[FIX]Crash [@ nsRuleNode::GetParentData] with :first-letter anonymous content and removing styles

VERIFIED FIXED in mozilla1.8.1

Status

defect
P1
critical
VERIFIED FIXED
13 years ago
8 years ago

People

(Reporter: martijn.martijn, Assigned: bzbarsky)

Tracking

(5 keywords)

Trunk
mozilla1.8.1
Bug Flags:
blocking1.7.14 -
blocking-aviary1.0.9 -
blocking1.8.1 +
blocking1.8.0.7 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] regression from 264914, crash signature)

Attachments

(3 attachments)

Reporter

Description

13 years ago
See upcoming testcase, which crashes for me on load. Usually, it crashes for me the first time. If it doesn't, try reloading a few times.

Talkback ID: TB22114083K
nsRuleNode::GetParentData
nsStyleContext::GetStyleData
nsRuleNode::WalkRuleTree
nsRuleNode::GetVisibilityData

This is a regression.
It doesn't crash in a 2004-10-29 build, it crashes in a 2005-05-06 build.
Reporter

Comment 1

13 years ago
Posted file testcase
Reporter

Comment 2

13 years ago
Posted file original file
Posted patch Fix
Yeah, this is a regression from bug 264914.  The problem is that when we remove the <tfoot>'s abs pos frame we also remove the placeholder.  So we hit that first hunk in this patch, which clobbers parentFrame to be the parent of the placeholder.  Then we use parentFrame to construct the frame constructor state for recovering the letter frames.  And the patch for bug 264914 made us use the frame constructor state to determine the float parent, so we put the float on totally the wrong float list, and things break.

The first hunk of the patch makes us not clobber parentFrame and is enough to fix this bug; the second hunk just avoids an extraneous call to GetFloatContainingBlock.
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #233798 - Flags: superreview?(roc)
Attachment #233798 - Flags: review?(roc)
We should get this in on branches too.
Flags: blocking1.8.1?
Flags: blocking1.8.0.7?
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Summary: Crash [@ nsRuleNode::GetParentData] with :first-letter anonymous content and removing styles → [FIX]Crash [@ nsRuleNode::GetParentData] with :first-letter anonymous content and removing styles
Target Milestone: --- → mozilla1.9alpha
Flags: blocking1.8.1? → blocking1.8.1+

Updated

13 years ago
Target Milestone: mozilla1.9alpha → mozilla1.8.1
Comment on attachment 233798
Fix

looks branch-good to me
Attachment #233798 - Flags: superreview?(roc)
Attachment #233798 - Flags: superreview+
Attachment #233798 - Flags: review?(roc)
Attachment #233798 - Flags: review+
Flags: blocking1.8.0.7? → blocking1.8.0.7+
Whiteboard: needs trunk landing
Attachment #233798 - Flags: approval1.8.1?
Attachment #233798 - Flags: approval1.8.0.7?
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 233798
Fix

a=dbaron on behalf of drivers.  Please land on MOZILLA_1_8_BRANCH and add the fixed1.8.1 keyword once you have done so.
Attachment #233798 - Flags: approval1.8.1? → approval1.8.1+
Comment on attachment 233798
Fix

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #233798 - Flags: approval1.8.0.7? → approval1.8.0.7+
Fixed for 1.8.1 and 1.8.0.7.

Comment 12

13 years ago
https://bugzilla.mozilla.org/attachment.cgi?id=233782
ff2b2 debug/nightly windows/linux no crash

###!!! ASSERTION: out of bounds: 'PRInt32(aIndex) >= 0 && aIndex <= length', file /work/mozilla/builds/ff/2.0/mozilla/layout/base/nsChildIterator.h, line 133
Break: at file /work/mozilla/builds/ff/2.0/mozilla/layout/base/nsChildIterator.h, line 133
###!!! ASSERTION: Float frame has wrong parent: 'floatFrame->GetParent() == mBlock', file /work/mozilla/builds/ff/2.0/mozilla/layout/generic/nsBlockReflowState.cpp, line 835
Break: at file /work/mozilla/builds/ff/2.0/mozilla/layout/generic/nsBlockReflowState.cpp, line 835

verified fixed 1.8
https://bugzilla.mozilla.org/attachment.cgi?id=233782&action=view should not crash browser.

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7pre) Gecko/20060821 Firefox/1.5.0.7pre

verified 1.8.0.7
Status: RESOLVED → VERIFIED
Given the regression window this is not a problem on the 1.7/aviary branches, right?
Blocks: 264914
Flags: blocking1.7.14-
Flags: blocking-aviary1.0.9-
Whiteboard: needs trunk landing → [sg:critical] regression from 264914
Group: security
Flags: in-testsuite?

Comment 15

10 years ago
crash test landed
http://hg.mozilla.org/mozilla-central/rev/f35038f6935a
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsRuleNode::GetParentData]