Closed Bug 949932 Opened 11 years ago Closed 11 years ago

Crash [@ mozilla::StickyScrollContainer::NotifyReparentedFrameAcrossScrollFrameBoundary] with sticky, fieldset

Categories

(Core :: Layout, defect)

defect
Not set
critical

RESOLVED FIXED
mozilla29

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

Details

(Keywords: crash, testcase)

Attachments

(3 files)

      No description provided.
Attached file stack (deleted) —
Nightly: bp-c374b5a3-803b-4dc9-a7fb-ab70a2131213
Blocks: 916315
(gdb) list
91        while (i-- > 0) {
92          nsIFrame* f = oldSSC->mFrames[i];
93          StickyScrollContainer* newSSC = GetStickyScrollContainerForFrame(f);
94          if (newSSC != oldSSC) {
95            oldSSC->RemoveFrame(f);
96            newSSC->AddFrame(f);
97          }
98        }
99      }
100
(gdb) p newSSC
$4 = (mozilla::StickyScrollContainer *) 0x0
(gdb) fr 5
#5 in nsCSSFrameConstructor::ConstructFieldSetFrame ... nsCSSFrameConstructor.cpp:3102
3102            StickyScrollContainer::NotifyReparentedFrameAcrossScrollFrameBoundary(
(gdb) list
3097          // GetAdjustedParentFrame() below depends on this frame order.
3098          childItems.RemoveFrame(child);
3099          // Make sure to reparent the legend so it has the fieldset as the parent.
3100          fieldsetKids.InsertFrame(fieldsetFrame, nullptr, child);
3101          if (scrollFrame) {
3102            StickyScrollContainer::NotifyReparentedFrameAcrossScrollFrameBoundary(
3103                child, blockFrame);
3104          }
3105          break;
3106        }
(gdb) 

I think a simple null-check of 'newSSC' is the right fix.
The frame tree we're building has the fieldset in the fixed list,
so we won't find any scroll frames walking up the ancestors (from legend):

FixedList 0x603000413350 <
  Block(div)(1)@ ... <
    line : <
      FieldSet(fieldset)(1)@ ... <
        Legend(legend)(1)@ next=0x625001867f78 ...<
        >
        HTMLScroll(fieldset)(1)@ ... [sc=0x6250018686c0:-moz-fieldset-content]<
          Block(fieldset)(1)@ [sc=0x625001864428:-moz-scrolled-content]<
          >
        >
      >
    >
  >
>
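
The null return described in the comment above, as a self-contained model with the proposed null check (an added example, not Mozilla's code or the attached patch). The `Frame` struct, the `NotifyReparented` name and the choice to still remove the frame from the old container are assumptions made for illustration.

```cpp
// Added illustration: simplified stand-ins for the Gecko types named in the
// gdb listing. Struct layouts and helper names are assumptions, not Gecko's.
#include <algorithm>
#include <cstddef>
#include <vector>

struct StickyScrollContainer;

struct Frame {
  Frame* parent = nullptr;
  StickyScrollContainer* ssc = nullptr;  // non-null only on a scroll frame
};

struct StickyScrollContainer {
  std::vector<Frame*> mFrames;
  void AddFrame(Frame* f) { mFrames.push_back(f); }
  void RemoveFrame(Frame* f) {
    mFrames.erase(std::remove(mFrames.begin(), mFrames.end(), f), mFrames.end());
  }
};

// Walks up the ancestors; returns nullptr when no scroll frame is found,
// as happens for a legend whose fieldset sits in the fixed list.
StickyScrollContainer* GetStickyScrollContainerForFrame(Frame* f) {
  for (Frame* p = f->parent; p; p = p->parent) {
    if (p->ssc) return p->ssc;
  }
  return nullptr;
}

// Same loop shape as the listing, with a null check on newSSC.
// Returns how many frames left oldSSC.
int NotifyReparented(StickyScrollContainer* oldSSC) {
  int moved = 0;
  std::size_t i = oldSSC->mFrames.size();
  while (i-- > 0) {
    Frame* f = oldSSC->mFrames[i];
    StickyScrollContainer* newSSC = GetStickyScrollContainerForFrame(f);
    if (newSSC != oldSSC) {
      oldSSC->RemoveFrame(f);
      if (newSSC) {
        newSSC->AddFrame(f);  // without the guard this dereferences null
      }
      ++moved;
    }
  }
  return moved;
}
```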
Attached patch fix+test (deleted) — Splinter Review
Assignee: nobody → matspal
Attachment #8347107 - Flags: review?(roc)
Flags: in-testsuite+
Keywords: checkin-needed
OS: Mac OS X → All
Hardware: x86_64 → All
https://hg.mozilla.org/mozilla-central/rev/b3d1f5ab7889
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29