Bug 683702: In nsFrame teardown, clear the reference to me on my prev IB sibling (as well as on my next IB sibling). r=roc
authorDaniel Holbert <dholbert@cs.stanford.edu>
Thu, 01 Sep 2011 00:10:22 -0700
changeset 76369 893d04548dd91416867f956a981b11cb52aa20ba
parent 76367 94a4a478d774833daef7aaf90f1695d003f4185f
child 76370 dc12ae87f5b92652b1fb49f725d848906d962b1b
push id3
push userfelipc@gmail.com
push dateFri, 30 Sep 2011 20:09:13 +0000
reviewersroc
bugs683702
milestone9.0a1
Bug 683702: In nsFrame teardown, clear the reference to me on my prev IB sibling (as well as on my next IB sibling). r=roc
layout/generic/crashtests/682649-1.html
layout/generic/crashtests/683702-1.xhtml
layout/generic/crashtests/crashtests.list
layout/generic/nsFrame.cpp
new file mode 100644
--- /dev/null
+++ b/layout/generic/crashtests/682649-1.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html style="position: relative; -moz-column-count: 3;" class="reftest-wait">
+
+<head>
+<script>
+function boom()
+{
+  document.documentElement.offsetHeight;
+  document.body.style.position = "";
+  document.documentElement.offsetHeight;
+  document.documentElement.removeAttribute("class");
+}
+</script>
+</head>
+
+<body onload="boom();" style="position: absolute;">A<span><div></div>B</span></body>
+
+</html>
new file mode 100644
--- /dev/null
+++ b/layout/generic/crashtests/683702-1.xhtml
@@ -0,0 +1,24 @@
+<html xmlns="http://www.w3.org/1999/xhtml" class="reftest-wait">
+<head>
+<script>
+  function doe() {
+    document.getElementById('a').style.display = '';
+    document.documentElement.removeAttribute("class");
+  }
+</script>
+</head>
+<body onload="doe()">
+<div style="position: absolute; -moz-column-count: 2;">
+<table id="c">
+<div id="a" style="border: 100px solid black; display:none;"></div><tr>
+<td style="position: absolute;">
+  <span>
+    <div style="border: 100px solid black;"></div>
+  </span>
+
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
--- a/layout/generic/crashtests/crashtests.list
+++ b/layout/generic/crashtests/crashtests.list
@@ -365,8 +365,10 @@ load text-overflow-form-elements.html
 load text-overflow-iframe.html
 load text-overflow-bug666751-1.html
 load text-overflow-bug666751-2.html
 asserts(2) load text-overflow-bug670564.xhtml # asserts(2) for bug 436470
 load text-overflow-bug671796.xhtml
 load 667025.html
 asserts(14) load 673770.html # bug 569193 and bug 459597
 load 679933-1.html
+load 682649-1.html
+load 683702-1.xhtml
--- a/layout/generic/nsFrame.cpp
+++ b/layout/generic/nsFrame.cpp
@@ -446,26 +446,37 @@ nsFrame::DestroyFrom(nsIFrame* aDestruct
                  "Placeholder relationship should have been torn down already; "
                  "this might mean we have a stray placeholder in the tree.");
     if (placeholder) {
       shell->FrameManager()->UnregisterPlaceholderFrame(placeholder);
       placeholder->SetOutOfFlowFrame(nsnull);
     }
   }
 
-  // If we have an IB split special sibling, clear its reference to us.
+  // If we have any IB split special siblings, clear their references to us.
   // (Note: This has to happen before we call shell->NotifyDestroyingFrame,
   // because that clears our Properties() table.)
   if (mState & NS_FRAME_IS_SPECIAL) {
+    // Delete previous sibling's reference to me.
+    nsIFrame* prevSib = static_cast<nsIFrame*>
+      (Properties().Get(nsIFrame::IBSplitSpecialPrevSibling()));
+    if (prevSib) {
+      NS_WARN_IF_FALSE(this ==
+         prevSib->Properties().Get(nsIFrame::IBSplitSpecialSibling()),
+         "IB sibling chain is inconsistent");
+      prevSib->Properties().Delete(nsIFrame::IBSplitSpecialSibling());
+    }
+
+    // Delete next sibling's reference to me.
     nsIFrame* nextSib = static_cast<nsIFrame*>
       (Properties().Get(nsIFrame::IBSplitSpecialSibling()));
     if (nextSib) {
       NS_WARN_IF_FALSE(this ==
          nextSib->Properties().Get(nsIFrame::IBSplitSpecialPrevSibling()),
-         "Next-sibling / prev-sibling chain is inconsistent");
+         "IB sibling chain is inconsistent");
       nextSib->Properties().Delete(nsIFrame::IBSplitSpecialPrevSibling());
     }
   }
 
   shell->NotifyDestroyingFrame(this);
 
   if ((mState & NS_FRAME_EXTERNAL_REFERENCE) ||
       (mState & NS_FRAME_SELECTED_CONTENT)) {