Closed Bug 374193 Opened 17 years ago Closed 17 years ago

[FIX]Crash [@ nsCSSFrameConstructor::GetFrameFor] with mtable, th and an xbl binding

Categories

(Core :: Layout, defect, P1)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha4

People

(Reporter: martijn.martijn, Assigned: bzbarsky)

References

Details

(5 keywords)

Crash Data

Attachments

(5 files)

testcase
938 bytes, application/xhtml+xml
Details
Proposed patch
5.02 KB, patch
bernd_mozilla
: review+
rbs
: superreview+
dveditz
: approval1.8.1.4+
dveditz
: approval1.8.0.12+
Details | Diff | Splinter Review
Non-XBL testcase that also crashes for me.
698 bytes, application/xhtml+xml
Details
Regression test
1.62 KB, patch
Details | Diff | Splinter Review
Branch patch
9.19 KB, patch
Details | Diff | Splinter Review
Attached file testcase 
See testcase, this usually crashes for me the first time, if not, try reloading a few times.
Talkback ID: TB30287494W
nsCSSFrameConstructor::GetFrameFor  [mozilla/layout/base/nscssframeconstructor.cpp, line 7708]
0x02d373e8

This doesn't crash for me in a 2007-01-02 build, but does crash in a 2007-01-03 build:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-01-02+04&maxdate=2007-01-03+09&cvsroot=%2Fcvsroot
Regression from bug 243159, somehow?

It also contains an xbl binding (conveniently embedded now, because bug 371662 is fixed, the xbl binding is this:
<bindings xmlns="http://www.mozilla.org/xbl">
<binding id="a">
<implementation>
<constructor>
  this.style.position='fixed';
</constructor>
</implementation>
<content><children/></content>
</binding>
</bindings>
Blocks: stirtable
I'm also getting this talkback sometimes: TB30287802E
nsPlaceholderFrame::CanContinueTextRun  [mozilla/layout/generic/nsplaceholderframe.cpp, line 159]
Regression from bug 243159, somehow?
sure before bug 243519 xbl on table display types was completely broken.
Blocks: 374422
Attached patch Proposed patchSplinter Review 
The key is that the patch for bug 347355 is wrong -- the <mtable> doesn't create a table frame, so we need to treat it as special.

The other changes are:

1)  <math> is special but wasn't treated as such.
2)  Once we create pseudos for the <mtable>, we need to be careful not to lose them when we construct the table frame inside it.

We probably want this on branches too...
Attachment #260026 - Flags: superreview?(rbs)
Attachment #260026 - Flags: review?(bernd_mozilla)
Martijn, does that patch fix things for you?  For me this crash was 100% reproducible, so I want to make sure I'm fixing the thing you're seeing.
Assignee: nobody → bzbarsky
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Summary: Crash [@ nsCSSFrameConstructor::GetFrameFor] with mtable, th and an xbl binding → [FIX]Crash [@ nsCSSFrameConstructor::GetFrameFor] with mtable, th and an xbl binding
Target Milestone: --- → mozilla1.9alpha4
Yeah, the patch fixes the crash for me.
Attachment #260026 - Flags: review?(bernd_mozilla) → review+
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Blocks: 374420
Comment on attachment 260026 [details] [diff] [review]
Proposed patch

sr=rbs
Attachment #260026 - Flags: superreview?(rbs) → superreview+
Attached patch Regression testSplinter Review 

    
    

    
  
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: in-testsuite+
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 260026 [details] [diff] [review]
Proposed patch

We should probably take this on branches.  I think this is pretty safe, as far as this code goes.  It's certainly theoretically the "right thing".

        Attachment #260026 -
        Flags: approval1.8.1.4?

        Attachment #260026 -
        Flags: approval1.8.0.12?

    
    

    
  
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a4pre) Gecko/20070411 Minefield/3.0a4pre
Status: RESOLVED → VERIFIED

    
    

    
  
Comment on attachment 260026 [details] [diff] [review]
Proposed patch

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers

        Attachment #260026 -
        Flags: approval1.8.1.4?

        Attachment #260026 -
        Flags: approval1.8.1.4+

        Attachment #260026 -
        Flags: approval1.8.0.12?

        Attachment #260026 -
        Flags: approval1.8.0.12+

    
    

    
  
Comment on attachment 260026 [details] [diff] [review]
Proposed patch

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Branch patchSplinter Review
      

    


  

    
    

    
  
Fixed on both branches.
Keywords: fixed1.8.0.12, 
          
            fixed1.8.1.4

    
    

    
  
verified fixed 1.8.1.4 - tested with the testcases from comment #0 and #4 with Builds:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4pre) Gecko/2007042803 BonEcho/2.0.0.4pre Fedora FC6

Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.4pre) Gecko/2007042805 BonEcho/2.0.0.4pre

and verified fixed 1.8.0.12 on Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.12pre) Gecko/20070428 Firefox/1.5.0.12pre -> no crash on testcases -> adding verified keyword
Keywords: fixed1.8.0.12, 
          
            fixed1.8.1.4verified1.8.0.12, 
          
            verified1.8.1.4
Crash Signature: [@ nsCSSFrameConstructor::GetFrameFor]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: