Closed
Bug 222468
Opened 21 years ago
Closed 21 years ago
Creating a mail filter causes Mozilla to crash [@ nsLayoutUtils::CompareTreePosition]
Categories
(MailNews Core :: Filters, defect, P1)
MailNews Core
Filters
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: pkwarren, Assigned: roc)
References
Details
(Keywords: crash, topcrash)
Crash Data
Attachments
(4 files)
|
7.31 KB,
text/plain
|
Details | |
|
788 bytes,
patch
|
Details | Diff | Splinter Review | |
|
14.92 KB,
text/plain
|
Details | |
|
1.80 KB,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
Steps to reproduce: 1) Create a mail account. 2) Go to Tools->Message Filters. 3) Click "New..." button. Mozilla crashes at this point on AIX and Linux. I have not had time to test a Windows build yet.
|
Reporter | |
Comment 1•21 years ago
|
||
This is a stack trace from a non-optimized, non-debug build. I don't have a debug build handy so unfortunately there are no line numbers listed.
|
|
Reporter | |
Comment 2•21 years ago
|
||
The stack trace seems to point to the checkin for Bug 217604 as the cause of this problem.
|
|
Reporter | |
Comment 3•21 years ago
|
||
This is not occuring on a build compiled on the morning of 2003/10/14. This is occuring in yesterday's build.
|
||
Comment 4•21 years ago
|
||
this bug also seems to cause Bug 220629 and Bug 221676 (same stacktraces)
Summary: Creating a mail filter causes Mozilla to crash → Creating a mail filter causes Mozilla to crash [@ nsLayoutUtils::CompareTreePosition]
|
||
Comment 6•21 years ago
|
||
|
||
Comment 7•21 years ago
|
||
So I caught this in a debugger. The crash happens because when we call CompareTreePosition(aFrame->GetContent(), f->GetContent(), parentViewContent) in nsLayoutUtils::FindSiblingViewFor, parentViewContent is in fact no an ancestor of aFrame->GetContent(). At this point, aFrame is a nsMenuFrame The ancestors of aFrame look like this: nsMenuFrame < nsDeckFrame < nsBoxFrame < nsListItemFrame < nsListBoxBodyFrame The problem pops up with nsListItemFrame... (gdb) whats $foo 0x41948ba8 <_ZTV15nsListItemFrame+8>: 0x41452d3c <_ZN15nsListItemFrame14QueryInterfaceERK4nsIDPPv> (gdb) p $foo->GetContent()->GetParent() $35 = (nsIContent *) 0x89e0210 (gdb) p $foo->GetParent()->GetContent() $36 = (nsIContent *) 0x8a078e8 $foo->GetContent() is a "listitem"; it's parent is a "listbox". $foo->GetParent()->GetContent() is a "listboxbody". The "listbox" is the content node for a frame ancestor of $foo much higher up in the frame hierarchy (there are some frames that point to "listboxbody" and "listrows" in between). The problem is that the ListBoxBodyFrame is the ancestor with a view, so aCommonAncestor is the "listboxbody", which is not an ancestor of the "listitem" at all....
|
|
||
Updated•21 years ago
|
OS: AIX → All
Priority: -- → P1
Hardware: Other → All
|
|
Reporter | |
Comment 8•21 years ago
|
||
It sounds like the situation is already well understood, but I do have a stack trace from a debug build available now so I figured I'd go ahead and post it.
|
Assignee | |
Comment 9•21 years ago
|
||
The best thing to do is to make CompareTreePosition use aCommonAncestor as a hint. If it turns out it's not an ancestor of aContent1 or aContent2, we can just retry the function with aCommonAncestor == nsnull, which will always work. I'll cook up a patch for this tonight.
IIRC, there's code somewhere that uses |aCommonAncestor| to prevent walking of the top (i.e., as the null check for when we get to the root) and will walk off the top and try to dereference content nodes if it's not actually an ancestor.
|
|
Assignee | |
Comment 11•21 years ago
|
||
This should do the trick nicely.
|
|
Assignee | |
Updated•21 years ago
|
Attachment #133470 -
Flags: superreview?(bzbarsky)
Attachment #133470 -
Flags: review?(bzbarsky)
|
|
||
Comment 12•21 years ago
|
||
Comment on attachment 133470 [details] [diff] [review] fix >+ for (c1 = aContent1; c1 && c1 != aCommonAncestor; c1 = c1->GetParent()) { > content1Ancestors.AppendElement(c); s/c/c1/ in the AppendElement call? >+ for (c2 = aContent2; c2 && c2 != aCommonAncestor; c2 = c2->GetParent()) { > content2Ancestors.AppendElement(c); s/c/c2/ Looks good to me once it compiles, so r+sr=me, but please do build and test this patch before landing it...
Attachment #133470 -
Flags: superreview?(bzbarsky)
Attachment #133470 -
Flags: superreview+
Attachment #133470 -
Flags: review?(bzbarsky)
Attachment #133470 -
Flags: review+
|
|
Assignee | |
Comment 13•21 years ago
|
||
Er, yeah :-)
|
|
Assignee | |
Comment 14•21 years ago
|
||
I built and tested the patch, and it fixes the crash. I checked in.
|
|
||
Comment 15•21 years ago
|
||
fixed, i tested this with a cvs trunk build, mail filter behave as usual, no crash when clicking the New... Button (the deps of this bug were also fixed with this, tested that)
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
|
|
||
Comment 16•21 years ago
|
||
verified with Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6a) Gecko/20031018
Status: RESOLVED → VERIFIED
|
|
||
Comment 17•21 years ago
|
||
*** Bug 223527 has been marked as a duplicate of this bug. ***
|
||
Updated•20 years ago
|
Product: MailNews → Core
|
||
Updated•16 years ago
|
Product: Core → MailNews Core
|
|
||
Updated•13 years ago
|
Crash Signature: [@ nsLayoutUtils::CompareTreePosition]
You need to log in
before you can comment on or make changes to this bug.
Description
•