Closed
Bug 514300
Opened 15 years ago
Closed 15 years ago
Crash [@ FindBodyContent] with xul:listbox, XBL
Categories
(Core :: XUL, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: bzbarsky)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(4 files, 1 obsolete file)
640 bytes,
application/vnd.mozilla.xul+xml
|
Details | |
3.41 KB,
text/plain
|
Details | |
2.29 KB,
patch
|
sicking
:
review+
|
Details | Diff | Splinter Review |
6.86 KB,
patch
|
sicking
:
review+
|
Details | Diff | Splinter Review |
No description provided.
Reporter | ||
Comment 1•15 years ago
|
||
Updated•15 years ago
|
Severity: normal → critical
Assignee | ||
Comment 2•15 years ago
|
||
In FindBodyContent, we have aParent->IsInDoc() true, but childContent->IsInDoc() is false, so we crash when trying to get the binding manager off childContent->GetDocument() in FindBodyContent when recursing on it. aParent above is a <xul:listitem> and the child is <html:span>. It looks like this: document.getElementById('listbox').removeChild(document.getElementById('span')) doesn't actually remove the <span> from the XBL child list for the <listitem> for some reason.
Assignee | ||
Comment 3•15 years ago
|
||
The xbl part is the usual mess where nsBindingManager::GetXBLChildNodesInternal will return the "other" content list, the one that doesn't get updated, if the GetAnonymousNodesInternal return value has length 0.
Assignee | ||
Comment 4•15 years ago
|
||
OK, I'm sick of the GetXBLChildNodes thing. Patch coming up for it; that patch also fixes bug 415301 and bug 495354 by doing bug 495354 comment 9 item 1. As a separate note, GetDocument here is wrong. It should be GetOwnerDoc(), and that would also fix the crash. I'll put up a patch for that too.
Assignee | ||
Comment 6•15 years ago
|
||
Assignee | ||
Comment 7•15 years ago
|
||
Attachment #420006 -
Attachment is obsolete: true
Attachment #420035 -
Flags: review?(jonas)
Attachment #420006 -
Flags: review?(jonas)
Attachment #420035 -
Flags: review?(jonas) → review+
Attachment #420005 -
Flags: review?(jonas) → review+
Assignee | ||
Comment 8•15 years ago
|
||
Pushed: http://hg.mozilla.org/mozilla-central/rev/7963a18d3373 http://hg.mozilla.org/mozilla-central/rev/710cca46f64d Jonas, Jesse, what do you think of taking this on 1.9.2 once it's baked a bit?
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Reporter | ||
Comment 9•15 years ago
|
||
I would like that, given the kinds of assertions it fixes. How much of a behavior change is it?
Assignee | ||
Comment 10•15 years ago
|
||
And pushed http://hg.mozilla.org/mozilla-central/rev/52081e8986b7 to actually add the reftests to reftest.list. As far as behavior change... I think this should be pretty safe. Offhand I can't think of a situation where it would break something (else I wouldn't have asked). But this code is... finicky. :(
I think we should take this on 1.9.2 after some m-c baking.
Updated•13 years ago
|
Crash Signature: [@ FindBodyContent]
You need to log in
before you can comment on or make changes to this bug.
Description
•