Closed Bug 338674 Opened 15 years ago Closed 15 years ago

Crash [@ nsCSSFrameConstructor::ConstructFrame] involving DOMAttributeModified event and some xul:nativescrollbar (!)

Categories

(Core :: DOM: Core & HTML, defect)

PowerPC
macOS
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: jruderman, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical])

Crash Data

Attachments

(6 files)

Loading the testcase makes Firefox crash.  Tested with Firefox trunk 2006-05-17 on Mac.

I'm not sure why a DOMAttributeModified event is fired here at all.  It seems to be fired at a <xul:nativescrollbar> element for an "orient" attribute and a "sborient" attribute.  In fact, I don't know if XHTML pages are supposed to know about our scrollbar implementation at all.
Summary: Crash [@ nsCSSFrameConstructor::ConstructFrame] involving DOMAttributeModified event → Crash [@ nsCSSFrameConstructor::ConstructFrame] involving DOMAttributeModified event and some xul:nativescrollbar (!)
Attachment #222736 - Attachment description: testcase (crashes Firefox) → testcase - further DOM mutations (crashes Firefox)
All three testcases cause crashes, but with different signatures.  I'm assuming the root cause is the same.

The alert one also causes

###!!! ASSERTION: reflowing in the middle of frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file ../../dist/include/layout/nsPresContext.h, line 833
###!!! ASSERTION: painting in the middle of frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file ../../dist/include/layout/nsPresContext.h, line 825
[sg:critical] based on the last two stack traces.

CCing dbaron because he loves "painting in the middle of frame construction" (etc) bugs.
Whiteboard: [sg:critical]
WFM, the event doesn't seem to be firing any more.  Sicking thought the fix for bug 328885 might have been what fixed this, but that was fixed before this was filed.
This bug went away between June 1 and June 2 (Mac nightlies).  Could this have been fixed by the patch for bug 90983, "Why check for mutationlisteners during initial page load?"?
Yes, it is not unlikely that that bug fixed it.
But I am supriced bug 328885 didn't fix it, i need to investigate further.
Marking WFM.  I filed bug 345952 for the investigation mentioned in comment 12.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Group: core-security
Flags: wanted1.8.1.x-
Checked in the first testcase as a crashtest.  The other testcases are too disruptive for easy automated testing.
Flags: in-testsuite+
Crash Signature: [@ nsCSSFrameConstructor::ConstructFrame]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.