Infinite loop shifting focus due to anonymous content parenting error

VERIFIED FIXED in M18

Status

()

P1
critical
VERIFIED FIXED
18 years ago
18 years ago

People

(Reporter: mikepinkerton, Assigned: buster)

Tracking

({crash})

Trunk
crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [nsbeta3+][PDTP1], URL)

Attachments

(3 attachments)

(Reporter)

Description

18 years ago
- go to cnn.com (build from 9/12)
- select some text on the page
- hit tab

app locks up, goes into an infinite loop in the ESM::ShiftFocus()
(Reporter)

Comment 1

18 years ago
actually, you don't event have to select text, just click in the content area. 
this is bad, nsbeta3. It's not a crash, but it hangs the machine.
Keywords: crash, nsbeta3
Summary: Infinite loop shifting focus → Infinite loop shifting focus

Comment 2

18 years ago
nsbeta3+, P1 for M18
Priority: P3 → P1
Whiteboard: [nsbeta3+]
Target Milestone: --- → M18

Comment 3

18 years ago
The minimum test (I am not kidding). The <HR> makes the whole CNN page go nuts.

<HTML>
<BODY>
<TABLE border>
  <TR>
    <TD><A HREF="foo">foo</a></TD>
  </TR>
  <TR>
    <TD><HR></TD>
  </TR>
</TABLE>
</BODY>
</HTML>

Comment 4

18 years ago
Created attachment 14802 [details]
testcase; simple table with HR in a cell after A HREF; TAB hangs Mac

Comment 5

18 years ago
The issue is that the leaf frame iterator is getting confused because a child 
frame is also a sibling of its parent frame in this case. As I understand it, 
this should never happen in the frame tree, and falls squarely into layout's 
domain.

frame1--------(sibling)
  | (child)  |
frame2       |
  | (child)  |
frame3<------|

Reassigning to karnaze.
Assignee: saari → karnaze

Comment 6

18 years ago
Created attachment 14940 [details]
test case with some text added

Comment 7

18 years ago
Buster, the infinite loop occurs in nsEventStateManager::GetNextTabbableContent.   
"dump frames" shows that the Frame<hr> and Inline<hr> are siblings, but the 
mParent of Inline<hr> is pointing to Frame<hr>. 

I'm changing the platform and OS from Mac to all.
Assignee: karnaze → buster
OS: Mac System 9.0 → All
Hardware: Macintosh → All
(Assignee)

Comment 8

18 years ago
my top priority bug right now.  investigating...
Status: NEW → ASSIGNED
(Assignee)

Comment 9

18 years ago
WorksForMe.  I think this was probably a side-effect of bug 52307.  Pink, could
you please pull the latest source and verify?
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → WORKSFORME
(Reporter)

Comment 10

18 years ago
nope, still does it, build from 10am 9/19/00. sorry for the bad news.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
(Reporter)

Comment 11

18 years ago
btw, i'm on mac if that helps (where the bug was originally reported)
(Assignee)

Comment 12

18 years ago
yep, you're right, I just got it to fail too.  dang.  I was able to click on a 
control, tab all the way to the end of the document, shift-tab all the way back 
up, and then it would lock up.
Status: REOPENED → ASSIGNED

Updated

18 years ago
Whiteboard: [nsbeta3+] → [nsbeta3+][PDTP1]

Comment 13

18 years ago
PDT agrees P1
(Assignee)

Comment 14

18 years ago
Pink:  you diagnosed this one perfectly.  I'm testing a fix now.  Thanks for all 
the help!
(Reporter)

Comment 15

18 years ago
saari/karnaze did all the work. i just whined a lot.
(Assignee)

Comment 16

18 years ago
changing component to layout.  attaching patch.  karnaze and waterson, please 
review.

the patch simply passes the correct parent frame to the two 
CreateGeneratedContentFrame() calls (one for :before, and one for :after.)  I 
was incorrectly passing in the newly created frame, which would have been 
correct had HR been a proper container.  But the anonymous content associated 
with HR's is set up as siblings of the HR, and therefore children of HR's 
parent.  All this only occurs in quirks mode, triggered from style rules in 
quirk.css
Component: XP Toolkit/Widgets → Layout
Whiteboard: [nsbeta3+][PDTP1] → [nsbeta3+][PDTP1] [fix in hand]
(Assignee)

Comment 17

18 years ago
Created attachment 15103 [details] [diff] [review]
proposed fix, sets correct parent for generated content

Comment 18

18 years ago
makes sense. r=waterson
(Assignee)

Comment 19

18 years ago
made subject more descriptive
Summary: Infinite loop shifting focus → Infinite loop shifting focus due to anonymous content parenting error
(Assignee)

Comment 20

18 years ago
fix checked in
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago18 years ago
Resolution: --- → FIXED
Whiteboard: [nsbeta3+][PDTP1] [fix in hand] → [nsbeta3+][PDTP1]

Comment 21

18 years ago
verified fixed mac/linux/win32 20000922nn mac/linux/win32 builds, for cnn.com
and the two different testcases. No hang/loop when tabbing.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.