Closed Bug 380217 Opened 17 years ago Closed 17 years ago

Crash [@ nsTreeBoxObject::GetColumns] with <xul:tree> and position: fixed

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: smaug)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:critical?] post 1.8-branch)

Crash Data

Attachments

(3 files)

testcase (crashes Firefox when loaded)
589 bytes, application/vnd.mozilla.xul+xml
Details
stack
3.81 KB, text/plain
Details
possible patch
2.89 KB, patch
roc
: review+
roc
: superreview+
Details | Diff | Splinter Review 
Loading the testcase in Mac trunk debug causes Firefox to crash [@ nsTreeBoxObject::GetColumns] dereferencing 0xdddddddd.
OS: Mac OS X → All
Assignee: Jan.Varga → Olli.Pettay
Whiteboard: [sg:critical?]
Attached file stack 

    
    

    
  
It is ugly that treebodyframe implements nsITreeBoxObject, box objects 
are usually refcounted, but not in this case. (Though, treebodyframe's nsITreeBoxObject is accessed only through the real treeboxobject).
Anyway, seems to me that ClearCachedValues() doesn't get called for some reason.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        possible patchSplinter Review
      

    


  
I can't reproduce the bug on branch, so it would be good to find the
regression range. Anyway, I think EnsureBoxObject should be called already in ::Init, because it must be sure that boxObject's
ClearCachedValues() is called in ::Destroy.
And if EnsureBoxObject is called already in ::Init, there is no reason 
to call it elsewhere (mTreeBoxObject is set to null only in ::Destroy).

        Attachment #264974 -
        Flags: superreview?(roc)

        Attachment #264974 -
        Flags: review?(roc)

    
    

    
  
This is a regression from bug 377035.
Blocks: 377035

    
    

    
  
I'm getting a crash when clicking 2 times on the treecolpicker, is that the same bug or something else?

    
    

    
  
I get that crash if I backout bug 377035 and don't use the patch in this
bug. But with this patch (and no need to backout 377035) I don't get the crash.

    
    

    
  
The stack for the double click crash is totally different, but because the patch helps with that, maybe the patch could be useful also on
branches.

    
    

    
  
Note that I don't see a treecolpicker on branches, so I can't test if it crashes there.

    
    

    
  
treecolpicker is there, behind the scrollbar.
I can see basically the border of it, so only few pixels.

    
    

    
  
I tested the patch on branch and it doesn't help with the double click 
crash there. Need to file a new bug for that.

    
    

    
  
(In reply to comment #10)
>  Need to file a new bug for that.
> 
Bug 380853


        Attachment #264974 -
        Flags: superreview?(roc)

        Attachment #264974 -
        Flags: superreview+

        Attachment #264974 -
        Flags: review?(roc)

        Attachment #264974 -
        Flags: review+
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Depends on: 381502
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Keywords: regression
Whiteboard: [sg:critical?] → [sg:critical?] post 1.8-branch
Group: security
Flags: in-testsuite?

    
    

    
  
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+

    
  
Component: XP Toolkit/Widgets: Trees → XUL
QA Contact: xptoolkit.trees → xptoolkit.widgets
Crash Signature: [@ nsTreeBoxObject::GetColumns]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: