Closed Bug 330903 Opened 20 years ago Closed 20 years ago

[FIX]Crash with evil testcase, using html, xforms elements in xul document

Categories

(Core :: Layout, defect, P1)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: martijn.martijn, Assigned: bzbarsky)

Details

(4 keywords)

Attachments

(2 files)

testcase
509 bytes, application/vnd.mozilla.xul+xml
Details
Proposed fix
2.76 KB, patch
roc
: review+
roc
: superreview+
roc
: approval-branch-1.8.1+
Details | Diff | Splinter Review
See upcoming testcase, which crashes current trunk Mozilla build on load. You must have the xforms extension installed to get the crash. Not sure if this is in fact a layout bug, maybe it's an xforms bug (then please reassign), but the crash is happening in layout code at least. Seems a regression, doesn't crash in 2006-02-22 build, crashes in 2006-02-23 build: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-02-22+08&maxdate=2006-02-23+10&cvsroot=%2Fcvsroot Regression from bug 307421? I can't get it to crash in my debug build, there I only get an assertion: ###!!! ASSERTION: should have a parent frame: 'docParentFrame', file c:/mozilla/ mozilla/layout/base/nsCSSFrameConstructor.cpp, line 8283 Also cc-ing Allan, I heard he was interested in fixing fuzzy bugs ;)
Attached file testcase
The testcase crashes immediately after loading for me.
Talkback ID: TB16516955Y nsLayoutUtils::GetFloatFromPlaceholder
(In reply to comment #0) > I can't get it to crash in my debug build, there I only get an assertion: > ###!!! ASSERTION: should have a parent frame: 'docParentFrame', file > c:/mozilla/ > mozilla/layout/base/nsCSSFrameConstructor.cpp, line 8283 Crashes just fine for me on my debug trunk build :( > Also cc-ing Allan, I heard he was interested in fixing fuzzy bugs ;) heh. Unfortunately on a more long term basis, I'm quite bogged down by extension/xforms land right now.
Is XTF involved in the testcase in question?
(In reply to comment #4) > Is XTF involved in the testcase in question? It's hard to avoid XTF when you use XForms :) The testcase creates a "just_some_random_name" element in the XForms namespace so it hits our (XTF) element factory ... I wonder what it gets back. A null pointer?
(In reply to comment #5) > (In reply to comment #4) > > Is XTF involved in the testcase in question? > > It's hard to avoid XTF when you use XForms :) > > The testcase creates a "just_some_random_name" element in the XForms namespace > so it hits our (XTF) element factory ... I wonder what it gets back. A null > pointer? Yes, it sure does. Something inside XTF should handle that and insert a "dummy element". We can do that in our element factory, but it should be the core handling that.
We probably create an element _somehow_. I'd be interested in seeing what the frame dump looks like before the styles are added... That said, though, is the fact that the root is "isindex" actually relevant in this bug? And the fact that the document is XUL and not XML?
Wait. Where do we get a null pointer? What does the content model look like for this testcase?
(In reply to comment #8) > Wait. Where do we get a null pointer? nsLayoutUtils::GetFloatFromPlaceholder() calls PlaceholderFrame::GetRealFrameForPlaceholder(aFrame), which returns null. But the real problem is probably earlier: "ASSERTION: should have a parent frame: 'docParentFrame', file nsCSSFrameConstructor.cpp, line 8289" inside nsCSSFrameConstructor::ReconstructDocElementHierarchy() where "nsIFrame* docParentFrame = docElementFrame->GetParent()" apparently return null. > What does the content model look like for this testcase? Is there an easy way to figure that out? :)
OS: Windows XP → All
Hardware: PC → All
Attached patch Proposed fixSplinter Review
Attachment #216995 - Flags: superreview?(roc)
Attachment #216995 - Flags: review?(roc)
Assignee: nobody → bzbarsky
Priority: -- → P1
Summary: Crash with evil testcase, using html, xforms elements in xul document → [FIX]Crash with evil testcase, using html, xforms elements in xul document
Target Milestone: --- → mozilla1.9alpha
Attachment #216995 - Flags: superreview?(roc)
Attachment #216995 - Flags: superreview+
Attachment #216995 - Flags: review?(roc)
Attachment #216995 - Flags: review+
Fixed. roc, do you think we should get this in on branches?
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Yes, if no regressions surface. I'm pretty sure the problems this hack was supposed to work around were gone before 1.8.
Attachment #216995 - Flags: approval-branch-1.8.1?(roc)
Attachment #216995 - Flags: approval-branch-1.8.1?(roc) → approval-branch-1.8.1+
This seems a little scary to me -- brings back memories of crashes related to popupsets. And I don't recall any improvements to management of popupsets or whatever other weird stuff happens in that area. Although if the only difference is destroying the scrollframe, maybe that's not an issue. In any case, I didn't dig in to the CVS history for why the change was made originally, although I do vaguely remember it.
For what it's worth, roc and I did dig into the CVS history, and the frame tree issues the original patch addresses are gone now...
Fixed on branch 1.8 branch.
Keywords: fixed1.8.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: