Last Comment Bug 348049 - [FIX]Frames not destroyed with this XBL + <td> testcase
: [FIX]Frames not destroyed with this XBL + <td> testcase
: crash, testcase, verified1.8.0.7, verified1.8.1
Product: Core
Classification: Components
Component: XBL (show other bugs)
: Trunk
: All All
: P1 critical (vote)
: mozilla1.9alpha1
Assigned To: Boris Zbarsky [:bz] (TPAC)
: Hixie (not reading bugmail)
Depends on:
Blocks: 348483 323926 framedest
  Show dependency treegraph
Reported: 2006-08-09 09:52 PDT by Jesse Ruderman
Modified: 2007-12-18 08:24 PST (History)
6 users (show)
jruderman: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

testcase (non-crashing) (568 bytes, application/xhtml+xml)
2006-08-09 09:54 PDT, Jesse Ruderman
no flags Details
I think this is the right fix (1.41 KB, patch)
2006-08-13 13:35 PDT, Boris Zbarsky [:bz] (TPAC)
roc: review+
roc: superreview+
dveditz: approval1.8.0.7+
dbaron: approval1.8.1+
Details | Diff | Splinter Review

Description Jesse Ruderman 2006-08-09 09:52:46 PDT
1. Load either testcase.

Result: ###!!! ASSERTION: unsupported operation: 'PR_FALSE', nsTableCellFrame::AppendFrames

2. Reload.

Result: Assuming the patch from 334514 is applied, you'll see another assertion: "Some frame destructors were not called".

Result: If you're using the crashing testcase, you're likely to see a crash attempting to dereference 0xdadadaf6.
Comment 1 Jesse Ruderman 2006-08-09 09:54:06 PDT
Created attachment 232924 [details]
testcase (non-crashing)
Comment 2 Jesse Ruderman 2006-08-09 09:54:38 PDT
Created attachment 232925 [details]
testcase (crashing)
Comment 3 Boris Zbarsky [:bz] (TPAC) 2006-08-13 13:35:16 PDT
Created attachment 233506 [details] [diff] [review]
I think this is the right fix
Comment 4 Boris Zbarsky [:bz] (TPAC) 2006-08-13 13:36:10 PDT
roc, what do you think of the branch-safety of this patch?  I think it's pretty safe myself....
Comment 5 Robert O'Callahan (:roc) (email my personal email if necessary) 2006-08-13 20:29:04 PDT
Comment on attachment 233506 [details] [diff] [review]
I think this is the right fix

Well, it does change behaviour in several cases, but everywhere it changes behaviour it's almost certainly fixing a similar bug, so I think we should take it on branches.
Comment 6 Boris Zbarsky [:bz] (TPAC) 2006-08-14 18:38:11 PDT
Comment 7 Boris Zbarsky [:bz] (TPAC) 2006-08-14 18:38:43 PDT
Comment on attachment 233506 [details] [diff] [review]
I think this is the right fix

We should probably take this on branches.  This doesn't change behavior in most cases; all the ones where it does probably led to crashes anyway.
Comment 8 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2006-08-15 10:31:26 PDT
Comment on attachment 233506 [details] [diff] [review]
I think this is the right fix

a=dbaron on behalf of drivers.  Please check in to the MOZILLA_1_8_BRANCH and add the fixed1.8.1 keyword once you have done so.
Comment 9 Daniel Veditz [:dveditz] 2006-08-15 15:58:41 PDT
Comment on attachment 233506 [details] [diff] [review]
I think this is the right fix

approved for 1.8.0 branch, a=dveditz for drivers
Comment 10 Boris Zbarsky [:bz] (TPAC) 2006-08-15 16:13:51 PDT
Fixed on branches.
Comment 11 Bob Clary [:bc:] 2006-08-22 11:26:34 PDT
ff2b2 debug windows/linux no assert
ff2b2 debug/nightly windows/linux no crash

verified fixed 1.8 (happyfish)

Comment 12 alice nodelman [:alice] [:anode] 2006-08-22 16:32:03 PDT should not crash browser

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv: Gecko/20060821 Firefox/


more happy fishes!
Comment 13 Jesse Ruderman 2007-12-17 22:52:46 PST
Crashtest checked in.
Comment 14 Boris Zbarsky [:bz] (TPAC) 2007-12-18 08:24:33 PST
I checked in a reftest for this too.

Note You need to log in before you can comment on or make changes to this bug.