Crash [@ nsTextControlFrame::CalcIntrinsicSize] with splitter and frame and moving stuff while clicking

VERIFIED FIXED in mozilla1.9alpha5

Status

defect
--
critical
VERIFIED FIXED
13 years ago
8 years ago

People

(Reporter: martijn.martijn, Assigned: mats)

Tracking

(Blocks 1 bug, {crash, testcase})

Trunk
mozilla1.9alpha5
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Attachments

(3 attachments, 1 obsolete attachment)

Posted file testcase
See testcase; you need to download the testcase to your computer because of the use of enhanced privileges.
It is also possible to crash the testcase online, but in that testcase, you need to do the clicking yourself (probably often) on a certain spot.
I don't think it's crashing on the branch.

The source of the iframe:
<splitter xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <splitter>
    <textbox>

        <splitter id="mw_b">
          <textbox/>
        </splitter>
        <textbox/>

      <textbox/>
      <frame xmlns="http://www.w3.org/1999/xhtml" id="mw_e"/>
    </textbox>
  </splitter>
  <statusbar>
    <splitter id="mw_a"/>
    <statusbar id="mw_d"/>
  </statusbar>


<script xmlns="http://www.w3.org/1999/xhtml">
function ctrlclick(i) {
  // Needs elevated privileges, which is why the testcase must be run locally.
  netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
  var wu = window.QueryInterface(Components.interfaces.nsIInterfaceRequestor)
                 .getInterface(Components.interfaces.nsIDOMWindowUtils);
  //alert(wu);
  // Synthesize a click at a fixed spot, repeated every 10 ms.
  wu.sendMouseEvent('mousedown', 670, 20, 0, 1, 0);
  wu.sendMouseEvent('mouseup', 670, 20, 0, 1, 0);
  i += 1;
  if (i > 100)
    i = 0;
  setTimeout(ctrlclick, 10, i);
}

setTimeout(ctrlclick, 0, 0);

// Move mw_b in front of mw_a and mw_d under the XHTML frame element
// while the synthesized clicks are being delivered.
function doe() {
  document.getElementById('mw_a').parentNode.insertBefore(document.getElementById('mw_b'), document.getElementById('mw_a'));
  document.getElementById('mw_e').appendChild(document.getElementById('mw_d'));
}

setTimeout(doe, 400);
setTimeout(function() { window.location.reload(); }, 600);
</script>
</splitter>

Talkback ID: TB31609293G
nsTextControlFrame::CalcIntrinsicSize  [mozilla/layout/forms/nstextcontrolframe.cpp, line 1283]
nsTextControlFrame::GetPrefSize  [mozilla/layout/forms/nstextcontrolframe.cpp, line 1749]
nsSprocketLayout::GetPrefSize  [mozilla/layout/xul/base/src/nssprocketlayout.cpp, line 1332]
nsBoxFrame::GetPrefSize  [mozilla/layout/xul/base/src/nsboxframe.cpp, line 826]
nsSprocketLayout::GetPrefSize  [mozilla/layout/xul/base/src/nssprocketlayout.cpp, line 1332]
nsBoxFrame::GetPrefSize  [mozilla/layout/xul/base/src/nsboxframe.cpp, line 826]
nsSprocketLayout::GetPrefSize  [mozilla/layout/xul/base/src/nssprocketlayout.cpp, line 1332]
nsBoxFrame::GetPrefSize  [mozilla/layout/xul/base/src/nsboxframe.cpp, line 826]
nsSprocketLayout::GetPrefSize  [mozilla/layout/xul/base/src/nssprocketlayout.cpp, line 1332]
nsBoxFrame::GetPrefSize  [mozilla/layout/xul/base/src/nsboxframe.cpp, line 826]
nsSplitterFrameInner::MouseDown  [mozilla/layout/xul/base/src/nssplitterframe.cpp, line 769]
nsEventListenerManager::HandleEvent  [mozilla/content/events/src/nseventlistenermanager.cpp, line 1203]
nsEventTargetChainItem::HandleEvent  [mozilla/content/events/src/nseventdispatcher.cpp, line 209]
nsEventTargetChainItem::HandleEventTargetChain  [mozilla/content/events/src/nseventdispatcher.cpp, line 267]
nsEventDispatcher::Dispatch  [mozilla/content/events/src/nseventdispatcher.cpp, line 484]
PresShell::HandleEventInternal  [mozilla/layout/base/nspresshell.cpp, line 5779]
PresShell::HandlePositionedEvent  [mozilla/layout/base/nspresshell.cpp, line 5670]
PresShell::HandleEvent  [mozilla/layout/base/nspresshell.cpp, line 5506]
nsViewManager::HandleEvent  [mozilla/view/src/nsviewmanager.cpp, line 1457]
nsViewManager::DispatchEvent  [mozilla/view/src/nsviewmanager.cpp, line 1410]
HandleEvent  [mozilla/view/src/nsview.cpp, line 174]
nsWindow::DispatchEvent  [mozilla/widget/src/windows/nswindow.cpp, line 1107]
NS_InvokeByIndex_P  [mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod  [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2246]
Posted file stack
OS: Windows XP → All
Hardware: PC → All
Posted patch wip1 (obsolete)
Wallpaper until we can fix the real issue that Boris's comment points out?
(removing the 'rv' is to fix an "unused variable" warning)
Attachment #263174 - Flags: superreview?(dbaron)
Attachment #263174 - Flags: review?(dbaron)
Comment on attachment 263174
wip1

As far as I can tell, you're fixing exactly the bug Boris pointed out in his comment.  So I'd say you should remove both the XXXbz comment and the XXX comment you're adding.

r+sr=dbaron
Attachment #263174 - Flags: superreview?(dbaron)
Attachment #263174 - Flags: superreview+
Attachment #263174 - Flags: review?(dbaron)
Attachment #263174 - Flags: review+
Actually, could you also add:

+  NS_ASSERTION(aState.GetRenderingContext(),
+               "must have rendering context");

to nsBox::GetPrefSize, nsBox::GetMinSize, nsBox::GetMaxSize, and nsIFrame::Layout, and (with the variable name changed to aBoxLayoutState) to nsBoxFrame::GetPrefSize, nsBoxFrame::GetMinSize, and nsBoxFrame::GetMaxSize?
I think the long term thing to do here is make all the things that don't require a rendering context not take a layout state argument at all.  Doing that probably isn't too hard -- we'd just need to split Redraw into a version not taking a layout state and one that takes a layout state, checks PaintingEnabled(), and calls the first.
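A minimal C++ sketch of the two ideas in the comments above, added here as an illustration and not taken from the patch or from Gecko: the precondition that a layout state carries a rendering context before sizing, and the proposed Redraw split. `RenderingContext`, `LayoutState`, `TextFrame` and the failure counter are hypothetical stand-ins for the real classes.

```cpp
// Added illustration: hypothetical stand-ins, not Gecko's real classes.
#include <cstdio>

struct RenderingContext { int avgCharWidth; };  // stand-in for font metrics

// A layout state may be constructed without a rendering context.
class LayoutState {
public:
    explicit LayoutState(RenderingContext* rc = nullptr, bool painting = true)
        : mRC(rc), mPainting(painting) {}
    RenderingContext* GetRenderingContext() const { return mRC; }
    bool PaintingEnabled() const { return mPainting; }
private:
    RenderingContext* mRC;
    bool mPainting;
};

static int gPreconditionFailures = 0;  // counted here instead of aborting

struct TextFrame {
    int cols = 20;
    int redraws = 0;

    // Sizing text needs font metrics, so the context is a hard precondition.
    // Returns false and leaves width untouched rather than dereferencing null.
    bool GetPrefSize(const LayoutState& state, int& width) const {
        RenderingContext* rc = state.GetRenderingContext();
        if (!rc) {                       // "must have rendering context"
            ++gPreconditionFailures;
            return false;
        }
        width = cols * rc->avgCharWidth;
        return true;
    }

    // Proposed split: the core operation takes no layout state at all,
    void Redraw() { ++redraws; }
    // and the state-taking overload only checks PaintingEnabled().
    void Redraw(const LayoutState& state) {
        if (state.PaintingEnabled()) Redraw();
    }
};

int main() {
    RenderingContext rc{7};
    TextFrame f;
    int w = -1;
    bool ok = f.GetPrefSize(LayoutState(&rc), w);
    std::printf("with context: ok=%d width=%d\n", ok, w);
    ok = f.GetPrefSize(LayoutState(), w);
    std::printf("without context: ok=%d failures=%d\n", ok, gPreconditionFailures);
    return 0;
}
```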
Posted patch Patch rev. 2
The requested changes in comment 4.  I'll file comment 5 as a followup bug.
Attachment #263174 - Attachment is obsolete: true
Attachment #263177 - Flags: superreview?(dbaron)
Attachment #263177 - Flags: review?(dbaron)
Assignee: nobody → mats.palmgren
Attachment #263177 - Flags: superreview?(dbaron)
Attachment #263177 - Flags: superreview+
Attachment #263177 - Flags: review?(dbaron)
Attachment #263177 - Flags: review+
Filed bug 379215 on comment 5.

Checked in to trunk at 2007-04-29 15:24 PDT.

-> FIXED
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a5pre) Gecko/20070430 Minefield/3.0a5pre
Status: RESOLVED → VERIFIED
Target Milestone: --- → mozilla1.9alpha5
Crash Signature: [@ nsTextControlFrame::CalcIntrinsicSize]