Closed Bug 329762 Opened 19 years ago Closed 19 years ago

Crash with evil testcase, using rtl div with position:relative and more

Categories

(Core :: Layout, defect)

defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla1.9alpha1

People

(Reporter: martijn.martijn, Assigned: uriber)

Details

(4 keywords)

Attachments

(2 files)

See upcoming testcase which crashes Mozilla on load. Doesn't crash in 2006-02-21 build, crashes in 2006-02-22 build, I guess a regression from bug 299065.
Attached file testcase
Talkback ID: TB16085509M
0x00000000
nsIView::Destroy
nsSplittableFrame::Destroy
ViewportFrame::Destroy
ViewportFrame::Destroy
nsBlockFrame::RemoveFrame
nsFrameManager::RemoveFrame
nsCSSFrameConstructor::RecreateFramesForContent
nsCSSFrameConstructor::RestyleElement
0x015d7c58
0x8bdf75c0
Assignee: nobody → uriber
Much before crashing, I'm getting the following assertion:
###!!! ASSERTION: Allowed only one anonymous view between frames: 'ancestorView == view->GetParent()->GetParent()', file /Users/urib/mozilla/layout/generic/nsContainerFrame.cpp, line 272
FWIW, |view| here is the view associated with the PositionedInlineFrame corresponding to the DIV, and ancestorView (the view associated with parentFrame, which is the PositionedInlineFrame corresponding to the BODY) is nowhere to be found in the chain of |view|'s ancestors.
The crash itself happens when trying to destroy the view associated with the frame corresponding to the DIV, because this view was already destroyed as a child of another view (in nsView::~nsView), which I can't say much about.
I'm dumping all this information here in hope that this will mean something to someone. I haven't dealt with views before so I'm a bit lost. Anyway, I'll keep investigating.
OS: Windows XP → All
Hardware: PC → All
Martijn, could you please CC me on bug 321107 so I don't have to guess what it is?
(In reply to comment #3)
> Martijn, could you please CC me on bug 321107 so I don't have to guess what it is?
Done.
So, the problem is that the view of the inner inline (<div> in the testcase) still thinks that its parent is the view of the first continuation of the outer inline (<body> in this case), instead of the view of the second continuation.
Attached patch patch
Reparent views when splitting inlines.
Attachment #214437 - Flags: superreview?(bzbarsky)
Attachment #214437 - Flags: review?(bzbarsky)
Status: NEW → ASSIGNED
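
The stale-parent failure described in the comments above, and the effect of reparenting on split, as an added sketch that is not part of the original bug report and is not Gecko code. `View`, `ViewTree` and `innerViewSurvives` are hypothetical names for a toy model in which a view owns its children; the teardown order (first continuation destroyed before the inner frame) is an assumption of the sketch.

```cpp
#include <algorithm>
#include <cstdio>
#include <map>
#include <vector>

// Toy model: View and ViewTree are hypothetical names, not Gecko classes.
struct View { int parent = -1; std::vector<int> kids; };

struct ViewTree {
    std::map<int, View> live;  // views not yet destroyed, keyed by id
    int next = 0;
    int create(int parent) {
        int id = next++;
        live[id].parent = parent;
        if (parent >= 0) live.at(parent).kids.push_back(id);
        return id;
    }
    void unlink(int id) {  // remove id from its parent's child list, if the parent is alive
        auto p = live.find(live.at(id).parent);
        if (p == live.end()) return;
        auto& k = p->second.kids;
        k.erase(std::remove(k.begin(), k.end(), id), k.end());
    }
    void destroy(int id) {  // a view owns its children: destroying it destroys them too
        std::vector<int> kids = live.at(id).kids;  // copy, because children unlink themselves
        for (int k : kids) destroy(k);
        unlink(id);
        live.erase(id);
    }
    void reparent(int id, int newParent) {
        unlink(id);
        live.at(id).parent = newParent;
        live.at(newParent).kids.push_back(id);
    }
};

// Is the inner inline's view still alive when its own frame comes to destroy it?
// false models the crash: the frame destroys a view its stale parent already freed.
bool innerViewSurvives(bool reparentOnSplit) {
    ViewTree t;
    int root = t.create(-1);
    int outerFirst = t.create(root);    // outer inline, first continuation
    int inner = t.create(outerFirst);   // inner inline, created before the split
    int outerSecond = t.create(root);   // split: inner's frame moves to this continuation
    if (reparentOnSplit) t.reparent(inner, outerSecond);
    t.destroy(outerFirst);              // assumed teardown order for this sketch
    return t.live.count(inner) == 1;
}

int main() {
    std::printf("no reparent: %d, reparent: %d\n", innerViewSurvives(false), innerViewSurvives(true));
}
```
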
Comment on attachment 214437: patch
Makes sense.
Attachment #214437 - Flags: superreview?(bzbarsky)
Attachment #214437 - Flags: superreview+
Attachment #214437 - Flags: review?(bzbarsky)
Attachment #214437 - Flags: review+
Checked in
Checking in layout/base/nsBidiPresUtils.cpp;
/cvsroot/mozilla/layout/base/nsBidiPresUtils.cpp,v <-- nsBidiPresUtils.cpp
new revision: 1.66; previous revision: 1.65
done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9alpha
Verified FIXED with build 2006-03-09-09 of SeaMonkey trunk under Windows XP with the testcase at: https://bugzilla.mozilla.org/attachment.cgi?id=214421&action=view
Status: RESOLVED → VERIFIED
Mass-assigning the new rtl keyword to RTL-related (see bug 349193).
Keywords: rtl