Closed
Bug 432801
Opened 17 years ago
Closed 16 years ago
Crash [@ nsRuleNode::GetStylePosition] with xul:menuitem, xul:tooltip, math:sup and position: absolute
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:critical?][maybe not critical after bug 475128?])
Crash Data
Attachments
(2 files)
|
313 bytes,
application/xhtml+xml
|
Details | |
|
5.46 KB,
patch
|
Details | Diff | Splinter Review |
See testcase, which crashes in current trunk build.
This seems to have regressed between 2008-01-10 and 2008-01-11:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2008-01-10+04&maxdate=2008-01-11+07&cvsroot=%2Fcvsroot
I guess a regression from bug 408933.
http://crash-stats.mozilla.com/report/index/55119c4a-1cf3-11dd-b62d-001cc4e2bf68?p=1
0 xul.dll nsRuleNode::GetStylePosition mozilla/layout/style/nsStyleStructList.h:87
1 xul.dll nsStyleContext::GetStylePosition mozilla/layout/style/nsStyleStructList.h:87
2 xul.dll nsIFrame::GetStylePosition nsStyleStructList.h:87
3 xul.dll nsHTMLReflowState::Init mozilla/layout/generic/nsHTMLReflowState.cpp:296
4 xul.dll nsHTMLReflowState::nsHTMLReflowState mozilla/layout/generic/nsHTMLReflowState.cpp:176
5 xul.dll nsAbsoluteContainingBlock::ReflowAbsoluteFrame mozilla/layout/generic/nsAbsoluteContainingBlock.cpp:414
6 @0x3fffffff
|
Assignee | |
Comment 1•17 years ago
|
||
Fix coming up...
Assignee: nobody → mats.palmgren
Group: security
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:critical?]
|
|
Assignee | |
Comment 2•17 years ago
|
||
When calling nsMenuFrame::Append/InsertFrames with a child list that
contains a MenuPopupFrame + one or more children we simply forget to
insert/append the rest of the children:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/xul/base/src/nsMenuFrame.cpp&rev=1.368&root=/cvsroot&mark=1207,1218,1241,1251,1211,1245#1200
For the testcase it's the placeholder that get's lost, then we call
nsCSSFrameConstructor::RebuildAllStyleData() which will use the old
style context since we didn't find the placeholder on any child list.
Also, we intended to propagate the debug bit to mPopupFrame there, right?
|
|
Assignee | |
Comment 3•17 years ago
|
||
1. call nsBoxFrame::Append/InsertFrames for the remaining frames
2. propagate the debug bit to mPopupFrame
nsBoxFrame will take care of setting the debug bit for the
remaining frames and call FrameNeedsReflow(eTreeChange).
Attachment #320041 -
Flags: superreview?(roc)
Attachment #320041 -
Flags: review?(roc)
It seems wrong that someone is calling Append/InsertFrames with null aListName with a frame list including the popup frame and expecting the popup frame to be magically moved to the popup list. That seems like a bug in the caller.
|
Reporter | |
Comment 5•17 years ago
|
||
I was wrong, this actually regressed between 2008-01-09 and 2008-01-10:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2008-01-09+14&maxdate=2008-01-10+07&cvsroot=%2Fcvsroot
I guess a regression from bug 404146, then.
Attachment #320041 -
Flags: superreview?(roc)
Attachment #320041 -
Flags: review?(roc)
Flags: blocking1.9.1? → wanted1.9.1+
|
||
Comment 9•16 years ago
|
||
Can't reproduce the crash, but there sure are some evil assertions
###!!! ASSERTION: style context has old rule node: 'n == mRuleTree', file /mozilla/layout/style/nsStyleSet.cpp, line 181
###!!! ASSERTION: old rule tree still referenced: 'Not Reached', file /home/smaug/mozilla/layout/style/nsStyleSet.cpp, line 947
###!!! ASSERTION: Some objects allocated with AllocateFrame were not freed: 'mFrameCount == 0', file /mozilla/layout/base/nsPresShell.cpp, line 681
Perhaps also related to bug 474377?
Is this still sg:critical after bug 475128 landed?
Whiteboard: [sg:critical?] → [sg:critical?][maybe not critical after bug 475128?]
Flags: blocking1.9.2? → wanted1.9.2+
|
||
Comment 12•16 years ago
|
||
WFM, no assertions for me on Mac.
|
|
Reporter | |
Updated•16 years ago
|
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
|
||
Updated•14 years ago
|
Crash Signature: [@ nsRuleNode::GetStylePosition]
|
||
Updated•10 years ago
|
Group: core-security → core-security-release
|
||
Updated•10 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•