Bug 679933: When a frame is destroyed, remove next special-sibling's pointer to it. r=roc
authorDaniel Holbert <dholbert@cs.stanford.edu>
Thu, 25 Aug 2011 01:31:11 -0700
changeset 75869 c6e432ffd5e22c49d8451e4780515067e8c6d473
parent 75868 c72e3869695026552cad35f63523fd34e41d387d
child 75870 b370f47da2972eae84405ffa39bcb561f0fa8ffb
push id1473
push userdholbert@mozilla.com
push dateThu, 25 Aug 2011 08:33:21 +0000
treeherdermozilla-inbound@c6e432ffd5e2 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersroc
bugs679933
milestone9.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 679933: When a frame is destroyed, remove next special-sibling's pointer to it. r=roc
layout/generic/crashtests/679933-1.html
layout/generic/crashtests/crashtests.list
layout/generic/nsFrame.cpp
new file mode 100644
--- /dev/null
+++ b/layout/generic/crashtests/679933-1.html
@@ -0,0 +1,13 @@
+<html class="reftest-wait">
+<head>
+  <script>
+    function tweak() {
+      document.body.removeAttribute('style');
+      document.documentElement.removeAttribute("class");
+    }
+  </script>
+</head>
+<body style="display: inline;  mask: url(#a);" onload="setTimeout(tweak, 50)">
+<input id="g" style="display: block; mask: url(#g);">
+</body>
+</html>
--- a/layout/generic/crashtests/crashtests.list
+++ b/layout/generic/crashtests/crashtests.list
@@ -364,8 +364,9 @@ load 660416.html
 load text-overflow-form-elements.html
 load text-overflow-iframe.html
 load text-overflow-bug666751-1.html
 load text-overflow-bug666751-2.html
 asserts(2) load text-overflow-bug670564.xhtml # asserts(2) for bug 436470
 load text-overflow-bug671796.xhtml
 load 667025.html
 asserts(14) load 673770.html # bug 569193 and bug 459597
+load 679933-1.html
--- a/layout/generic/nsFrame.cpp
+++ b/layout/generic/nsFrame.cpp
@@ -436,16 +436,30 @@ nsFrame::DestroyFrom(nsIFrame* aDestruct
                  "Placeholder relationship should have been torn down already; "
                  "this might mean we have a stray placeholder in the tree.");
     if (placeholder) {
       shell->FrameManager()->UnregisterPlaceholderFrame(placeholder);
       placeholder->SetOutOfFlowFrame(nsnull);
     }
   }
 
+  // If we have an IB split special sibling, clear its reference to us.
+  // (Note: This has to happen before we call shell->NotifyDestroyingFrame,
+  // because that clears our Properties() table.)
+  if (mState & NS_FRAME_IS_SPECIAL) {
+    nsIFrame* nextSib = static_cast<nsIFrame*>
+      (Properties().Get(nsIFrame::IBSplitSpecialSibling()));
+    if (nextSib) {
+      NS_WARN_IF_FALSE(this ==
+         nextSib->Properties().Get(nsIFrame::IBSplitSpecialPrevSibling()),
+         "Next-sibling / prev-sibling chain is inconsistent");
+      nextSib->Properties().Delete(nsIFrame::IBSplitSpecialPrevSibling());
+    }
+  }
+
   shell->NotifyDestroyingFrame(this);
 
   if ((mState & NS_FRAME_EXTERNAL_REFERENCE) ||
       (mState & NS_FRAME_SELECTED_CONTENT)) {
     shell->ClearFrameRefs(this);
   }
 
   if (view) {