Closed Bug 282707 Opened 20 years ago Closed 20 years ago

Crash [@ nsLineBox::DeleteLineList] when hovering over select in this evil testcase

Categories

(Core :: Layout: Form Controls, defect)

Product:
Core
Component:
Layout: Form Controls
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)

Details

(Keywords: crash, testcase, Whiteboard: [xul frame construction])

Crash Data

Attachments

(4 files)

Testcase
458 bytes, application/vnd.mozilla.xul+xml
Details
testcase crash onload without hover
573 bytes, application/vnd.mozilla.xul+xml
Details
table free testcase
611 bytes, application/vnd.mozilla.xul+xml
Details
Patch rev. 1
2.05 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
See upcoming testcase. When hovering over the select dropdown, Mozilla crashes. This also happens in Mozilla1.7, so no (recent) regression.
Attached file Testcase
From Talkback ID TB3777572K: nsLineBox::DeleteLineList [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsLineBox.cpp, line 318] nsLineBox::DeleteLineList [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsLineBox.cpp, line 318] nsFrameList::DestroyFrames [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsFrameList.cpp, line 129] nsFrameList::DestroyFrame [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/generic/nsFrameList.cpp, line 223] nsFrameManager::RemoveFrame [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsFrameManager.cpp, line 736] nsCSSFrameConstructor::ContentRemoved [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9935] nsCSSFrameConstructor::RecreateFramesForContent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11761] nsCSSFrameConstructor::RestyleElement [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10332] nsCSSFrameConstructor::ProcessOneRestyle [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13738] nsCSSFrameConstructor::ProcessPendingRestyles [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13783] nsCSSFrameConstructor::RestyleEvent::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13835] SETUPAPI.DLL + 0x30c24 (0x778b0c24)
Severity: normal → critical
Keywords: crash
I just used this bug to check this nightlies talkback for Mozilla, got the same stack: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB3781872G It is also crashing with Mozilla 1.0.2, 1.4.2 and 1.6
Whiteboard: [xul frame construction]
Martijn, I just tested this one with DP alpha2 winxp: WFM?
For me it is still crashing with 20050902 trunk build.
identical talkbacks: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20050902 SeaMonkey/1.1a TB8993785Y 1st testcase Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20050901 Firefox/1.6a1 TB8993838Q 1st testcase Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20050902 Firefox/1.6a1 TB8994014H, TB8993989W 2nd+1st testcase
Attached file table free testcase
as this crashes within form control code and does not require table elements around it I guess its more a form control issue. Maybee Mats knows how to deal with this.
Component: Layout: Tables → Layout: Form Controls
QA Contact: layout.tables → layout.form-controls
Attached patch Patch rev. 1Splinter Review
'mDisplayFrame' is supposed to be a privately allocated frame that we destroy in 'nsComboboxControlFrame::Destroy' so assigning it here is just plain wrong. We crash since we point into the AreaFrame child list and thus Destroy will be called twice.
Assignee: nobody → mats.palmgren
Status: NEW → ASSIGNED
Attachment #194820 - Flags: superreview?(bzbarsky)
Attachment #194820 - Flags: review?(bzbarsky)
Comment on attachment 194820 [details] [diff] [review] Patch rev. 1 Er... how are we ending up with random frames in any case here? r+sr=bzbarsky, but this code could really use some cleanup (eg why do we have two codepaths for creating mDisplayFrame? And as I said, how is this ending up with random frames anyway?).
Attachment #194820 - Flags: superreview?(bzbarsky)
Attachment #194820 - Flags: superreview+
Attachment #194820 - Flags: review?(bzbarsky)
Attachment #194820 - Flags: review+
Mats, the patch has r+ and sr+, so you could check this in (in case you forgot this bug).
Whiteboard: [xul frame construction] → [xul frame construction][checkin needed]
I checked the patch in on trunk.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Whiteboard: [xul frame construction][checkin needed] → [xul frame construction]
Verified FIXED using build 2005-12-09-09 of SeaMonkey trunk on Windows XP with all 3 testcases. Note: the movement of the <select> on hover in https://bugzilla.mozilla.org/attachment.cgi?id=174677 has already been filed.
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsLineBox::DeleteLineList]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: