Closed Bug 868906 Opened 11 years ago Closed 11 years ago

"ASSERTION: We're referring different frame" with caret browsing, bidi

Categories

(Core :: Layout, defect)

defect
Not set
minor

Tracking

RESOLVED FIXED
mozilla23

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(3 files)

1. Load the testcase.
2. Press F6 twice. The content area should now visibly have focus.
3. Press F7 to enable "caret browsing mode".
4. Press Shift, instructing the testcase to call deleteContents().

Result:

###!!! ASSERTION: We're referring different frame: 'frame == aForFrame', file layout/base/nsCaret.cpp, line 518

Masayuki added this assertion long ago in http://hg.mozilla.org/mozilla-central/rev/c746dd4dde4c.
Attached file stack (gdb)
Attached patch fix+crashtest
The problem is that nsTextFrame::GetChildFrameContainingOffset is unstable such that calling it twice with the same arguments can give different results in some cases.

http://hg.mozilla.org/mozilla-central/annotate/b842d26dd5f0/layout/generic/nsTextFrameThebes.cpp#l6328

The first call stores the resulting frame in OffsetToFrameProperty() and the next call will start at that frame. The loop will step to the next frame if it has the same offset, i.e. the cached frame was empty, so if there's a sequence of empty continuations we'll get a new result frame until we reach the last empty frame.

https://tbpl.mozilla.org/?tree=Try&rev=1a650140034c
https://tbpl.mozilla.org/?tree=Try&rev=7e3eabf1b9e4
Assignee: nobody → matspal
Attachment #746113 - Flags: review?(roc)
Severity: normal → minor
OS: Linux → All
Hardware: x86_64 → All
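
The instability described in the comment above, reduced to a toy model (an added example, not Gecko code and not the attached patch). Continuations are represented only by their start offsets, `cached` stands in for the OffsetToFrameProperty() cache, and `lookupStable` is an assumed way to make the lookup idempotent.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Simplified model, not Gecko code. start[i] is the content offset where
// continuation i begins; equal neighbouring offsets mean an empty frame.
struct ContinuationChain {
    std::vector<int> start;
    std::size_t cached = 0;  // stands in for the OffsetToFrameProperty() cache

    // Resumes from the cached frame and stops on the first later continuation
    // whose start equals the offset, so an empty cached frame advances the
    // result by one continuation on every call.
    std::size_t lookupUnstable(int offset) {
        std::size_t f = (offset < start[cached]) ? 0 : cached;
        while (f + 1 < start.size() && offset >= start[f + 1]) {
            ++f;
            if (offset == start[f]) break;
        }
        return cached = f;
    }

    // Assumed alternative: always walk to the last continuation starting at
    // or before the offset, so the answer does not depend on the cache.
    std::size_t lookupStable(int offset) {
        std::size_t f = (offset < start[cached]) ? 0 : cached;
        while (f + 1 < start.size() && offset >= start[f + 1]) ++f;
        return cached = f;
    }
};

// Constructed input: one frame holding offsets 0..5, then three empty
// continuations that all start at offset 5.
std::vector<std::size_t> repeatedLookups(bool stable, int calls) {
    ContinuationChain chain;
    chain.start = {0, 5, 5, 5};
    std::vector<std::size_t> results;
    for (int i = 0; i < calls; ++i)
        results.push_back(stable ? chain.lookupStable(5) : chain.lookupUnstable(5));
    return results;
}

int main() {
    for (bool stable : {false, true}) {
        std::printf("%s:", stable ? "stable" : "unstable");
        for (std::size_t f : repeatedLookups(stable, 4)) std::printf(" %zu", f);
        std::printf("\n");
    }
}
```

On the constructed chain, four identical calls to the unstable lookup return frames 1, 2, 3, 3, while the stable lookup returns frame 3 every time.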
Comment on attachment 746113 (fix+crashtest)

Review of attachment 746113:

Nice!
Attachment #746113 - Flags: review?(roc) → review+
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Blocks: fuzz-keys