Closed
Bug 314502
Opened 18 years ago
Closed 18 years ago
Crash [@ nsGridRowGroupLayout::CountRowsColumns] with evil xul testcase, using grid, float:left and overflow:scroll
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
VERIFIED
FIXED
mozilla1.9alpha1
People
(Reporter: martijn.martijn, Assigned: bzbarsky)
References
Details
(4 keywords)
Crash Data
Attachments
(2 files, 1 obsolete file)
|
750 bytes,
application/vnd.mozilla.xul+xml
|
Details | |
|
4.33 KB,
patch
|
mtschrep
:
approval1.8.1+
|
Details | Diff | Splinter Review |
Upcoming testcase crashes 2005-10-28 trunk Mozilla build when clicking on the button. It doesn't crash Mozilla1.7. Talkback ID: TB11282963Q nsGridRowGroupLayout::CountRowsColumns [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowGroupLayout.cpp, line 242] nsGrid::CountRowsColumns [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp, line 346] nsGrid::RebuildIfNeeded [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp, line 226] nsGrid::GetExtraRowCount [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp, line 572] nsBoxFrame::GetPrefSize [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 933] nsStackLayout::GetPrefSize [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsStackLayout.cpp, line 95] nsGridLayout2::GetPrefSize [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridLayout2.cpp, line 151] nsBoxFrame::GetPrefSize [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 933] nsSprocketLayout::PopulateBoxSizes [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 822] nsSprocketLayout::Layout [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 265] nsBoxFrame::DoLayout [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1091] nsBoxFrame::DoLayout [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1091] nsRootBoxFrame::Reflow [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsRootBoxFrame.cpp, line 226] nsContainerFrame::ReflowChild [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 891] ViewportFrame::Reflow [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsViewportFrame.cpp, line 239] IncrementalReflow::Dispatch [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 860] PresShell::ProcessReflowCommands [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6506] PresShell::WillPaint [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6143]
|
Reporter | |
Comment 1•18 years ago
|
||
|
|
Reporter | |
Comment 2•18 years ago
|
||
Ok, this regressed between 2005-03-17 and 2005-03-18: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-03-17+07%3A00%3A00&maxdate=2005-03-18+08%3A00%3A00&cvsroot=%2Fcvsroot Maybe regression from bug 283385?
|
Assignee | |
Comment 3•18 years ago
|
||
Quite possible. I'll look into this tonight.
|
|
Assignee | |
Comment 4•18 years ago
|
||
This is basically the same issue as bug 307809 and has the same question -- should GetScrolledBox actually return the scrollbox for cases when the scrolled thing is not a box?
|
|
Assignee | |
Comment 5•18 years ago
|
||
Comment on attachment 201465 [details] [diff] [review] This could work See question in comment 4.
Attachment #201465 -
Flags: superreview?(dbaron)
Attachment #201465 -
Flags: review?(bryner)
at least http://lxr.mozilla.org/seamonkey/source/layout/xul/base/src/nsScrollBoxObject.cpp#151 expects the function to return a null pointer.
|
|
Assignee | |
Comment 7•18 years ago
|
||
That's not the same GetScrolledBox. In this bug we care about nsGrid::GetScrolledBox...
|
||
Comment 8•18 years ago
|
||
Comment on attachment 201465 [details] [diff] [review] This could work r+sr=dbaron, but please move the |deepChild| variables into the loop and remove the bogus assignment to them near the end of the loop.
Attachment #201465 -
Flags: superreview?(dbaron)
Attachment #201465 -
Flags: superreview+
Attachment #201465 -
Flags: review?(bryner)
Attachment #201465 -
Flags: review+
|
|
Assignee | |
Comment 9•18 years ago
|
||
Attachment #201465 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•18 years ago
|
Assignee: nobody → bzbarsky
OS: Windows XP → All
Hardware: PC → All
Target Milestone: --- → mozilla1.9alpha
|
|
Assignee | |
Comment 10•18 years ago
|
||
Fixed.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Verified FIXED on trunk SeaMonkey 1.5a;Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051109 using https://bugzilla.mozilla.org/attachment.cgi?id=201419&action=view as a testcase. No crash.
Status: RESOLVED → VERIFIED
|
|
||
Comment 12•17 years ago
|
||
Comment on attachment 201465 [details] [diff] [review] This could work This is just like bug 307809; a null-check that at least makes some sense.
Attachment #201465 -
Flags: approval1.8.1?
|
||
Comment 13•17 years ago
|
||
You don't want the version updated to comments?
|
|
||
Updated•17 years ago
|
Attachment #201465 -
Flags: approval1.8.1?
|
|
||
Updated•17 years ago
|
Attachment #202327 -
Flags: approval1.8.1?
|
|
||
Comment 14•17 years ago
|
||
Comment on attachment 202327 [details] [diff] [review] Updated to comments a=schrep for crash patch...
Attachment #202327 -
Flags: approval1.8.1? → approval1.8.1+
|
||
Updated•12 years ago
|
Crash Signature: [@ nsGridRowGroupLayout::CountRowsColumns]
You need to log in
before you can comment on or make changes to this bug.
Description
•