Closed Bug 949932 Opened 11 years ago Closed 11 years ago

Crash [@ mozilla::StickyScrollContainer::NotifyReparentedFrameAcrossScrollFrameBoundary] with sticky, fieldset

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla29

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

testcase (crashes Firefox when loaded) 11 years ago Jesse Ruderman 251 bytes, text/html		Details
stack 11 years ago Jesse Ruderman 9.27 KB, text/plain		Details
fix+test 11 years ago Mats Palmgren (inactive) 1.99 KB, patch	roc : review+	Details \| Diff \| Splinter Review

Jesse Ruderman

Reporter

Description

•

11 years ago

Attached file testcase (crashes Firefox when loaded) — Details

No description provided.

Jesse Ruderman

Reporter

Comment 1

•

11 years ago

Attached file stack — Details

Jesse Ruderman

Reporter

Comment 2

•

11 years ago

Nightly: bp-c374b5a3-803b-4dc9-a7fb-ab70a2131213

David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)

Updated

•

11 years ago

Blocks: 916315

Mats Palmgren (inactive)

Assignee

Comment 3

•

11 years ago

(gdb) list 91 while (i-- > 0) { 92 nsIFrame* f = oldSSC->mFrames[i]; 93 StickyScrollContainer* newSSC = GetStickyScrollContainerForFrame(f); 94 if (newSSC != oldSSC) { 95 oldSSC->RemoveFrame(f); 96 newSSC->AddFrame(f); 97 } 98 } 99 } 100 (gdb) p newSSC $4 = (mozilla::StickyScrollContainer *) 0x0 (gdb) fr 5 #5 in nsCSSFrameConstructor::ConstructFieldSetFrame ... nsCSSFrameConstructor.cpp:3102 3102 StickyScrollContainer::NotifyReparentedFrameAcrossScrollFrameBoundary( (gdb) list 3097 // GetAdjustedParentFrame() below depends on this frame order. 3098 childItems.RemoveFrame(child); 3099 // Make sure to reparent the legend so it has the fieldset as the parent. 3100 fieldsetKids.InsertFrame(fieldsetFrame, nullptr, child); 3101 if (scrollFrame) { 3102 StickyScrollContainer::NotifyReparentedFrameAcrossScrollFrameBoundary( 3103 child, blockFrame); 3104 } 3105 break; 3106 } (gdb) I think a simple null-check of 'newSSC' is the right fix. The frame tree we're building has the fieldset in the fixed list, so we won't find any scroll frames walking up the ancestors (from legend): FixedList 0x603000413350 < Block(div)(1)@ ... < line : < FieldSet(fieldset)(1)@ ... < Legend(legend)(1)@ next=0x625001867f78 ...< > HTMLScroll(fieldset)(1)@ ... [sc=0x6250018686c0:-moz-fieldset-content]< Block(fieldset)(1)@ [sc=0x625001864428:-moz-scrolled-content]< > > > > > >

Mats Palmgren (inactive)

Assignee

Comment 4

•

11 years ago

Attached patch fix+test — Details — Splinter Review

Assignee: nobody → matspal

Attachment #8347107 - Flags: review?(roc)

Robert O'Callahan (:roc) (email my personal email if necessary)

Updated

•

11 years ago

Attachment #8347107 - Flags: review?(roc) → review+

Mats Palmgren (inactive)

Assignee

Updated

•

11 years ago

Flags: in-testsuite+

Keywords: checkin-needed

OS: Mac OS X → All

Hardware: x86_64 → All

Ryan VanderMeulen [:RyanVM]

Comment 5

•

11 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/b3d1f5ab7889

Keywords: checkin-needed

Ryan VanderMeulen [:RyanVM]

Comment 6

•

11 years ago

https://hg.mozilla.org/mozilla-central/rev/b3d1f5ab7889

Status: NEW → RESOLVED

Closed: 11 years ago

Resolution: --- → FIXED

Target Milestone: --- → mozilla29

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Crash [@ mozilla::StickyScrollContainer::NotifyReparentedFrameAcrossScrollFrameBoundary] with sticky, fieldset

Categories

(Core :: Layout, defect)

Tracking

()

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: crash, testcase)

Crash Data

Security

(public)

User Story

Attachments

(3 files)

Description

Comment 1

Comment 2

Updated

Comment 3

Comment 4

Updated

Updated

Comment 5

Comment 6

Attachment

General

Description

File Name

Content Type