Closed Bug 432801 Opened 16 years ago Closed 15 years ago

Crash [@ nsRuleNode::GetStylePosition] with xul:menuitem, xul:tooltip, math:sup and position: absolute

Tracking

()

Status:

RESOLVED WORKSFORME

People

(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:critical?][maybe not critical after bug 475128?])

Crash Data

Attachments

(2 files)

testcase 16 years ago Martijn Wargers (dead) 313 bytes, application/xhtml+xml		Details
Patch rev. 1 16 years ago Mats Palmgren (inactive) 5.46 KB, patch		Details \| Diff \| Splinter Review

Martijn Wargers (dead)

Reporter

Description

•

16 years ago

Attached file testcase — Details

See testcase, which crashes in current trunk build.

This seems to have regressed between 2008-01-10 and 2008-01-11:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2008-01-10+04&maxdate=2008-01-11+07&cvsroot=%2Fcvsroot
I guess a regression from bug 408933.

http://crash-stats.mozilla.com/report/index/55119c4a-1cf3-11dd-b62d-001cc4e2bf68?p=1
0  	xul.dll  	nsRuleNode::GetStylePosition  	 mozilla/layout/style/nsStyleStructList.h:87
1 	xul.dll 	nsStyleContext::GetStylePosition 	mozilla/layout/style/nsStyleStructList.h:87
2 	xul.dll 	nsIFrame::GetStylePosition 	nsStyleStructList.h:87
3 	xul.dll 	nsHTMLReflowState::Init 	mozilla/layout/generic/nsHTMLReflowState.cpp:296
4 	xul.dll 	nsHTMLReflowState::nsHTMLReflowState 	mozilla/layout/generic/nsHTMLReflowState.cpp:176
5 	xul.dll 	nsAbsoluteContainingBlock::ReflowAbsoluteFrame 	mozilla/layout/generic/nsAbsoluteContainingBlock.cpp:414
6 		@0x3fffffff

Mats Palmgren (inactive)

Assignee

Comment 1

•

16 years ago

Fix coming up...

Assignee: nobody → mats.palmgren

Group: security

OS: Windows XP → All

Hardware: PC → All

Whiteboard: [sg:critical?]

Mats Palmgren (inactive)

Assignee

Comment 2

•

16 years ago

When calling nsMenuFrame::Append/InsertFrames with a child list that
contains a MenuPopupFrame + one or more children we simply forget to
insert/append the rest of the children:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/xul/base/src/nsMenuFrame.cpp&rev=1.368&root=/cvsroot&mark=1207,1218,1241,1251,1211,1245#1200
For the testcase it's the placeholder that get's lost, then we call
nsCSSFrameConstructor::RebuildAllStyleData() which will use the old
style context since we didn't find the placeholder on any child list.

Also, we intended to propagate the debug bit to mPopupFrame there, right?

Mats Palmgren (inactive)

Assignee

Comment 3

•

16 years ago

Attached patch Patch rev. 1 — Details — Splinter Review

1. call nsBoxFrame::Append/InsertFrames for the remaining frames
2. propagate the debug bit to mPopupFrame

nsBoxFrame will take care of setting the debug bit for the
remaining frames and call FrameNeedsReflow(eTreeChange).

Attachment #320041 - Flags: superreview?(roc)

Attachment #320041 - Flags: review?(roc)

Robert O'Callahan (:roc) (email my personal email if necessary)

Comment 4

•

16 years ago

It seems wrong that someone is calling Append/InsertFrames with null aListName with a frame list including the popup frame and expecting the popup frame to be magically moved to the popup list. That seems like a bug in the caller.

Martijn Wargers (dead)

Reporter

Comment 5

•

16 years ago

I was wrong, this actually regressed between 2008-01-09 and 2008-01-10:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2008-01-09+14&maxdate=2008-01-10+07&cvsroot=%2Fcvsroot
I guess a regression from bug 404146, then.

Blocks: 404146
No longer blocks: 408933

Robert O'Callahan (:roc) (email my personal email if necessary)

Comment 6

•

16 years ago

Comment on attachment 320041 [details] [diff] [review]
Patch rev. 1

Need a response to comment #4

Attachment #320041 - Flags: superreview?(roc)

Attachment #320041 - Flags: review?(roc)

Martijn Wargers (dead)

Reporter

Comment 7

•

16 years ago

Still crashes in current trunk build.

Flags: blocking1.9.1?

Robert O'Callahan (:roc) (email my personal email if necessary)

Updated

•

16 years ago

Flags: blocking1.9.1? → wanted1.9.1+

Martijn Wargers (dead)

Reporter

Comment 8

•

16 years ago

Still crashes in current trunk build.

Flags: blocking1.9.2?

Olli Pettay [:smaug][bugs@pettay.fi]

Comment 9

•

15 years ago

Can't reproduce the crash, but there sure are some evil assertions
###!!! ASSERTION: style context has old rule node: 'n == mRuleTree', file /mozilla/layout/style/nsStyleSet.cpp, line 181
###!!! ASSERTION: old rule tree still referenced: 'Not Reached', file /home/smaug/mozilla/layout/style/nsStyleSet.cpp, line 947
###!!! ASSERTION: Some objects allocated with AllocateFrame were not freed: 'mFrameCount == 0', file /mozilla/layout/base/nsPresShell.cpp, line 681

David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)

Comment 10

•

15 years ago

Perhaps also related to bug 474377?

David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)

Comment 11

•

15 years ago

Is this still sg:critical after bug 475128 landed?

Whiteboard: [sg:critical?] → [sg:critical?][maybe not critical after bug 475128?]

Robert O'Callahan (:roc) (email my personal email if necessary)

Updated

•

15 years ago

Flags: blocking1.9.2? → wanted1.9.2+

Jesse Ruderman

Comment 12

•

15 years ago

WFM, no assertions for me on Mac.

Martijn Wargers (dead)

Reporter

Updated

•

15 years ago

Status: NEW → RESOLVED

Closed: 15 years ago

Resolution: --- → WORKSFORME

Nobody; OK to take it and work on it

Updated

•

13 years ago

Crash Signature: [@ nsRuleNode::GetStylePosition]

BMO Automation

Updated

•

9 years ago

Group: core-security → core-security-release

Daniel Veditz [:dveditz]

Updated

•

9 years ago

Group: core-security-release

You need to log in before you can comment on or make changes to this bug.