Closed Bug 46964 Opened 24 years ago Closed 24 years ago

crash calling rebuild() twice

Categories

(Core :: XUL, defect, P3)

Product:
Core
Component:
XUL
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: waterson, Assigned: waterson)

Details

(Keywords: crash, Whiteboard: fix in hand)

Attachments

(4 files)

test case
3.13 KB, text/plain
Details
clear content support map before clearing conflict set
2.13 KB, patch
Details | Diff | Splinter Review
remove ContentSupportMap
25.61 KB, patch
Details | Diff | Splinter Review
like the first patch, but better.
29.94 KB, patch
Details | Diff | Splinter Review
To reproduce: 1. Save the attached test case as "test.xul" 2. Open it in a browser window. 3. Click the button 4. Click the button again. *boom* Expected: no crash
Attached file test case
The problem is that the ContentSupportMap entries hold a pointer into the ConflictSet's arena. (Ok, I feel like I'm talking about the pyramids of Mars layout engine right now. I'll just shut up and attach a fix.)
Ok, so some explanation is in order. The "conflict set" is the data structure that keeps track of which of the template rules are currently matched. Since a template rule depends on content in the content model (e.g., if you remove a "parent" node from the tree, all the rules that matched for that nodes children clearly don't match anymore). The "content support map" keeps track of which rules are supported by elements in the content model. It maps a content node to a "match". Problem is, the conflict set owns all of the match objects. Calling mConflictSet.Clear() in nsXULTemplateBuilder::Rebuild() causes the arena pool that was containing all the match objects to be dumped en masse and re-created. This leaves the content support map to be left with a dangling pointer into the conflict set. The above test case causes us to actually try to use one of those pointers. The fix is to nuke the content support map before we nuke the conflict set.
Status: NEW → ASSIGNED
Target Milestone: --- → M18
spam: Adding crash keyword...
Keywords: crash
I don't like my first fix, and spent last night working up the one I'm going to attach shortly. I don't like it either, for reason's I'll explain momentarily...
The attached patch (besides commenting a bunch of junk) removes the ContentSupportMap structure. This structure was used to implement CreateTemplateContents(): it recorded the match from whence each piece of generated content was created so that we could quickly pick up and resume template building. I thought that removing it would be a good thing to do, unfortunately, it slows folder opening down by about 7%. I thought I'd shove it into the bug for posterity's sake (or maybe to deal with later).
Keywords: nsbeta3
Whiteboard: fix in hand
fix checked in
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: