Closed Bug 348729 Opened 17 years ago Closed 17 years ago
[FIX]Crash [@ nsRuleNode::GetParentData] with :first-letter anonymous content and removing styles
See upcoming testcase, which crashes for me on load. Usually, it crashes for me the first time. If it doesn't, try reloading a few times.

Talkback ID: TB22114083K
nsRuleNode::GetParentData
nsStyleContext::GetStyleData
nsRuleNode::WalkRuleTree
nsRuleNode::GetVisibilityData

This is a regression. It doesn't crash in a 2004-10-29 build, it crashes in a 2005-05-06 build.
So I get a regression window of 2004-10-30 and 2004-10-31:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2004-10-30+08&maxdate=2004-10-31+08&cvsroot=%2Fcvsroot
A regression from bug 264914, somehow?
Yeah, this is a regression from bug 264914. The problem is that when we remove the <tfoot>'s abs pos frame we also remove the placeholder. So we hit that first hunk in this patch, which clobbers parentFrame to be the parent of the placeholder. Then we use parentFrame to construct the frame constructor state for recovering the letter frames. And the patch for bug 264914 made us use the frame constructor state to determine the float parent, so we put the float on totally the wrong float list, and things break. The first hunk of the patch makes us not clobber parentFrame and is enough to fix this bug; the second hunk just avoids an extraneous call to GetFloatContainingBlock.
We should get this in on branches too.
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Summary: Crash [@ nsRuleNode::GetParentData] with :first-letter anonymous content and removing styles → [FIX]Crash [@ nsRuleNode::GetParentData] with :first-letter anonymous content and removing styles
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 233798 Fix
looks branch-good to me
Flags: blocking184.108.40.206? → blocking220.127.116.11+
Whiteboard: needs trunk landing
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment on attachment 233798 Fix
a=dbaron on behalf of drivers. Please land on MOZILLA_1_8_BRANCH and add the fixed1.8.1 keyword once you have done so.
Attachment #233798 - Flags: approval1.8.1? → approval1.8.1+
Comment on attachment 233798 Fix
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #233798 - Flags: approval18.104.22.168? → approval22.214.171.124+
https://bugzilla.mozilla.org/attachment.cgi?id=233782
ff2b2 debug/nightly windows/linux no crash

###!!! ASSERTION: out of bounds: 'PRInt32(aIndex) >= 0 && aIndex <= length', file /work/mozilla/builds/ff/2.0/mozilla/layout/base/nsChildIterator.h, line 133
Break: at file /work/mozilla/builds/ff/2.0/mozilla/layout/base/nsChildIterator.h, line 133
###!!! ASSERTION: Float frame has wrong parent: 'floatFrame->GetParent() == mBlock', file /work/mozilla/builds/ff/2.0/mozilla/layout/generic/nsBlockReflowState.cpp, line 835
Break: at file /work/mozilla/builds/ff/2.0/mozilla/layout/generic/nsBlockReflowState.cpp, line 835

verified fixed 1.8
https://bugzilla.mozilla.org/attachment.cgi?id=233782&action=view should not crash browser. Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:126.96.36.199pre) Gecko/20060821 Firefox/188.8.131.52pre verified 184.108.40.206
Given the regression window this is not a problem on the 1.7/aviary branches, right?
Whiteboard: needs trunk landing → [sg:critical] regression from 264914
crash test landed http://hg.mozilla.org/mozilla-central/rev/f35038f6935a
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsRuleNode::GetParentData]