Bugzilla@Mozilla – Bug 430394
Crash [@ nsTreeBodyFrame::SetView] with onoverflow doing stuff and tree and treechildren
Last modified: 2009-04-24 10:24:11 PDT
Summon comment box
Created attachment 317168 [details] testcase See testcase, which crashes current trunk build on load. It doesn't crash in a 2007-06-11 build, but does crash in a 2007-06-12 build: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-06-11+04&maxdate=2007-06-12+09&cvsroot=%2Fcvsroot I guess a regression from bug 381120. http://crash-stats.mozilla.com/report/index/77703440-10dc-11dd-b0b1-001a4bd46e84 0 xul.dll nsTreeBodyFrame::SetView mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:548 1 xul.dll nsTreeBodyFrame::EnsureView mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:420 2 xul.dll nsTreeBodyFrame::ReflowFinished mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:456 3 xul.dll PresShell::HandlePostedReflowCallbacks mozilla/layout/base/nsPresShell.cpp:4498 4 xul.dll PresShell::DidDoReflow mozilla/layout/base/nsPresShell.cpp:6240 5 xul.dll PresShell::ProcessReflowCommands mozilla/layout/base/nsPresShell.cpp:6428 6 xul.dll PresShell::DoFlushPendingNotifications mozilla/layout/base/nsPresShell.cpp:4601 7 xul.dll PresShell::FlushPendingNotifications mozilla/layout/base/nsPresShell.cpp:4541 8 xul.dll DocumentViewerImpl::LoadComplete mozilla/layout/base/nsDocumentViewer.cpp:946 9 xul.dll nsDocShell::EndPageLoad mozilla/docshell/base/nsDocShell.cpp:5063 10 xul.dll nsWebShell::EndPageLoad mozilla/docshell/base/nsWebShell.cpp:1013 11 xul.dll nsCOMPtr_base::assign_from_qi nsCOMPtr.cpp:96 12 xul.dll nsDocShell::OnStateChange mozilla/docshell/base/nsDocShell.cpp:4968
So, nsTreeBodyFrame::SetView calls nsTreeContentView::SetTree which calls nsTreeBoxObject::GetTreeBody which calls nsBoxObject::GetFrame which flushes the frames including destroying the one that's on the call stack...
Still crashes in current trunk build.
Created attachment 337466 [details] [review] weakframe
Comment on attachment 337466 [details] [review] weakframe So horrible. There must be a way to make trees not suck.
Comment on attachment 337466 [details] [review] weakframe Approved for 1.9.0.4, a=dveditz for release-drivers
Doesn't crash in a recent 1.8 branch build, but if it's really a regression from bug 381120 shouldn't it crash there too?
verified fixed using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081013 Minefield/3.1b2pre. I verified using the testcase in Comment 0.
Verified for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102104 GranParadiso/3.0.4pre.
crash test added http://hg.mozilla.org/mozilla-central/rev/87cfec7c7f03