Closed
Bug 329762
Opened 18 years ago
Closed 18 years ago
Crash with evil testcase, using rtl div with position:relative and more
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
VERIFIED
FIXED
mozilla1.9alpha1
People
(Reporter: martijn.martijn, Assigned: uriber)
References
Details
(4 keywords)
Attachments
(2 files)
|
365 bytes,
text/html
|
Details | |
|
1.70 KB,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
See upcoming testcase which crashes Mozilla on load. Doesn't crash in 2006-02-21 build, crashes in 2006-02-22 build, I guess a regression from bug 299065.
|
Reporter | |
Comment 1•18 years ago
|
||
Talkback ID: TB16085509M 0x00000000 nsIView::Destroy nsSplittableFrame::Destroy ViewportFrame::Destroy ViewportFrame::Destroy nsBlockFrame::RemoveFrame nsFrameManager::RemoveFrame nsCSSFrameConstructor::RecreateFramesForContent nsCSSFrameConstructor::RestyleElement 0x015d7c58 0x8bdf75c0
|
Assignee | |
Updated•18 years ago
|
Assignee: nobody → uriber
|
|
Assignee | |
Comment 2•18 years ago
|
||
Much before crashing, I'm getting the following assertion: ###!!! ASSERTION: Allowed only one anonymous view between frames: 'ancestorView == view->GetParent()->GetParent()', file /Users/urib/mozilla/layout/generic/nsContainerFrame.cpp, line 272 FWIW, |view| here is the view associated with the PositionedInlineFrame corresponding to the DIV, and ancestorView (the view associated with parentFrame, which is the PositionedInlineFrame corresponding to the BODY) is nowhere to be found in the chain of |view|'s ancestors. The crash itslef happens when trying to destroy the view associated with the frame corresponding to the DIV, because this view was already destroyed as a child of another view (in nsView::~nsView), which I can't say much about. I'm dumping all this information here in hope that this will mean something to someone. I haven't dealt with views before so I'm a bit lost. Anyway, I'll keep investigating.
OS: Windows XP → All
Hardware: PC → All
|
|
Reporter | |
Updated•18 years ago
|
Blocks: ajax-demolisher
|
|
Assignee | |
Comment 3•18 years ago
|
||
Martijn, could you please CC me on bug 321107 so I don't have to guess what it is?
|
|
Reporter | |
Comment 4•18 years ago
|
||
(In reply to comment #3) > Martijn, could you please CC me on bug 321107 so I don't have to guess what it > is? Done.
|
|
Assignee | |
Comment 5•18 years ago
|
||
So, the problem is that the view of the inner inline (<div> in the testcase) still thinks that its parent is the view of the first continuation of the outer inline (<body> in this case), instead of the view of the second continuation.
|
|
Assignee | |
Comment 6•18 years ago
|
||
Reparent views when splitting inlines.
Attachment #214437 -
Flags: superreview?(bzbarsky)
Attachment #214437 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Updated•18 years ago
|
Status: NEW → ASSIGNED
|
||
Comment 7•18 years ago
|
||
Comment on attachment 214437 [details] [diff] [review] patch Makes sense.
Attachment #214437 -
Flags: superreview?(bzbarsky)
Attachment #214437 -
Flags: superreview+
Attachment #214437 -
Flags: review?(bzbarsky)
Attachment #214437 -
Flags: review+
|
|
Assignee | |
Comment 8•18 years ago
|
||
Checked in Checking in layout/base/nsBidiPresUtils.cpp; /cvsroot/mozilla/layout/base/nsBidiPresUtils.cpp,v <-- nsBidiPresUtils.cpp new revision: 1.66; previous revision: 1.65 done
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9alpha
|
||
Comment 9•18 years ago
|
||
Verified FIXED with build 2006-03-09-09 of SeaMonkey trunk under Windows XP with the testcase at: https://bugzilla.mozilla.org/attachment.cgi?id=214421&action=view
Status: RESOLVED → VERIFIED
|
||
Comment 10•16 years ago
|
||
Mass-assigning the new rtl keyword to RTL-related (see bug 349193).
Keywords: rtl
You need to log in
before you can comment on or make changes to this bug.
Description
•