Closed Bug 400157 Opened 18 years ago Closed 18 years ago

[FIX]Crash [@ nsMathMLChar::~nsMathMLChar] while zooming in a page with mathml:mfenced and reloading

Categories

(Core :: Layout, defect, P2)

x86
Windows XP
defect

Tracking

VERIFIED FIXED
mozilla1.9beta2

People

(Reporter: martijn.martijn, Assigned: bzbarsky)

Details

(Keywords: crash, regression, testcase, Whiteboard: [dbaron-1.9:RsCe])

Attachments

(2 files)

Attached file testcase
See testcase, which crashes current trunk build when zooming in (ctrl-+) a few times and then reloading. If you download the testcase to your computer, it will automatically crash for you.
This regressed between 2007-07-25 and 2007-07-26:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-07-25+04&maxdate=2007-07-26+09&cvsroot=%2Fcvsroot
A regression from bug 386640 somehow?
http://crash-stats.mozilla.com/report/index/44f207ae-7cca-11dc-8a1b-001a4bd43ed6
0 @0x0
1 nsMathMLChar::~nsMathMLChar() mozilla/layout/mathml/base/src/nsMathMLChar.h:95
2 nsMathMLmfencedFrame::RemoveFencesAndSeparators() mozilla/layout/mathml/base/src/nsMathMLmfencedFrame.cpp:117
3 nsMathMLmfencedFrame::~nsMathMLmfencedFrame() mozilla/layout/mathml/base/src/nsMathMLmfencedFrame.cpp:65
4 nsMathMLmfencedFrame::`vector deleting destructor'(unsigned int)
5 nsFrame::Destroy() mozilla/layout/generic/nsFrame.cpp:510
6 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:301
7 nsLineBox::DeleteLineList(nsPresContext*, nsLineList&) mozilla/layout/generic/nsLineBox.cpp:363
8 nsBlockFrame::Destroy() mozilla/layout/generic/nsBlockFrame.cpp:300
9 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameList.cpp:67
10 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:259
etc...
Flags: blocking1.9?
Presumably this can be triggered with script in the page as well, since the new text zoom codepath is more similar to the script-caused style change codepath.
Flags: blocking1.9? → blocking1.9+
I'm seeing a crash in nsStyleContext::Destroy because mRuleNode is 0xdddddddd so doing: nsCOMPtr<nsPresContext> presContext = mRuleNode->GetPresContext(); crashes.
Attached patch Fix
mSeparatorsCount had a bogus value (-1), so the indexing in GetAdditionalStyleContext/SetAdditionalStyleContext was off, and we never reresolved one of those style contexts. So it was left pointing into the old (dead) rulenode tree.
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #285845 - Flags: superreview?(dbaron)
Attachment #285845 - Flags: review?(dbaron)
Flags: in-testsuite?
Priority: -- → P2
Summary: Crash [@ nsMathMLChar::~nsMathMLChar] while zooming in a page with mathml:mfenced and reloading → [FIX]Crash [@ nsMathMLChar::~nsMathMLChar] while zooming in a page with mathml:mfenced and reloading
Target Milestone: --- → mozilla1.9 M10
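The indexing failure described in the comment above, as an added simplified C++ model; it is not code from the attached patch or from Gecko. The index layout, the `StyleCtx` and `FencedFrame` types, and the generation counter standing in for the rule node tree are assumptions made for illustration.

```cpp
#include <cstdio>
#include <vector>

// Simplified model, not Gecko code. ruleTreeGen records which rule-tree
// generation a style context was resolved against; a mismatch after a
// restyle stands in for a pointer into the old (freed) rule tree.
struct StyleCtx { int ruleTreeGen; };

struct FencedFrame {
    StyleCtx open{0}, close{0};
    std::vector<StyleCtx> separators;
    int separatorsCount = 0;  // models the page's mSeparatorsCount

    // Assumed index layout: separators, then open fence, then close fence.
    // Returns nullptr for any index past the last context.
    StyleCtx* GetAdditional(int index) {
        int last = separatorsCount - 1;
        int openIdx = ++last;
        int closeIdx = ++last;
        if (index < 0 || index > last) return nullptr;
        if (index < separatorsCount) return &separators[index];
        if (index == openIdx) return &open;
        if (index == closeIdx) return &close;
        return nullptr;
    }
};

// Restyle walks indices 0, 1, 2, ... until the accessor returns nullptr.
void Restyle(FencedFrame& f, int newGen) {
    for (int i = 0; StyleCtx* sc = f.GetAdditional(i); ++i)
        sc->ruleTreeGen = newGen;
}

// Number of contexts still tied to the old generation after one restyle.
int StaleAfterRestyle(int separatorsCount, int nSeparators) {
    FencedFrame f;
    f.separators.assign(nSeparators, StyleCtx{0});
    f.separatorsCount = separatorsCount;
    Restyle(f, 1);
    int stale = (f.open.ruleTreeGen != 1) + (f.close.ruleTreeGen != 1);
    for (const StyleCtx& s : f.separators) stale += (s.ruleTreeGen != 1);
    return stale;
}

int main() {
    std::printf("count=-1: %d stale\n", StaleAfterRestyle(-1, 0));
    std::printf("count=0:  %d stale\n", StaleAfterRestyle(0, 0));
    std::printf("count=2:  %d stale\n", StaleAfterRestyle(2, 2));
}
```

With a count of -1 every index shifts down by one, so the walk ends one context early and the open fence is never re-resolved; a debug assertion that the count is non-negative before it is used for indexing would catch this at the point of corruption rather than at frame destruction.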
Comment on attachment 285845 (Fix)
r+sr=dbaron. Try to get the test in if we have a place for such tests...
Attachment #285845 - Flags: superreview?(dbaron)
Attachment #285845 - Flags: superreview+
Attachment #285845 - Flags: review?(dbaron)
Attachment #285845 - Flags: review+
Comment on attachment 285845 (Fix)
I could land the test as a mochitest, but that seems somewhat suboptimal...
I mean once we figure out what we're doing for the crashtests...
Whiteboard: [dbaron-1.9:RsCe]
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b2pre) Gecko/2007110805 Minefield/3.0b2pre
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsMathMLChar::~nsMathMLChar]