Closed Bug 310662 Opened 19 years ago Closed 19 years ago

Evil testcase causing crash in [@ nsCSSFrameConstructor::ConstructTableRowGroupFrame]

Categories

(Core :: Layout: Tables, defect, P1)

VERIFIED FIXED
mozilla1.9alpha1

People

(Reporter: martijn.martijn, Assigned: bzbarsky)

(Keywords: crash, regression, testcase)

Attachments

(2 files, 1 obsolete file)

See upcoming testcase.
Hovering over the text causes a crash for me in current trunk build.
Attached file testcase
From talkback ID: TB9941995M

nsCSSFrameConstructor::ConstructTableRowGroupFrame [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 3591]
ProcessPseudoFrames [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 2717]
FindPreviousAnonymousSibling [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 8086]
nsCSSFrameConstructor::ProcessChildren [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11638]
nsCSSFrameConstructor::AttributeChanged [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10518]
nsCSSFrameConstructor::AttributeChanged [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10552]
Martijn suspects bug 11011
Attached patch Fix (obsolete)
We're now producing useful non-html frames here, so we should really create
pseudo-frames for them.  And since all this stuff is in content, we can!
Attachment #198246 - Flags: superreview?(dbaron)
Attachment #198246 - Flags: review?(bernd_mozilla)
Attachment #198246 - Flags: review?(bernd_mozilla) → review+
Attachment #198246 - Flags: review?(cbiesinger)
Comment on attachment 198246
Fix

>-  nsresult rv = AdjustParentFrame(aContent, display, adjParentFrame,
>+  nsresult rv = AdjustParentFrame(aContent, aStyleContext, adjParentFrame,

Shouldn't you be using styleContext instead of aStyleContext?  That's what
corresponds to display, anyway.
Also, you may as well end the input section with a |return PR_TRUE;| and remove
it from the later list.
Er, yes.  That should use |display|.
sr=dbaron with those changes.  (Also, the "in sync" comments might be better off
being inside CreateInputFrame and CreateHTMLImageFrame, or in both places.)
Attachment #198246 - Attachment is obsolete: true
Attachment #198246 - Flags: superreview?(dbaron)
Attachment #198246 - Flags: review?(cbiesinger)
Assignee: nobody → bzbarsky
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9alpha
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Verified FIXED using build 2005-10-05-05 SeaMonkey trunk, Windows XP on the
testcase at https://bugzilla.mozilla.org/attachment.cgi?id=198114
Status: RESOLVED → VERIFIED
This bug apparently *is not* fixed for Camino users.

The evil testcase crashes a recent Camino nightly trunk build from 20051002. 
Haven't tried it with other versions -- yet.  Will test it though, over the next
week or so.  Mac OS 10.3.9.

Request this one be left open for Camino users to note.  Have a nice day.
> The evil testcase crashes a recent Camino nightly trunk build from 20051002. 

Kurt, I checked in the fix at 2005-10-04 16:56 PDT or so.  See comment 11.

Now you're complaining that the bug is not fixed in a Camino build from
2005-10-02.  Of course it's not fixed there!  It didn't get fixed until two days
after that.

You have a nice day too.
WFM with Camino 2005100504 (v1.0a1+).  You're right Boris, sorry for the spam, all.
Comment on attachment 198525
Updated to comments

belated r=biesi :)

though I spotted an else-after-return here:

@@ -3316,35 +3319,52 @@ nsCSSFrameConstructor::GetParentFrame(ns
+IsSpecialHTMLContent(nsIContent* aContent, nsStyleContext* aStyleContext)
+      if (NS_FORM_INPUT_HIDDEN == type) {
+        return PR_FALSE; // input hidden does not create a special frame
+      }
+      else if (NS_FORM_INPUT_IMAGE == type) {
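Review bot: The |else| in front of |if (NS_FORM_INPUT_IMAGE == type) {| is redundant, because the preceding NS_FORM_INPUT_HIDDEN branch ends in |return PR_FALSE;|. Drop the |else| and start the image check as a plain |if|, so the early return stays visually separate from the remaining type checks.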
I touched the code after this, I will apply the necessary changes to fit the review comment.
Crash Signature: [@ nsCSSFrameConstructor::ConstructTableRowGroupFrame]