Closed
Bug 564063
Opened 14 years ago
Closed 14 years ago
Crash [@ nsCSSFrameConstructor::MaybeConstructLazily]
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: tnikkel)
References
Details
(Keywords: assertion, crash, testcase)
Crash Data
Attachments
(2 files)
|
3.22 KB,
text/html
|
Details | |
|
2.63 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
Loading the testcase causes an assertion failure and a crash. ###!!! ASSERTION: Ancestors of nodes with frames to be constructed lazily should have frames: 'content->GetPrimaryFrame() || (content->GetFlattenedTreeParent() && content->GetFlattenedTreeParent()->GetPrimaryFrame() && content->GetFlattenedTreeParent()->GetPrimaryFrame()->IsLeaf())', file /Users/jruderman/mozilla-central/layout/base/nsCSSFrameConstructor.cpp, line 6240 Crash [@ nsCSSFrameConstructor::MaybeConstructLazily] trying to evaluate the condition of the following assertion. So much for modifying the assertion being a "safe fix" (bug 560441 comment 3) ;) I don't know why I need a timer in this testcase.
|
Assignee | |
Comment 1•14 years ago
|
||
The setTimeout is needed because, wait for it, area's suck: they don't setup their primary frame to be the image until "later", fun stuff.
|
Reporter | |
Comment 2•14 years ago
|
||
(tn says the following methods force it to hook up immediately: force the associated image to paint using drawwindow, dispatch a synth mouse event to the associated image, or dynamically modify the dom under the map element)
|
|
Assignee | |
Comment 3•14 years ago
|
||
The first two require enhanced privileges, and the third works if you insert or remove anything, even a textnode, directly as a child of the map element.
|
||
Updated•14 years ago
|
Assignee: nobody → tnikkel
|
|
Assignee | |
Comment 4•14 years ago
|
||
We insert to an area, it already has a primary frame (the image), its parent content is the map, which doesn't have a frame. Things are complicated further because the map has just been inserted after being removed (removing the map element from the document doesn't affect the image map because the image map mutation observers don't catch this case, see bug 135040 comment 10), so the map also has the NEEDS_FRAME bit set. I think we just need to detect when a node has a "bogus" primary frame like area's do, and be more lax in the assertion on the remaining ancestor nodes. This is going to make the asserts the most complicated part of that function, but what else can you do?
|
|
||
Comment 5•14 years ago
|
||
Fix bug 135040? *runs away*
|
|
Assignee | |
Comment 6•14 years ago
|
||
Attachment #443934 -
Flags: review?(bzbarsky)
|
|
||
Updated•14 years ago
|
Attachment #443934 -
Flags: review?(bzbarsky) → review+
|
|
||
Comment 7•14 years ago
|
||
Er, with s/area's/areas/
|
|
Assignee | |
Comment 8•14 years ago
|
||
Landed http://hg.mozilla.org/mozilla-central/rev/0dac5d3eeb97 but backed out because something in the push was causing orange http://hg.mozilla.org/mozilla-central/rev/01befa5163ee
|
|
Assignee | |
Comment 9•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/d16b9e976729
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
|
|
Assignee | |
Comment 10•14 years ago
|
||
(In reply to comment #2) > (tn says the following methods force it to hook up immediately: force the > associated image to paint using drawwindow, dispatch a synth mouse event to the > associated image, or dynamically modify the dom under the map element) Upon further thought, the third method will only work to get the image to update to changes made in a map for which the image is already hooked up to. To get an image to initially hook up to a map you need to use one of the first two methods.
|
||
Updated•13 years ago
|
Crash Signature: [@ nsCSSFrameConstructor::MaybeConstructLazily]
You need to log in
before you can comment on or make changes to this bug.
Description
•