Closed
Bug 411582
Opened 17 years ago
Closed 17 years ago
Crash [@ nsTableFrame::InsertFrames] with display:table-column-group and <svg:symbol>
Categories
(Core :: Layout: Tables, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.9beta3
People
(Reporter: jruderman, Assigned: MatsPalmgren_bugz)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [wallpaper])
Crash Data
Attachments
(3 files, 2 obsolete files)
318 bytes,
application/xhtml+xml
|
Details | |
5.67 KB,
text/html
|
Details | |
2.57 KB,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
mtschrep
:
approval1.9+
|
Details | Diff | Splinter Review |
Loading the testcase triggers a null deref [@ nsTableFrame::InsertFrames].
in my pretty old debug build (2007121514) it produces only a JavaScript error: file:///C:/temp/bug411582.html, line 7: document.getElementByI d("s") is null So probably this got enabled recently by a svg fix. Pseudo frame generation with in svg probably some nsCSSFrameConstructor::ConstructDocElementFrame blues.
Assignee | ||
Comment 4•17 years ago
|
||
'aFrameList' are all pseudo frames with the root as content, which looks like a reasonably valid edge case to me. http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/tables/nsTableFrame.cpp&rev=3.710&root=/cvsroot&mark=2284,2285,2288-2290,2292#2260
Assignee | ||
Comment 5•17 years ago
|
||
Fall through if 'container' is null (we will append the frames).
Comment 6•17 years ago
|
||
Wait. Wouldn't incoming pseudos wrapped around kids always be set to the table's content? That is, shouldn't we actually be digging inside the pseudo to find the first different content, rather than walking the parent chain?
Assignee | ||
Comment 7•17 years ago
|
||
Isn't that what the code does? but it never finds anything but the root content.
Comment 8•17 years ago
|
||
Oh, indeed. But why, then? Where're all the pseudo-frames coming from, if there is nothing inside them? That looks wrong.
Assignee | ||
Comment 9•17 years ago
|
||
We're processing a restyle event for the <svg:symbol> which calls RecreateFramesForContent() which calls ContentInserted(): http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1450&root=/cvsroot&mark=9136,9150#9134 where we try to construct a frame for it... while doing that we build up a pseudo frames state -- I'm guessing this is unavoidable since we can't tell beforehand if the innermost CreateFrame will actually create a frame or not? -- then we come back here and create the pseudo frames from the state, event though we never created a frame for the child. So maybe we should simply destroy the pseudo frames if there were no real frame created? can we really do that in general? If so, this will possibly also help fix bug 162063 by avoiding creation of unnecessary pseudo frames, at least in some cases... I'm still doing ProcessPseudoFrames() followed by Destroy() here - we could add a method on nsPseudoFrames to optimize this... (I don't think we can just skip calling ProcessPseudoFrames() because that can leak frames IIRC)
Comment 10•17 years ago
|
||
Oh, right. Any codepath that uses aHaltProcessing will screw this up right now. We really need to move to a better frame construction system, where we'll figure out exactly what will be constructed, _then_ construct pseudo-frames, and then construct it, instead of what we have now. I don't think you can tell whether the pseudo-frames were actually needed without looking into them to see whether they wrap something. That is, having an empty child list before pseudoframe processing is no guarantee of anything. We should probably just add a null-check in the table code and file a bug to remove it once we fix frame construction. Assign that bug to me?
Assignee | ||
Comment 11•17 years ago
|
||
Filed bug 411823
Assignee: nobody → mats.palmgren
Attachment #296302 -
Attachment is obsolete: true
Attachment #296308 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #296452 -
Flags: superreview?(bzbarsky)
Attachment #296452 -
Flags: review?(bzbarsky)
Updated•17 years ago
|
Attachment #296452 -
Flags: superreview?(bzbarsky)
Attachment #296452 -
Flags: superreview+
Attachment #296452 -
Flags: review?(bzbarsky)
Attachment #296452 -
Flags: review+
Assignee | ||
Updated•17 years ago
|
Attachment #296452 -
Flags: approval1.9?
Updated•17 years ago
|
Attachment #296452 -
Flags: approval1.9? → approval1.9+
Comment 12•17 years ago
|
||
Comment on attachment 296452 [details] [diff] [review] Patch rev. 1 (diff -w) a=beltzner for 1.9
Assignee | ||
Comment 13•17 years ago
|
||
mozilla/layout/tables/nsTableFrame.cpp 3.711 mozilla/layout/tables/crashtests/411582.xhtml 1.1 mozilla/layout/tables/crashtests/crashtests.list 1.32 -> FIXED
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [wallpaper]
Target Milestone: --- → mozilla1.9 M11
Updated•13 years ago
|
Crash Signature: [@ nsTableFrame::InsertFrames]
You need to log in
before you can comment on or make changes to this bug.
Description
•