Bug 458637 - [FIX]"ASSERTION: unexpected second call to SetInitialChildList" and more with XSLT
Status: RESOLVED FIXED
Whiteboard: [sg:moderate]
Keywords: assertion, testcase, verified1.9.0.4
Product: Core
Classification: Components
Component: XSLT
Version: Trunk
Platform: x86 Mac OS X
Importance: -- normal
Target Milestone: ---
Assigned To: Boris Zbarsky (:bz)
QA Contact: xslt
Depends on: 473680 473968
Blocks: 306939 framedest

Reported: 2008-10-05 15:06 PDT by Jesse Ruderman
Modified: 2009-01-16 09:15 PST
Flags: jruderman: in-testsuite+


Attachments
b3.html (608 bytes, text/html)
2008-10-05 15:07 PDT, Jesse Ruderman
inner.xhtml (184 bytes, application/xhtml+xml)
2008-10-05 15:07 PDT, Jesse Ruderman
Fix (1.50 KB, patch)
2008-10-08 20:19 PDT, Boris Zbarsky (:bz)
jonas: review+
jonas: superreview+
dveditz: approval1.9.0.4+

Description Jesse Ruderman 2008-10-05 15:06:27 PDT
Steps to reproduce:
1. Save the attachments as b3.html and inner.xhtml
2. Open b3.html

Result:

###!!! ASSERTION: initial containing block already created: 'nsnull == mInitialContainingBlock', file /Users/jruderman/central/layout/base/nsCSSFrameConstructor.cpp, line 8745

###!!! ASSERTION: unexpected second call to SetInitialChildList: 'Not Reached', file /Users/jruderman/central/layout/generic/nsContainerFrame.cpp, line 111

###!!! ASSERTION: Some objects allocated with AllocateFrame were not freed: 'mFrameCount == 0', file /Users/jruderman/central/layout/base/nsPresShell.cpp, line 676

Security-sensitive for now because the last assertion scares me.

Based on the crashtest for bug 428844.  Related to bug 61675?
Comment 1 Jesse Ruderman 2008-10-05 15:07:04 PDT
Created attachment 341856
b3.html
Comment 2 Jesse Ruderman 2008-10-05 15:07:23 PDT
Created attachment 341857
inner.xhtml
Comment 3 Boris Zbarsky (:bz) 2008-10-08 20:19:13 PDT
So the issue is that we swap in the new document into the viewer while the subframe is hidden.  Then we do a BeginUpdate() before inserting the root content, which processes restyles and unhides the subframe.  Since we didn't flag the transformation result as not being ready for initial reflow yet, the document viewer does said initial reflow.  Then we insert the root, which effectively double-notifies on it, hence the asserts.

Fix coming up.
Comment 4 Boris Zbarsky (:bz) 2008-10-08 20:19:48 PDT
Created attachment 342382
Fix
Comment 5 Jonas Sicking (:sicking) 2008-10-09 00:11:24 PDT
Please check in as a crashtest (hopefully crashtests will one day fail on assertions)
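
The behaviour comment 5 hopes for, failing a test run when a debug build prints assertions, can be approximated by scanning the build's output. The Python below is an added example, not part of this bug or of Mozilla's test tooling; the function names and the allow-list format are assumptions, and the sample log reuses the three assertion lines from the description plus one constructed noise line.

```python
import re
from collections import Counter

# Shape of the debug-build assertion lines quoted in the bug description:
#   ###!!! ASSERTION: <message>: '<expression>', file <path>, line <n>
ASSERTION_RE = re.compile(
    r"^###!!! ASSERTION: (?P<message>.*): '(?P<expr>.*)', "
    r"file (?P<file>.+), line (?P<line>\d+)\s*$"
)

def parse_assertions(log_text):
    """Return one dict per assertion line found in a debug log."""
    found = []
    for raw in log_text.splitlines():
        m = ASSERTION_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["line"] = int(rec["line"])
            found.append(rec)
    return found

def unexpected_assertions(log_text, allowed=None):
    """Map (source basename, message) -> count for assertions over the allowed count.

    `allowed` is a hypothetical allow-list: (basename, message) -> tolerated count.
    """
    allowed = allowed or {}
    counts = Counter(
        (a["file"].rsplit("/", 1)[-1], a["message"])
        for a in parse_assertions(log_text)
    )
    return {k: n for k, n in counts.items() if n > allowed.get(k, 0)}

# Assertion lines copied from the description; the WARNING line is constructed.
SAMPLE_LOG = """\
WARNING: constructed noise line, not from the bug report
###!!! ASSERTION: initial containing block already created: 'nsnull == mInitialContainingBlock', file /Users/jruderman/central/layout/base/nsCSSFrameConstructor.cpp, line 8745
###!!! ASSERTION: unexpected second call to SetInitialChildList: 'Not Reached', file /Users/jruderman/central/layout/generic/nsContainerFrame.cpp, line 111
###!!! ASSERTION: Some objects allocated with AllocateFrame were not freed: 'mFrameCount == 0', file /Users/jruderman/central/layout/base/nsPresShell.cpp, line 676
"""

if __name__ == "__main__":
    bad = unexpected_assertions(SAMPLE_LOG)
    for (fname, msg), n in sorted(bad.items()):
        print(f"FAIL {fname}: {msg} (x{n})")
    raise SystemExit(1 if bad else 0)
```
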
Comment 6 Boris Zbarsky (:bz) 2008-10-10 11:19:15 PDT
Pushed changeset 95e6729d8079.  I didn't check in the test yet, because this is still security-sensitive.
Comment 7 Boris Zbarsky (:bz) 2008-10-10 11:19:27 PDT
Comment on attachment 342382
Fix

Simple fix; should take on branch.
Comment 8 Daniel Veditz 2008-10-13 11:47:53 PDT
Comment on attachment 342382
Fix

Approved for 1.9.0.4, a=dveditz for release-drivers
Comment 9 Boris Zbarsky (:bz) 2008-10-13 12:21:44 PDT
Fixed for 1.9.0.4.
Comment 10 Al Billings [:abillings] 2008-10-23 17:08:32 PDT
Tomcat, could you verify this one for 1.9.0.4 as well since you have a debug build?
Comment 11 Carsten Book [:Tomcat] 2008-10-27 17:25:01 PDT
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102800 Firefox/3.0.4pre - I don't see the assertion from comment #0 when using the testcase from Jesse.

--> Verified fixed1.9.04
