432801 - Crash [@ nsRuleNode::GetStylePosition] with xul:menuitem, xul:tooltip, math:sup and position: absolute

Status: RESOLVED WORKSFORME

(Core :: Layout, defect)

Description

[Martijn Wargers (dead)]

Attachment: testcase

See testcase, which crashes in current trunk build.

This seems to have regressed between 2008-01-10 and 2008-01-11:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2008-01-10+04&maxdate=2008-01-11+07&cvsroot=%2Fcvsroot
I guess a regression from bug 408933.

http://crash-stats.mozilla.com/report/index/55119c4a-1cf3-11dd-b62d-001cc4e2bf68?p=1
0  	xul.dll  	nsRuleNode::GetStylePosition  	 mozilla/layout/style/nsStyleStructList.h:87
1 	xul.dll 	nsStyleContext::GetStylePosition 	mozilla/layout/style/nsStyleStructList.h:87
2 	xul.dll 	nsIFrame::GetStylePosition 	nsStyleStructList.h:87
3 	xul.dll 	nsHTMLReflowState::Init 	mozilla/layout/generic/nsHTMLReflowState.cpp:296
4 	xul.dll 	nsHTMLReflowState::nsHTMLReflowState 	mozilla/layout/generic/nsHTMLReflowState.cpp:176
5 	xul.dll 	nsAbsoluteContainingBlock::ReflowAbsoluteFrame 	mozilla/layout/generic/nsAbsoluteContainingBlock.cpp:414
6 		@0x3fffffff

Comment 1

[Mats Palmgren (:mats)]

Fix coming up...

Comment 2

[Mats Palmgren (:mats)]

When calling nsMenuFrame::Append/InsertFrames with a child list that
contains a MenuPopupFrame + one or more children we simply forget to
insert/append the rest of the children:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/xul/base/src/nsMenuFrame.cpp&rev=1.368&root=/cvsroot&mark=1207,1218,1241,1251,1211,1245#1200
For the testcase it's the placeholder that get's lost, then we call
nsCSSFrameConstructor::RebuildAllStyleData() which will use the old
style context since we didn't find the placeholder on any child list.

Also, we intended to propagate the debug bit to mPopupFrame there, right?

Comment 3

[Mats Palmgren (:mats)]

Attachment: Patch rev. 1

1. call nsBoxFrame::Append/InsertFrames for the remaining frames
2. propagate the debug bit to mPopupFrame

nsBoxFrame will take care of setting the debug bit for the
remaining frames and call FrameNeedsReflow(eTreeChange).

Comment 4

[Robert O'Callahan (:roc) (email my personal email if necessary)]

It seems wrong that someone is calling Append/InsertFrames with null aListName with a frame list including the popup frame and expecting the popup frame to be magically moved to the popup list. That seems like a bug in the caller.

Comment 5

[Martijn Wargers (dead)]

I was wrong, this actually regressed between 2008-01-09 and 2008-01-10:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2008-01-09+14&maxdate=2008-01-10+07&cvsroot=%2Fcvsroot
I guess a regression from bug 404146, then.

Comment 6

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Comment on attachment 320041 [details] [diff] [review]
Patch rev. 1

Need a response to comment #4

Comment 7

[Martijn Wargers (dead)]

Still crashes in current trunk build.

Comment 8

[Martijn Wargers (dead)]

Still crashes in current trunk build.

Comment 9

[Olli Pettay [:smaug]]

Can't reproduce the crash, but there sure are some evil assertions
###!!! ASSERTION: style context has old rule node: 'n == mRuleTree', file /mozilla/layout/style/nsStyleSet.cpp, line 181
###!!! ASSERTION: old rule tree still referenced: 'Not Reached', file /home/smaug/mozilla/layout/style/nsStyleSet.cpp, line 947
###!!! ASSERTION: Some objects allocated with AllocateFrame were not freed: 'mFrameCount == 0', file /mozilla/layout/base/nsPresShell.cpp, line 681

Comment 10

[David Baron :dbaron:]

Perhaps also related to bug 474377?

Comment 11

[David Baron :dbaron:]

Is this still sg:critical after bug 475128 landed?

Comment 12

[Jesse Ruderman]

WFM, no assertions for me on Mac.