Closed
Bug 338674
Opened 19 years ago
Closed 19 years ago
Crash [@ nsCSSFrameConstructor::ConstructFrame] involving DOMAttributeModified event and some xul:nativescrollbar (!)
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: jruderman, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical])
Crash Data
Attachments
(6 files)
Loading the testcase makes Firefox crash. Tested with Firefox trunk 2006-05-17 on Mac.
I'm not sure why a DOMAttributeModified event is fired here at all. It seems to be fired at a <xul:nativescrollbar> element for an "orient" attribute and a "sborient" attribute. In fact, I don't know if XHTML pages are supposed to know about our scrollbar implementation at all.
|
Reporter | |
Comment 1•19 years ago
|
||
|
|
Reporter | |
Comment 2•19 years ago
|
||
|
|
Reporter | |
Updated•19 years ago
|
Summary: Crash [@ nsCSSFrameConstructor::ConstructFrame] involving DOMAttributeModified event → Crash [@ nsCSSFrameConstructor::ConstructFrame] involving DOMAttributeModified event and some xul:nativescrollbar (!)
|
|
Reporter | |
Updated•19 years ago
|
Attachment #222736 -
Attachment description: testcase (crashes Firefox) → testcase - further DOM mutations (crashes Firefox)
|
|
Reporter | |
Comment 3•19 years ago
|
||
|
|
Reporter | |
Comment 4•19 years ago
|
||
|
|
Reporter | |
Comment 5•19 years ago
|
||
All three testcases cause crashes, but with different signatures. I'm assuming the root cause is the same.
The alert one also causes
###!!! ASSERTION: reflowing in the middle of frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file ../../dist/include/layout/nsPresContext.h, line 833
###!!! ASSERTION: painting in the middle of frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file ../../dist/include/layout/nsPresContext.h, line 825
|
|
Reporter | |
Comment 6•19 years ago
|
||
|
|
Reporter | |
Comment 7•19 years ago
|
||
|
|
Reporter | |
Comment 8•19 years ago
|
||
[sg:critical] based on the last two stack traces.
CCing dbaron because he loves "painting in the middle of frame construction" (etc) bugs.
Whiteboard: [sg:critical]
|
|
Reporter | |
Comment 9•19 years ago
|
||
WFM, the event doesn't seem to be firing any more. Sicking thought the fix for bug 328885 might have been what fixed this, but that was fixed before this was filed.
|
|
Reporter | |
Comment 10•19 years ago
|
||
This bug went away between June 1 and June 2 (Mac nightlies). Could this have been fixed by the patch for bug 90983, "Why check for mutationlisteners during initial page load?"?
Yes, it is not unlikely that that bug fixed it.
But I am supriced bug 328885 didn't fix it, i need to investigate further.
|
|
Reporter | |
Comment 13•19 years ago
|
||
Marking WFM. I filed bug 345952 for the investigation mentioned in comment 12.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
|
||
Updated•16 years ago
|
Group: core-security
Flags: wanted1.8.1.x-
|
|
Reporter | |
Comment 14•16 years ago
|
||
Checked in the first testcase as a crashtest. The other testcases are too disruptive for easy automated testing.
Flags: in-testsuite+
|
||
Updated•14 years ago
|
Crash Signature: [@ nsCSSFrameConstructor::ConstructFrame]
|
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•