Closed
Bug 380217
Opened 17 years ago
Closed 17 years ago
Crash [@ nsTreeBoxObject::GetColumns] with <xul:tree> and position: fixed
Categories
(Core :: XUL, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: smaug)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:critical?] post 1.8-branch)
Crash Data
Attachments
(3 files)
589 bytes,
application/vnd.mozilla.xul+xml
|
Details | |
3.81 KB,
text/plain
|
Details | |
2.89 KB,
patch
|
roc
:
review+
roc
:
superreview+
|
Details | Diff | Splinter Review |
Loading the testcase in Mac trunk debug causes Firefox to crash [@ nsTreeBoxObject::GetColumns] dereferencing 0xdddddddd.
Assignee | ||
Updated•17 years ago
|
OS: Mac OS X → All
Assignee | ||
Updated•17 years ago
|
Assignee: Jan.Varga → Olli.Pettay
Reporter | ||
Updated•17 years ago
|
Whiteboard: [sg:critical?]
Comment 1•17 years ago
|
||
Assignee | ||
Comment 2•17 years ago
|
||
It is ugly that treebodyframe implements nsITreeBoxObject, box objects are usually refcounted, but not in this case. (Though, treebodyframe's nsITreeBoxObject is accessed only through the real treeboxobject). Anyway, seems to me that ClearCachedValues() doesn't get called for some reason.
Assignee | ||
Comment 3•17 years ago
|
||
I can't reproduce the bug on branch, so it would be good to find the regression range. Anyway, I think EnsureBoxObject should be called already in ::Init, because it must be sure that boxObject's ClearCachedValues() is called in ::Destroy. And if EnsureBoxObject is called already in ::Init, there is no reason to call it elsewhere (mTreeBoxObject is set to null only in ::Destroy).
Attachment #264974 -
Flags: superreview?(roc)
Attachment #264974 -
Flags: review?(roc)
Comment 5•17 years ago
|
||
I'm getting a crash when clicking 2 times on the treecolpicker, is that the same bug or something else?
Assignee | ||
Comment 6•17 years ago
|
||
I get that crash if I backout bug 377035 and don't use the patch in this bug. But with this patch (and no need to backout 377035) I don't get the crash.
Assignee | ||
Comment 7•17 years ago
|
||
The stack for the double click crash is totally different, but because the patch helps with that, maybe the patch could be useful also on branches.
Comment 8•17 years ago
|
||
Note that I don't see a treecolpicker on branches, so I can't test if it crashes there.
Assignee | ||
Comment 9•17 years ago
|
||
treecolpicker is there, behind the scrollbar. I can see basically the border of it, so only few pixels.
Assignee | ||
Comment 10•17 years ago
|
||
I tested the patch on branch and it doesn't help with the double click crash there. Need to file a new bug for that.
Assignee | ||
Comment 11•17 years ago
|
||
(In reply to comment #10) > Need to file a new bug for that. > Bug 380853
Attachment #264974 -
Flags: superreview?(roc)
Attachment #264974 -
Flags: superreview+
Attachment #264974 -
Flags: review?(roc)
Attachment #264974 -
Flags: review+
Assignee | ||
Updated•17 years ago
|
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
|
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Keywords: regression
Whiteboard: [sg:critical?] → [sg:critical?] post 1.8-branch
Updated•17 years ago
|
Group: security
Flags: in-testsuite?
Component: XP Toolkit/Widgets: Trees → XUL
QA Contact: xptoolkit.trees → xptoolkit.widgets
Updated•13 years ago
|
Crash Signature: [@ nsTreeBoxObject::GetColumns]
You need to log in
before you can comment on or make changes to this bug.
Description
•