Closed Bug 282707 Opened 19 years ago Closed 19 years ago

Crash [@ nsLineBox::DeleteLineList] when hovering over select in this evil testcase

Categories

(Core :: Layout: Form Controls, defect)

Product:
Core
Component:
Layout: Form Controls
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)

Details

(Keywords: crash, testcase, Whiteboard: [xul frame construction])

Crash Data

Attachments

(4 files)

Testcase
458 bytes, application/vnd.mozilla.xul+xml
Details
testcase crash onload without hover
573 bytes, application/vnd.mozilla.xul+xml
Details
table free testcase
611 bytes, application/vnd.mozilla.xul+xml
Details
Patch rev. 1
2.05 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review 
See upcoming testcase.
When hovering over the select dropdown, Mozilla crashes.
This also happens in Mozilla1.7, so no (recent) regression.
Attached file Testcase 
From Talkback ID TB3777572K:

nsLineBox::DeleteLineList 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsLineBox.cpp,
line 318]
nsLineBox::DeleteLineList 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsLineBox.cpp,
line 318]
nsFrameList::DestroyFrames 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsFrameList.cpp,
line 129]
nsFrameList::DestroyFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsFrameList.cpp,
line 223]
nsFrameManager::RemoveFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsFrameManager.cpp,
line 736]
nsCSSFrameConstructor::ContentRemoved 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 9935]
nsCSSFrameConstructor::RecreateFramesForContent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 11761]
nsCSSFrameConstructor::RestyleElement 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 10332]
nsCSSFrameConstructor::ProcessOneRestyle 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 13738]
nsCSSFrameConstructor::ProcessPendingRestyles 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 13783]
nsCSSFrameConstructor::RestyleEvent::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 13835]
SETUPAPI.DLL + 0x30c24 (0x778b0c24)
Severity: normal → critical
Keywords: crash
I just used this bug to check this nightlies talkback for Mozilla, got the same
stack:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB3781872G

It is also crashing with Mozilla 1.0.2, 1.4.2 and 1.6
Whiteboard: [xul frame construction]
Martijn, I just tested this one with DP alpha2 winxp: WFM?
For me it is still crashing with 20050902 trunk build.
identical talkbacks:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20050902 SeaMonkey/1.1a
TB8993785Y 1st testcase

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20050901 Firefox/1.6a1
TB8993838Q 1st testcase

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20050902 Firefox/1.6a1
TB8994014H, TB8993989W 2nd+1st testcase
Attached file table free testcase 

    
    

    
  
as this crashes within form control code and does not require table elements
around it I guess its more a form control issue. Maybee Mats knows how to deal
with this.
Component: Layout: Tables → Layout: Form Controls
QA Contact: layout.tables → layout.form-controls

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch rev. 1Splinter Review
      

    


  
'mDisplayFrame' is supposed to be a privately allocated frame that we destroy
in 'nsComboboxControlFrame::Destroy' so assigning it here is just plain wrong.
We crash since we point into the AreaFrame child list and thus Destroy will
be called twice.
Assignee: nobody → mats.palmgren
Status: NEW → ASSIGNED

        Attachment #194820 -
        Flags: superreview?(bzbarsky)

        Attachment #194820 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 194820 [details] [diff] [review]
Patch rev. 1

Er... how are we ending up with random frames in any case here?

r+sr=bzbarsky, but this code could really use some cleanup (eg why do we have
two codepaths for creating mDisplayFrame?  And as I said, how is this ending up
with random frames anyway?).

        Attachment #194820 -
        Flags: superreview?(bzbarsky)

        Attachment #194820 -
        Flags: superreview+

        Attachment #194820 -
        Flags: review?(bzbarsky)

        Attachment #194820 -
        Flags: review+

    
    

    
  
Mats, the patch has r+ and sr+, so you could check this in (in case you forgot
this bug).

    
  
Whiteboard: [xul frame construction] → [xul frame construction][checkin needed]

    
    

    
  
I checked the patch in on trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Whiteboard: [xul frame construction][checkin needed] → [xul frame construction]

    
    

    
  
Verified FIXED using build 2005-12-09-09 of SeaMonkey trunk on Windows XP with all 3 testcases.

Note: the movement of the <select> on hover in https://bugzilla.mozilla.org/attachment.cgi?id=174677 has already been filed.
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsLineBox::DeleteLineList]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: