Closed
Bug 321901
Opened 19 years ago
Closed 18 years ago
Orphan placeholder to destroyed out-of-flow?
Categories: Core :: Layout, defect
Status: RESOLVED WORKSFORME
People: Reporter: MatsPalmgren_bugz, Assigned: MatsPalmgren_bugz
Details: Keywords: crash, Whiteboard: [sg:nse]
Attachments: 3 files
(slightly edited frame dump to fit Bugzilla attachment size limit,
the deleted sections are marked "[ ... stuff deleted ... ]" - I have the
original if anyone needs it)
This is with "Patch rev. 3" from bug 310638 (which does not walk the out-of-flow
child lists), this makes us miss out-of-flow 0x8b6e9e0 (lime) because we had
no placeholder for it (bug). Since this out-of-flow contains placeholders/
out-of-flows of its own, we miss those too.
It proves that we have an external placeholder pointing into this set
of trees we are about to Destroy.
According to the FrameManager the offending placeholder is 0x8da3148 (magenta)
and it's not on any child list. Following its mParent chain gives
0x8b99e48 (yellow) as the first frame that is still in the tree.
(the frame dump is after DoDeletingFrameSubtree() but before we start
to remove the frames in the destroy queue)
Comment 2 • 19 years ago (Assignee)
Here's another error I found... I think it's related to the orphan placeholder
but I'm not sure... I haven't analyzed any frame dumps on this yet.
Let me know if you have any ideas on what the problem could be...
Comment 3 • 19 years ago (Assignee)
Comment 4 • 19 years ago (Assignee)
BTW, the bad reflow command normally causes a crash soon after the printout,
that's why I removed it... (I'm not suggesting that is the solution)
Comment 5 • 19 years ago
So in "Dump 1" this ancestor of the placeholder that's in the tree is the "right" frame (the one that's a containing block for the abs-pos out of flow). And the placeholder's parents aren't dead, just lost? :(
In "Trace 2", what triggers the warning:
WARNING: Positioned frame that does not handle positioned kids; looking further up the parent chain, file nsCSSFrameConstructor.cpp, line 8179
and the assertion:
###!!! ASSERTION: not in child list: 'nsFrameList(aChildFrame->GetParent()->GetFirstChild(listName)) .ContainsFrame(aChildFrame)', file nsCSSFrameConstructor.cpp, line 1894
?
I really wish we could get minimal-ish testcases out of this stuff. :(
Comment 6 • 19 years ago
This is marked confidential because it deals with other confidential bugs and not because it is itself a separate security problem, right?
Whiteboard: [sg:nse]
Comment 7 • 19 years ago (Assignee)
(In reply to comment #6)
> This is marked confidential because it deals with other confidential bugs and
> not because it is itself a separate security problem, right?
>
Yes.
Comment 8 • 18 years ago
Mats/bz, is this bug still useful?
Comment 9 • 18 years ago (Assignee)
I ran the tests in comment 0 to 100k without any crash.
-> WORKSFORME
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
Updated • 17 years ago
Group: security