Closed Bug 265161 Opened 20 years ago Closed 15 years ago

xul embedded in xsl embedded in xul crashes on load

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: sean, Unassigned)

Details

(Keywords: crash, testcase)

Attachments

(1 file, 1 obsolete file)

Minimal testcase
215 bytes, application/vnd.mozilla.xul+xml
Details 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040616
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040616

Spreading <listbox/> etc. tags in various <xsl:template/> tags within xul seems
to cause the problem.

Reproducible: Always
Steps to Reproduce:
1. load sample page

Actual Results:  
crash

Expected Results:  
some error page about malformed xul
(or better yet, ignore everthing inside the non-xul namespace)
Attached file offending xul file with embeddes xsl (obsolete) — 

    
    

    
  

      
      
      
      

        Attached file
          
        Minimal testcase
      

    


  

        Attachment #162623 -
        Attachment is obsolete: true

    
    

    
  
So the problem is that nsGridRowLeafLayout::ComputeChildSizes assumes that
aBox->GetParentBox() will return non-null.  But in this case the parent of the
listitem is in fact a block.  So it has no parent box, we get null, try to call
nsGrid::GetScrollBox() on it, and crash.

I can't really tell what this code is trying to do, so I don't know what the
right fix is.  Perhaps we need to make sure that we never have listitems end up
in blocks?
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
OS: Linux → All
Hardware: PC → All

    
    

    
  
(In reply to comment #3)
> I can't really tell what this code is trying to do, so I don't know what the
> right fix is.  Perhaps we need to make sure that we never have listitems end up
> in blocks?

It's not valid to have a listitem as a child of any element other than a
listbox.  How do we normally handle cases like that -- bail on constructing the
frame, error handling code in the frame, or something else?

    
    

    
  
We don't really have other cases like that... CSS allows putting a box of any
display type inside a box of any other display type, with anonymous boxes
inserted as needed (in the case of tables, basically).

We could add a return value that the functions called by ConstructFrameInternal
could use to indicate "we're done, there is no frame, just bail out".  Similar
to what happens now if the frame is display: none...

Alternately, we could change xul.css to say:

listitem { display: none !important; }
listbox > listitem { display: -moz-grid-line !important }

But wouldn't the same issue arise for other things flagged as -moz-grid-line?

    
    

    
  
So is this the bug 240542 crash?

    
    

    
  
Similar setup, but the parent of the listitem isn't even a box in this case, and
the reflow code assumes it will be.  Hence the crash.

    
    

    
  
Neil, this is similar to that menupopup bug you were working on....

    
    

    
  
Yeah... tons of null pointer dereferences :-(

    
    

    
  
Attached files do not crash
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050328 on WinXP.

    
  
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.widgets

    
    

    
  
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.3a1pre) Gecko/20091221 Firefox/3.7a1pre

Doesn't crash for me.  I'll add the minimal testcase to our collection of automated crashtests.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: