Bug 737313: Make nsCSSFrameConstructor::ConstructInline more robust when one of its child frames fails to construct. r=bz
authorDaniel Holbert <dholbert@cs.stanford.edu>
Tue, 20 Mar 2012 10:23:03 -0700
changeset 89839 a403afe78c47a2391d99bd5346e91f1cd6ef3f36
parent 89838 4672702bf939b64a35250c2e241c07cd36c464c1
child 89840 1bbe7ea3a01e1e76470f78d5f66b36d4e63ef20d
push id7342
push userdholbert@mozilla.com
push dateTue, 20 Mar 2012 17:25:16 +0000
treeherdermozilla-inbound@a403afe78c47 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbz
bugs737313
milestone14.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 737313: Make nsCSSFrameConstructor::ConstructInline more robust when one of its child frames fails to construct. r=bz
layout/base/nsCSSFrameConstructor.cpp
layout/generic/crashtests/737313-1.html
layout/generic/crashtests/737313-2.html
layout/generic/crashtests/737313-3.html
layout/generic/crashtests/crashtests.list
--- a/layout/base/nsCSSFrameConstructor.cpp
+++ b/layout/base/nsCSSFrameConstructor.cpp
@@ -10704,23 +10704,25 @@ nsCSSFrameConstructor::ConstructInline(n
   //   Block (div)
   //     Text("e")
   // Inline (outer span)
   //   Text("f")
 
   nsIContent* const content = aItem.mContent;
   nsStyleContext* const styleContext = aItem.mStyleContext;
 
-  nsIFrame *newFrame;
-
   bool positioned =
     NS_STYLE_DISPLAY_INLINE == aDisplay->mDisplay &&
     (NS_STYLE_POSITION_RELATIVE == aDisplay->mPosition ||
      aDisplay->HasTransform());
-  newFrame = NS_NewInlineFrame(mPresShell, styleContext);
+
+  nsIFrame* newFrame = NS_NewInlineFrame(mPresShell, styleContext);
+  if (!newFrame) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
 
   // Initialize the frame
   InitAndRestoreFrame(aState, content, aParentFrame, nsnull, newFrame);
 
   nsFrameConstructorSaveState absoluteSaveState;  // definition cannot be inside next block
                                                   // because the object's destructor is significant
                                                   // this is part of the fix for bug 42372
 
@@ -10730,17 +10732,21 @@ nsCSSFrameConstructor::ConstructInline(n
     aState.PushAbsoluteContainingBlock(newFrame, absoluteSaveState);
   }
 
   // Process the child content
   nsFrameItems childItems;
   nsresult rv = ConstructFramesFromItemList(aState, aItem.mChildItems, newFrame,
                                             childItems);
   if (NS_FAILED(rv)) {
-    // Clean up?
+    // Clean up.
+    // Link up any successfully-created child frames here, so that we'll
+    // clean them up as well.
+    newFrame->SetInitialChildList(kPrincipalList, childItems);
+    newFrame->Destroy();
     return rv;
   }
 
   nsFrameList::FrameLinkEnumerator firstBlockEnumerator(childItems);
   if (!aItem.mIsAllInline) {
     FindFirstBlock(firstBlockEnumerator);
   }
 
new file mode 100644
--- /dev/null
+++ b/layout/generic/crashtests/737313-1.html
@@ -0,0 +1,5 @@
+<!-- Any copyright is dedicated to the Public Domain.
+   - http://creativecommons.org/publicdomain/zero/1.0/ -->
+<html>
+  <span><div style="display: -moz-flexbox"></div></span>
+</html>
new file mode 100644
--- /dev/null
+++ b/layout/generic/crashtests/737313-2.html
@@ -0,0 +1,5 @@
+<!-- Any copyright is dedicated to the Public Domain.
+   - http://creativecommons.org/publicdomain/zero/1.0/ -->
+<html>
+  <span>some text<img><div style="display: -moz-flexbox"></div></span>
+</html>
new file mode 100644
--- /dev/null
+++ b/layout/generic/crashtests/737313-3.html
@@ -0,0 +1,5 @@
+<!-- Any copyright is dedicated to the Public Domain.
+   - http://creativecommons.org/publicdomain/zero/1.0/ -->
+<html>
+  <span><div>a block</div><div style="display: -moz-flexbox"></div></span>
+</html>
--- a/layout/generic/crashtests/crashtests.list
+++ b/layout/generic/crashtests/crashtests.list
@@ -381,8 +381,11 @@ load 682649-1.html
 load 683702-1.xhtml
 load 688996-1.html
 load 688996-2.html
 load 683712.html
 load text-overflow-bug713610.html
 load 700031.xhtml
 load first-letter-638937.html
 asserts(18) load first-letter-638937-2.html
+load 737313-1.html
+load 737313-2.html
+load 737313-3.html