Closed
Bug 240542
Opened 20 years ago
Closed 20 years ago
Firefox crashes on simple example
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: zbraniecki, Assigned: neil)
References
()
Details
(Keywords: crash)
Attachments
(3 files, 1 obsolete file)
30.00 KB,
application/octet-stream
|
Details | |
2.93 KB,
application/vnd.mozilla.xul+xml
|
Details | |
3.04 KB,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
I'm totally new in RDF so I won't be much helpful in making simple testcase. I downloaded rdfds from xulplanet and runned example from taht site. It work's perfect. But to cover my needs I had to be able to add node to subnode, so I slightly changed example. 1) I made Seq from catfish node 2) And in AddShark changed |fish| to point on catfish. After this change I runned example and pressed "Add Shark" button and then "SetTemplate" - quite good for now. But try pressing first "Set Template" and after this "Add Shark" - everytime crash. TalkBack id - TB17893Z
Comment 1•20 years ago
|
||
Can you attach your testcase to the bug or point to a URL that allows to reproduce the bug?
Keywords: qawanted,
stackwanted
Reporter | ||
Comment 2•20 years ago
|
||
sure Steps to reproduce 1) unpack tar file to some folder under chrome 2) run firefox and launch xul file from chrome 3) press "Set Template" 4) press "Add Shark" 5) kaboom
Updated•20 years ago
|
Keywords: crash,
talkbackid
Reporter | ||
Comment 3•20 years ago
|
||
Ok. I finally simplified this testcase to reproduce crash without rdfds.js library . Now it's one simple xul file with 3 JS functions. Hope that helps
Assignee | ||
Comment 4•20 years ago
|
||
Basically NotifyListBoxBody stinks. It doesn't actually check that the parent of a listitem is a listbox. This causes grief in two possible ways; the one here QI's the parent's box object without null-checking the result; then when you remove the listitem later it static casts the parent's frame. Reporter, you shouldn't be using a listbox to display nested content.
Component: RDF → Layout: Misc Code
Keywords: qawanted,
stackwanted,
talkbackid
Assignee | ||
Updated•20 years ago
|
Assignee: rjc → nobody
QA Contact: core.layout.misc-code
Comment 5•20 years ago
|
||
So is there a static (or simply dynamic without the RDF garbage) way to reproduce this crash?
Assignee | ||
Comment 6•20 years ago
|
||
Well I couldn't get a dynamic test case to crash adding the list item, but removing it crashed instantly. Note that removing sometimes makes it hang rather than crash; the null comptr is a more obvious crash.
Assignee | ||
Comment 7•20 years ago
|
||
Actally, removing it did make it crash eventually, it needs patience :-)
Comment 8•20 years ago
|
||
Neil, pointers to the code in question? Stacks for the crashes?
Assignee | ||
Comment 9•20 years ago
|
||
The advertised crash happens after http://lxr.mozilla.org/seamonkey/source/layout/html/style/src/nsCSSFrameConstructor.cpp#8625 fails because the box object isn't a list box object (in that particular case the listitem parent is another listitem) so the call to GetListboxBody happens on a null com ptr. The related crash happens after http://lxr.mozilla.org/seamonkey/source/layout/html/style/src/nsCSSFrameConstructor.cpp#8613 casts a random frame (well I suppose it depends on whatever I happened to make the parent of my listitem). It then tries to call OnContentRemoved on that frame which tries to call RemoveMappingsForFrameSubtree but its mFrameConstructor pointer is invalid so that when RemoveMappingsForFrameSubtree tries to use mTempFrameTreeState the memory doesn't exist.
Assignee | ||
Comment 10•20 years ago
|
||
Based on my analysis I wrote this patch to fix the crash.
Comment 11•20 years ago
|
||
Comment on attachment 146312 [details] [diff] [review] Possible fix Oh, I see. So the problem was that there was a listitem that was misplaced in the DOM and then all hell broke loose? <sigh> OK, could you comment why you don't need to release listboxBody (or just make it an nsCOMPtr; I doubt it asserts)? Also, change the up-front check to make sure that the kid is also XUL and is a listitem. We really don't want to be running this code any time something is inserted into some random XUL element... I assume we aren't checking the tag of aContainer because XBL may be extending things and changing tagnames or something? r+sr=me with those issues fixed.
Attachment #146312 -
Flags: superreview+
Attachment #146312 -
Flags: review+
Assignee | ||
Comment 12•20 years ago
|
||
(In reply to comment #11) >OK, could you comment why you don't need to release listboxBody (or just make >it an nsCOMPtr; I doubt it asserts)? If I do that I can't seem to cast it, even with a .get()
Assignee | ||
Comment 13•20 years ago
|
||
I added listbox/listitem checks, I added printfs to check all my test examples and they were always listbox/listitem in the normal case. I added a commented-out NS_RELEASE because of the static cast issue. Oh, and so the reporter knows why the code worked if he generated incompatible RDF first, I believe that the rebuild bypasses this code.
Assignee: nobody → neil.parkwaycc.co.uk
Attachment #146312 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Comment 14•20 years ago
|
||
Comment on attachment 146341 [details] [diff] [review] Addressed comments r=bzbarsky, but hyatt really needs to look at this, since I'm not sure what assumptions this code can make about tagnames (see the ResolveTag() below that). Drop him a mail at hyatt@mozilla.org please?
Attachment #146341 -
Flags: superreview?(hyatt)
Attachment #146341 -
Flags: review+
Comment 15•20 years ago
|
||
Comment on attachment 146341 [details] [diff] [review] Addressed comments eh, forget it. sr=bzbarsky too.
Attachment #146341 -
Flags: superreview?(hyatt) → superreview+
Assignee | ||
Comment 16•20 years ago
|
||
Fix checked in. I see nsCSSFrameConstructor gets changed alot - 13 revs since patch ;-)
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment 17•20 years ago
|
||
Well, there's a lot of logic in that file (some only peripherally related to frame construction, actually).... All that code's gotta have bugs, right? ;)
Updated•6 years ago
|
Product: Core → Core Graveyard
Updated•6 years ago
|
Component: Layout: Misc Code → Layout
Product: Core Graveyard → Core
You need to log in
before you can comment on or make changes to this bug.
Description
•