Closed Bug 381502 Opened 18 years ago Closed 18 years ago

Crash [@ nsFrame::GetBoxAscent] with tree stuff, display: table-row and display: inline

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: janv)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(2 files)

testcase
389 bytes, application/xhtml+xml
Details
fixes the crash
1.42 KB, patch
Details | Diff | Splinter Review
Attached file testcase
See testcase, when loading in current trunk build it crashes. Talkback ID: TB32369804K nsFrame::GetBoxAscent [mozilla/layout/generic/nsframe.cpp, line 6038] nsBoxFrame::GetBoxAscent [mozilla/layout/xul/base/src/nsboxframe.cpp, line 823] This regressed between 2007-05-18 and 2007-05-20, so I think a regression from bug 380217, somehow.
This is a frame constructor bug; apparently the root box frame somehow thinks it has a table cell as a direct child.
Attached patch fixes the crashSplinter Review
So the return value of the Init() isn't handled properly always :( Is this patch too must like a hack? TreeBodyFrame should be used as a nsITreeBoxObject only if it has the owning reference to the real box object. Fixing all Init()s in the CSSFC is a different bug, IMO.
Attachment #265656 - Flags: superreview?(roc)
Attachment #265656 - Flags: review?(roc)
where are we doing the QI? Does that need to be fixed? How many Init() calls in the frame constructor would need to be fixed?
We are QIing in nsTreeBoxObject and once in presshell so that it can call ClearStyleAndImageCaches() return value of CSSFM::InitAndRestoreFrame isn't usually handled; it is used ~40 times and return value is handled properly only ~5 times. And there are also other calls to Init.
Ofc the number when Init can be called on treebodyframe is smaller.
Hmm, or, is there after all something else wrong. looking
Attachment #265656 - Flags: superreview?(roc)
Attachment #265656 - Flags: review?(roc)
bernd, any comments on this one?
Is this a dup of that other one where boxmetrics is also null, Bug 380853?
Haven't yet found the right fix. Someone more familiar with frame constructor might find the bug easier. The crash is gone if I replace http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1352&mark=12614#12614 with |continue;|, but that makes presshell to assert "Some frame destructors were not called". Also, the crash is gone if any frame (for example inlineframe) is created for treechildren.
Comment on attachment 265656 [details] [diff] [review] fixes the crash Because treebodyframe is currently pretty much the only frame which returns error code (when there isn't OOM or such) I'd like to use the patch until the handling of ::Init can be resolved. I mean, what should actually happen when ::Init fails? Should the frame be marked display:none or leave as it is, but then computedstyle lies.
Attachment #265656 - Flags: superreview?(roc)
Attachment #265656 - Flags: review?(roc)
Comment on attachment 265656 [details] [diff] [review] fixes the crash I'll have fix for this in bug 381502
Attachment #265656 - Flags: superreview?(roc)
Attachment #265656 - Flags: review?(roc)
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a5pre) Gecko/20070529 Minefield/3.0a5pre
Status: RESOLVED → VERIFIED
Component: XP Toolkit/Widgets: Trees → XUL
QA Contact: xptoolkit.trees → xptoolkit.widgets
Crash Signature: [@ nsFrame::GetBoxAscent]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: