Closed Bug 338674 Opened 18 years ago Closed 18 years ago

Crash [@ nsCSSFrameConstructor::ConstructFrame] involving DOMAttributeModified event and some xul:nativescrollbar (!)

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
PowerPC
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jruderman, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical])

Crash Data

Attachments

(6 files)

testcase - further DOM mutations (crashes Firefox)
742 bytes, application/xhtml+xml
Details
stack trace (mac debug)
7.19 KB, text/plain
Details
testcase - close the window during the event
827 bytes, application/xhtml+xml
Details
testcase - alert() during the event
833 bytes, application/xhtml+xml
Details
stack trace: nsIFrame::GetContent, nsGfxScrollFrameInner::SetCoordAttribute, ...
36.23 KB, text/plain
Details
stack trace: nsCachedStyleData::GetStyleData
8.93 KB, text/plain
Details 
Loading the testcase makes Firefox crash.  Tested with Firefox trunk 2006-05-17 on Mac.

I'm not sure why a DOMAttributeModified event is fired here at all.  It seems to be fired at a <xul:nativescrollbar> element for an "orient" attribute and a "sborient" attribute.  In fact, I don't know if XHTML pages are supposed to know about our scrollbar implementation at all.

    
  
Summary: Crash [@ nsCSSFrameConstructor::ConstructFrame] involving DOMAttributeModified event → Crash [@ nsCSSFrameConstructor::ConstructFrame] involving DOMAttributeModified event and some xul:nativescrollbar (!)

    
  

        Attachment #222736 -
        Attachment description: testcase (crashes Firefox) → testcase - further DOM mutations (crashes Firefox)

    
    

    
  


  

    
    

    
  
All three testcases cause crashes, but with different signatures.  I'm assuming the root cause is the same.

The alert one also causes

###!!! ASSERTION: reflowing in the middle of frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file ../../dist/include/layout/nsPresContext.h, line 833
###!!! ASSERTION: painting in the middle of frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file ../../dist/include/layout/nsPresContext.h, line 825


    
    

    
  
[sg:critical] based on the last two stack traces.

CCing dbaron because he loves "painting in the middle of frame construction" (etc) bugs.
Whiteboard: [sg:critical]

    
    

    
  
WFM, the event doesn't seem to be firing any more.  Sicking thought the fix for bug 328885 might have been what fixed this, but that was fixed before this was filed.

    
    

    
  
This bug went away between June 1 and June 2 (Mac nightlies).  Could this have been fixed by the patch for bug 90983, "Why check for mutationlisteners during initial page load?"?

    
    

    
  
Yes, it is not unlikely that that bug fixed it.

    
    

    
  
But I am supriced bug 328885 didn't fix it, i need to investigate further.

    
    

    
  
Marking WFM.  I filed bug 345952 for the investigation mentioned in comment 12.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
Group: core-security
Flags: wanted1.8.1.x-

    
    

    
  
Checked in the first testcase as a crashtest.  The other testcases are too disruptive for easy automated testing.
Flags: in-testsuite+
Crash Signature: [@ nsCSSFrameConstructor::ConstructFrame]
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: