Closed Bug 330022 Opened 15 years ago Closed 15 years ago

CRASH using repeat + ul/li

Categories

(Core Graveyard :: XForms, defect, P2)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: allan, Assigned: aaronr)

References

Details

Attachments

(3 files)

Using repeats with ul/li makes FF crash:
###!!! ASSERTION: element not implementing nsIContent!?: 'content', file nsXTFFrameUtils.cpp, line 51
WARNING: NS_ENSURE_TRUE(aContent) failed: file nsFrameManager.cpp, line 338

Program dist/bin/firefox-bin (pid = 12691) received signal 11.
Stack:
UNKNOWN [dist/bin/libxul.so +0x0001F6CC]
__kernel_sigreturn+0x00000000 [ +0x00000420]
UNKNOWN [/store/mozilla/source/firefox/mozilla/dist/bin/components/libgklayout.so +0x000F5D36]
Attached file Testcase
Debugged it.  Looks like the problem is that for nsXFormsRepeatElement we don't have a GetInsertionPoint so we are falling into the default one (nsXFormsXMLVisualStub::GetInsertionPoint()) which returns null.
This patch fixes the problem with the first trap and gives the desired behavior.  But it seems like no matter what I set the insertion point to be, we crash closing the browser after loading a different repeat form (which I'll attach after this) and then closing the browser.  Maybe a ref count thing?
Apply the patch and build it.  Load this testcase then close the browser.  Browser crashes while closing.
I remeber fixing that InsertionPoint thing... maybe I should start doing things, instead of apparently just envisioning it :)

Except for crashing I guess the patch is fine. But I've been crashing on exit a lot lately using trunk, without having time to investigate it. Are you sure it is related?

BTW.: I'm not even sure that it is legal to have <ul> + <repeat> + <li> -- for the same reasons as <table> + <repeat> + <tr> is illegal. But we shouldn't crash on it...
(In reply to comment #5)

> Except for crashing I guess the patch is fine. But I've been crashing on exit a
> lot lately using trunk, without having time to investigate it. Are you sure it
> is related?
> 

I assume it is related since doing the same thing with this testcase w/o the patch doesn't crash.  But it is crashing during the javascript garbage collection so hard to pinpoint exactly what the object used to be that is no long behaving well.
Status: NEW → ASSIGNED
Blocks: 331209
Priority: -- → P2
Bug 306247 should take care of this.
Depends on: 306247
This is fixed by bug 306247
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.