Closed Bug 325377 Opened 19 years ago Closed 18 years ago

Crash on reload with evil xul textcase, using menulist and nested tooltips

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)

References

(Depends on 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [evil])

Attachments

(2 files)

testcase (crashes on reload)
518 bytes, application/vnd.mozilla.xul+xml
Details
backtrace
16.67 KB, text/plain
Details
See upcoming testcase, which crashes on reload. Doesn't crash in 2004-07-11 build, crashes in 2004-07-18 build (Ria, you have builds in that area to narrow it down further?)
Attached file backtrace
This is the backtrace, that I get, first I get an assertion: ###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file c:/mozill a/mozilla/layout/generic/nsPlaceholderFrame.h, line 121 Break: at file c:/mozilla/mozilla/layout/generic/nsPlaceholderFrame.h, line 121 Then the crash itself: Program received signal SIGSEGV, Segmentation fault. 0x055eb10e in nsIFrame::GetStyleData(nsStyleStructID) const (this=0x0, aSID=eStyleStruct_Display) at c:/mozilla/mozilla/layout/generic/nsIFrame.h:595 warning: Source file is more recent than executable. 595 #undef STYLE_STRUCT Current language: auto; currently c++ (gdb) bt #0 0x055eb10e in nsIFrame::GetStyleData(nsStyleStructID) const (this=0x0, aSID=eStyleStruct_Display) at c:/mozilla/mozilla/layout/generic/nsIFrame.h:595 #1 0x055eb31d in nsIFrame::GetStyleDisplay() const (this=0x0) at c:/mozilla/mozilla/layout/style/nsStyleStructList.h:90 #2 0x04ea5e38 in DoDeletingFrameSubtree(nsPresContext*, nsIPresShell*, nsFrameM anager*, nsVoidArray&, nsIFrame*, nsIFrame*) (aPresContext=0x1004e658, aPresShell=0x10341688, aFrameManager=0x103416a4, aDestroyQueue=@0x22e588, aRemovedFrame=0x103970e4, aFrame=0x103970e4) at c:/mozilla/mozilla/layout/base/nsCSSFrameConstructor.cpp:9649 #3 0x04ea5ff4 in DeletingFrameSubtree(nsPresContext*, nsIPresShell*, nsFrameMan ager*, nsIFrame*) (aPresContext=0x1004e658, aPresShell=0x10341688, aFrameManager=0x103416a4, aFrame=0x103970e4) at c:/mozilla/mozilla/layout/base/nsCSSFrameConstructor.cpp:9710
(In reply to comment #0) > Doesn't crash in 2004-07-11 build, crashes in 2004-07-18 build (Ria, you have > builds in that area to narrow it down further?) > No, I have only the same ones.
I bet fixing bug 324721 will help. Or at least make it clearer what's going on here.
Depends on: 324721
Blocks: ajax-demolisher
doesn't look like this will make 1.9a1, but may try for a2
Flags: blocking1.9a2?
Flags: blocking1.9a2? → blocking1.9+
Whiteboard: [wanted-1.9] [evil]
Attachment #210274 - Attachment is patch: false
This got fixed on trunk between 2007-03-04 and 2007-03-05: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-03-04+04&maxdate=2007-03-05+09&cvsroot=%2Fcvsroot It also doesn't crash anymore on the latest branch build. So I think this was fixed by the fix for bug 372576.
Status: NEW → RESOLVED
Closed: 18 years ago
Depends on: 372576
Flags: in-testsuite?
Resolution: --- → FIXED
verified fixed using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9b3pre) Gecko/2008010104 Minefield/3.0b3pre ID:2008010104 and the testcase. No Crash on testcase - changing bug to verified
Status: RESOLVED → VERIFIED
Flags: wanted1.9+
Whiteboard: [wanted-1.9] [evil] → [evil]
Add crashtest: https://hg.mozilla.org/integration/mozilla-inbound/rev/1b8bb5a15307
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: