Closed Bug 394239 Opened 17 years ago Closed 17 years ago

Crash [@ nsIFrame::Invalidate] with object, positioning and bidi character

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: smontagu)

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(3 files)

testcase
321 bytes, text/html
Details
Frame dump and some debugging output
15.74 KB, text/plain
Details
Patch
1.28 KB, patch
roc
: review+
roc
: superreview+
roc
: approval1.9+
Details | Diff | Splinter Review
Attached file testcase 
See testcase, when hovering over the text input, I crash with current trunk build.

This seems to have regressed since yesterday:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-08-28+04&maxdate=2007-08-29+09&cvsroot=%2Fcvsroot
Regression from bug 384527, somehow?

http://crash-stats.mozilla.com/report/index/ec77cc47-567a-11dc-9fb9-001a4bd43ef6
0  	nsIFrame::Invalidate(nsRect const&, int)  	 mozilla/layout/generic/nsFrame.cpp:3536
1 	nsFrameManager::RemoveFrame(nsIFrame*, nsIAtom*, nsIFrame*) 	mozilla/layout/base/nsFrameManager.cpp:688
2 	DeletingFrameSubtree 	mozilla/layout/base/nsCSSFrameConstructor.cpp:9338
3 	nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, int, int) 	mozilla/layout/base/nsCSSFrameConstructor.cpp:9490
4 	nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*) 	mozilla/layout/base/nsCSSFrameConstructor.cpp:11074
5 	nsCSSFrameConstructor::RestyleElement(nsIContent*, nsIFrame*, nsChangeHint) 	mozilla/layout/base/nsCSSFrameConstructor.cpp:9939
6 	nsCSSFrameConstructor::ProcessOneRestyle(nsIContent*, nsReStyleHint, nsChangeHint) 	mozilla/layout/base/nsCSSFrameConstructor.cpp:12962
7 	nsCSSFrameConstructor::ProcessPendingRestyles() 	mozilla/layout/base/nsCSSFrameConstructor.cpp:13015
8 	nsCSSFrameConstructor::RestyleEvent::Run() 	mozilla/layout/base/nsCSSFrameConstructor.cpp:13086
9 	nsThread::ProcessNextEvent(int, int*) 	mozilla/xpcom/threads/nsThread.cpp:490
10 	NS_ProcessNextEvent_P(nsIThread*, int) 	nsThreadUtils.cpp:227
11 	nsBaseAppShell::Run() 	mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:154
12 	nsAppStartup::Run() 	mozilla/toolkit/components/startup/src/nsAppStartup.cpp:170
13 	XRE_main 	mozilla/toolkit/xre/nsAppRunner.cpp:3069
14 	main 	mozilla/browser/app/nsBrowserApp.cpp:153
15 	WinMain 	mozilla/browser/app/nsBrowserApp.cpp:166
16 	__tmainCRTStartup 	crtexe.c:589
I can reproduce the crash but with a rather different stack:

#6  0xb5cb91d2 in nsCachedStyleData::GetStyleDisplay (this=0xddddddf9)
    at nsStyleStructList.h:95
#7  0xb5cbc7ae in nsStyleContext::GetStyleDisplay (this=0xdddddddd)
    at nsStyleStructList.h:95
#8  0xb5acfbad in nsIFrame::GetStyleDisplay (this=0x8d5e914)
    at nsStyleStructList.h:95
#9  0xb5ab15e5 in GetChildListNameFor (aChildFrame=0x8d5e914)
    at /home/smontagu/mozwork/debugtree/mozilla/layout/base/nsCSSFrameConstructor.cpp:1719
#10 0xb5ab350e in DeletingFrameSubtree (aFrameManager=0x8e09b7c, aFrame=0x0)
    at /home/smontagu/mozwork/debugtree/mozilla/layout/base/nsCSSFrameConstructor.cpp:9338
#11 0xb5accdab in nsCSSFrameConstructor::ContentRemoved (this=0x8df17c0,
    aContainer=0x8e63c00, aChild=0x8dca1c8, aIndexInContainer=1,
    aInReinsertContent=0)
    at /home/smontagu/mozwork/debugtree/mozilla/layout/base/nsCSSFrameConstructo
r.cpp:9490
#12 0xb5acaa17 in nsCSSFrameConstructor::RecreateFramesForContent (
    this=0x8df17c0, aContent=0x8dca1c8)
    at /home/smontagu/mozwork/debugtree/mozilla/layout/base/nsCSSFrameConstructor.cpp:11074
#13 0xb5acb0a8 in nsCSSFrameConstructor::RestyleElement (this=0x8df17c0,
    aContent=0x8dca1c8, aPrimaryFrame=0x8d13cb8, aMinHint=0)
    at /home/smontagu/mozwork/debugtree/mozilla/layout/base/nsCSSFrameConstructor.cpp:9939
#14 0xb5acb2d3 in nsCSSFrameConstructor::ProcessOneRestyle (this=0x8df17c0,
    aContent=0x8dca1c8, aRestyleHint=eReStyle_Self, aChangeHint=0)
    at /home/smontagu/mozwork/debugtree/mozilla/layout/base/nsCSSFrameConstructor.cpp:12962
#15 0xb5acb4f9 in nsCSSFrameConstructor::ProcessPendingRestyles (
    this=0x8df17c0)
    at /home/smontagu/mozwork/debugtree/mozilla/layout/base/nsCSSFrameConstructor.cpp:13015
#16 0xb5acb65e in nsCSSFrameConstructor::RestyleEvent::Run (this=0x8cf5020)
    at /home/smontagu/mozwork/debugtree/mozilla/layout/base/nsCSSFrameConstructor.cpp:13086

Reverting the patch from bug 384527 doesn't fix this.
Sorry, comment 2 is wrong: this is indeed a regression from bug 384527
Assignee: nobody → smontagu
Attached patch PatchSplinter Review 
I don't really know why this prevents the crash, but it does, and it seems more correct than the original patch to bug 384527 anyway.
Attachment #279430 - Flags: superreview?(roc)
Attachment #279430 - Flags: review?(roc)
Attachment #279430 - Flags: superreview?(roc)
Attachment #279430 - Flags: superreview+
Attachment #279430 - Flags: review?(roc)
Attachment #279430 - Flags: review+
Attachment #279430 - Flags: approval1.9+
Checked in
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a8pre) Gecko/2007090504 Minefield/3.0a8pre
Status: RESOLVED → VERIFIED
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsIFrame::Invalidate]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: