Closed Bug 329692 Opened 17 years ago Closed 17 years ago

Crash using canvas style display:table-footer-group and font display:table and more

Categories

(Core :: Layout: Tables, defect)

x86
Windows XP
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: bernd_mozilla)

References

Details

(5 keywords)

Attachments

(2 files)

See upcoming testcase, which crashes on load.

This regressed between 2005-11-30 and 2005-12-15 (Ria, could you minimise the regression period more?)
Attached file testcase
Talkback ID: TB16069311Q

nsTableRowGroupFrame::GetRowCount   nsTableFrame::GetAscent   nsTableOuterFrame::Reflow   0x0012e584
0x0259bb4c
0x0259b0a8
0x0259af04
0x02585f1c
0x02586064
no need to reduce the regression window, 
Canvas is tag based frame creation it should be mentioned inside IsSpecialContent.
Attached patch patchSplinter Review
Assignee: nobody → bernd_mozilla
Status: NEW → ASSIGNED
Vladimir this is bug/omission in the frame constructor part of the html canvas implementation. EVERY frame where the frame construction is not controlled by the display-type needs to be mentioned in IsSpecialContent otherwise Martijn will sooner or later create a crash testcase for this. Isn't Canvas on the 1.8 branches?
(In reply to comment #4)
> Vladimir this is bug/omission in the frame constructor part of the html canvas
> implementation. EVERY frame where the frame construction is not controlled by
> the display-type needs to be mentioned in IsSpecialContent otherwise Martijn
> will sooner or later create a crash testcase for this. Isn't Canvas on the 1.8
> branches?

Sure, I must've missed that part in the new-frame-implementation documentation.  Yes, we should land this on 1.8.0/1.8.1 as well as the trunk.
Comment on attachment 214399 [details] [diff] [review]
patch

Boris, this are the usual suspects..., (I know we need to rewrite it, but I have no idea how to do it)
Attachment #214399 - Flags: superreview?(bzbarsky)
Attachment #214399 - Flags: review?(bzbarsky)
> Sure, I must've missed that part in the new-frame-implementation documentation.

Which documentation is that?  Chances are it predates the existence of IsSpecialContent.
Comment on attachment 214399 [details] [diff] [review]
patch

r+sr=bzbarsky, and approved for 1.8.1 branch too.  Seeking 1.8.0.x approval; if not 1.8.0.2 then 1.8.0.3.  This is a very safe patch that prevents your usual deleted-object-deref type crashes.
Attachment #214399 - Flags: superreview?(bzbarsky)
Attachment #214399 - Flags: superreview+
Attachment #214399 - Flags: review?(bzbarsky)
Attachment #214399 - Flags: review+
Attachment #214399 - Flags: approval1.8.0.2?
Attachment #214399 - Flags: approval-branch-1.8.1+
Comment on attachment 214399 [details] [diff] [review]
patch

Too late for 1.8.0.2.  We have final bits.  "?"ing for  1.8.0.3.
Attachment #214399 - Flags: approval1.8.0.3?
Attachment #214399 - Flags: approval1.8.0.2?
Attachment #214399 - Flags: approval1.8.0.2-
fix checked in on trunk and 1.8 branch
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Verified FIXED using SeaMonkey trunk build 2006-03-13-09 on Windows XP trunk with https://bugzilla.mozilla.org/attachment.cgi?id=214380&action=view as the testcase.
Status: RESOLVED → VERIFIED
Comment on attachment 214399 [details] [diff] [review]
patch

Please check in promptly on the 1.8.0 branch.  Thanks!
Attachment #214399 - Flags: approval1.8.0.3? → approval1.8.0.3+
fixed on the 1.8.0 branch
Keywords: fixed1.8.0.3
v.fixed on 1.8.0 branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4, no crash with testcase.
You need to log in before you can comment on or make changes to this bug.