Closed Bug 383709 Opened 18 years ago Closed 18 years ago

Crash [@ nsIView::GetParent] [@ nsCSSFrameConstructor::ContentInserted] with <xul:tree> and XBL

Categories

(Core :: XUL, defect, P2)

Product:
Core
Component:
XUL
Platform:
x86
All
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jruderman, Assigned: smaug)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical][dbaron-1.9:Rs])

Crash Data

Attachments

(1 file)

testcase
969 bytes, application/vnd.mozilla.xul+xml
Details
On the third load, the testcase triggers two assertions and crashes. ###!!! ASSERTION: Already have an undisplayed context entry for aContent: '!GetUndisplayedContent(aContent)', file /Users/jruderman/trunk/mozilla/layout/base/nsFrameManager.cpp, line 572 ###!!! ASSERTION: node in map twice: 'Not Reached', file /Users/jruderman/trunk/mozilla/layout/base/nsFrameManager.cpp, line 1677 The crash isn't always in the same place: [@ nsIView::GetParent] -- most frequent [@ nsCSSFrameConstructor::ContentInserted] -- first one seen [@ nsTreeBodyFrame::CalcHorzWidth] [@ nsIFrame::HasView] Possibly related: * Bug 377820 (involves XBL and crashes [@ nsIFrame::HasView]) * Bug 368641 (involves both assertions)
Attached file testcase
Only crashes when the testcase is local. I'm guessing the reasons have to do with timing.
The [@ nsIFrame::HasView] crash dereferences 0xddddde01, and the [@ nsCSSFrameConstructor::ContentInserted] crash *calls* 0xdddddddd. --> [sg:critical]
Flags: blocking1.9?
Whiteboard: [sg:critical]
I can reproduce this on Linux(, when the testcase is local) OS -> All
OS: Mac OS X → All
(In reply to comment #2) >Only crashes when the testcase is local. Interestingly when the testcase is remote I get xbl assertions.
Flags: blocking1.9? → blocking1.9+
Remote, I now get: ###!!! ASSERTION: bad index: 'aIndex >= 0 && aIndex < mRows.Count()', file /Users/jruderman/trunk/mozilla/layout/xul/base/src/tree/src/nsTreeContentView.cpp, line 284 ###!!! ASSERTION: bad row: 'aRow >= 0 && aRow < mRows.Count()', file /Users/jruderman/trunk/mozilla/layout/xul/base/src/tree/src/nsTreeContentView.cpp, line 244 Local, I now get everything mentioned in comment 0 plus: ###!!! ASSERTION: Leaking a popup frame: '!entry->mPopupFrame', file /Users/jruderman/trunk/mozilla/layout/xul/base/src/nsPopupSetFrame.cpp, line 297 The crash I got this time was at [@ nsIView::GetPosition].
Jan, are you looking into this?
Assignee: Jan.Varga → nobody
I still see the crash in a debug build from today, but it takes a minute or so to crash now (even with the testcase local). Is anyone interested in fixing this? It's both a security hole and a crash that prevents me from testing XUL trees well :(
I'll try to look at this tomorrow or later this week.
Assignee: nobody → Olli.Pettay
Whiteboard: [sg:critical] → [sg:critical][dbaron-1.9:Rs]
Didn't find yet the fix for this, so if anyone immediately notices what the problem is, feel free to take this. (The bug is somewhere in code which I'm not too familiar with.) But I'll come back to this after fixing some other 1.9+s.
WFM on trunk. I only get the "bad index" and "bad row" assertions (even with the testcase local), and I think those are covered by bug 366203. Maybe the other assertion and crash were fixed along with bug 401589 (which also triggered the "Leaking a popup frame" assertion) by roc's patch to bug 399940?
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
Great. The only blocker in my list for which I had no clue (yet) how to fix it. But yes, WFM linux too.
Component: XP Toolkit/Widgets: Trees → XUL
QA Contact: xptoolkit.trees → xptoolkit.widgets
Crash Signature: [@ nsIView::GetParent] [@ nsCSSFrameConstructor::ContentInserted]
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: