Closed
Bug 331679
Opened 19 years ago
Closed 19 years ago
Crash involving ::-moz-table-row-group, overflow, position, and opacity [@ nsIView::GetOffsetTo]
Categories: Core :: Layout: Tables, defect
RESOLVED FIXED
People: Reporter: jruderman, Assigned: bernd_mozilla
Details: 4 keywords, Whiteboard: [sg:critical]
Attachments (5 files)
652 bytes, application/xhtml+xml
312 bytes, text/xml
383 bytes, text/xml
5.79 KB, patch (bzbarsky: review+, bzbarsky: superreview+, roc: approval-branch-1.8.1+, dveditz: approval1.8.0.5+)
3.85 KB, patch
[sg:critical] because before I reduced the testcase, I got crashes with random addresses on top. The only reduced testcases I managed to make were for nondeterministic null dereferences, so I will retest with the original file once this is fixed.
Stack signatures (functions on top of the stack) included:
[@ nsIView::GetOffsetTo]
[@ nsCSSFrameConstructor::BeginBuildingScrollFrame] -- with random at top
[@ nsCSSFrameConstructor::ContentInserted]
[@ nsHTMLContainerFrame::CreateViewForFrame]
[@ IncrementalReflow::AddCommand]
[@ nsHTMLReflowState::InitConstraints]
Comment 1 • 19 years ago (Reporter)
Usually crashes after about 10 reloads.
Updated • 19 years ago (Reporter)
Whiteboard: [sg:critical]
###!!! ASSERTION: unexpected second call to SetInitialChildList: 'Not Reached',
file d:/moz_src/mozilla/layout/generic/nsContainerFrame.cpp, line 108
This happens on the scroll frame around the rowgroup which is an abs. containing block.
Updated • 19 years ago (Reporter)
Blocks: randomclasses
Comment 3 • 19 years ago
So what's GetAbsoluteContainingBlock returning here, and why?
Depends on: 330909
Updated • 19 years ago
Flags: blocking1.9a1?
Rowgroup pseudos are the parent frames at pseudoFrames.mRowGroup.mFrame. If we build however a scrollframe for the rowgroup, we have the scrollframe there and then we put the row on the childlist of the.... scrollframe already occupied by the rowgroupframe. (The typical case of: NOBODY expects the Spanish Inquisition!)
This code has been wrong since it was written; the typical effect is that we lose the rowframe and all its children. Then it's only a question of what you stuffed inside this row to determine where we crash: abs. pos with opacity seems nice, the abs. pos animated gif should work too. I guess we need to get this, once it has baked, back to branches.
Attachment #219269 - Flags: superreview?(bzbarsky)
Attachment #219269 - Flags: review?(bzbarsky)
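A simplified model of the parenting mistake described in the comment above, added here as an illustration. It is not Gecko source and not the attached patch; every type and function name is hypothetical, and the "fixed" path is only one way to resolve the wrapper.

```cpp
#include <string>
#include <vector>

// Toy model only; every name here is hypothetical, none of this is Gecko source.
struct Frame {
    std::string kind;                 // "scroll", "rowgroup" or "row"
    std::vector<Frame*> children;
    int rejectedSecondCalls = 0;      // stands in for the assertion firing

    // The initial child list may be set once; a second call is rejected
    // and the frames passed in are never linked into the tree.
    bool SetInitialChildList(const std::vector<Frame*>& kids) {
        if (!children.empty()) { ++rejectedSecondCalls; return false; }
        children = kids;
        return true;
    }
};

// Slot that later code assumes holds the pseudo row group's frame.
struct PseudoSlot { Frame* mFrame; };

// Overflow on the row group: a scroll frame wraps it, and the wrapper
// (not the row group) ends up stored in the slot.
void WrapInScrollFrame(PseudoSlot& slot, Frame& scroll, Frame& rowGroup) {
    scroll.SetInitialChildList({&rowGroup});
    slot.mFrame = &scroll;
}

// Flawed flush: trusts the slot to be the row group itself.
bool FlushRowsBuggy(PseudoSlot& slot, Frame& row) {
    return slot.mFrame->SetInitialChildList({&row});
}

// Corrected flush: step through a scroll wrapper to the frame it scrolls.
bool FlushRowsFixed(PseudoSlot& slot, Frame& row) {
    Frame* target = slot.mFrame;
    if (target->kind == "scroll" && !target->children.empty())
        target = target->children[0];
    return target->SetInitialChildList({&row});
}

// True if `target` is linked anywhere below `root`.
bool Reachable(const Frame* root, const Frame* target) {
    for (const Frame* c : root->children)
        if (c == target || Reachable(c, target)) return true;
    return false;
}
```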
Updated • 19 years ago
Attachment #219269 - Flags: superreview?(bzbarsky)
Attachment #219269 - Flags: superreview+
Attachment #219269 - Flags: review?(bzbarsky)
Attachment #219269 - Flags: review+
fix checked in, open for some stress tests by Jesse
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated • 19 years ago (Reporter)
Flags: blocking1.8.0.5?
Updated • 18 years ago
Flags: blocking1.8.0.5? → blocking1.8.0.5+
Attachment #219269 - Flags: approval-branch-1.8.1?(roc)
Attachment #219269 - Flags: approval-branch-1.8.1?(roc) → approval-branch-1.8.1+
Comment 7 • 18 years ago
Comment on attachment 219269
patch
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #219269 - Flags: approval1.8.0.5+
fix checked in into branches
Keywords: fixed1.8.0.5, fixed1.8.1
Comment 9 • 18 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US;
rv:1.8.0.5) Gecko/20060626 Firefox/1.5.0.5, no crash with testcase.
Keywords: fixed1.8.0.5 → verified1.8.0.5
Comment 10 • 18 years ago
(In reply to comment #0)
> [sg:critical] because before I reduced the testcase, I got crashes with random
> addresses on top. The only reduced testcases I managed to make were for
> nondeterministic null dereferences, so I will retest with the original file
> once this is fixed.
Jesse: Do you still have the original testcase, and if so did this really fix it?
asac: I don't think anyone tested this on the 1.7 branch.
Comment 11 • 18 years ago (Reporter)
I think I tested the original testcase (and various intermediate testcases) shortly after this was fixed and didn't hit any more crashes. I think the more recent fix for bug 331883 affects how Gecko thinks about this testcase.
Comment 12 • 18 years ago
Comment 13 • 18 years ago
https://bugzilla.mozilla.org/attachment.cgi?id=216197
ff2b2 no crash windows, linux, macppc
https://bugzilla.mozilla.org/attachment.cgi?id=216414&action=view
ff2b2 windows, linux, macppc no crash; windows, linux no assert
https://bugzilla.mozilla.org/attachment.cgi?id=219177
ff2b2 windows, linux, macppc; windows, linux no assert
Keywords: fixed1.8.1 → verified1.8.1
Comment 14 • 18 years ago
verified fixed 1.8
Updated • 18 years ago
Flags: blocking1.9a1?
Updated • 17 years ago
Group: security
Flags: in-testsuite?
Comment 16 • 17 years ago (Reporter)
The crashtests trigger CSS errors because bug 331883 has been fixed -- web pages cannot reference these internal pseudo-elements at all.
Updated • 13 years ago
Crash Signature: [@ nsIView::GetOffsetTo]