Closed Bug 348729 Opened 18 years ago Closed 18 years ago

[FIX]Crash [@ nsRuleNode::GetParentData] with :first-letter anonymous content and removing styles

Categories

(Core :: Layout, defect, P1)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8.1

People

(Reporter: martijn.martijn, Assigned: bzbarsky)

References

Details

(5 keywords, Whiteboard: [sg:critical] regression from 264914)

Crash Data

Attachments

(3 files)

testcase
735 bytes, text/html
Details
Fix
2.38 KB, patch
roc
: review+
roc
: superreview+
dveditz
: approval1.8.0.7+
dbaron
: approval1.8.1+
Details | Diff | Splinter Review
Branch version of patch
2.28 KB, patch
Details | Diff | Splinter Review 
See upcoming testcase, which crashes for me on load. Usually, it crashes for me the first time. If it doesn't, try reloading a few times.

Talkback ID: TB22114083K
nsRuleNode::GetParentData   nsStyleContext::GetStyleData   nsRuleNode::WalkRuleTree   nsRuleNode::GetVisibilityData  

This is a regression.
It doesn't crash in a 2004-10-29 build, it crashes in a 2005-05-06 build.
Attached file testcase 

    
    

    
  

      
      
      
      

        Attached file
          
        original file
      

    


  

    
    

    
  

      
      
      
      

        Attached patch
          
          
        FixSplinter Review
      

    


  
Yeah, this is a regression from bug 264914.  The problem is that when we remove the <tfoot>'s abs pos frame we also remove the placeholder.  So we hit that first hunk in this patch, which clobbers parentFrame to be the parent of the placeholder.  Then we use parentFrame to construct the frame constructor state for recovering the letter frames.  And the patch for bug 264914 made us use the frame constructor state to determine the float parent, so we put the float on totally the wrong float list, and things break.

The first hunk of the patch makes us not clobber parentFrame and is enough to fix this bug; the second hunk just avoids an extraneous call to GetFloatContainingBlock.
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED

        Attachment #233798 -
        Flags: superreview?(roc)

        Attachment #233798 -
        Flags: review?(roc)

    
    

    
  
We should get this in on branches too.
Flags: blocking1.8.1?
Flags: blocking1.8.0.7?
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Summary: Crash [@ nsRuleNode::GetParentData] with :first-letter anonymous content and removing styles → [FIX]Crash [@ nsRuleNode::GetParentData] with :first-letter anonymous content and removing styles
Target Milestone: --- → mozilla1.9alpha
Flags: blocking1.8.1? → blocking1.8.1+

    
  
Target Milestone: mozilla1.9alpha → mozilla1.8.1

    
    

    
  
Comment on attachment 233798 [details] [diff] [review]
Fix

looks branch-good to me

        Attachment #233798 -
        Flags: superreview?(roc)

        Attachment #233798 -
        Flags: superreview+

        Attachment #233798 -
        Flags: review?(roc)

        Attachment #233798 -
        Flags: review+
Flags: blocking1.8.0.7? → blocking1.8.0.7+
Whiteboard: needs trunk landing

    
  

        Attachment #233798 -
        Flags: approval1.8.1?

        Attachment #233798 -
        Flags: approval1.8.0.7?

    
    

    
  
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 233798 [details] [diff] [review]
Fix

a=dbaron on behalf of drivers.  Please land on MOZILLA_1_8_BRANCH and add the fixed1.8.1 keyword once you have done so.

        Attachment #233798 -
        Flags: approval1.8.1? → approval1.8.1+

    
    

    
  
Comment on attachment 233798 [details] [diff] [review]
Fix

approved for 1.8.0 branch, a=dveditz for drivers

        Attachment #233798 -
        Flags: approval1.8.0.7? → approval1.8.0.7+

    
    

    
  
Fixed for 1.8.1 and 1.8.0.7.
Keywords: fixed1.8.0.7, 
          
            fixed1.8.1

    
    

    
  
https://bugzilla.mozilla.org/attachment.cgi?id=233782
ff2b2 debug/nightly windows/linux no crash

###!!! ASSERTION: out of bounds: 'PRInt32(aIndex) >= 0 && aIndex <= length', file /work/mozilla/builds/ff/2.0/mozilla/layout/base/nsChildIterator.h, line 133
Break: at file /work/mozilla/builds/ff/2.0/mozilla/layout/base/nsChildIterator.h, line 133
###!!! ASSERTION: Float frame has wrong parent: 'floatFrame->GetParent() == mBlock', file /work/mozilla/builds/ff/2.0/mozilla/layout/generic/nsBlockReflowState.cpp, line 835
Break: at file /work/mozilla/builds/ff/2.0/mozilla/layout/generic/nsBlockReflowState.cpp, line 835

verified fixed 1.8

Keywords: fixed1.8.1verified1.8.1

    
    

    
  
https://bugzilla.mozilla.org/attachment.cgi?id=233782&action=view should not crash browser.

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7pre) Gecko/20060821 Firefox/1.5.0.7pre

verified 1.8.0.7
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.7verified1.8.0.7

    
    

    
  
Given the regression window this is not a problem on the 1.7/aviary branches, right?
Blocks: 264914
Flags: blocking1.7.14-
Flags: blocking-aviary1.0.9-
Whiteboard: needs trunk landing → [sg:critical] regression from 264914
Group: security
Flags: in-testsuite?

    
    

    
  
crash test landed
http://hg.mozilla.org/mozilla-central/rev/f35038f6935a
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsRuleNode::GetParentData]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: