Crash with layers.force-active and "display: table-caption"

RESOLVED FIXED in mozilla23

Status

()

--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: jruderman, Assigned: mattwoodrow)

Tracking

(Blocks: 1 bug, {crash, testcase})

Trunk
mozilla23
crash, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(4 attachments)

(Reporter)

Description

6 years ago
Created attachment 734951 [details]
testcase (requires pref)

With:
  user_pref("layers.force-active", true);
(which was added in bug 812908)

The testcase crashes with IsContentLEQ calling FindContentInDocument(NULL, ...).

Nightly: bp-3cf010b3-c1a7-4688-a1a0-febd42130409
(Reporter)

Comment 1

6 years ago
Created attachment 734953 [details]
stack (minidump_stackwalk on a Tinderbox debug build)
(Reporter)

Comment 2

6 years ago
Created attachment 734956 [details]
stack (gdb)

Comment 3

6 years ago
On Windows: bp-b6fd9bb9-4892-4988-aeba-f1fd82130409.
Crash Signature: [@ IsContentLEQ ] [@ nsINode::OwnerDoc() ]
OS: Mac OS X → All
Hardware: x86_64 → All

Comment 4

6 years ago
On 64-bit Windows build: bp-91a124a7-5259-4ef9-8294-37d6e2130409.
Crash Signature: [@ IsContentLEQ ] [@ nsINode::OwnerDoc() ] → [@ IsContentLEQ ] [@ nsINode::OwnerDoc() ] [@ FindContentInDocument ]
(Assignee)

Comment 5

6 years ago
Not entirely sure what the solution is here.

The two frames passed to IsContentLEQ are nsSubDocumentFrame and nsViewportFrame.

The latter doesn't have a Content, and we crash.

roc: What would you expect the behaviour to be in this case?
FindContentInDocument tries to walk up to find the element in aDoc for the given item/frame. In this case the frame must be the nsViewportFrame for some subdocument, so we need to fix FindContentInDocument to find the right element in aDoc for that case.

So I think we should pass the nsDisplayItem* to FindContentInDocument, have it call GetUnderlyingFrame, if the frame has no content then call PresContext()->Document() and start the search from there (i.e. taking the "parentDoc = d->GetParentDocument(), parentDoc->FindContentForSubDocument path).

Make sense?
(Assignee)

Comment 7

6 years ago
Created attachment 737354 [details] [diff] [review]
Use the PresShell's document
Attachment #737354 - Flags: review?(roc)
Comment on attachment 737354 [details] [diff] [review]
Use the PresShell's document

Review of attachment 737354 [details] [diff] [review]:
-----------------------------------------------------------------

::: layout/base/nsDisplayList.cpp
@@ +1426,5 @@
>    // of commonAncestor, because display items for subdocuments have been
>    // mixed into the same list. Ensure that we're looking at content
>    // in commonAncestor's document.
>    nsIDocument* commonAncestorDoc = commonAncestor->OwnerDoc();
> +  nsIContent* content1 = FindContentInDocument(aItem1->GetUnderlyingFrame(),

Might as well move the call to GetUnderlyingFrame into FindContentInDocument too.
Attachment #737354 - Flags: review?(roc) → review+
https://hg.mozilla.org/mozilla-central/rev/c05b48c25035
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
(Reporter)

Updated

5 years ago
Assignee: nobody → matt.woodrow
You need to log in before you can comment on or make changes to this bug.