Closed
Bug 372685
Opened 18 years ago
Closed 17 years ago
Crash [@ DoDeletingFrameSubtree] with -moz-stack, -moz-popup, position: fixed and removing style
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha8
People
(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical?] deleted frame)
Crash Data
Attachments
(4 files)
(deleted),
application/vnd.mozilla.xul+xml
|
Details | |
(deleted),
text/plain
|
Details | |
(deleted),
application/octet-stream
|
Details | |
(deleted),
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
See testcase, which crashes current trunk build on load.
Talkback ID: TB29940125X
DoDeletingFrameSubtree [mozilla/layout/base/nscssframeconstructor.cpp, line 9270]
DoDeletingFrameSubtree [mozilla/layout/base/nscssframeconstructor.cpp, line 9296]
DeletingFrameSubtree [mozilla/layout/base/nscssframeconstructor.cpp, line 9350]
nsCSSFrameConstructor::RemoveMappingsForFrameSubtree [mozilla/layout/base/nscssframeconstructor.cpp, line 9381]
nsBoxFrame::RemoveFrame [mozilla/layout/xul/base/src/nsboxframe.cpp, line 1031]
nsFrameManager::RemoveFrame [mozilla/layout/base/nsframemanager.cpp, line 711]
nsCSSFrameConstructor::ContentRemoved [mozilla/layout/base/nscssframeconstructor.cpp, line 9554]
nsCSSFrameConstructor::RecreateFramesForContent [mozilla/layout/base/nscssframeconstructor.cpp, line 11113]
nsCSSFrameConstructor::RestyleElement [mozilla/layout/base/nscssframeconstructor.cpp, line 9992]
0x02a5d240
Assignee | ||
Updated•18 years ago
|
Assignee: nobody → mats.palmgren
OS: Windows XP → All
Hardware: PC → All
Assignee | ||
Comment 1•18 years ago
|
||
Frame tree when we get a call to DeletingFrameSubtree(0x12be430):
Viewport(-1)@0xa526d8 ... <
RootBox(window)(-1)@0xa527e0 ... <
DocElementBox(window)(-1)@0xa52d28 ... <
PopupSet(popupgroup)(-1)@0xa52eb8 ... <>
Placeholder(tooltip)(-1)@0x12bdde0 ... <>
Menu(menuitem)(0)@0x12be430 {0,0,73920,240} Popup-list<
MenuPopup(box)(0)@0x12be738 ... <
Placeholder(box)(0)@0x12c5230 outOfFlowFrame=Area(box)(0)@0x12c50e8
>
>
>
>
>
Fixed-list<
Area(box)(0)@0x12c50e8 ...<>
>
we find the placeholder 0x12c5230 and put the fixed frame 0x12c50e8
in the destroy queue and eventually destroy it. Back in ContentRemoved()
we remove the frame 0x12be430 which will eventually call
DeletingFrameSubtree() through RemoveMappingsForFrameSubtree() on its
Popup-list frames... so we find the placeholder again, which now has a
mOutOfFlowFrame pointing to a destroyed frame of course...
My first thought was to add "nsGkAtoms::popupList" to the list here:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1323&root=/cvsroot&mark=9291-9298#9252
It fixes the crash, but I need to think about this a bit...
Comment 2•18 years ago
|
||
That would make some sense, as we're making popups more and more like normal out-of-flows...
Updated•17 years ago
|
Whiteboard: [sg:critical?] deleted frame
Comment 4•17 years ago
|
||
Poke.
Mats, news?
Reporter | ||
Comment 5•17 years ago
|
||
The testcase is worksforme with current trunk build.
Not sure if that says anything. Can this bug be closed?
Assignee | ||
Comment 6•17 years ago
|
||
Yeah, I think this is correct as is actually.
The Popup-list is only exposed by nsMenuFrame, where the frames
are in-flow and thus *should* be traversed DeletingFrameSubtree().
The reason for the crash was that RemoveMappingsForFrameSubtree() was called
from nsMenuFrame::DestroyPopupFrames(), but that has now been removed
(I'm guessing from Neil's menu refactoring).
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/xul/base/src/nsMenuFrame.cpp&rev=1.347&root=/cvsroot&mark=340#331
We still have the out-of-flow popup frames in a popupset to worry about,
but nsPopupSetFrame does not expose its Popup-list to the frame constructor
although you can add/remove frames to the Popup-list:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/xul/base/src/nsPopupSetFrame.cpp&rev=1.170&root=/cvsroot&mark=111,121,132,142#107
it doesn't actually give a frame back when calling GetFirstFrame(popupList),
nor does it have GetAdditionalChildListName().
These frames are managed internally by nsPopupSetFrame so I guess that's ok,
but when nsPopupSetFrame destroys these frames it doesn't call
RemoveMappingsForFrameSubtree(), which makes me wonder:
1. Who does the frame manager notifications that DoDeletingFrameSubtree()
normally does? (i.e. RemoveAsPrimaryFrame/ClearAllUndisplayedContentIn)
2. How are fixed pos frames inside such a popup handled? if they can
escape outside (fixed pos) that could cause a crash...(I did a quick test
and it seems we don't create out-of-flows at all, which is good I guess,
but I didn't run any extensive tests...)
I don't know how severe 1. is, if it's not actually done. Boris?
Comment 7•17 years ago
|
||
Not doing 1 could lead to effective memory leaks for the lifetime of the page, and could lead to GetPrimaryFrameFor returning dead frames. The latter is bad, of course.
Assignee | ||
Comment 8•17 years ago
|
||
Ok, I guess we should add back a RemoveMappingsForFrameSubtree() for
the frames that nsPopupSetFrame destroys then. I'll have a look...
Assignee | ||
Comment 9•17 years ago
|
||
Assignee | ||
Comment 10•17 years ago
|
||
layout/xul/Makefile.in:
Adding layout/xul/test directory for mochitest.
nsMenuPopupFrame.cpp:
Just fixing a couple of compile warnings: GetPopupSetFrame() and rootView
are unused.
nsPopupSetFrame.cpp/h:
Call RemoveMappingsForFrameSubtree() before destroying an "internal"
popup frame.
Remove unnecessary #includes.
Attachment #279236 -
Flags: superreview?(bzbarsky)
Attachment #279236 -
Flags: review?(bzbarsky)
Comment 11•17 years ago
|
||
Comment on attachment 279236 [details] [diff] [review]
Patch rev. 1
Looks reasonable
Attachment #279236 -
Flags: superreview?(bzbarsky)
Attachment #279236 -
Flags: superreview+
Attachment #279236 -
Flags: review?(bzbarsky)
Attachment #279236 -
Flags: review+
Comment 12•17 years ago
|
||
Mats, can we get this landed and resolved?
Reporter | ||
Comment 13•17 years ago
|
||
Mats, ping?
Assignee | ||
Comment 14•17 years ago
|
||
mozilla/layout/xul/Makefile.in 1.9
mozilla/layout/xul/test/Makefile.in 1.1
mozilla/layout/xul/test/test_bug372685.xul 1.1
mozilla/layout/xul/base/src/nsMenuPopupFrame.cpp 1.330
mozilla/layout/xul/base/src/nsPopupSetFrame.cpp 1.171
mozilla/layout/xul/base/src/nsPopupSetFrame.h 1.61
-> FIXED
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M8
Updated•13 years ago
|
Crash Signature: [@ DoDeletingFrameSubtree]
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•