Closed Bug 868906 Opened 11 years ago Closed 11 years ago

"ASSERTION: We're referring different frame" with caret browsing, bidi

Categories

(Core :: Layout, defect)

defect
Not set
minor

Tracking

RESOLVED FIXED
mozilla23

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(3 files)

1. Load the testcase.
2. Press F6 twice. The content area should now visibly have focus.
3. Press F7 to enable "caret browsing mode".
4. Press Shift, instructing the testcase to call deleteContents().

Result:

###!!! ASSERTION: We're referring different frame: 'frame == aForFrame', file layout/base/nsCaret.cpp, line 518

Masayuki added this assertion long ago in http://hg.mozilla.org/mozilla-central/rev/c746dd4dde4c.
Attached file stack (gdb)
Attached patch fix+crashtest
The problem is that nsTextFrame::GetChildFrameContainingOffset
is unstable such that calling it twice with the same arguments
can give different results in some cases.

http://hg.mozilla.org/mozilla-central/annotate/b842d26dd5f0/layout/generic/nsTextFrameThebes.cpp#l6328

The first call stores the resulting frame in OffsetToFrameProperty()
and the next call will start at that frame.  The loop will step to the
next frame if it has the same offset, i.e. the cached frame was empty,
so if there's a sequence of empty continuations we'll get a new result
frame until we reach the last empty frame.

https://tbpl.mozilla.org/?tree=Try&rev=1a650140034c
https://tbpl.mozilla.org/?tree=Try&rev=7e3eabf1b9e4
Assignee: nobody → matspal
Attachment #746113 - Flags: review?(roc)
Severity: normal → minor
OS: Linux → All
Hardware: x86_64 → All
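
A simplified model of the instability described in the comment above, added here as an illustration; it is not taken from the Gecko source or from the attached patch. `Frame`, `Chain`, `lookup` and `skipEmptyRun` are hypothetical names, and walking past the whole run of empty continuations is shown only as one way to make the lookup idempotent, not as what the landed fix does.

```cpp
#include <cstdio>
#include <utility>
#include <vector>

// Hypothetical stand-in for one text-frame continuation (not a Gecko type).
struct Frame {
  int start;    // content offset where this continuation begins
  int length;   // 0 for an empty continuation
  Frame* next;  // next continuation, or nullptr
};

struct Chain {
  std::vector<Frame> frames;
  Frame* cached = nullptr;  // plays the role of the OffsetToFrameProperty() cache

  explicit Chain(std::vector<Frame> f) : frames(std::move(f)) {
    for (size_t i = 0; i + 1 < frames.size(); ++i) frames[i].next = &frames[i + 1];
  }

  // Forward search that prefers the later frame at a boundary.
  // skipEmptyRun == false models the unstable behaviour described above.
  int lookup(int offset, bool skipEmptyRun) {
    Frame* f = (cached && cached->start <= offset) ? cached : &frames[0];
    while (Frame* next = f->next) {
      if (offset < next->start) break;
      f = next;
      // Unstable form: stop at the first frame starting at `offset`.
      // Stable form: keep walking while that frame is empty.
      if (offset == f->start && (!skipEmptyRun || f->length != 0)) break;
    }
    cached = f;  // the next call starts from here
    return static_cast<int>(f - frames.data());
  }
};

// Constructed chain: one frame covering [0,5), then three empty continuations at 5.
std::vector<int> repeatedLookups(bool skipEmptyRun, int calls) {
  Chain chain({{0, 5, nullptr}, {5, 0, nullptr}, {5, 0, nullptr}, {5, 0, nullptr}});
  std::vector<int> results;
  for (int i = 0; i < calls; ++i) results.push_back(chain.lookup(5, skipEmptyRun));
  return results;
}

int main() {
  for (bool stable : {false, true}) {
    std::printf("%s:", stable ? "skip empty run" : "cached start");
    for (int idx : repeatedLookups(stable, 4)) std::printf(" frame%d", idx);
    std::printf("\n");
  }
}
```

With the cached starting point alone, identical calls return frame 1, then 2, then 3; a caller that compares the results of two such calls sees different frames for the same arguments.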
Comment on attachment 746113
fix+crashtest

Review of attachment 746113:
-----------------------------------------------------------------

Nice!
Attachment #746113 - Flags: review?(roc) → review+
https://hg.mozilla.org/mozilla-central/rev/7f1def8c39e8
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Blocks: fuzz-keys