Closed
Bug 348729
Opened 19 years ago
Closed 19 years ago
[FIX]Crash [@ nsRuleNode::GetParentData] with :first-letter anonymous content and removing styles
Categories
(Core :: Layout, defect, P1)
Core
Layout
Tracking
()
VERIFIED
FIXED
mozilla1.8.1
People
(Reporter: martijn.martijn, Assigned: bzbarsky)
References
Details
(5 keywords, Whiteboard: [sg:critical] regression from 264914)
Crash Data
Attachments
(3 files)
|
735 bytes,
text/html
|
Details | |
|
2.38 KB,
patch
|
roc
:
review+
roc
:
superreview+
dveditz
:
approval1.8.0.7+
dbaron
:
approval1.8.1+
|
Details | Diff | Splinter Review |
|
2.28 KB,
patch
|
Details | Diff | Splinter Review |
See upcoming testcase, which crashes for me on load. Usually, it crashes for me the first time. If it doesn't, try reloading a few times.
Talkback ID: TB22114083K
nsRuleNode::GetParentData nsStyleContext::GetStyleData nsRuleNode::WalkRuleTree nsRuleNode::GetVisibilityData
This is a regression.
It doesn't crash in a 2004-10-29 build, it crashes in a 2005-05-06 build.
|
Reporter | |
Comment 1•19 years ago
|
||
|
|
Reporter | |
Comment 2•19 years ago
|
||
|
|
Reporter | |
Comment 3•19 years ago
|
||
So I get a regression window of 2004-10-30 and 2004-10-31:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2004-10-30+08&maxdate=2004-10-31+08&cvsroot=%2Fcvsroot
A regression from bug 264914, somehow?
|
Assignee | |
Comment 4•19 years ago
|
||
Yeah, this is a regression from bug 264914. The problem is that when we remove the <tfoot>'s abs pos frame we also remove the placeholder. So we hit that first hunk in this patch, which clobbers parentFrame to be the parent of the placeholder. Then we use parentFrame to construct the frame constructor state for recovering the letter frames. And the patch for bug 264914 made us use the frame constructor state to determine the float parent, so we put the float on totally the wrong float list, and things break.
The first hunk of the patch makes us not clobber parentFrame and is enough to fix this bug; the second hunk just avoids an extraneous call to GetFloatContainingBlock.
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #233798 -
Flags: superreview?(roc)
Attachment #233798 -
Flags: review?(roc)
|
|
Assignee | |
Comment 5•19 years ago
|
||
We should get this in on branches too.
Flags: blocking1.8.1?
Flags: blocking1.8.0.7?
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Summary: Crash [@ nsRuleNode::GetParentData] with :first-letter anonymous content and removing styles → [FIX]Crash [@ nsRuleNode::GetParentData] with :first-letter anonymous content and removing styles
Target Milestone: --- → mozilla1.9alpha
Flags: blocking1.8.1? → blocking1.8.1+
|
||
Updated•19 years ago
|
Target Milestone: mozilla1.9alpha → mozilla1.8.1
Comment on attachment 233798 [details] [diff] [review]
Fix
looks branch-good to me
Attachment #233798 -
Flags: superreview?(roc)
Attachment #233798 -
Flags: superreview+
Attachment #233798 -
Flags: review?(roc)
Attachment #233798 -
Flags: review+
|
||
Updated•19 years ago
|
Flags: blocking1.8.0.7? → blocking1.8.0.7+
Whiteboard: needs trunk landing
|
|
Assignee | |
Updated•19 years ago
|
Attachment #233798 -
Flags: approval1.8.1?
Attachment #233798 -
Flags: approval1.8.0.7?
|
|
Assignee | |
Comment 7•19 years ago
|
||
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment on attachment 233798 [details] [diff] [review]
Fix
a=dbaron on behalf of drivers. Please land on MOZILLA_1_8_BRANCH and add the fixed1.8.1 keyword once you have done so.
Attachment #233798 -
Flags: approval1.8.1? → approval1.8.1+
|
|
||
Comment 9•19 years ago
|
||
Comment on attachment 233798 [details] [diff] [review]
Fix
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #233798 -
Flags: approval1.8.0.7? → approval1.8.0.7+
|
|
Assignee | |
Comment 10•19 years ago
|
||
|
||
Comment 12•19 years ago
|
||
https://bugzilla.mozilla.org/attachment.cgi?id=233782
ff2b2 debug/nightly windows/linux no crash
###!!! ASSERTION: out of bounds: 'PRInt32(aIndex) >= 0 && aIndex <= length', file /work/mozilla/builds/ff/2.0/mozilla/layout/base/nsChildIterator.h, line 133
Break: at file /work/mozilla/builds/ff/2.0/mozilla/layout/base/nsChildIterator.h, line 133
###!!! ASSERTION: Float frame has wrong parent: 'floatFrame->GetParent() == mBlock', file /work/mozilla/builds/ff/2.0/mozilla/layout/generic/nsBlockReflowState.cpp, line 835
Break: at file /work/mozilla/builds/ff/2.0/mozilla/layout/generic/nsBlockReflowState.cpp, line 835
verified fixed 1.8
Keywords: fixed1.8.1 → verified1.8.1
|
||
Comment 13•19 years ago
|
||
https://bugzilla.mozilla.org/attachment.cgi?id=233782&action=view should not crash browser.
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7pre) Gecko/20060821 Firefox/1.5.0.7pre
verified 1.8.0.7
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.7 → verified1.8.0.7
|
|
||
Comment 14•18 years ago
|
||
Given the regression window this is not a problem on the 1.7/aviary branches, right?
Blocks: 264914
Flags: blocking1.7.14-
Flags: blocking-aviary1.0.9-
Whiteboard: needs trunk landing → [sg:critical] regression from 264914
|
|
||
Updated•18 years ago
|
Group: security
Flags: in-testsuite?
|
|
||
Comment 15•16 years ago
|
||
crash test landed
http://hg.mozilla.org/mozilla-central/rev/f35038f6935a
Flags: in-testsuite? → in-testsuite+
|
||
Updated•14 years ago
|
Crash Signature: [@ nsRuleNode::GetParentData]
You need to log in
before you can comment on or make changes to this bug.
Description
•