326529 - Crash when setting ordinal and hidden property on tooltip

Status: VERIFIED FIXED

(Core :: Layout, defect)

Description

[Martijn Wargers (dead)]

See upcoming testcase, it crashes on load. It also crashes Mozilla1.7.12.

Talkback ID TB14947889K

I guess this depends on bug 324721.

Comment 1

[Martijn Wargers (dead)]

Attachment: testcase (crashes on load)

Comment 2

[Martijn Wargers (dead)]

Attachment: bt (from old debug build)

This is a backtrace for an old (and mutilated) debug build, it might be useful, still:
First, I get an assertion:
###!!! ASSERTION: aChild not in frame list?: 'foundPrevSib', file c:/mozilla/moz
illa/layout/xul/base/src/nsBoxFrame.cpp, line 2362
Break: at file c:/mozilla/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 2362

And then then the crash:
Program received signal SIGSEGV, Segmentation fault.
0x056cb242 in nsIFrame::GetNextSibling() const (this=0xdddddddd)
    at c:/mozilla/mozilla/layout/generic/nsIFrame.h:681
warning: Source file is more recent than executable.

681                                   const nsRect&           aDirtyRect,
Current language:  auto; currently c++
(gdb) bt
#0  0x056cb242 in nsIFrame::GetNextSibling() const (this=0xdddddddd)
    at c:/mozilla/mozilla/layout/generic/nsIFrame.h:681
#1  0x050201ac in nsFrameList::GetPrevSiblingFor(nsIFrame*) const (
    this=0xe6277d4, aFrame=0xe627e9c)
    at c:/mozilla/mozilla/layout/generic/nsFrameList.cpp:516
#2  0x0501f5ce in nsFrameList::RemoveFrame(nsIFrame*, nsIFrame*) (
    this=0xe6277d4, aFrame=0xe627e9c, aPrevSiblingHint=0x0)
    at c:/mozilla/mozilla/layout/generic/nsFrameList.cpp:203

Comment 3

[Martijn Wargers (dead)]

From the Talkback ID:
0x00000000
nsSprocketLayout::GetAscent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 1564]
nsBoxFrame::GetAscent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 946]
nsSprocketLayout::Layout  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 260]
nsBoxFrame::DoLayout  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1065]
nsBoxFrame::DoLayout  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1065]
nsRootBoxFrame::Reflow  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsRootBoxFrame.cpp, line 217]
nsContainerFrame::ReflowChild  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 742]
ViewportFrame::Reflow  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsViewportFrame.cpp, line 243]
IncrementalReflow::Dispatch  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 861]
PresShell::ProcessReflowCommands  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6522]
PresShell::WillPaint  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6198]
HandleEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 176]
nsWindow::DispatchEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1169]
nsWindow::ProcessMessage  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4294]
nsWindow::WindowProc  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1358]
USER32.dll + 0x27b17 (0x77d37b17)
USER32.dll + 0x2cdce (0x77d3cdce)
USER32.dll + 0x459d (0x77d1459d)
USER32.dll + 0x47b4 (0x77d147b4)
ntdll.dll + 0x2589f (0x77f6589f)
USER32.dll + 0x9611 (0x77d19611)
nsAppStartup::Run  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 162]
main  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x1eb69 (0x77e5eb69)

Comment 4

[Mats Palmgren (inactive)]

Attachment: Frame dump, before and after RelayoutChildAtOrdinal()

The problem is that the tooltip is out-of-flow and lives on the 
PopupFrameList of the PopupSet although its parent is the
DocElementBox. It does not exist on the normal flow child list
of the DocElementBox and if a frame can't be found by
RelayoutChildAtOrdinal() it's inserted as the first child.

The problem is that now both the DocElementBox and the PopupSet
thinks they own it and if either destroys the frame the other
will still refer to the destroyed frame...

Comment 5

[Mats Palmgren (inactive)]

Attachment: Patch rev. 1

Move the placeholder instead.

Comment 6

[Mats Palmgren (inactive)]

Attachment: Frame dump, with patch rev. 1

Comment 7

[Martijn Wargers (dead)]

Mats, the patch never got checked in, right? (I still crash with the testcase)
Are you planning on getting it checked in or did you forget?

Comment 8

[Boris Zbarsky [:bzbarsky]]

Attachment: Merged to tip

Comment 9

[Boris Zbarsky [:bzbarsky]]

Fixed on trunk.  This is something we should consider for the branches, probably.

Comment 10

[Stephen Donner [:stephend] Not actively reading bugmail]

Verified FIXED: no crash with trunk SeaMonkey 1.5a;Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060403 SeaMonkey/1.5a

Comment 11

[Boris Zbarsky [:bzbarsky]]

Fixed on the 1.8 branch.

Comment 12

[Daniel Veditz [:dveditz]]

Comment on attachment 216994 [details] [diff] [review]
Merged to tip

approved for 1.8.0 branch, a=dveditz for drivers (we assume 1.8.0 needs this merged patch, if not we approve the older one).

Comment 13

[Boris Zbarsky [:bzbarsky]]

Fixed on 1.8.0 branch.

Comment 14

[juan becerra [:juanb]]

Also verified using test case provided on these builds: 

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4