachedLineBox.

Sounds like that's failing for some reason.  Do you want to debug that, or want me to?
It is indeed.

It might be easier for you to debug it if you know this code. I'll give it a shot if you're busy though.
OK.  So in this case the transformed inline is the absolute containing block.  And it has the placeholder on its overflow list when the abs pos element is being reflowed!

There's actually an XXX comment about that in CalculateHypotheticalBox:

  // XXXbz the placeholder is not fully reflowed yet if our containing block is
  // relatively positioned...

When I added mCachedLineBox, I'd thought that in that code aContainingBlock was actually the CSS containing block.  But it's not.  It's the containing block of the _placeholder_, which in this case is the nsBlockFrame.

roc, do you think we can just go through the "no line box" case for an inline parent?  Or should I try to reinstate the slow block iterator path for that case?
Assignee: nobody → bzbarsky
Blocks: 641341
tracking-firefox10: --- → ?
Keywords: regression
Priority: -- → P1
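
Added example, not part of the bug thread and not Gecko code: a simplified C++ model of the cached-line-pointer invariant discussed above. The placeholder's cached line is trusted only if the block's line list has not changed since the placeholder was last reflowed; otherwise the slow walk over the block's lines is used. All type and member names (Line, Block, Placeholder, generation) are hypothetical.

```cpp
// Simplified model, not Gecko code; every name here is hypothetical.
#include <cstdint>
#include <iterator>
#include <list>
#include <vector>

struct Line { std::vector<int> frames; };   // ids of the frames on this line

struct Block {
    std::list<Line> lines;
    std::uint64_t generation = 0;           // bumped whenever the line list changes
    // Models a pull-up: move the first frame of `from` onto `to` and free
    // `from` if that leaves it empty. Pointers to `from` dangle afterwards.
    void pull_frame(std::list<Line>::iterator to, std::list<Line>::iterator from) {
        to->frames.push_back(from->frames.front());
        from->frames.erase(from->frames.begin());
        if (from->frames.empty()) lines.erase(from);
        ++generation;
    }
    Line* find_line(int frame) {            // slow path: walk every line
        for (Line& l : lines)
            for (int f : l.frames)
                if (f == frame) return &l;
        return nullptr;
    }
};

struct Placeholder {
    int id;
    Line* cached_line = nullptr;
    std::uint64_t cached_gen = 0;
    void reflow(Block& b) {                 // the only place the cache is refreshed
        cached_line = b.find_line(id);
        cached_gen = b.generation;
    }
    // Called when positioning the out-of-flow frame. The generation is checked
    // first so a stale pointer is never read, let alone dereferenced.
    Line* line_for_abs_pos(Block& b, bool* used_slow_path) {
        *used_slow_path = cached_gen != b.generation || cached_line == nullptr;
        if (*used_slow_path) reflow(b);
        return cached_line;
    }
};

int main() {  // constructed scenario: placeholder 42 sits on the line that is freed
    Block b; b.lines.push_back(Line{{1}}); b.lines.push_back(Line{{42}});
    Placeholder ph{42}; ph.reflow(b);
    b.pull_frame(b.lines.begin(), std::next(b.lines.begin()));
    bool slow = false;
    return (ph.line_for_abs_pos(b, &slow) == &b.lines.front() && slow) ? 0 : 1;
}
```
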
Created attachment 571659 [details]
Testcase that doesn't involve transforms
Summary: Crash [@ nsLineBox::CachedIsEmpty] with scale3d transform → Crash [@ nsLineBox::CachedIsEmpty] with inline acting as an absolute containing block
Duplicate of this bug: 700112
(In reply to Boris Zbarsky (:bz) from comment #7)
> roc, do you think we can just go through the "no line box" case for an
> inline parent?

That would break auto positioning of abs-pos children of inlines, would it not?

> Or should I try to reinstate the slow block iterator path
> for that case?

Seems to me the best thing to do would be to fix layout of abs-pos elements whose container is a rel-pos inline. Although it's not clear how that should actually work in general ... consider an inline that breaks across a page, for example, with an abs-pos child with left:0, bottom:0. Which page should it be on? left:0, top:auto, where the placeholder ends up on the second page, is also interesting.
Created attachment 572336 [details]
testcase for abs-pos child of vertically-broken block

Our layout of this testcase is wrong too.

We really need to change abs-pos layout so that the abs-pos children are not positioned until we've reflowed the last continuation for the container element.

That would give us the problem of not having the right overflow areas calculated when the non-last-continuations finish Reflow(). But we can probably fix those up reusing the work in bug 524925.
> That would break auto positioning of abs-pos children of inlines, would it not?

Well...  "break" in that it would use the placeholder position instead of the line box extents.  How much do those differ in practice?

> But we can probably fix those up reusing the work in bug 524925.

Yes.  Once that lands I'd sort of like to move to a model where we do all the abs pos reflow off a post-reflow callback or equivalent, once all the in-flow stuff is done.  That would fix a bunch of bugs we have with rel pos inlines as containing blocks.

For Firefox 10, that's not happening.  The options there are to back out bug 641341 on Aurora after the branchpoint or one of the options from comment 7.  I'm tempted to restore the slow path for the rel-pos inline case, myself.
OK, talked to roc; I'm going to back bug 641341 out until we can do it right....
Backout done:

http://hg.mozilla.org/integration/mozilla-inbound/rev/5b3aeb566a97
http://hg.mozilla.org/integration/mozilla-inbound/rev/81583c38f47e
https://hg.mozilla.org/mozilla-central/rev/5b3aeb566a97
https://hg.mozilla.org/mozilla-central/rev/81583c38f47e

Boris, should this bug be resolved after the backout?
Yes.  Thanks for merging that!
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Comment 17

6 years ago
Verified as fixed with the first attached test case on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a1) Gecko/20111117 
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0a2) Gecko/20111116 Firefox/10.0a2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0) Gecko/20100101 Firefox/9.0

Verified as fixed with the last two attached test cases on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0a2) Gecko/20111114 Firefox/10.0a2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0a1) Gecko/20111115 Firefox/11.0a1
Status: RESOLVED → VERIFIED
Component: Layout → Keyboard: Navigation
Whiteboard: [qa!]

Comment 18

6 years ago
sorry, changed the component by mistake...
Component: Keyboard: Navigation → Layout

Updated

6 years ago
tracking-firefox10: ? → -
Target Milestone: --- → mozilla10