Closed Bug 362155 Opened 18 years ago Closed 18 years ago

Crash [@ nsCSSFrameConstructor::RemoveFirstLetterFrames] on 1.8 branch with the first testcase from bug 318592

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Version:
1.8 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: bzbarsky)

References

(
URL
)

Details

(5 keywords)

Crash Data

The first testcase from bug 318592 still crashes on branches when hovering over the text, even after the fix for bug 318592 went in on branch. The testcase doesn't crash on trunk anymore.

Talkback ID: TB26627839Z
nsCSSFrameConstructor::RemoveFirstLetterFrames  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13005]
nsCSSFrameConstructor::RemoveLetterFrames  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13069]
nsCSSFrameConstructor::ContentRemoved  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9994]
nsCSSFrameConstructor::ReinsertContent  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9682]
PresShell::CharacterDataChanged  [mozilla/layout/base/nsPresShell.cpp, line 5456]
nsGenericDOMDataNode::SetText  [mozilla/content/base/src/nsGenericDOMDataNode.cpp, line 1256]
nsGenericDOMDataNode::SetData  [mozilla/content/base/src/nsGenericDOMDataNode.cpp, line 374]
nsCommentNode::SetData  [mozilla/content/base/src/nsCommentNode.cpp, line 59]
nsHTMLHtmlElement::AddRef
0xfa08e918
This is basically caused by the fact that bug 317948 wasn't fixed on branch.  While processing the style change we blow away some frames, which causes a quotes rebuild, which does SetData(), which tries to find the primary frame for the text node, but we're in the middle of frame destruction so it runs into dead frames (since we don't put text nodes into the hashtable) and crashes.

I'll post a branch patch to bug 317948; I've verified that that patch fixes this bug.
Depends on: 317948
OS: Windows XP → All
Hardware: PC → All
This testcase came from a regression bug, carrying over keyword. This bug should be given appropriate "fixed" keywords when the blocking bug is checked in to the branch to trigger a verification.
Assignee: nobody → bzbarsky
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Keywords: regression
Fixed on 1.8 and 1.8.0 branches by checkin for bug 317948.
Status: NEW → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.0.9, fixed1.8.1.1
Resolution: --- → FIXED
Verified fixed with Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.1pre) Gecko/20061202 BonEcho/2.0.0.1pre and Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.9pre) Gecko/20061202 Firefox/1.5.0.9pre and Fedora FC 6
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.9, fixed1.8.1.1verified1.8.0.9, verified1.8.1.1
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Crash Signature: [@ nsCSSFrameConstructor::RemoveFirstLetterFrames]
You need to log in before you can comment on or make changes to this bug.