Bug 490376 - Crash [@ nsDisplayList::GetBottom]; r=roc

layout/base/crashtests/490376-1.xhtml

@@ -0,0 +1,15 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<script type="text/javascript">
+<![CDATA[
+
+function boom()
+{
+  document.body.innerHTML = "<table><caption><\/caption><iframe><\/iframe><\/table>";
+}
+
+]]>
+</script>
+</head>
+<body onload="boom();"></body>
+</html>

layout/base/crashtests/crashtests.list

@@ -227,3 +227,4 @@ load 471594-1.xhtml
 load 479114-1.html
 load 477333-1.xhtml
 load 488390-1.xhtml
+load 490376-1.xhtml

layout/base/nsDisplayList.cpp

@@ -500,22 +500,6 @@ void nsDisplaySolidColor::Paint(nsDisplayListBuilder* aBuilder,
   aCtx->FillRect(dirty);
 }
 
-// Even though we aren't supposed to, we need to override this because
-// we have no frame.
-PRBool
-nsDisplaySolidColor::OptimizeVisibility(nsDisplayListBuilder* aBuilder,
-                                        nsRegion* aVisibleRegion) {
-  // Do what nsDisplayItem::OptimizeVisibility would do but without a frame.
-  if (!aVisibleRegion->Intersects(mBounds))
-    return PR_FALSE;
-
-  if (IsOpaque(aBuilder)) {
-    aVisibleRegion->SimpleSubtract(mBounds);
-  }
-
-  return PR_TRUE;
-}
-
 // Returns TRUE if aContainedRect is guaranteed to be contained in
 // the rounded rect defined by aRoundedRect and aRadii. Complex cases are
 // handled conservatively by returning FALSE in some situations where

layout/base/nsDisplayList.h

@@ -1008,16 +1008,19 @@ public:
 };
 
 /**
- * A simple display item that just renders a solid color across a frame or
+ * A simple display item that just renders a solid color across the
  * specified bounds. Used in cases where we can't draw the frame tree but
  * we want to draw something to avoid an ugly flash of white when
  * navigating between pages. Also used as a bottom item to ensure that
- * something is painted everywhere.
+ * something is painted everywhere. The bounds can differ from the frame's
+ * bounds -- this is needed when a frame/iframe is loading and there is not
+ * yet a frame tree to go in the frame/iframe so we use the subdoc frame
+ * of the parent document as a standin.
  */
 class nsDisplaySolidColor : public nsDisplayItem {
 public:
-  nsDisplaySolidColor(const nsRect& aBounds, nscolor aColor)
-    : nsDisplayItem(nsnull), mBounds(aBounds), mColor(aColor) {
+  nsDisplaySolidColor(nsIFrame* aFrame, const nsRect& aBounds, nscolor aColor)
+    : nsDisplayItem(aFrame), mBounds(aBounds), mColor(aColor) {
     MOZ_COUNT_CTOR(nsDisplaySolidColor);
   }
 #ifdef NS_BUILD_REFCNT_LOGGING
@@ -1037,9 +1040,6 @@ public:
   virtual void Paint(nsDisplayListBuilder* aBuilder, nsIRenderingContext* aCtx,
      const nsRect& aDirtyRect);
 
-  virtual PRBool OptimizeVisibility(nsDisplayListBuilder* aBuilder,
-                                    nsRegion* aVisibleRegion);
-
   NS_DISPLAY_DECL_NAME("SolidColor")
 private:
   nsRect  mBounds;

layout/base/nsLayoutUtils.cpp

@@ -1078,6 +1078,7 @@ nsLayoutUtils::PaintFrame(nsIRenderingContext* aRenderingContext, nsIFrame* aFra
     // cases we might not have a root frame, so this will prevent garbage
     // from being drawn.
     rv = list.AppendNewToBottom(new (&builder) nsDisplaySolidColor(
+           aFrame,
            nsRect(builder.ToReferenceFrame(aFrame), aFrame->GetSize()),
            aBackground));
     NS_ENSURE_SUCCESS(rv, rv);

layout/generic/nsFrameFrame.cpp

@@ -351,6 +351,7 @@ nsSubDocumentFrame::BuildDisplayList(nsDisplayListBuilder*   aBuilder,
                          GetOffsetTo(aBuilder->ReferenceFrame());
     rv = aLists.Content()->AppendNewToBottom(
              new (aBuilder) nsDisplaySolidColor(
+                  f ? f : this,
                   shellBounds,
                   presShell->GetCanvasBackground()));
   }