Closed
Bug 284001
Opened 19 years ago
Closed 19 years ago
Crash [@ nsMathMLContainerFrame::GetType] with evil MathML testcase, using mo:hover{display:block;}
Categories
(Core :: MathML, defect)
Core
MathML
Tracking
()
VERIFIED
FIXED
People
(Reporter: martijn.martijn, Assigned: rbs)
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(2 files)
464 bytes,
application/xhtml+xml
|
Details | |
1.90 KB,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
See testcase. Hovering over the text in there causes a crash in current trunk Mozilla builds. Talkback ID: 3987420 nsMathMLContainerFrame::GetType [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/mathml/base/src/nsMathMLContainerFrame.cpp, line 1156] nsCSSFrameConstructor::FindNextSibling [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 8206] nsCSSFrameConstructor::ContentInserted [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9039] nsCSSFrameConstructor::RecreateFramesForContent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11553] nsCSSFrameConstructor::RestyleElement [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10143] nsCSSFrameConstructor::ProcessOneRestyle [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13501] nsCSSFrameConstructor::ProcessPendingRestyles [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13543] nsCSSFrameConstructor::RestyleEvent::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13595] SHELL32.dll + 0x520c24 (0x778b0c24)
Reporter | ||
Comment 1•19 years ago
|
||
Reporter | ||
Comment 2•19 years ago
|
||
Crashes also with Mozilla1.4 and 1.7, so no (recent) regression.
Severity: normal → critical
Summary: Crash [@ nsMathMLContainerFrame::GetType] with evil MathML testcase, using mo:hover{display:block;} → Crash [@ nsMathMLContainerFrame::GetType] with evil MathML testcase, using mo:hover{display:block;}
Comment 3•19 years ago
|
||
So.. what happens here is that this->mEmbellishData.coreFrame is pointing to 0xdddddddd memory. Not sure why that's happening...
OS: Windows XP → All
Hardware: PC → All
display:block is the evil bit. With the markup of the testcase: <math xmlns="http://www.w3.org/1998/Math/MathML"> <munder> <mo>Hovering over this should not cause a crash</mo> <mrow><mi></mi></mrow> </munder> </math> The |this| container is <munder> and its coreFrame is <mo>. Things seem to go out of sync when :hover changes <mo> to a block, and frames get destroyed/recreated. What is interesting is that changing to inline doesn't cause any problem (maybe because the coreFrame is not taken out of the child list since it is inline).
Comment 5•19 years ago
|
||
Isn't it display:inline by default?
That's right. But the evil testcase is doing: mo:hover{display:block;}
Comment 7•19 years ago
|
||
Sure. But you said:
> What is interesting is that changing to inline doesn't cause any problem
The point is, there is no change involved there... it's already inline, right?
Yes, you are right, nothing happens, mo:hover{display:inline;} doesn't trigger any re-resolve because there is no style change. Nor is there any trouble with mo:{display:block;} if set initially in the CSS. But then adding mo:hover{display:inline;} triggers a similar crash.
MathML has a little helper |nsMathMLContainerFrame::ChildListChanged| that is called at the tail-end of its overloaded |AppendFrames|, |InsertFrames|, etc. It is meant to cater for situations such as in this crash -- where a change of children invalidates certain pointers. The old code was just doing a |ReLayoutChildren(this)|. The patch changes changes the |this| to a more suitable ancestor.
Attachment #177340 -
Flags: superreview?(bzbarsky)
Attachment #177340 -
Flags: review?(bzbarsky)
Comment 10•19 years ago
|
||
Comment on attachment 177340 [details] [diff] [review] patch r+sr=bzbarsky. Seems reasonable..
Attachment #177340 -
Flags: superreview?(bzbarsky)
Attachment #177340 -
Flags: superreview+
Attachment #177340 -
Flags: review?(bzbarsky)
Attachment #177340 -
Flags: review+
Assignee | ||
Comment 11•19 years ago
|
||
Checked in.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Reporter | ||
Updated•19 years ago
|
Status: RESOLVED → VERIFIED
Updated•13 years ago
|
Crash Signature: [@ nsMathMLContainerFrame::GetType]
You need to log in
before you can comment on or make changes to this bug.
Description
•