Crash on reload with evil xul textcase, using menulist and nested tooltips

VERIFIED FIXED

Status

()

Core
Layout
--
critical
VERIFIED FIXED
12 years ago
5 years ago

People

(Reporter: Martijn Wargers (dead), Assigned: mats)

Tracking

(Depends on: 1 bug, {crash, regression, testcase})

Trunk
x86
Windows XP
crash, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.9 +
wanted1.9 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [evil])

Attachments

(2 attachments)

(Reporter)

Description

12 years ago
See upcoming testcase, which crashes on reload.
Doesn't crash in 2004-07-11 build, crashes in 2004-07-18 build (Ria, you have builds in that area to narrow it down further?)
(Reporter)

Comment 1

12 years ago
Created attachment 210272 [details]
testcase (crashes on reload)
(Reporter)

Comment 2

12 years ago
Created attachment 210274 [details]
backtrace

This is the backtrace, that I get, first I get an assertion:
###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file c:/mozill
a/mozilla/layout/generic/nsPlaceholderFrame.h, line 121
Break: at file c:/mozilla/mozilla/layout/generic/nsPlaceholderFrame.h, line 121

Then the crash itself:
Program received signal SIGSEGV, Segmentation fault.
0x055eb10e in nsIFrame::GetStyleData(nsStyleStructID) const (this=0x0,
    aSID=eStyleStruct_Display)
    at c:/mozilla/mozilla/layout/generic/nsIFrame.h:595
warning: Source file is more recent than executable.

595       #undef STYLE_STRUCT
Current language:  auto; currently c++
(gdb) bt
#0  0x055eb10e in nsIFrame::GetStyleData(nsStyleStructID) const (this=0x0,
    aSID=eStyleStruct_Display)
    at c:/mozilla/mozilla/layout/generic/nsIFrame.h:595
#1  0x055eb31d in nsIFrame::GetStyleDisplay() const (this=0x0)
    at c:/mozilla/mozilla/layout/style/nsStyleStructList.h:90
#2  0x04ea5e38 in DoDeletingFrameSubtree(nsPresContext*, nsIPresShell*, nsFrameM
anager*, nsVoidArray&, nsIFrame*, nsIFrame*) (aPresContext=0x1004e658,
    aPresShell=0x10341688, aFrameManager=0x103416a4, aDestroyQueue=@0x22e588,
    aRemovedFrame=0x103970e4, aFrame=0x103970e4)
    at c:/mozilla/mozilla/layout/base/nsCSSFrameConstructor.cpp:9649
#3  0x04ea5ff4 in DeletingFrameSubtree(nsPresContext*, nsIPresShell*, nsFrameMan
ager*, nsIFrame*) (aPresContext=0x1004e658, aPresShell=0x10341688,
    aFrameManager=0x103416a4, aFrame=0x103970e4)
    at c:/mozilla/mozilla/layout/base/nsCSSFrameConstructor.cpp:9710
(In reply to comment #0)
> Doesn't crash in 2004-07-11 build, crashes in 2004-07-18 build (Ria, you have
> builds in that area to narrow it down further?)
> 
No, I have only the same ones.
I bet fixing bug 324721 will help.  Or at least make it clearer what's going on here.
Depends on: 324721
(Reporter)

Updated

12 years ago
Blocks: 321107

Comment 6

12 years ago
doesn't look like this will make 1.9a1, but may try for a2
Flags: blocking1.9a2?

Updated

12 years ago
Flags: blocking1.9a2? → blocking1.9+
Whiteboard: [wanted-1.9] [evil]
Attachment #210274 - Attachment is patch: false
(Reporter)

Comment 7

11 years ago
This got fixed on trunk between 2007-03-04 and 2007-03-05:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-03-04+04&maxdate=2007-03-05+09&cvsroot=%2Fcvsroot
It also doesn't crash anymore on the latest branch build.
So I think this was fixed by the fix for bug 372576.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Depends on: 372576
Flags: in-testsuite?
Resolution: --- → FIXED
verified fixed using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9b3pre) Gecko/2008010104 Minefield/3.0b3pre ID:2008010104 and the testcase. No Crash on testcase - changing bug to verified
Status: RESOLVED → VERIFIED
Flags: wanted1.9+
Whiteboard: [wanted-1.9] [evil] → [evil]
(Assignee)

Comment 9

5 years ago
Add crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1b8bb5a15307
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.