Closed Bug 537624 Opened 15 years ago Closed 13 years ago

"ASSERTION: Already have an undisplayed context entry for aContent" with {ib}

Categories

(Core :: Layout, defect, P1)

Product:
Core
Component:
Layout
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla14
Tracking Flags:
Tracking Status
blocking2.0 --- -
status2.0 --- ?

People

(Reporter: jruderman, Assigned: bzbarsky)

References

Details

(Keywords: assertion, testcase)

Attachments

(3 files)

testcase
381 bytes, text/html
Details
Proposed fix
18.04 KB, patch
roc
: review+
Details | Diff | Splinter Review
Additional fix needed on top of the first patch to fix leaks
1.96 KB, patch
roc
: review+
Details | Diff | Splinter Review
Attached file testcase 
###!!! ASSERTION: Already have an undisplayed context entry for aContent: '!GetUndisplayedContent(aContent)', file /Users/jruderman/central/layout/base/nsFrameManager.cpp, line 398

###!!! ASSERTION: node in map twice: 'Not Reached', file /Users/jruderman/central/layout/base/nsFrameManager.cpp, line 1736
Hmm.  So the problem is that undisplayed entries are added during frame construction item creation.  They're only cleared during frame destruction.  In particular, if we throw away the frame construction items (e.g. due to a WipeContainingBlock) we won't remove the undisplayed entries.

This is bad.  Looks like a regression from bug 480979.  And this happens in 1.9.2 as well.

My first instinct is to flag frame construction items when frames are constructed from them, and to have the destructor clear the undisplayed map under the content if no frame has been constructed.  The other option is to create items for display:none stuff and change the various code the works with item lists to ignore them (and then not construct any frames from them).  That sounds annoying, though.

Any other bright ideas?
Blocks: 480979
Assignee: nobody → bzbarsky
blocking2.0: --- → ?
status2.0: --- → ?
blocking2.0: ? → final+
Priority: -- → P2
Priority: P2 → P1
Blocks: 597317
Blocks: 615012
Blocks: 618428
Blocks: 736924
So the approach from comment 1 doesn't work to fix this bug (though it does fix bug 736924), because it fails for the case when a frame construction item list is constructed for an already-existing parent and is then thrown away.  In that case there is no parent frame construction item.
Attached patch Proposed fixSplinter Review 

        Attachment #607228 -
        Flags: review?(roc)

    
  
Whiteboard: [need review]

    
    

    
  


  
The first patch leaked on try, because of that placement new clobbering our list which was holding refs to style contexts (and was also looking like an array leak, hence the new destructor call).

        Attachment #607263 -
        Flags: review?(roc)

    
    

    
  
https://hg.mozilla.org/integration/mozilla-inbound/rev/b595743d74b6
Flags: in-testsuite+
Whiteboard: [need review]

    
  
Target Milestone: --- → mozilla14

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/b595743d74b6
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: