What's happening here is that we enter an infinite loop by oscillating
between two states. The code assumes that (a) the available space will
never grow, only stay the same or shrink, and (b) that we should break
out of the loop if it stays the same. This also means we hit the
assertion about the available space growing every other time through the
loop.
This is in the inner loop in nsBlockFrame::ReflowBlockFrame that was
introduced in https://hg.mozilla.org/mozilla-central/rev/80ef9bb2c2e9 .
The problem is fundamentally a logic error in that code. The makes the
assumption that if you reduce the width available to a block formatting
context or replaced block-level element, its height does not shrink.
(The "replaced block" (really block formatting context) in this case, as
in the original testcase, is a scroll frame. I didn't debug the
original testcase enough to figure out what caused its sizing
characteristics, although a percentage-width image does seem like the
most likely candidate.)
Without the patch, the reftest test (but not reference) hangs, as does
the semi-simplified test in the bug (given a narrow window).
With the patch, neither the semi-simplified test in the bug nor the
reference hangs, and the reftest passes.
--HG--
extra : commitid : APy8PfXlvvz
nsImageFrame::OnSizeAvailable will update the intrinsic ratio and ask for a reflow. Then nsImageFrame::NotifyNewCurrentRequest will be called when the image is finished loading. It previously would do a predictive decode if the intrinsic size hadn't changed.
This was a mistake in http://hg.mozilla.org/mozilla-central/rev/146f1bea4147 (bug 1151359).
OnSizeAvailable has this structure:
if (intrinsicSizeChanged && gotInitialReflow) {
if (!sizeConstrained) {
requestReflow();
}
}
NotifyNewCurrentRequest has this structure:
if (gotInitialReflow) {
if (!sizeConstrained && intrinsicSizeChanged) {
requestReflow();
}
}
Bug 1151359 added a predictive decode in a new else branch to both inner if statements. The meaning of this is obviously quite different.
Since nsIFrame::GetChildList() is a const function, PrincipalChildList()
should be a const function as well.
--HG--
extra : commitid : Hjvhy6cUWTF
extra : rebase_source : 0a998e5420b81827e478b403744cd9e5a11eb584
By changing signature of those two functions, we make compiler complain about
all their existing uses, so we can find all of them and convert them.
Some of the callsites of Get() with those properties are also converted, but not
all of them. It is fine because if there is any incorrect conversion, compilers
is able to find out now. So they are completely typesafe.
--HG--
extra : source : 808415985d3d446f18941eb007a9be9d69d180ce
This patch makes methods of FramePropertyTable and FrameProperties to be
simple template wrapper functions. Then it converts all references to
FramePropertyDescriptor to use "void" parameter to simulate the current
unsafe behavior.
SmallValueHolder is used for storing small values like int32_t, float,
which can fit in the size of a pointer directly, and thus no lifetime
management is needed.
--HG--
extra : source : 88b2723cddf119d73d8a442d8238b50406e9d604
Note that nsMathMLContainerFrame and its subclasses are unchanged since
they are not target of fullscreen (and thus no backdrop frame), and they
have an assertion to ensure we really don't pass any unexpected list in.
--HG--
extra : source : a1f7ff18a69cc116120de33f14ae62f576a4b55a
