CRASH using repeat + ul/li

RESOLVED FIXED

Status

Core Graveyard
XForms
P2
normal
RESOLVED FIXED
11 years ago
10 months ago

People

(Reporter: Allan Beaufour, Assigned: aaronr)

Tracking

Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments)

(Reporter)

Description

11 years ago
Using repeats with ul/li makes FF crash:
###!!! ASSERTION: element not implementing nsIContent!?: 'content', file nsXTFFrameUtils.cpp, line 51
WARNING: NS_ENSURE_TRUE(aContent) failed: file nsFrameManager.cpp, line 338

Program dist/bin/firefox-bin (pid = 12691) received signal 11.
Stack:
UNKNOWN [dist/bin/libxul.so +0x0001F6CC]
__kernel_sigreturn+0x00000000 [ +0x00000420]
UNKNOWN [/store/mozilla/source/firefox/mozilla/dist/bin/components/libgklayout.so +0x000F5D36]
(Reporter)

Comment 1

11 years ago
Created attachment 214661 [details]
Testcase
(Assignee)

Comment 2

11 years ago
Debugged it.  Looks like the problem is that for nsXFormsRepeatElement we don't have a GetInsertionPoint so we are falling into the default one (nsXFormsXMLVisualStub::GetInsertionPoint()) which returns null.
(Assignee)

Comment 3

11 years ago
Created attachment 214705 [details] [diff] [review]
patch that fixes problem, but also traps on other testcases

This patch fixes the problem with the first trap and gives the desired behavior.  But it seems like no matter what I set the insertion point to be, we crash closing the browser after loading a different repeat form (which I'll attach after this) and then closing the browser.  Maybe a ref count thing?
(Assignee)

Comment 4

11 years ago
Created attachment 214706 [details]
testcase crashes with new patch

Apply the patch and build it.  Load this testcase then close the browser.  Browser crashes while closing.
(Reporter)

Comment 5

11 years ago
I remeber fixing that InsertionPoint thing... maybe I should start doing things, instead of apparently just envisioning it :)

Except for crashing I guess the patch is fine. But I've been crashing on exit a lot lately using trunk, without having time to investigate it. Are you sure it is related?

BTW.: I'm not even sure that it is legal to have <ul> + <repeat> + <li> -- for the same reasons as <table> + <repeat> + <tr> is illegal. But we shouldn't crash on it...
(Assignee)

Comment 6

11 years ago
(In reply to comment #5)

> Except for crashing I guess the patch is fine. But I've been crashing on exit a
> lot lately using trunk, without having time to investigate it. Are you sure it
> is related?
> 

I assume it is related since doing the same thing with this testcase w/o the patch doesn't crash.  But it is crashing during the javascript garbage collection so hard to pinpoint exactly what the object used to be that is no long behaving well.
(Assignee)

Updated

11 years ago
Status: NEW → ASSIGNED
(Reporter)

Updated

11 years ago
Blocks: 331209
(Reporter)

Updated

11 years ago
Priority: -- → P2
(Reporter)

Comment 7

11 years ago
Bug 306247 should take care of this.
Depends on: 306247
(Reporter)

Comment 8

11 years ago
This is fixed by bug 306247
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.